PRIA Logo
Back to search
HealthcareHealthcare Regulation

Healthcare Fraud, Anti-Kickback & Stark Law

21 min read·Updated May 12, 2026

Healthcare Fraud, Anti-Kickback & Stark Law

Healthcare fraud costs the United States an estimated $100 billion or more annually — and the federal government's primary tools for fighting it are the Anti-Kickback Statute (AKS), the Physician Self-Referral Law (Stark Law), and the False Claims Act (FCA). Together, these laws prohibit paying for patient referrals, ban physicians from referring Medicare/Medicaid patients to entities in which they have financial interests, and impose massive penalties for submitting false claims to government healthcare programs (see Medicare Part B and Medicaid for the programs most affected). If you're a physician, hospital, pharmacy, lab, or any other healthcare provider billing Medicare or Medicaid, these three laws define the boundaries of your business relationships.

Current Law (2026)

ParameterValue
Anti-Kickback Statute42 U.S.C. § 1320a-7b(b) — criminal prohibition on healthcare kickbacks
AKS penaltyFelony: up to 10 years imprisonment and $100,000 fine per violation
Stark Law42 U.S.C. § 1395nn — prohibition on physician self-referrals
Stark penaltyNo criminal liability; civil: refund of claims + up to $26,000 per service + exclusion
False Claims Act31 U.S.C. §§ 3729-3733 — civil liability for false/fraudulent claims
FCA penaltyTreble damages + $14,308-$28,619 per false claim (DOJ 2025 adjustment; updated annually)
Qui tamFCA whistleblowers receive 15-30% of recovery
Safe harbors (AKS)OIG-issued regulatory exceptions for legitimate business arrangements
Stark exceptionsStatutory and regulatory exceptions for employment, in-office ancillary, etc.

| Annual healthcare fraud recoveries | $2-3+ billion through DOJ enforcement |

  • 42 U.S.C. § 1320a-7b(b) — Anti-Kickback Statute (it is a criminal offense to knowingly and willfully offer, pay, solicit, or receive any remuneration to induce or reward referrals of patients for items or services payable by federal healthcare programs)
  • 42 U.S.C. § 1395nn — Stark Law / Physician Self-Referral (if a physician or immediate family member has a financial relationship with an entity, the physician may not make referrals to that entity for designated health services payable by Medicare; the entity may not bill Medicare for such services; violations require refund and trigger civil monetary penalties)
  • 42 U.S.C. § 1320a-7a — Civil monetary penalties (HHS Secretary may impose penalties for false claims, kickbacks, and other specified misconduct; penalties up to $100,000 per violation plus treble damages)

How It Works

The Anti-Kickback Statute is the broadest of the three laws. It prohibits any remuneration — cash, gifts, free services, lavish dinners, below-market rent, sham consulting fees — given in exchange for patient referrals to providers billing federal healthcare programs. "Remuneration" is interpreted expansively: if one purpose of a payment is to induce referrals, it violates the AKS, even if the arrangement has legitimate business purposes too. The AKS is a criminal statute — willful violations are felonies carrying up to 10 years in prison.

To protect legitimate business arrangements, the OIG has issued safe harbor regulations that define specific practices immune from AKS prosecution: bona fide employment relationships, personal services contracts at fair market value, investment interests in publicly traded entities, discounts properly disclosed, and others. If your arrangement fits squarely within a safe harbor, you're protected. If it doesn't, you need careful legal analysis.

The Stark Law is narrower but operates as a strict liability statute — no intent requirement. If a physician (or immediate family member) has a financial relationship (ownership interest or compensation arrangement) with an entity, the physician may not refer Medicare patients to that entity for designated health services (clinical lab, physical therapy, imaging, DME, home health, and others). The entity may not bill Medicare for referred services. Violations require refund of all claims plus civil monetary penalties.

Stark has its own set of exceptions — for employment, in-office ancillary services, fair market value leases and contracts, academic medical centers, and others. The exceptions are technical and rigid — even minor noncompliance can trigger liability for the entire referral relationship.

The False Claims Act is the enforcement multiplier. A claim submitted in violation of the AKS is automatically a false claim under the FCA. A claim submitted pursuant to a Stark-violating referral is similarly a false claim. The FCA imposes treble damages plus per-claim penalties — making a pattern of illegal referrals potentially worth hundreds of millions in liability. The FCA's qui tam provision allows private whistleblowers to file suit on behalf of the government and receive 15-30% of any recovery, creating powerful financial incentives to report fraud.

