PRACTICE AREAS

Healthcare Audit & Compliance

Healthcare compliance is not merely a regulatory obligation — it is an active defense against the federal government's most consistently aggressive enforcement priority. The HHS Office of Inspector General (OIG-HHS) publishes an annual Work Plan identifying the specific billing practices, provider types, and program areas targeted for heightened scrutiny in the coming year. Recovery Audit Contractors (RACs) operate on a contingency fee basis — they are paid a percentage of the overpayments they identify, creating a structural incentive for aggressive claims review. Medicare Administrative Contractors (MACs) conduct post-payment reviews and can demand repayment of overpayments with interest.

Healthcare Audit & Compliance

Why Compliance Matters

An effective healthcare compliance program accomplishes three things: it prevents billing irregularities from occurring; it detects them when they do occur; and it produces a documented record of good-faith compliance effort that can be presented to the government if an investigation begins.

Under the Federal Sentencing Guidelines (U.S.S.G. § 8C2.5(f)), an effective compliance program reduces organizational culpability scores — directly reducing fines and penalties.

In False Claims Act civil cases, a robust compliance program is frequently the difference between a declination and a full-scale investigation.

OIG's Seven Elements of an Effective Compliance Program

The OIG has published industry-specific compliance program guidance for hospitals, physician practices, home health agencies, and other provider types. All guidance documents are organized around seven core elements derived from the Federal Sentencing Guidelines:

A code of conduct and specific compliance policies addressing the organization's highest-risk areas: billing and coding standards, referral arrangement requirements, physician compensation compliance, HIPAA privacy and security, and employee reporting obligations. Policies must be specific enough to be actionable — generic policies that are not tailored to the organization's actual operations provide little protection.

A designated compliance officer with sufficient authority and resources, reporting directly to the governing board with independent access. A compliance committee with representation from billing, operations, legal, and clinical functions. The compliance officer must have real authority — a compliance function that can be overridden by revenue-generating personnel is not effective.

Regular, documented training for all staff on compliance obligations relevant to their specific roles. Annual training on billing and coding standards, Anti-Kickback Statute principles, and the organization's reporting hotline. Training records must be maintained — the government will ask for them.

An anonymous reporting mechanism — hotline, web-based reporting portal — through which employees can report suspected compliance violations without fear of retaliation. The False Claims Act's Anti-Retaliation provision (31 U.S.C. § 3730(h)) protects employees who report suspected fraud. The Sarbanes-Oxley Act (18 U.S.C. § 1513) provides additional protection.

Regular internal audits of billing and coding accuracy, including review of clinical documentation supporting billed services. External audits conducted at the direction of legal counsel provide an additional layer of objectivity and are protected by attorney-client privilege. Audit findings must be acted upon — an audit that identifies problems and is then ignored is worse than no audit at all.

Clear and consistently enforced disciplinary procedures for compliance violations — applied uniformly regardless of the violating employee's seniority or revenue contribution to the organization. Inconsistent discipline is one of the most significant red flags government investigators look for when evaluating whether a compliance program is genuine.

A documented procedure for investigating identified compliance issues, correcting the underlying problem, assessing overpayment obligations, and — where required — reporting to government agencies. The 60-day overpayment rule (42 U.S.C. § 1320a-7k(d)) requires repayment of identified Medicare and Medicaid overpayments within 60 days of identification and quantification.

RAC Audit Process — From ADR to Federal Court

Recovery Audit Contractors can review Medicare and Medicaid claims going back three years from the date of review. They identify overpayments and issue Additional Documentation Requests (ADRs) requiring providers to submit medical records supporting specific claims. The multi-level appeal process:

Additional Documentation Request (ADR)

RAC issues ADR requesting medical records for specific claim dates. Provider has 45 days to respond. Failure to provide documentation results in automatic denial as “no documentation.”

Overpayment Demand Letter

RAC reviews submitted documentation and makes a determination. If the claim is denied, the provider receives a demand for repayment specifying the amount and basis for denial.

Redetermination — First Level

Provider may request redetermination by the Medicare Administrative Contractor within 120 days. The MAC’s medical director reviews the claim and documentation.

Reconsideration — Second Level

If redetermination upholds denial, provider may request reconsideration by a Qualified Independent Contractor within 180 days.

ALJ Hearing — Third Level

Provider may request a hearing before an Administrative Law Judge within the Office of Medicare Hearings and Appeals within 60 days of the QIC decision.

Medicare Appeals Council — Fourth Level

Appeal to the Departmental Appeals Board Medicare Appeals Council.

Federal District Court — Fifth Level

Final appeal in federal district court when the jurisdictional threshold is met.

Corporate Integrity Agreements (CIAs)

A Corporate Integrity Agreement is a formal agreement between a healthcare organization and the OIG, typically imposed as a condition of settling a False Claims Act or healthcare fraud matter. CIAs run for 5 years and impose detailed compliance obligations monitored by an Independent Review Organization (IRO) selected and funded by the provider. Standard CIA obligations include: compliance training for all employees annually; compliance officer reporting directly to the board; IRO conducting annual claims reviews and reporting findings to OIG; compliance hotline; OIG exclusion database screening for all employees and contractors; and mandatory reporting of material compliance events to OIG within 30 days. Violation of a CIA can result in stipulated penalties of $2,500–$50,000 per day per violation and, in serious cases, can trigger debarment from federal healthcare programs.

