A single billing compliance violation can cost a medical practice between $11,803 and $23,607 per claim under the False Claims Act, with penalties adjusted for inflation every year. That’s per claim, not per incident. A pattern of improper billing across 50 claims turns a coding error into a million-dollar liability. The good news: building a solid compliance program isn’t complicated. It requires clear policies, regular audits, documented training, and a culture that treats accuracy as non-negotiable.
This guide covers the major federal regulations that govern medical billing, the specific steps every practice needs to take, and the audit process that keeps you on the right side of enforcement. Whether you’re a solo practitioner or a multi-location group, these are the compliance foundations you need in place.
HIPAA and Medical Billing
The Health Insurance Portability and Accountability Act applies to every aspect of medical billing that involves protected health information (PHI). This includes patient demographics, insurance information, diagnosis codes, procedure codes, payment records, and any communication with payers about a patient’s care. HIPAA’s Privacy Rule governs who can access PHI, and the Security Rule governs how it’s protected electronically.
For billing teams, the practical requirements break down into three areas. First, access controls: only staff who need billing information should have access, enforced through role-based permissions in your practice management system. Second, transmission security: all electronic claims, ERA files, and eligibility checks must travel over encrypted connections (SFTP or HTTPS). Third, breach protocols: if billing records are exposed, you have 60 days to notify affected patients and, if the breach affects 500 or more individuals, HHS.
HIPAA violation penalties range from $137 to $68,928 per violation, with an annual cap of $2,067,813 per category. Document your compliance measures and train billing staff annually. Keep training records for at least six years.
The False Claims Act (FCA)
The False Claims Act is the federal government’s primary tool for prosecuting fraudulent billing. It applies when a practice knowingly submits a false claim to a government payer (Medicare, Medicaid, TRICARE, CHAMPVA). “Knowingly” includes actual knowledge, deliberate ignorance, and reckless disregard for the truth. You don’t have to intend fraud for the FCA to apply. Consistent upcoding because nobody bothered to audit the coding is enough.
The most common FCA violations include: upcoding (billing a higher E/M level than documentation supports), unbundling (billing separately for services that should be billed as one code), billing for services not rendered, and billing for services that aren’t medically necessary. Each carries treble damages plus per-claim penalties.
The FCA also includes a whistleblower (qui tam) provision. Any employee can file a lawsuit on behalf of the government, receiving 15% to 30% of any recovery. The best protection is a compliance program that catches and corrects errors internally before they become patterns.
Anti-Kickback Statute (AKS)
The Anti-Kickback Statute prohibits offering, paying, soliciting, or receiving anything of value in exchange for referrals of patients covered by federal healthcare programs. This covers paying referring physicians, offering free billing services for referrals, or receiving vendor discounts contingent on referral volume.
Violations carry up to $100,000 per violation, 10 years in prison, and exclusion from federal programs. Claims from kickback arrangements also qualify as false claims under the FCA. Document the business purpose of every referral-related arrangement and have a healthcare attorney review any compensation tied to referrals.
Stark Law (Physician Self-Referral)
The Stark Law prohibits physicians from referring Medicare or Medicaid patients for “designated health services” to entities where the physician (or an immediate family member) has a financial relationship, unless an exception applies. Unlike the Anti-Kickback Statute, Stark is a strict liability statute with no intent requirement. Every claim from a non-exempt referral arrangement is automatically a false claim.
Common exceptions include the in-office ancillary services exception, the employment exception, and the fair market value exception. Document which exception applies to each arrangement and review annually. Penalties include full repayment, up to $15,000 per service, and potential exclusion from federal programs.
OIG Compliance Program Guidance
The Office of Inspector General (OIG) has published compliance program guidance for physician practices that outlines seven elements of an effective compliance program. While having a compliance program isn’t legally required for most practices, it’s the strongest defense you have if a billing issue surfaces. Practices with documented compliance programs receive more favorable treatment in enforcement actions and settlements.
The seven elements are:
- Written policies and procedures covering coding, billing, documentation, and claim submission standards.
- A designated compliance officer who oversees the program. In smaller practices, this can be an existing staff member with compliance added to their role.
- Regular training and education for all staff involved in billing and coding. Annual training at minimum, with additional sessions when regulations change.
- Open communication channels (an anonymous reporting mechanism so staff can report potential compliance issues without fear of retaliation).
- Internal monitoring and auditing to detect compliance issues proactively.
- Consistent enforcement through well-publicized disciplinary guidelines for non-compliance.
- Prompt response to detected offenses including investigation, correction, and voluntary disclosure when appropriate.
Start with the three elements that have the most immediate impact: written policies for coding and billing, annual training, and internal auditing.
Internal Audit Process: A Step-by-Step Approach
Internal audits catch errors before they become patterns and demonstrate good faith compliance efforts. Here’s how to build a practical audit process.
Step 1: Define your audit scope. For most practices, start with your top 10 CPT codes by volume. These represent the majority of your revenue and the highest risk area for coding errors. Pull a random sample of 30 claims per provider per quarter.
Step 2: Review documentation against codes. For each sampled claim, compare the medical record documentation against the CPT and ICD-10 codes submitted. Does the documentation support the level of service billed? Are the diagnosis codes specific enough? Were modifiers used correctly?
Step 3: Calculate your error rate. Divide the number of claims with coding errors by the total number of claims reviewed. An error rate above 5% for any individual provider or code indicates a training need. An error rate above 10% requires immediate corrective action.
Step 4: Document findings and corrective actions. Write up results with specific error examples and corrective steps taken. Keep audit records for at least seven years.
Step 5: Follow up. Re-audit the same providers and codes 90 days after corrective training. If the error rate hasn’t dropped, escalate to external coding auditor support.
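The five steps above map directly onto a small audit helper. The following Python script is an added example, not code from the article or from any practice management system; the providers ("Dr. A", "Dr. B"), CPT codes, claim IDs and error findings are constructed sample data, and the function names are my own. It draws a reproducible per-provider sample, computes the error rate per provider and per CPT code, applies the 5% and 10% thresholds from Step 3, collects the specific error examples that the Step 4 write-up should cite, and decides whether the Step 5 re-audit warrants escalation.

```python
"""Internal billing audit helper (added example; all data below is constructed)."""
import random
from collections import defaultdict

# Thresholds from the audit process: above 5% indicates a training need,
# above 10% requires immediate corrective action.
TRAINING_THRESHOLD = 0.05
CORRECTIVE_THRESHOLD = 0.10


def build_sample_claims():
    """Constructed sample: two providers, two E/M codes.
    Dr. A has two isolated errors; Dr. B repeatedly bills 99214 on 99213 documentation."""
    claims = []
    for i in range(20):  # Dr. A: 20 claims, 2 errors (2/20 = 10%)
        claims.append({
            "claim_id": f"A-{i:03d}",
            "provider": "Dr. A",
            "cpt": "99213" if i % 2 else "99214",
            "errors": ["unbundling"] if i in (7, 12) else [],
        })
    for i in range(20):  # Dr. B: 20 claims, 4 upcoding errors (4/20 = 20%)
        claims.append({
            "claim_id": f"B-{i:03d}",
            "provider": "Dr. B",
            "cpt": "99214" if i % 2 == 0 else "99213",
            "errors": ["upcoding: 99214 billed, documentation supports 99213"]
            if i in (0, 2, 4, 6) else [],
        })
    return claims


def sample_claims(claims, per_provider=30, seed=0):
    """Step 1: random sample of up to `per_provider` claims for each provider.
    A fixed seed keeps the sample reproducible for the audit record."""
    rng = random.Random(seed)
    by_provider = defaultdict(list)
    for claim in claims:
        by_provider[claim["provider"]].append(claim)
    sample = []
    for provider in sorted(by_provider):
        pool = by_provider[provider]
        sample.extend(rng.sample(pool, min(per_provider, len(pool))))
    return sample


def error_rate(claims):
    """Step 3: claims whose documentation did not support the codes billed,
    divided by the number of claims reviewed."""
    if not claims:
        return 0.0
    errors = sum(1 for c in claims if c["errors"])
    return errors / len(claims)


def classify(rate):
    """Map an error rate onto the two action thresholds ("above" means strictly greater)."""
    if rate > CORRECTIVE_THRESHOLD:
        return "corrective action"
    if rate > TRAINING_THRESHOLD:
        return "training need"
    return "acceptable"


def audit_report(sample):
    """Step 4: reviewed count, error rate, required action and concrete error
    examples, grouped once by provider and once by CPT code."""
    groups = {"provider": defaultdict(list), "cpt": defaultdict(list)}
    for claim in sample:
        groups["provider"][claim["provider"]].append(claim)
        groups["cpt"][claim["cpt"]].append(claim)
    report = {}
    for kind, buckets in groups.items():
        report[kind] = {}
        for key, claims in sorted(buckets.items()):
            rate = error_rate(claims)
            report[kind][key] = {
                "reviewed": len(claims),
                "rate": rate,
                "action": classify(rate),
                "examples": [(c["claim_id"], c["errors"]) for c in claims if c["errors"]],
            }
    return report


def follow_up(previous_rate, reaudit_rate):
    """Step 5: after the 90-day re-audit, escalate if the rate has not dropped."""
    return "escalate to external auditor" if reaudit_rate >= previous_rate else "resolved"


if __name__ == "__main__":
    report = audit_report(sample_claims(build_sample_claims()))
    for kind in ("provider", "cpt"):
        for key, row in report[kind].items():
            print(f"{kind} {key}: {row['reviewed']} reviewed, "
                  f"{row['rate']:.0%} error rate -> {row['action']}")
```

Grouping by CPT code as well as by provider matters: in the constructed data the 99213 error rate is acceptable while 99214 needs corrective action, which points the training at the specific E/M level rather than at a provider in general.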
Training Requirements
Federal guidelines expect annual training for all billing, coding, and claims staff. Training should cover coding policies, documentation standards, common errors, and an overview of major regulations (FCA, AKS, Stark, HIPAA). New hires should receive compliance training within 30 days of their start date.
Keep records that include the date, topics covered, trainer’s name, and attendee names. These records are the first thing auditors ask for. Practices with organized training records from the past three years are in a significantly stronger position during enforcement inquiries.
Documentation Standards
Every billable service needs documentation that supports the code billed. If it wasn’t documented, it wasn’t done, and you can’t bill for it. For E/M services, documentation must support the medical decision-making level or total time billed. For procedures, include the procedure performed, the clinical indication, and findings.
Common documentation failures include: copying forward notes without updating the assessment (cloned notes), documenting a comprehensive exam when only a focused exam was performed, and failing to document medical necessity for diagnostic tests. Train your providers to document what they did, why they did it, and what they found.
Penalties at a Glance
Understanding what’s at stake helps prioritize compliance efforts. Here is a summary of the major penalty structures:
- False Claims Act: $11,803 to $23,607 per claim, plus treble damages on the overpayment amount.
- Anti-Kickback Statute: Up to $100,000 per violation, up to 10 years imprisonment, exclusion from federal programs.
- Stark Law: Repayment of all tainted claims, up to $15,000 per service, potential exclusion.
- HIPAA: $137 to $68,928 per violation, up to $2,067,813 annual cap per category.
- Exclusion from federal programs: This is often the most devastating penalty. A practice excluded from Medicare and Medicaid loses access to roughly 40% of the average patient base.
Your Compliance Action Plan
If you don’t have a compliance program in place, start with these five steps this month. First, designate a compliance officer (even if it’s a role added to an existing position). Second, write a one-page coding and billing policy that covers your top 10 CPT codes. Third, schedule your first internal audit of 30 charts. Fourth, plan an annual training session for all billing staff. Fifth, create an anonymous reporting channel (it can be as simple as a dedicated email address).
These five steps create the foundation that every enforcement agency looks for: evidence that your practice takes compliance seriously and acts on it. Build from there with quarterly audits and regular training updates.
Need help evaluating your compliance program? Contact us for a free compliance review. We’ll show you where you stand and what to fix first.