DOJ and HHS OIG are the primary enforcement agencies, recovering $2-3+ billion annually through healthcare fraud investigations and settlements. The Health Care Fraud Prevention and Enforcement Action Team (HEAT) targets the most egregious fraud schemes — billing for services never provided, upcoding, unbundling, and kickback-driven referral mills.

How It Affects You

If you're a physician with financial relationships at referral destinations: The Stark Law and Anti-Kickback Statute operate simultaneously and have different structure — Stark is civil strict liability (no intent required), AKS is a criminal intent-based statute — but the practical effect is the same: every financial relationship you have with any entity you refer Medicare/Medicaid patients to must be analyzed carefully. "Financial relationship" is extremely broad: employment, space leases, equipment leases, personal service arrangements, investment interests, and loans all qualify. If the arrangement doesn't fit a Stark exception and an AKS safe harbor, you have potential exposure even if you never thought of it as a kickback. The most important practical safeguards: (1) Fair market value compensation — what you receive must be consistent with what an independent assessment would determine, not influenced by your referral volume; internal valuations aren't enough for high-risk arrangements; (2) Don't accept anything of value from vendors — meals, tickets, consulting fees, research support — without a specific legal analysis of whether it fits an AKS safe harbor; (3) Get a written opinion from healthcare counsel before entering any financial arrangement with a referral destination. Stark violations must be self-disclosed through the CMS Self-Disclosure Protocol; delayed disclosure typically increases penalties. OIG's Self-Disclosure Protocol is at oig.hhs.gov/compliance/self-disclosure-info.

If you're a hospital, health system, or practice group managing physician arrangements: Every physician employment agreement, medical director contract, on-call coverage payment, space lease, and joint venture is subject to both Stark and AKS review. The penalties for getting this wrong are catastrophic: each Stark violation carries up to $15,000 per improper claim + exclusion from Medicare/Medicaid; AKS violations carry up to $100,000 per violation + 10 years imprisonment + False Claims Act treble damages on every claim submitted. The False Claims Act's qui tam provision means any employee, vendor, or competitor can file suit on behalf of the government and receive 15–30% of any recovery. Your exposure on a years-long kickback arrangement can easily reach eight figures. Core compliance requirements: (1) Annual fair market value re-certification for all physician compensation arrangements; (2) Written documentation of every financial arrangement before it begins (oral arrangements are a red flag in DOJ investigations); (3) A robust compliance hotline and genuinely independent compliance officer who reports to the board, not just the CFO. The HHS OIG Work Plan (oig.hhs.gov/reports-and-publications/workplan) identifies current investigation priorities — review it annually to understand where government scrutiny is focused.

If you work in pharmaceutical or medical device sales or marketing: The largest fraud settlements in U.S. history — GlaxoSmithKline ($3 billion, 2012), Pfizer ($2.3 billion, 2009), Abbott ($1.5 billion, 2012) — came primarily from AKS violations: speaker programs used to funnel payments to prescribers, consulting contracts that weren't real consulting, research grants that were thinly disguised inducements. The AKS safe harbor for speaker programs requires that: the speaker be paid fair market value for genuine educational services, the topic be a legitimate medical education need, and payments not be tied to prescribing volume. Compliance red flags that DOJ has consistently targeted: paying "thought leaders" for programs with no attendees or attendees who are friends; lavish meals that exceed reasonable educational expense; continuing the same speaker relationship despite flat or declining prescribing. The PhRMA Code (phrma.org/codes) and AdvaMed Code (advamed.org/member-resources/code-of-ethics) set voluntary industry standards that mirror AKS safe harbor requirements; failure to follow your own code can be used against you in False Claims Act litigation. If you become aware of conduct that may violate these rules, consult employment counsel — qui tam plaintiffs (whistleblowers) are often current or former employees, and you have rights and protections under both the FCA and your state's whistleblower laws.

