2024 HIPAA and Other Compliance Updates

The 2024 HIPAA and other compliance updates are included in the Office of the Inspector General (OIG) General Compliance Program Guidance (GCPG) for healthcare providers.

Although these compliance obligations are not new, OIG has issued this guidance to assist the health care community. The Compliance Program it describes covers more than HIPAA. After reviewing this summary, it is recommended that you read the Program Guidance in full.

Similar to the HIPAA Security Rule, the GCPG repeats certain information. This is because OIG recognizes that users may read, or may later reference, specific sections only, and not the whole document. Therefore, relevant information may be included and repeated in multiple sections.

The GCPG applies to all individuals and organizations involved in the health care industry. It addresses the seven elements of a compliance program, with adaptations for small and large organizations. OIG anticipates updating the GCPG as compliance practices or legal requirements change.

Starting in 2024, the OIG will be publishing industry specific CPGs (ICPGs) for different types of providers, suppliers, and other participants in the health care industry. ICPGs will be tailored to fraud and abuse risk areas for each industry. They will also address compliance measures that the industry participants can take to reduce these risks. ICPGs are intended to be updated periodically to address newly identified risk areas and compliance measures and to ensure timely and meaningful guidance from OIG.

Keep in mind, the OIG’s compliance plan is a resource for healthcare providers and does not imply that it is a complete compliance program. Every organization is different, and this is not a one size fits all system. This is very comprehensive, and the following is a summary. For the complete document, see the link below:


Federal Health Care Fraud and Other Standards

The Department of Justice (DOJ), OIG, the Centers for Medicare & Medicaid Services (CMS), and the HHS Office for Civil Rights (OCR) are charged with interpreting and enforcing these laws and regulations. These overviews are intended to be summaries only and do not address every legal obligation that may be imposed on the health care community and its affiliated partners. For example, this guidance and these legal overviews do not address State fraud and abuse laws. Following these laws is the right thing to do, and violating them can result in criminal penalties, fines, exclusion from Federal health care programs, and being required to repay overpayments.

Federal Anti-Kickback Statute

This statute prohibits organizations involved in Federal health care programs from engaging in some practices that are acceptable in other business sectors, such as offering or receiving gifts for past or future referrals.

The Federal anti-kickback statute is intent based. It is a criminal offense to knowingly and willfully offer, pay, solicit, or receive any remuneration to induce the referral of an individual for the furnishing of, or arranging for the furnishing of, any item or service that is reimbursable under a Federal health care program.

Violation of the Federal anti-kickback statute constitutes a felony punishable by a maximum fine of $100,000, imprisonment up to 10 years, or both. Conviction also will lead to mandatory exclusion from Federal health care programs, including Medicare and Medicaid.

Physician Self-Referral Law (PSL) a/k/a Stark Law

This law prohibits a physician from making referrals for certain designated health services (DHS) payable by Medicare to an entity with which the physician (or an immediate family member) has a financial relationship, unless an exception applies, and its requirements are satisfied. Financial relationships include ownership and investment interests as well as compensation arrangements. For example, if a physician invests in an imaging center to which the physician refers Medicare beneficiaries for DHS, the PSL requires that the financial relationship satisfies all requirements of an applicable exception. If it does not, the PSL prohibits the physician from making a referral for DHS to be furnished by the imaging center and prohibits the imaging center from billing Medicare (or any individual, third-party payor, or other entity) for the improperly referred DHS.

The PSL is implicated only when all six of the following elements are present.

  1. A physician
  2. Makes a referral
  3. For designated health services
  4. Payable by Medicare
  5. To an entity
  6. With which the physician (or an immediate family member) or the physician organization in whose shoes the physician stands has a financial relationship (which could be a direct or indirect ownership or investment interest in the entity or a compensation arrangement with the entity).

When all six elements exist, the PSL prohibits a physician from making a referral for DHS to the entity with which they have the financial relationship unless an exception applies and its requirements are satisfied. It is important for entities that furnish DHS to have a method to keep track of, and review closely, their financial relationships with physicians who refer Medicare patients to them.

CMS’s regulations define certain categories of DHS by Current Procedural Terminology (CPT) and Healthcare Common Procedure Coding System (HCPCS) codes. CMS publishes an updated list of codes for the relevant DHS annually.


False Claims Act

The civil False Claims Act provides a way for the Government to recover money when an individual or entity knowingly submits or causes to be submitted false or fraudulent claims for payment to the Government.

This Act defines “knowing” and “knowingly” to mean that a person, with respect to information—

  • has actual knowledge of the information;
  • acts in deliberate ignorance of the truth or falsity of the information; or
  • acts in reckless disregard of the truth or falsity of the information; and no proof of specific intent to defraud is required.  

Because "knowingly" includes deliberate ignorance and reckless disregard, individuals and entities cannot avoid liability by deliberately ignoring inaccuracies in their claims.

Filing false claims may result in liability of up to three times the programs’ loss plus an additional penalty per claim filed. Each instance of an item or a service billed to Medicare or Medicaid counts as a claim. Liability can add up quickly!

A few examples of health care claims that may be false include claims for a service that was not actually rendered to the patient, that was already billed under another claim, that is upcoded, or that is not supported by the patient’s medical record. A claim that is tainted by illegal remuneration under the Federal anti-kickback statute, or submitted in violation of the PSL, is also false or fraudulent and creates liability under the civil False Claims Act.

The Affordable Care Act included a requirement that entities must report and repay overpayments to Medicare and Medicaid by the later of:

(A) the date which is 60 days after the date on which the overpayment was identified; or

(B) the date any corresponding cost report is due, if applicable.

If an entity identifies billing mistakes or other non-compliance with program rules leading to an overpayment, the entity must repay the overpayments to Medicare and Medicaid to avoid False Claims Act liability. Even if an entity makes an innocent billing mistake, that entity still has an obligation to repay the money to the Government.

Civil Monetary Penalty (CMP) Authorities

The OIG is authorized to pursue monetary penalties and exclusion through a variety of civil authorities, most notably the Civil Monetary Penalties Law (CMPL). Under the CMPL, the OIG can pursue assessments in lieu of damages, CMPs, and exclusion from participation in the Federal health care programs. With this authority, OIG can address a wide variety of improper conduct related to Federal health care programs and other HHS programs. The CMPL principally addresses fraudulent and abusive conduct. In addition to OIG’s CMP authorities that closely parallel the False Claims Act, the OIG has additional CMP authorities aimed at specific types of conduct unique to HHS and the Federal health care programs, for example the “patient dumping” CMP.

While False Claims Act cases are pursued by DOJ on behalf of HHS in Federal court, CMP cases are administrative and are pursued by OIG before an HHS administrative law judge. By statute, different categories of conduct carry different penalty amounts. For example, false claims result in penalties of up to $20,000 per item or service falsely claimed, and improper kickback conduct results in penalties of up to $100,000 per violation.


Beneficiary Inducements CMP

This authority provides for the imposition of CMPs against any person who offers or transfers remuneration to a Medicare or State health care program beneficiary that the person knows or should know is likely to influence the beneficiary’s selection of a particular provider, practitioner, or supplier for the order or receipt of any item or service for which payment may be made, in whole or in part, by Medicare or a State health care program.

There are exceptions to the definition of “remuneration” under this section. For any applicable exception to apply, each condition of the exception must be completely satisfied. The exceptions include:

  • nonroutine waivers of copayments and deductibles based on individualized determinations of financial need;
  • preventive care incentives;
  • items and services that promote access to care and pose a low risk of harm;
  • retailer rewards;
  • items and services tied to medical care for financially needy beneficiaries.

The Beneficiary Inducements CMP is different from the Federal anti-kickback statute and the corresponding anti-kickback CMP, but the Beneficiary Inducements CMP and Federal anti-kickback statute often prohibit overlapping conduct.

The Beneficiary Inducements CMP is a separate and distinct authority, independent of the Federal anti-kickback statute, and it is narrower than the Federal anti-kickback statute and the anti-kickback CMP in several ways.

The Federal anti-kickback statute applies to remuneration intended to induce or reward referrals of an individual to a person for the furnishing of any item or service, and purchases of any good, facility, service, or item payable by a Federal health care program. In contrast, the Beneficiary Inducements CMP applies to remuneration that is likely to influence a beneficiary’s selection of a particular provider, practitioner, or supplier for items or services reimbursable by Medicare or a State health care program.

Information Blocking

Under the 21st Century Cures Act, the OIG has the authority to investigate claims that health information technology (IT) developers of certified health IT (including entities offering certified health IT), health information exchanges and networks, and health care providers have engaged in conduct constituting “information blocking.” A health IT developer of certified health IT, health information exchange, or network that engages in information blocking may be subject to CMPs of up to $1 million per violation.

A provider engages in information blocking when it engages in a practice that it knows is likely to interfere with, prevent, or materially discourage the access, exchange, or use of electronic health information (EHI). Information blocking does not include any practice that is required by law or that meets an exception.

Criminal Health Care Fraud Statute

The criminal health care fraud statute makes it a criminal offense to defraud a health care benefits program. The criminal health care fraud statute prohibits knowingly and willfully executing, or attempting to execute, a scheme to either:

(1) defraud any health care benefit program; or

(2) to obtain, by means of false or fraudulent pretenses, representations, or promises, any money or property from any health care benefit program.

The Government must prove its case beyond a reasonable doubt and prove that the defendant acted with intent to defraud; however, specific intent to violate this statute is not required for a conviction. DOJ, OIG, and other law enforcement partners have successfully used this statute to pursue defendants who orchestrate complex health care fraud schemes. Cases that involve violations of the criminal health care fraud statute also often involve complex money laundering, tax, and other associated financial criminal offenses. The penalties for violating the criminal health care fraud statute may include fines of up to $250,000, imprisonment of not more than 10 years, or both.


HIPAA Privacy and Security Rules

The Department of Health and Human Services Office for Civil Rights is responsible for administering and enforcing the HIPAA Rules, which include the Privacy, Security, and Breach Notification Rules.

The Security Rule specifies a series of administrative, physical, and technical safeguards that covered entities and their business associates must implement to ensure, among other things, the confidentiality, integrity, and availability of electronic PHI (ePHI).

OCR and ONC created the HSR Toolkit to assist providers and business associates in identifying their risks. The HSR Toolkit does not produce a statement of compliance. Organizations may use it in coordination with other tools and processes to support HIPAA Security Rule compliance and risk management activities; statements of compliance remain the responsibility of the covered entity and of the HIPAA Security Rule regulatory and enforcement authority. Aris’ HIPAA Keeper™ replaces the need for this toolkit, since our system includes the risk assessment and all policies and procedures. Whichever tool you use, it is recommended that a third party audit your network to verify that your data is actually secure.

Elements of a Compliance Infrastructure

  1. Written policies and procedures should encompass the HIPAA Rules and the areas that could give rise to fraud and abuse, including billing, coding, sales, marketing, quality of care, patient incentives, and arrangements with physicians, other health care providers, vendors, and other potential sources or recipients of referrals of health care business.
  2. All individuals must have access to your policies and procedures. Many entities maintain their code, policies, and procedures on an internal intranet site or use other electronic communication tools to ensure that everyone has access to the same documents. Policies must be maintained in languages the staff can easily understand and written at an appropriate reading level.
  3. Designating a compliance officer with appropriate authority is essential to the success of the compliance program. To be effective, the compliance officer should maintain a degree of separation from the entity’s delivery of health care items and services and related operations. Thus, the compliance officer should not be responsible, directly or indirectly, for the delivery of health care services, coding, or claim submission. Involvement in functions such as contracting, medical review, or administrative appeals also presents potential conflicts. Whenever possible, the compliance officer’s sole responsibility should be compliance. In smaller organizations this can be burdensome, so a third party may be necessary for guidance.
  4. Training should cover the organization’s compliance program, including applicable Federal and State standards and the governance and oversight of a health care entity. The compliance officer should develop an annual training plan that identifies the topics to be delivered and the target audience for each topic.
  5. For a compliance program to be effective, the organization should establish appropriate consequences for instances of noncompliance, as well as incentives for compliance. Consequences may involve remediation, sanctions, or both, depending on the facts. Incentives may be used to encourage compliance performance and innovation.
  6. Risk assessment is a process for identifying, analyzing, and responding to risk. Periodic compliance risk assessments should be a component of an organization’s compliance program and should be conducted at least annually. Entities may use commonly available spreadsheet software to analyze their data. Other software programs that entities already use, such as billing software and electronic health records, may also have components that allow entities to analyze the data they contain. Between compliance risk assessments, the compliance officer should continue to scan for unidentified or new risks.
  7. Audits may be conducted by internal or external auditors who have expertise in Federal and State health care statutes, regulations, and Federal health care program requirements. Medicare requires that items and services be medically reasonable and necessary. Entities may identify other areas appropriate for routine monitoring, such as high-value billing codes, medical record documentation, and the medical necessity of admissions.
  8. Monthly monitoring of the LEIE and State Medicaid exclusion lists and of State licensure and certification databases, together with an annual review of the organization’s policies and procedures, should also be performed.
  9. Detected Offenses and Developing Corrective Action Plans. If credible evidence of misconduct from any source is discovered and a reasonable inquiry is conducted, and the compliance officer or counsel has reason to believe that the misconduct may violate criminal, civil, or administrative law, then the organization should promptly (not more than 60 days after the determination that credible evidence of a violation exists) notify the appropriate Government authority of the misconduct. Prompt reporting will demonstrate the entity’s good faith and willingness to work with governmental authorities to correct and remedy the problem.
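The monthly exclusion screening in item 8 is the one step in this list that is routinely automated. The following is an added example, not code from the page, from OIG, or from Aris: it screens a constructed staff and vendor roster against a constructed excerpt in the layout of the OIG LEIE CSV download. The column names LASTNAME, FIRSTNAME, MIDNAME, BUSNAME, NPI, DOB, EXCLTYPE, EXCLDATE and REINDATE, and the treatment of a non-zero REINDATE as a reinstatement, are assumptions to verify against the header of the real file. It goes a little beyond a plain lookup: it matches on NPI first, then business name, then name plus date of birth, flags same-name rows with a different or missing DOB for human review, and rejects NPIs that fail the CMS check digit so a typo in HR data is not silently screened as "clear".

```python
"""Added example (not from the page, OIG, or Aris): screen a staff and vendor
roster against the OIG List of Excluded Individuals/Entities (LEIE).

Assumptions, labelled: the LEIE CSV download is assumed to carry the columns
LASTNAME, FIRSTNAME, MIDNAME, BUSNAME, NPI, DOB, EXCLTYPE, EXCLDATE and
REINDATE (verify against the header of the real file), and a non-zero
REINDATE is treated as a reinstatement. The roster layout and every row
below are constructed sample data, not real exclusion records.
"""
import csv
import io
import re
import unicodedata

# Constructed excerpt in the assumed LEIE layout (not real exclusion records).
LEIE_SAMPLE = """LASTNAME,FIRSTNAME,MIDNAME,BUSNAME,NPI,DOB,EXCLTYPE,EXCLDATE,REINDATE
DOE,JOHN,A,,1234567893,19700101,1128b4,20220301,00000000
,,,ACME MEDICAL SUPPLY LLC,0000000000,00000000,1128a1,20210615,00000000
SMITH,MARY,,,0000000000,19850505,1128a1,20190101,00000000
GARCIA-LOPEZ,JOSE,,,0000000000,19900909,1128b7,20230801,00000000
BROWN,ROBERT,,,0000000000,19600606,1128a1,20150101,20200101
"""

# Constructed roster; real input would come from HR and vendor-master exports.
ROSTER_SAMPLE = """last,first,npi,dob,business
Doe,John,1234567893,1970-01-01,
Smith,Mary,,1985-05-05,
Smith,Mary,,1986-05-05,
Garcia Lopez,José,,1990-09-09,
,,,,"Acme Medical Supply, LLC"
Brown,Robert,,1960-06-06,
Nguyen,Linh,1555555550,1992-02-02,
Patel,Anita,1234567890,1991-01-01,
"""


def _norm_name(s):
    """Fold accents, case, punctuation and spacing: 'Garcia-Lopez' == 'Garcia Lopez'."""
    ascii_s = unicodedata.normalize("NFKD", s or "").encode("ascii", "ignore").decode()
    return re.sub(r"[^A-Z0-9]", "", ascii_s.upper())


def _digits(s):
    return re.sub(r"\D", "", s or "")


def _norm_date(s):
    """YYYY-MM-DD and YYYYMMDD both become YYYYMMDD; all-zero means unknown."""
    d = _digits(s)
    return d if d and set(d) != {"0"} else ""


def npi_check_digit_ok(npi):
    """CMS NPI check digit: Luhn over the 10 digits prefixed with 80840."""
    if len(npi) != 10:
        return False
    total = 0
    for i, ch in enumerate(reversed("80840" + npi)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def load_leie(text):
    """Parse the LEIE CSV into normalised records, dropping reinstated entries."""
    records = []
    for r in csv.DictReader(io.StringIO(text)):
        if _norm_date(r.get("REINDATE")):
            continue  # assumption: non-zero REINDATE means no longer excluded
        npi = _digits(r.get("NPI"))
        records.append({
            "last": _norm_name(r.get("LASTNAME")),
            "first": _norm_name(r.get("FIRSTNAME")),
            "business": _norm_name(r.get("BUSNAME")),
            "npi": npi if len(npi) == 10 and set(npi) != {"0"} else "",
            "dob": _norm_date(r.get("DOB")),
            "excltype": r.get("EXCLTYPE", ""),
        })
    return records


def screen_roster(roster_text, leie):
    """Return one (line_no, status, detail) per roster row, strongest evidence first:
    excluded_npi > excluded_business > excluded_name_dob > review_name_match > bad_npi > clear."""
    by_npi = {e["npi"]: e for e in leie if e["npi"]}
    by_business = {e["business"]: e for e in leie if e["business"]}
    by_name = {}
    for e in leie:
        if e["last"] and e["first"]:
            by_name.setdefault((e["last"], e["first"]), []).append(e)

    findings = []
    for n, r in enumerate(csv.DictReader(io.StringIO(roster_text)), start=1):
        raw_npi = _digits(r.get("npi"))
        npi = raw_npi if npi_check_digit_ok(raw_npi) else ""
        business = _norm_name(r.get("business"))
        key = (_norm_name(r.get("last")), _norm_name(r.get("first")))
        dob = _norm_date(r.get("dob"))
        candidates = by_name.get(key, []) if all(key) else []
        hit = next((c for c in candidates if c["dob"] and c["dob"] == dob), None)

        if npi and npi in by_npi:
            findings.append((n, "excluded_npi", by_npi[npi]["excltype"]))
        elif business and business in by_business:
            findings.append((n, "excluded_business", by_business[business]["excltype"]))
        elif hit:
            findings.append((n, "excluded_name_dob", hit["excltype"]))
        elif candidates:
            # same name but DOB missing or different: a human must resolve this one
            findings.append((n, "review_name_match", candidates[0]["excltype"]))
        elif raw_npi and not npi:
            findings.append((n, "bad_npi", raw_npi))  # malformed NPI, fix the source data
        else:
            findings.append((n, "clear", ""))
    return findings


if __name__ == "__main__":
    for line_no, status, detail in screen_roster(ROSTER_SAMPLE, load_leie(LEIE_SAMPLE)):
        print(f"roster line {line_no}: {status} {detail}")
```

In the sample run, the first roster line is caught by NPI, the fourth by name and DOB despite the hyphen and accent differences, the fifth by business name despite the comma in the vendor-master spelling, the sixth is clear only because the sample record carries a reinstatement date, and the last is reported as a bad NPI rather than as clear. Keep the per-run findings and the LEIE file version you screened against; the point of the monthly cadence is being able to show, for any month, who was screened against which list.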

Other Compliance Considerations

There are other important compliance considerations related to several generally applicable risk areas. Forthcoming ICPGs will address industry subsector-specific risk areas for different types of providers, suppliers, and other participants in health care industry subsectors or ancillary industry sectors relating to Federal health care programs. The existing CPGs and supplemental CPGs will remain available for use as ongoing resources to help identify risk areas in particular industry segments as the ICPGs are developed.

Quality and Patient Safety

Quality and patient safety are often treated as wholly separate and distinct from compliance, and the compliance program often does not contain quality and patient safety components. But quality and patient safety are integral to the work of HHS, CMS, FDA, and other agencies. And OIG and DOJ have long emphasized the importance of quality and patient safety. OIG and DOJ have investigated and settled cases based on the submission of false claims for care that is materially substandard, resulting in death or severe harm to patients.

New Businesses in the Health Care Industry

The health care sector is seeing an increasing number of new businesses, including technology companies (both established and start-up companies), new investors, and organizations providing non-traditional services in health care settings. New entrants are often unfamiliar with the unique regulations and business constraints that apply in the health care industry, as well as the range of Federal and State government agencies that regulate health care and enforce fraud and abuse laws. Business practices that are common in other sectors create compliance risk in health care, including potential criminal, civil, and administrative liability.

Financial Incentives: Ownership and Payment – Follow the Money

The growing prominence of private equity and other forms of private investment in health care raises concerns about the impact of ownership incentives on the delivery of high quality, efficient health care. Health care entities, including their investors and governing bodies, should carefully scrutinize their operations and incentive structures to ensure compliance with the Federal fraud and abuse laws.

Payment Incentives

Compliance officers should be attuned to the varying risks associated with the payment methodologies through which health care entities are reimbursed for the items and services they provide.  When an insurer, including Federal health care programs, pays on a volume-sensitive or fee-for-service basis, there may be increased risks of overutilization, inappropriate patient steering, and use of more expensive items or services than needed. When payment incentives and associated risks are fully understood, compliance officers, including those at entities with private investment, are better positioned to design informed audit plans, conduct effective monitoring, detect problems early, and implement effective preventive strategies.

Financial Arrangement Tracking

Organizations involved in Federal health care program business may manage financial arrangements and transactional agreements, including those between referral sources and referral recipients, which can implicate the Federal anti-kickback statute and the PSL, among other Federal fraud and abuse laws. While legal counsel may be involved in the initial structuring and drafting of these agreements, ongoing monitoring of compliance with the terms and conditions set forth in the agreements remains equally important from a fraud and abuse perspective.

OIG Resources and Processes

OIG has a Compliance Section on its website that includes numerous compliance and legal resources. They most recently added a more robust section on Frequently Asked Questions, with a new process for the health care community to submit questions, as discussed further below. In addition, under the Newsroom tab, they have short, educational videos covering a variety of substantive topics, Testimonies before Congress, as well as News Releases & Articles.

OIG encourages organizations to subscribe to its What’s New newsletter to receive email notifications when new information, including reports and enforcement actions, is posted to its website. OIG also encourages subscribing to email notifications for updates to the List of Excluded Individuals/Entities. Lastly, OIG has various social media accounts that users can follow to view OIG posts.

The current list of topics addressed in FAQs

OIG Self-Disclosure Information

OIG has several self-disclosure processes that can be used to report potential fraud in HHS programs. Health care providers, suppliers, or other individuals subject to CMPs can use the Health Care Fraud Self-Disclosure Protocol to voluntarily disclose self-discovered evidence of potential fraud. Self-disclosure gives providers the opportunity to avoid the costs and disruptions associated with a Government-directed investigation and civil or administrative litigation.

The GCPG is voluntary guidance that discusses general compliance risks and compliance programs; OIG encourages every health care entity to implement one. The complete guide may be viewed or downloaded on any computer.


There is an option to download only certain sections.


Be sure to check OIG’s website regularly: the GCPG will be updated there and is no longer published in the Federal Register.

If you need assistance with HIPAA Compliance, check out our HIPAA Keeper. Our system includes documents on a variety of compliance topics, not just HIPAA. Best of all you will have a HIPAA security analyst to guide you every step of the way!

For more information or to speak to someone about HIPAA Compliance, call us at 877-659-2467 or use the contact us form.

“Simplifying HIPAA through Automation, Education, and Support”

About Suze Shaffer

Suze Shaffer is the owner and president of Aris Medical Solutions. She specializes in HIPAA compliance, risk management, and cyber security. She believes that by educating her clients in understanding why and what needs to be done to protect their practice they have a better outcome.

Suze has been instrumental in helping clients nationwide with risk management, implementing privacy and security rule policies and procedures, and ultimately protecting patient data. She includes state and federal regulatory requirements to ensure clients are protected in all areas.

She has spoken at numerous conferences and functions. She continues to educate organizations on how to minimize the risks of data breaches. HIPAA compliance is not an option; it is mandatory for every organization that comes in contact with protected health information to have reasonable and appropriate security measures in place. Unfortunately, most organizations don’t realize they are not compliant until they suffer a data breach or are faced with an audit or investigation.

Did you know that the Office for Civil Rights (OCR) is the agency that investigates data breaches? Have you seen the heavy fines that have been imposed for non-compliance?

All 50 states now have their own set of privacy laws and the State's Attorney General may also investigate privacy violations!

©2024 Aris Medical Solutions – HIPAA Risk Management | HIPAA Compliance Consultants | All Rights Reserved | Terms and Conditions | Privacy Policy