Direct Answer
Healthcare fraud and abuse cost the federal government an estimated $60–100 billion annually and trigger aggressive enforcement by DOJ, OIG, CMS, and state Medicaid fraud control units. The legal framework — the False Claims Act (FCA), the Stark Law (physician self-referral), and the Anti-Kickback Statute (AKS) — imposes liability that can be both civil and criminal, with penalties per claim ranging from $13,000 to $26,000 under the FCA, treble damages, and exclusion from all federal healthcare programs. The most effective protection is a proactive compliance program — one that identifies and corrects billing errors before they become government investigations, not after.
The Legal Framework
Three federal statutes form the core of healthcare fraud and abuse law.

False Claims Act (31 U.S.C. § 3729)
- The primary civil enforcement tool; creates liability for anyone who knowingly submits a false or fraudulent claim to the federal government.
- Key provisions: a "false claim" includes a claim for a service not rendered; a claim with an incorrect diagnosis code; a claim with an incorrect procedure code; a claim that misrepresents the provider, patient, or service; and a claim for a service that was not medically necessary.
- Penalties: $13,946–$27,894 per false claim (adjusted annually for inflation) plus treble damages.
- The "knowingly" standard covers actual knowledge of the falsity, deliberate ignorance, and reckless disregard; it does NOT require specific intent to defraud.
- Qui tam provisions: private individuals (relators, or "whistleblowers") can file FCA lawsuits on behalf of the government; relators may receive 15–30% of the recovery; most major healthcare FCA actions began as qui tam lawsuits filed by former employees.

Stark Law (42 U.S.C. § 1395nn)
- Prohibits physicians from referring patients for designated health services (DHS) to entities with which the physician has a financial relationship, unless an exception applies.
- DHS includes laboratory services, physical therapy, occupational therapy, radiology, DME, home health, outpatient prescription drugs, hospital services, and others.
- The Stark Law is a strict liability statute: intent is irrelevant. If a financial relationship exists without an applicable exception, the referral is prohibited and the claims submitted are improper.
- Exceptions: physician services exception; in-office ancillary services exception (most commonly used by group practices; requires that services be provided in the same building, billed by the group, and supervised by a group physician); employment exception; personal services exception; fair market value compensation.

Anti-Kickback Statute (42 U.S.C. § 1320a-7b(b))
- Prohibits offering, paying, soliciting, or receiving anything of value to induce or reward referrals of federal healthcare program business.
- Broadly written: applies to any remuneration that is intended to influence referrals.
- Criminal statute: conviction can result in imprisonment of up to 10 years; civil monetary penalties also apply.
- Safe harbors: specific arrangements that are protected from AKS liability if all safe harbor elements are met. Commonly used safe harbors: employment, personal services, small entity investment interests, GPO arrangements, managed care, price reductions.
Common Compliance Risks
Understanding the most common healthcare fraud and abuse risks enables proactive compliance.

Upcoding
- Billing a higher-complexity or higher-reimbursement code than the services documented.
- E&M upcoding (billing 99215 when documentation supports 99214) is consistently a top audit target.
- Surgical procedure upcoding: billing a more complex procedure than was performed.
- FCA and upcoding: systematic upcoding is a false claims violation, and each overcoded claim is a separate FCA violation.

Unbundling
- Billing separately for services that should be billed together under a single comprehensive code.
- NCCI edits identify bundled code pairs; billing unbundled codes that should be packaged is an FCA risk.

Billing for services not rendered (phantom billing)
- Billing for a patient visit that did not occur; billing for a procedure that was ordered but not performed; billing for services by a provider who was not present.
- This is the clearest form of healthcare fraud; no documentation defense is possible.

Medical necessity issues
- Billing for services that were not medically necessary based on the patient's documented clinical condition.
- Common in: diagnostic testing orders for unnecessary tests; admission to a higher level of care than required; frequency of services in excess of clinical need.

Physician self-referral (Stark) violations
- Physician-owned ancillary services that don't meet an exception.
- Compensation arrangements with employed or contracted physicians that don't meet fair market value.
- Improperly structured space and equipment leases.
- Lab or DME referrals from owner-physicians.

Improper use of billing modifiers
- Using Modifier 25 to bill an E&M on the same day as a procedure without a separately identifiable service.
- Using Modifier 59 to bypass NCCI edits without clinical justification.
- Using Modifier 22 (increased procedural services) without documentation.

Kickback arrangements
- Paying physicians for referrals disguised as speaking fees, consulting arrangements, or research grants.
- Medical directorships that are not actually worked.
- Free or below-market-value goods or services provided to referral sources.
Compliance Program Design
An effective compliance program is the primary defense against fraud and abuse liability, and it demonstrates good faith in any enforcement action.

OIG's 7 Elements of an Effective Compliance Program

Element 1: Written standards and policies
- Written code of conduct; billing and coding policies; documentation standards; conflict of interest policies; response procedures for suspected violations.

Element 2: Compliance officer and committee
- A designated compliance officer with authority and access to leadership.
- A compliance committee including representation from billing, clinical, legal, and administration.

Element 3: Training and education
- Annual compliance training for all staff.
- Role-specific training (billers on coding rules, physicians on documentation requirements, managers on Stark/AKS requirements).
- New employee training.

Element 4: Effective communication and reporting
- Anonymous reporting mechanism (hotline, web form).
- Non-retaliation policy protecting whistleblowers.
- Open-door policy encouraging good-faith reporting.

Element 5: Auditing and monitoring
- Prospective audits: pre-billing review of documentation and coding.
- Retrospective audits: review of submitted and paid claims against documentation.
- Statistical sampling: random and targeted audits.
- Audit frequency: at minimum annually, more frequently for high-risk areas.

Element 6: Enforcement and discipline
- Consistent, documented disciplinary action for violations.
- No tolerance for retaliation against compliance reporters.
- Documentation of corrective actions taken.

Element 7: Response and correction
- Prompt investigation of identified issues.
- Corrective action plan when violations are found.
- Voluntary repayment when overpayments are identified.
- Self-disclosure when appropriate.

Practice size and compliance programs
- Large health systems maintain dedicated compliance departments.
- Small practices can implement compliance with: a designated compliance officer (often the practice manager); a written compliance plan; annual coding audits; staff training records; an employee hotline or email address.
- Even a basic compliance program demonstrates good faith.
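A prospective (pre-billing) screen of the kind Element 5 calls for, applied to the unbundling and modifier risks listed under Common Compliance Risks. This is an added example, not code from the page or from Valiant Lifecare; the NCCI-style pair table, the documentation labels and the claim lines are constructed placeholders, and a real screen would load the current CMS NCCI PTP edit file and the practice's own claim feed.

```python
from dataclasses import dataclass, field

# Constructed NCCI-style pairs: (column1, column2) -> modifier indicator.
# 0 = column-2 code is never separately payable with the column-1 code;
# 1 = separately payable only with an appropriate modifier (e.g. 59).
# Placeholder pairs for illustration, not the real CMS NCCI PTP table.
NCCI_PAIRS = {
    ("11042", "11000"): 1,
    ("99214", "36415"): 0,
}
EM_CODES = {"99211", "99212", "99213", "99214", "99215"}
# Documentation element a coder must record before each modifier is allowed
# (constructed labels for this example).
MODIFIER_NEEDS = {
    "25": "separate_em",        # separately identifiable E&M service
    "59": "distinct_service",   # distinct service justifying the NCCI bypass
    "22": "increased_work",     # documentation of substantially increased work
}


@dataclass
class Line:
    cpt: str
    modifiers: set = field(default_factory=set)
    documented: set = field(default_factory=set)


def screen_claim(lines):
    """Return pre-billing flags for one date-of-service claim.

    HOLD flags block submission; REVIEW flags route the claim to a coder."""
    flags = []
    by_code = {ln.cpt: ln for ln in lines}
    has_procedure = any(c not in EM_CODES for c in by_code)

    # Unbundling: a column-2 code billed together with its column-1 code.
    for (col1, col2), indicator in NCCI_PAIRS.items():
        if col1 in by_code and col2 in by_code:
            if indicator == 0:
                flags.append(f"HOLD: {col2} is never separately payable with {col1}")
            elif "59" not in by_code[col2].modifiers:
                flags.append(f"HOLD: {col2} bundles into {col1}; no modifier 59")

    # Modifier misuse: each modifier must be backed by its documentation element.
    for ln in lines:
        for mod in sorted(ln.modifiers & set(MODIFIER_NEEDS)):
            need = MODIFIER_NEEDS[mod]
            if mod == "25" and not (ln.cpt in EM_CODES and has_procedure):
                flags.append(f"REVIEW: modifier 25 on {ln.cpt} without a same-day procedure")
            elif need not in ln.documented:
                flags.append(f"REVIEW: modifier {mod} on {ln.cpt} lacks {need} documentation")
    return flags
```

Run over the daily charge batch before claims leave the practice, the HOLD/REVIEW output is the audit trail that a retrospective auditor or a MAC reviewer would otherwise produce after payment.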
OIG Work Plan and Audit Priorities
The OIG Work Plan signals where federal audit and enforcement attention will focus.

What the OIG Work Plan is
- The OIG (Office of Inspector General) publishes an annual Work Plan identifying the areas of Medicare and Medicaid spending it will audit during the coming year.
- The Work Plan is publicly available at oig.hhs.gov; review it annually to identify which billing practices and service types are under increased scrutiny.
- Using Work Plan topics as the agenda for internal audits is a best practice.

Recent and recurring Work Plan focus areas
- E&M services: high-level E&M code utilization (99215, 99205); documentation adequacy for E&M services billed at the highest complexity levels.
- Telehealth: medical necessity of telehealth services; appropriate use of telehealth modifiers and POS codes; audio-only telehealth coverage documentation.
- Evaluation and management in various settings: hospital observation services; critical care billing; skilled nursing facility E&M.
- Specialty-specific targets: ophthalmology (anti-VEGF drug billing and waste documentation); home health (eligibility for home health services); DME (medical necessity for power wheelchairs, orthotics); laboratory (specimen validity testing unbundled from drug testing); chiropractic (maintenance care billed with the AT modifier).

Targeted Probe and Educate (TP&E)
- CMS MACs conduct TP&E reviews, selecting claims from providers with high error rates for documentation review.
- Providers with high TP&E error rates are placed on prepayment review; the TP&E process creates significant cash flow disruption.

RAC (Recovery Audit Contractor) audits
- RACs are private contractors paid a contingency fee to identify Medicare overpayments.
- RAC audits focus on high-dollar, high-volume services; claims selected by RACs must be defended with documentation.
- The RAC look-back period is generally 3 years.
Self-Disclosure and Voluntary Repayment
When a compliance audit reveals billing errors or potential violations, proper self-disclosure and repayment protect the organization from greater liability.

60-day repayment rule
- The ACA created a statutory obligation to report and return Medicare and Medicaid overpayments within 60 days of identification.
- Failure to repay a known overpayment within 60 days converts the overpayment into a false claim, creating FCA liability.
- The 60-day clock starts when the overpayment is "identified", which triggers a good-faith obligation to investigate its scope.

Voluntary self-disclosure paths
- OIG Self-Disclosure Protocol (SDP): for potential violations of the Anti-Kickback Statute or other fraud and abuse statutes; submission to the OIG with a description of the conduct, the calculation of damages, and the proposed settlement amount; acceptance into the SDP typically results in a multiplier of 1.5x the overpayment (vs. 3x treble damages under the FCA).
- CMS Self-Referral Disclosure Protocol (SRDP): for potential Stark Law violations; submission to CMS with a description of the financial relationship, the referred services, and the calculation of the repayment amount.
- MAC or carrier direct repayment: for coding errors or documentation deficiencies that resulted in overpayments without an element of fraud; voluntary repayment to the MAC with a brief cover letter explaining the error; no SDP or SRDP is needed when the issue is a billing mistake, not a potential fraud or kickback.

Scope of repayment
- When an audit identifies errors, the organization cannot simply repay the identified claims.
- The 60-day rule requires determining the full scope of the overpayment through statistical sampling and extrapolation.
- Repaying only the claims you found, without extrapolating to the full population of similar claims, may not satisfy the legal obligation.

Documentation of the compliance response
- Document the entire self-disclosure process: the date the issue was identified; the investigation conducted to determine scope; the calculation of the overpayment; the repayment made; the corrective action implemented to prevent recurrence.
- This documentation is the evidence of good faith that mitigates penalties in any subsequent government inquiry.
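A worked scope-of-repayment estimate for the "Scope of repayment" point above and the statistical sampling called for under Element 5: draw a reproducible random sample of the claim universe, audit it, and project the sampled overpayments to the full population. This is an added example, not code from the page or from Valiant Lifecare. It assumes a simple random sample and a mean-per-claim projection with a one-sided 90% lower bound; that convention, the netting of underpayments, the claim amounts and the universe size are all constructed for illustration, and the actual sampling design should be confirmed with counsel and the MAC's published methodology.

```python
import math
import random

# One-sided 90% normal quantile; assumed convention for the lower bound (a
# MAC may use a t-quantile or a different design; confirm before relying on it).
Z_90_ONE_SIDED = 1.2816


def draw_sample(claim_ids, n, seed=0):
    """Simple random sample without replacement from the sampling frame.

    Record the frame, n and seed in the disclosure file so the reviewer can
    reproduce exactly which claims were audited."""
    return sorted(random.Random(seed).sample(list(claim_ids), n))


def extrapolate(audited, universe_size, z=Z_90_ONE_SIDED):
    """Project audited overpayments to the full claim universe.

    audited: list of (paid, supported) dollar amounts per sampled claim, where
    supported is what the documentation actually supports (equal to paid when
    the claim is clean). Underpayments net against overpayments here; whether
    that netting is permitted is a program rule to confirm, not assumed.
    Returns (point_estimate, lower_bound) for the universe, in dollars."""
    n = len(audited)
    if n < 2:
        raise ValueError("need at least two audited claims to estimate variance")
    diffs = [paid - supported for paid, supported in audited]
    mean = sum(diffs) / n
    var = sum((d - mean) ** 2 for d in diffs) / (n - 1)
    # Finite population correction: the sample is a real fraction of the universe.
    fpc = math.sqrt((universe_size - n) / (universe_size - 1))
    se = math.sqrt(var / n) * fpc
    point = mean * universe_size
    lower = max(0.0, (mean - z * se) * universe_size)
    return round(point, 2), round(lower, 2)


# Constructed probe sample: 10 claims drawn from a universe of 1000 claims of
# the same service type; dollar figures are illustrative only.
SAMPLE = [(150.0, 100.0), (120.0, 120.0), (200.0, 80.0), (90.0, 90.0),
          (110.0, 80.0), (75.0, 75.0), (130.0, 130.0), (160.0, 80.0),
          (95.0, 95.0), (140.0, 120.0)]
UNIVERSE = 1000

if __name__ == "__main__":
    point, lower = extrapolate(SAMPLE, UNIVERSE)
    found = sum(p - s for p, s in SAMPLE)
    print(f"found in sample ${found:,.2f}; universe point estimate ${point:,.2f}; "
          f"90% lower bound ${lower:,.2f}")
```

With the constructed sample, the $300 actually found in the ten audited claims is a small fraction of even the conservative lower bound for the universe, which is the gap the "repaying only the claims you found" warning refers to.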
FAQ
What is the difference between healthcare fraud, abuse, and waste, and does the distinction affect legal liability?
CMS defines fraud, abuse, and waste as distinct categories with different legal implications.

Healthcare fraud
- Intentional deception or misrepresentation to obtain an unauthorized benefit.
- Key element: intent. The provider knew the claim was false and submitted it anyway.
- Examples: billing for services not rendered; billing under a different provider's NPI; deliberately altering records to support a false claim; using a dead patient's insurance; forging a physician signature.
- Legal consequences: criminal prosecution under 18 U.S.C. § 1347 (healthcare fraud), 18 U.S.C. § 1035 (false statements), or 42 U.S.C. § 1320a-7b (health care fraud); civil FCA liability; OIG exclusion from all federal healthcare programs; imprisonment.

Healthcare abuse
- Practices that are inconsistent with sound fiscal, business, or medical practices and result in unnecessary costs to the Medicare or Medicaid program.
- Key distinction from fraud: abuse may not involve intentional deception.
- Examples: billing for services that are not medically necessary; charging in excess of usual charges; excessive utilization of services; incorrect coding practices (not intentional upcoding but systemic inaccuracies).
- Legal consequences: overpayment demands; civil monetary penalties; corrective action plans; may escalate to a fraud investigation if the pattern suggests intent.

Healthcare waste
- Overutilization or inefficient use of healthcare resources; not necessarily illegal.
- Examples: unnecessary testing, duplicate services, inefficient care pathways.
- Not directly subject to fraud and abuse penalties, but targeted by value-based care initiatives.

Why the distinction matters legally
- The FCA requires "knowing" submission of a false claim (which includes reckless disregard); pure waste without any element of improper billing is not an FCA violation.
- The line between abuse and fraud is often determined by: the provider's knowledge of correct billing requirements; whether a pattern of errors reflects systemic indifference (reckless disregard); whether the provider continued the practice after being informed of the error.
- Compliance programs reduce abuse by identifying and correcting errors before they accumulate; they also create a factual record showing good faith, which mitigates the risk that abuse will be characterized as fraud.
How should a medical practice respond when it receives a government subpoena, CID, or audit request?
Receiving a government investigation inquiry is one of the highest-stakes events a medical practice can face. The response in the first hours and days often determines the ultimate outcome.

Types of government inquiries
- Subpoena: a formal legal demand to produce documents or testimony; issued by a grand jury (criminal) or through civil litigation.
- Civil Investigative Demand (CID): a DOJ tool for investigating potential FCA violations; similar in effect to a subpoena but specific to civil FCA cases.
- MAC audit request: a request for medical records from a Medicare Administrative Contractor for pre-payment or post-payment review.
- RAC demand: a request for records from a Recovery Audit Contractor.
- OIG audit request: from the Office of Inspector General.

Immediate response steps
- Step 1: Do not ignore. A subpoena or CID must be responded to; ignoring it or not complying exposes the practice to obstruction charges and contempt.
- Step 2: Retain legal counsel immediately. Healthcare defense counsel should be engaged before any response is made; an attorney-client privileged relationship from the start protects communications about the investigation.
- Step 3: Preserve all relevant documents. Issue a litigation hold immediately; instruct all staff to preserve documents (paper, electronic, emails, text messages, EHR records) related to the subject matter of the inquiry; destroying documents after receiving a subpoena is obstruction of justice.
- Step 4: Do not speak to investigators without counsel. Government investigators are skilled at gathering admissions; any statement made without counsel may be used against the practice; instruct staff not to speak to investigators without the practice's attorney present.
- Step 5: Assess the scope. Work with counsel to understand what the government is investigating, what records are being requested, and what the compliance history is in the subject area.
- Step 6: Conduct a privileged internal investigation. An internal investigation under attorney-client privilege allows the practice to understand its own exposure before engaging with the government; this information informs the defense strategy.

MAC/RAC audit response
- For MAC/RAC documentation requests (which are administrative, not criminal), the process is less urgent but still requires responding within the deadline, providing complete and accurate records, and, if records are incomplete, consulting counsel before submitting.
Healthcare Compliance Specialists Who Protect Your Practice from Fraud and Abuse Liability
Valiant Lifecare's compliance specialists design and implement healthcare fraud and abuse prevention programs covering False Claims Act risk assessment, Stark Law and Anti-Kickback Statute compliance review, OIG Work Plan-aligned internal auditing, compliance program documentation, overpayment identification and self-disclosure management for physician practices and health systems.