If you're a Medicare or Medicaid patient or a healthcare whistleblower: Kickback-driven referrals are not victimless fraud — they direct patients to providers chosen for financial reasons rather than quality, and they drain resources from a system you pay into through taxes and premiums. If you have information about potential healthcare fraud — unnecessary procedures, billing for services not rendered, kickback arrangements between physicians and labs or device companies — the False Claims Act's qui tam provision allows you to file a sealed lawsuit on behalf of the federal government and potentially receive 15–30% of any recovery. Qui tam cases must be filed by an attorney; contact a healthcare fraud qui tam attorney for a confidential consultation before approaching any government agency — the "first to file" rule means earlier filers have priority. The Government Accountability Project (whistleblower.org) and National Whistleblower Center (whistleblowers.org) provide resources for understanding your protections. You can also report suspected healthcare fraud directly to the HHS OIG Hotline at 1-800-HHS-TIPS or submit online at tips.oig.hhs.gov — these reports don't entitle you to a share of recovery but can trigger government investigations.

State Variations

Federal healthcare fraud laws apply to Medicare and Medicaid (federal share). States add their own layers:

  • Most states have their own anti-kickback statutes, some broader than the federal AKS (applying to all payers, not just government programs)
  • Some states have physician self-referral laws similar to Stark
  • State Medicaid fraud control units investigate and prosecute fraud in the state Medicaid program
  • State false claims acts (modeled on the federal FCA) provide additional enforcement mechanisms with qui tam provisions
  • State medical licensing boards can discipline physicians for fraud independently of criminal prosecution

Implementing Regulations

  • 42 CFR Part 1001 — Program Integrity — Medicare and State Health Care Programs (38 sections — the OIG's exclusion regulations governing who is barred from participating in Medicare, Medicaid, and other federal health programs):

    • § 1001.101Mandatory exclusion: the OIG must exclude any individual or entity convicted of (1) a criminal offense related to Medicare or Medicaid, (2) neglect or abuse of patients, (3) a felony related to health care fraud, or (4) a felony for unlawful manufacture/distribution/prescription of controlled substances; minimum 5-year exclusion with no discretion; a second mandatory exclusion is permanent
    • § 1001.102 — Length of exclusion: minimum 5 years; aggravating factors (prior offenses, obstruction conviction, patient harm, scale of fraud) extend the period; mitigating factors (full cooperation, minor role, no prior history) support reinstatement at 5 years rather than extension
    • §§ 1001.201–1001.1801Permissive exclusion grounds: the OIG may (but need not) exclude for broader conduct including: misdemeanor health care fraud; license revocation or surrender; exclusion from other federal programs; providing excessive or medically unnecessary services; failure to disclose certain information; owner/controlling interest exclusion when an entity is owned by an excluded person (§ 1001.1001); default on health education loans (§ 1001.1501); false statements or misrepresentation (§ 1001.1552)
    • § 1001.1901 — Scope and effect of exclusion: excluded persons may not submit claims to any federal health program; no payment will be made for any item or service furnished, ordered, or prescribed by an excluded provider; employers that bill for services of excluded personnel face civil money penalties of $10,000 per item/service plus treble damages; providers must check the OIG LEIE (List of Excluded Individuals/Entities at oig.hhs.gov/exclusions) before hiring and monthly thereafter for all employees and contractors
    • §§ 1001.2001–1001.2002 — Process: OIG provides 30-day notice of intent to exclude; formal exclusion notice is effective 20 days after issuance; excluded parties may request an Administrative Law Judge hearing and appeal to the HHS Departmental Appeals Board and federal courts

    The LEIE is publicly searchable and must be checked against an organization's entire workforce monthly — automated monthly LEIE checks are a baseline healthcare compliance requirement. Employing an excluded person while billing federal health programs is itself a False Claims Act violation, creating treble damages exposure on every claim submitted during the excluded person's employment.

  • 42 CFR Part 1003 — OIG Civil Money Penalties (CMP) Law implementing Social Security Act §§ 1128A and 1140 — the enforcement regulation for monetary penalties, assessments, and exclusion across Medicare and Medicaid fraud categories:

    • §§ 1003.1000–1003.1020 — Remuneration and kickback penalties: up to $20,000 per violation (for violations after February 9, 2018) plus exclusion from federal health programs; penalties apply to offers, payments, solicitations, and receipt of kickbacks for patient referrals or orders for covered items or services
    • § 1003.130 — Assessment in lieu of damages: the OIG may impose an assessment of up to three times the remuneration in lieu of actual damages, adding a multiplier to the per-violation penalty
    • §§ 1003.1100–1003.1120 — False claims penalties: $5,000 per item or service falsely claimed under §1003.1100(a)–(c); $25,000 per violation for false DMEPOS claims, claims for services by excluded persons, and other specified categories; false claims penalties under Part 1003 are the OIG administrative track — separate from (and stackable with) False Claims Act liability in DOJ civil litigation
    • §§ 1003.1200–1003.1220 — Drug pricing transparency penalties: manufacturers who report false best prices or average manufacturer prices to CMS face up to $100,000 per misrepresentation plus $10,000 per day for continuing violations — directly affecting Medicaid rebate calculations and drug coverage determinations
    • §§ 1003.1300+ — Patient dumping / EMTALA violations: hospitals that fail to provide required emergency screening, stabilization, or appropriate transfer face CMPs of up to $50,000 per violation (small hospitals ≤ 100 beds pay $25,000)

    The CMP process is administrative, not criminal — the OIG issues a demand letter, the respondent has 60 days to request a hearing before an Administrative Law Judge, and final OIG decisions are appealable to the HHS Departmental Appeals Board and federal courts. Exclusion from Medicare and Medicaid (which can accompany any CMP) is often more consequential than the monetary penalty for healthcare providers dependent on government payer revenue.

  • 42 CFR Part 402 — CMS Civil Money Penalties, Assessments, and Exclusions (29 sections — CMS's (not OIG's) civil enforcement regulations; unlike Part 1003 which is OIG-administered for fraud/kickback violations, Part 402 governs CMS-administered penalties for Medicare/Medicaid billing and payment violations):

    • § 402.1 — Basis and scope: Part 402 implements the Social Security Act provisions authorizing CMS to impose civil money penalties against providers and suppliers that: submit false or fraudulent claims; submit claims for services not medically necessary; fail to maintain adequate records; violate certain provider enrollment or participation agreement obligations; Part 402 penalties are distinct from OIG's Part 1003 penalties — Part 402 is for Medicare/Medicaid billing system compliance while Part 1003 targets broader fraud, kickback, and abuse schemes
    • § 402.105Amount of penalty: the base penalty is $2,000 per false or fraudulent claim submitted to Medicare or Medicaid; for certain violations (billing for non-covered services without required patient notice, billing for items furnished by an excluded person), specific penalty amounts are set by statute; all Part 402 penalty amounts are subject to annual inflation adjustment under the Federal Civil Penalties Inflation Adjustment Act; as of 2026, the $2,000 base amount has been adjusted upward to approximately $12,000-$15,000 per claim; the actual amount assessed within the statutory range is based on the factors in § 402.111
    • § 402.107 — Assessments: in addition to per-claim penalties, CMS may assess an amount up to three times the Medicare/Medicaid payment received for the false claim; assessments are in lieu of actual damages and provide a multiplier on top of the penalty amount
    • § 402.109Statistical sampling: CMS may use statistical sampling and extrapolation to determine the total penalty and assessment amounts for large volumes of claims; rather than reviewing every claim individually, CMS can review a statistically valid sample and extrapolate to the full universe of potentially violative claims; respondents may challenge statistical methodology but not the use of sampling per se; statistical sampling is used in all large-scale post-payment review audits (RAC audits, ZPIC/UPIC reviews)
    • § 402.111Factors in penalty determination: factors CMS considers when setting penalty amounts include: (1) the baseline submitted (nature of the act, whether services were actually provided, whether the beneficiary was harmed); (2) the Medicare/Medicaid loss; (3) the risk of harm to beneficiaries; (4) the provider's prior history of violations; (5) the financial condition of the provider; (6) the degree of culpability; these factors allow CMS to impose maximum penalties for repeat violators and reduce penalties for first-time providers who self-disclose
    • § 402.113 — When penalties become final and collectible: penalties are due after the earlier of: (1) the expiration of the 60-day request-for-hearing period without a request; (2) the date a final decision is issued after a hearing; unpaid penalties accrue interest and are subject to setoff against future Medicare/Medicaid payments — CMS can automatically reduce future payments to collect outstanding penalties without court action

    Part 402 operates in parallel with OIG's Part 1003 — the same conduct (submitting false claims) can trigger both CMS administrative penalties and OIG exclusion, with the two agencies coordinating through the national fraud enforcement programs. Recent rulemakings: 88 FR 70372 (October 2023) — annual penalty inflation adjustment; 66 FR 49546 (September 2001) — updated procedural requirements.

  • 42 CFR Part 401 (Subpart D) — CMS Reporting and Returning of Medicare Overpayments (§§ 401.301–401.305 — the implementing regulation for the 60-day overpayment return rule, one of the most significant False Claims Act compliance obligations for Medicare providers and suppliers):

    • § 401.305(a) — Scope: applies to providers and suppliers that identify overpayments from Medicare Parts A and B; an "overpayment" is any funds received or retained by a person after the proper amount of payment has been determined — including improper cost report settlements, duplicate payments, payments for excluded items or services, and billing errors
    • § 401.305(b) — 60-day obligation: a provider or supplier that has "identified" an overpayment must report and return it within 60 days of identification; the 60-day clock runs from when the provider has or should have quantified the overpayment, not from when it first suspects a problem; failure to return an identified overpayment by day 60 creates an "obligation" within the meaning of the False Claims Act — converting what might have been an innocent billing error into an FCA violation subject to treble damages
    • § 401.305(f) — "Identified" standard: CMS uses a "should have known" (constructive knowledge) standard — a provider has "identified" an overpayment when it has determined, or should have determined through the exercise of reasonable diligence, that it received an overpayment; providers cannot avoid the 60-day clock by delaying their internal investigation; once a provider has information about a potential overpayment, it must act with "reasonable diligence" to investigate and quantify the amount
    • § 401.305(c) — Lookback period: the obligation extends back 6 years from the date the overpayment was received; providers must return overpayments even if identified years after they were paid; the 6-year lookback aligns with the False Claims Act statute of limitations
    • § 401.305(d) — How to return: overpayments are returned to the applicable Medicare Administrative Contractor (MAC) with a written explanation of the reason; providers may also voluntarily self-disclose through the OIG's Self-Disclosure Protocol or CMS's Voluntary Self-Referral Disclosure Protocol (for Stark violations) — self-disclosure typically results in a lower multiplier than post-investigation demand
    • § 401.305(e) — Tolling during investigations: the 60-day obligation is suspended when the provider has reported the potential overpayment to OIG, DOJ, or another federal law enforcement agency; providers who discover overpayments during an ongoing government investigation should confirm tolling with counsel before holding funds past 60 days

    The 60-day rule operates as a trip wire for FCA liability: a provider who knows (or should know) about an overpayment and sits on it past day 60 is no longer merely a debtor — it has "retained" government funds it knows it is not entitled to keep, creating an FCA reverse-false-claim violation. This was established in U.S. ex rel. Kane v. Health First (2016), where a court ruled that a hospital's failure to return Medicaid overpayments identified in its own data analysis was an FCA violation. Recent rulemakings: 81 FR 7654 (February 2016) — promulgated the current Subpart D rules, adding the "should have known" (reasonable diligence) standard for when an overpayment is "identified" and extending the obligation to all Medicare Parts A and B providers and suppliers.

  • 42 CFR Part 411 — CMS physician self-referral (Stark Law) (§§ 411.350–411.389 — definitions, exceptions, reporting requirements for designated health services)

  • 42 CFR Part 1128 — State Medicaid fraud control units (required state enforcement activities)

  • 42 CFR Part 420 — Program Integrity: Medicare: the foundational Medicare ownership disclosure and records-access regulation, implementing Social Security Act §§ 1124, 1124A, 1126, and 1861(v)(1)(i). Part 420 establishes a baseline transparency requirement: every Medicare provider, supplier, and fiscal intermediary must disclose who owns and controls the entity — because undisclosed ownership relationships are a primary mechanism for routing Medicare dollars to excluded individuals, convicted felons, or related parties in kickback arrangements.

    • § 420.201 — Definitions: "disclosing entity" includes every Medicare provider, Part B supplier, and intermediary; "person with an ownership or control interest" means anyone who owns 5% or more (directly or indirectly) of the entity, any creditor with a security interest in 5%+ of the entity's assets, or any officer, director, partner, or managing employee — the 5% threshold is low enough to capture significant minority stakes that might otherwise be obscured through nominee ownership
    • § 420.202 — Determining indirect ownership: indirect ownership percentages are calculated by multiplying the percentages of each entity in the chain — if A owns 10% of B, and B owns 40% of the provider, A has a 4% indirect ownership interest; because 4% falls below the 5% threshold, this layering technique can mask controlling interests; Part 420's multiplication rule forces disclosure of ownership chains rather than just the immediate entity level
    • § 420.203 — Former intermediary employee disclosure: a provider must notify CMS promptly if it hires or contracts with an individual who worked for its Medicare fiscal intermediary or carrier at any time during the preceding 12 months; the revolving-door disclosure prevents a situation where a fiscal intermediary employee — who knows which claims get paid and how CMS audits work — moves directly to a Medicare provider without that conflict being visible to CMS
    • § 420.204 — Criminal conviction disclosure: before CMS accepts a provider agreement or issues a supplier billing number, and at any time upon written request, the provider must disclose whether any person with an ownership or control interest has been convicted of Medicare/Medicaid program-related crimes within the preceding 10 years; conviction of a program-related crime is a mandatory exclusion trigger under § 1128(a) of the Act — Part 420 ensures CMS learns of those convictions before enrolling or re-enrolling a provider
    • § 420.205 — Business transaction information: providers and Part B suppliers must submit, within 35 days of a written CMS request, full information on ownership of any subcontractors that received more than 25% of their total operating cost in any of the past five years; the 35-day deadline and the 25% subcontractor threshold force disclosure of arrangements where a provider offloads actual service delivery to related parties while retaining the Medicare billing relationship
    • § 420.206 — Annual disclosure of ownership, financial, and control interests: disclosing entities must submit ownership and control information in the manner CMS specifies — including names, addresses, Social Security numbers (for individuals), and TINs (for entities); this information feeds CMS's provider enrollment database and the OIG's exclusion screening system; CMS cross-references disclosed owners against the OIG exclusion list and the SAM.gov debarment list
    • § 420.300 — Access to records (contractor access requirement): Medicare contractors that hold contracts with CMS worth more than $10,000 must give the Secretary of HHS and the Comptroller General access to their books, documents, and records for audit on written request — the foundational audit access right implementing the Comptroller General's oversight authority under 42 U.S.C. § 1395l(v)(1)(I); without this provision, Medicare's $800+ billion annual spend would flow through a network of contractors and providers whose records were beyond federal audit reach

    Part 420's ownership disclosure framework is the front-end of Medicare's integrity architecture — before exclusion lists, civil money penalties, or fraud investigations come into play, CMS must know who it is doing business with. The requirement is particularly consequential because Medicare program participation is a significant economic asset; excluded individuals have strong incentives to hide their ownership stakes behind nominees, family members, or layered entities. CMS's Provider Enrollment, Chain and Ownership System (PECOS) database is the operational implementation of Part 420's disclosure requirements — PECOS holds ownership and control data for all enrolled Medicare providers and must be updated when ownership changes. No major amendments to the ownership disclosure subparts in recent years; the contractor access provisions were last substantively updated to reflect HIPAA and contractor consolidation.

  • 42 CFR Part 1008 — OIG Advisory Opinions (21 sections — the procedural framework under which any individual or entity may request a formal written opinion from the HHS Office of Inspector General on whether a proposed or existing business arrangement violates the anti-kickback statute or other OIG enforcement authorities; authority: 42 U.S.C. § 1320a-7d(b)):

    • § 1008.5 — Matters subject to advisory opinions: the OIG will opine on what constitutes "prohibited remuneration" under the AKS; whether conduct constitutes grounds for OIG sanctions, civil money penalties, or exclusion; and whether a proposed arrangement would be subject to permissive exclusion; the OIG will not opine on Stark Law self-referral issues (those go to CMS), ongoing criminal investigations, or arrangements already under investigation
    • § 1008.11 — Who may submit: any individual or entity may request an advisory opinion regarding an existing or proposed arrangement — the opinion must describe a specific factual situation, not a hypothetical; the request must disclose all owners with 5%+ interest, all parties to the arrangement, and full details of the financial terms; incomplete or misleading requests may result in withdrawal of the opinion
    • § 1008.31 — Fees: the requestor pays OIG's costs for researching and drafting the opinion — typically $250–$350 per hour for legal and economic analysis; OIG bills at cost, not a fixed fee; complex arrangements (physician group joint ventures, device manufacturer arrangements, bundled payment structures) can generate fees of $10,000–$30,000 or more; requestors may withdraw before the opinion is issued to avoid additional charges
    • § 1008.43 — Issuance and binding effect: once issued and payment received, a formal advisory opinion is binding on the OIG with respect to the requesting party for the exact arrangement described — OIG cannot impose AKS sanctions on the requestor for conduct that conforms to the opinion; the opinion is not binding on DOJ (which enforces AKS criminally), state Medicaid fraud units, or other agencies; and it applies only to the specific parties in the request — competitors operating the same arrangement have no safe harbor protection from a competitor's advisory opinion
    • § 1008.45 — Rescission: OIG may rescind an opinion if the requestor provided false or incomplete information, if the law changes materially, or if the facts change; rescission applies prospectively — reliance on a valid opinion before rescission provides protection

    OIG advisory opinions are public documents (available at oig.hhs.gov) and represent the most authoritative statement OIG can make on AKS compliance short of a safe harbor. Healthcare lawyers routinely analyze the full corpus of OIG advisory opinions (400+ since 1997) to understand how OIG interprets ambiguous AKS issues — particularly novel arrangements (telemedicine, AI-driven referrals, value-based care structures) that predate or fall outside existing safe harbors. An advisory opinion favorable to your arrangement provides strong protection in a DOJ investigation: prosecutors are unlikely to bring criminal AKS charges against conduct OIG explicitly blessed in writing, even if the arrangement is factually distinguishable. Recent advisory opinion trends: OIG has issued favorable opinions for several risk-sharing and outcomes-based payment arrangements (2022-2024) that would have been more difficult under the pre-2021 safe harbor framework, signaling increasing comfort with value-based structures that share savings but not Medicare or Medicaid revenues.

Pending Legislation

  • S 1390 (Sen. Lankford, R-OK) — Ease Stark physician self-referral limits for covered rural hospitals. Status: Introduced.

Recent Developments

Healthcare fraud enforcement has continued at high levels, with DOJ recovering billions annually. Recent trends include increased scrutiny of telehealth fraud (accelerated by COVID-19 telehealth expansion), opioid-related fraud (prescribing mills, illegal distribution), laboratory testing kickbacks, and genetic testing fraud. CMS has issued updated Stark regulations simplifying compliance for value-based care arrangements. The OIG has modernized its safe harbor regulations to accommodate care coordination and outcomes-based payment models. Private equity investment in healthcare — and its potential to create AKS and Stark issues — has drawn regulatory attention. The False Claims Act remains the government's most powerful recovery tool, with qui tam filings accounting for the majority of FCA healthcare cases.

  • Telehealth fraud enforcement surge (2023-2025): DOJ's telehealth fraud takedowns have been among the largest healthcare fraud enforcement actions in history. A 2023 enforcement action charged 78 defendants with $2.5 billion in false telehealth billing; a 2024 action charged 193 defendants with $2.75 billion in fraudulent telehealth prescriptions for DME, genetic testing, and controlled substances ordered without real patient contact. The COVID telehealth expansion enabled legitimate care but also created an environment where fraudsters could bill for services never rendered by recruiting patients, paying kickbacks for orders, and using telehealth as a front for DME and lab fraud.
  • OIG's 2024 General Compliance Program Guidance: The HHS Office of Inspector General released comprehensive updated compliance program guidance for healthcare providers in November 2023 — the first major OIG guidance update in 20+ years. The guidance modernized expectations around risk assessment, training, internal monitoring, and response to detected violations. Healthcare organizations that fail to implement effective compliance programs face not only FCA liability but potential exclusion from Medicare and Medicaid — effectively a death sentence for most providers.
  • Private equity and AKS scrutiny (2024-2025): DOJ and OIG have targeted private equity-backed healthcare companies for AKS violations — particularly management service agreement (MSA) arrangements where PE firms receive fees from physician practices they nominally manage, potentially constituting remuneration for referrals. PE-backed dermatology, urology, and ophthalmology practices have been investigated. OIG issued a Fraud Alert on certain MSA structures. The intersection of PE's financial engineering with healthcare's complex referral network creates structural AKS risk.
  • AI and healthcare fraud detection (2025): CMS and DOJ have deployed AI-driven fraud detection systems — analyzing billing patterns, prescribing behavior, and clinical documentation for anomalies that suggest fraud. AI systems have identified billing fraud by detecting statistically impossible procedure volumes (e.g., a physician billing for more hours than in a day), geographic anomalies (patients traveling implausible distances for services), and documentation irregularities. Simultaneously, fraudsters are using AI to generate more plausible clinical documentation — an AI arms race in healthcare fraud detection and commission.

At My Address

See how Healthcare Fraud, Anti-Kickback & Stark Law plays out in your area

Pull up the federal-data report for any U.S. ZIP — federal spending, environmental risk, hospitals, schools, your reps, all on one page.

Enter your address