MB Law provides healthcare compliance program design, risk assessment, internal audit management under attorney-client privilege, OIG exclusion screening program implementation, and CIA compliance assistance. Contact MB Law to assess your organization's compliance posture before the government does.

Healthcare Audit & Compliance

Physician Defense

Physicians and licensed healthcare providers occupy a uniquely vulnerable position in federal enforcement. A single federal investigation can simultaneously trigger state medical board proceedings, Medicare and Medicaid exclusion, DEA registration revocation, and criminal prosecution — each with independent and career-ending consequences. MB Law provides defense representation specifically calibrated to physicians and licensed providers facing federal scrutiny in Texas and Illinois, with the goal of preserving not just the legal matter but the physician's career, licensure, hospital privileges, and billing ability.

Federal Healthcare Fraud — 18 U.S.C. § 1347

The federal healthcare fraud statute makes it a federal crime to knowingly and willfully execute — or attempt to execute — a scheme to defraud any healthcare benefit program. Unlike the False Claims Act's civil standard, § 1347 requires the government to prove specific intent. The government builds this intent case through: billing pattern analysis showing the defendant billed at rates statistically outlying from peer physicians; patient testimony denying receipt of billed services; internal communications showing awareness of billing irregularities; and cooperating witness testimony from employees or former partners.

Outcome Statute Penalty
Felony conviction — basic 18 U.S.C. § 1347 Up to 10 years imprisonment per count + fines
Felony — serious bodily injury 18 U.S.C. § 1347 Up to 20 years imprisonment per count
Felony — death results 18 U.S.C. § 1347 Up to life imprisonment per count
Conspiracy to commit healthcare fraud 18 U.S.C. § 1349 Same as underlying offense; applies to billing managers, administrators, co-owners
Program exclusion (automatic on conviction) 42 U.S.C. § 1320a-7(a) Minimum 5-year mandatory exclusion from all federal healthcare programs

Controlled Substance Prescribing — 21 U.S.C. § 841

Physicians with DEA registration are authorized to prescribe Schedule II–V controlled substances for a legitimate medical purpose in the usual course of professional practice. When the government believes a physician is prescribing outside these parameters — whether through intentional over-prescribing, exploitation by patients, or inadequate documentation of medical necessity — the physician faces criminal prosecution under 21 U.S.C. § 841.

The Supreme Court's 2022 decision in Ruan v. United States (596 U.S. 619) significantly strengthened physician defenses by holding that the government must prove the physician subjectively knew or intended that their prescribing was unauthorized — not merely that a reasonable physician would not have prescribed as they did. This decision is central to MB Law's defense strategy in all DEA-related physician matters.

Drug Schedule Examples Criminal Penalty Under § 841
Schedule II Oxycodone, Fentanyl, Adderall, Ritalin Up to 20 years per count for first offense; 30 years if prior felony drug conviction
Schedule III Ketamine, Buprenorphine, Testosterone Up to 10 years per count; 20 years if prior felony drug conviction
Schedule IV Benzodiazepines, Tramadol, Ambien Up to 5 years per count
Schedule V Low-dose codeine combinations, Pregabalin Up to 1 year per count

In addition to criminal prosecution, DEA can initiate administrative proceedings to revoke or suspend the physician's DEA Certificate of Registration — which, for prescribers of controlled substances, effectively ends the ability to practice in most specialties. An Order to Show Cause can be issued on an immediate suspension basis when the DEA concludes there is an imminent danger to public health or safety.

Illinois Disciplinary Proceedings and Texas Medical Board

A federal criminal investigation or conviction invariably triggers state medical board proceedings. In Illinois, the Department of Financial and Professional Regulation (IDFPR) administers physician licensing discipline under the Medical Practice Act of 1987 (225 ILCS 60/). In Texas, the Texas Medical Board (TMB) has authority under the Texas Occupations Code to investigate and discipline physicians for unprofessional conduct — including conduct that is the subject of a federal criminal prosecution.

The critical intersection: a federal plea agreement that does not specifically address state licensing consequences can result in automatic license revocation or mandatory discipline proceedings. MB Law coordinates the federal defense with state licensing implications from the outset — ensuring that plea terms, cooperation agreements, and any public admissions are structured with the licensing consequences in full view.

Medicare and Medicaid Exclusion — 42 U.S.C. § 1320a-7

Conviction for healthcare fraud, false statements relating to healthcare matters, obstruction of a healthcare investigation, or controlled substance felonies triggers mandatory exclusion from all federal healthcare programs under 42 U.S.C. § 1320a-7(a). Mandatory minimum exclusion is 5 years — and can be permanent for repeat offenders or those with aggravated conduct. For a physician whose practice depends on Medicare and Medicaid reimbursement, mandatory exclusion is economically equivalent to the end of medical practice.

MB Law's defense strategy in physician cases prioritizes structuring any resolution to avoid mandatory exclusion triggers wherever possible — through negotiating the specific count of conviction, the characterization of the offense in plea documents, and pre-plea cooperation designed to reduce charges to non-triggering offenses.

Received a Medicare audit demand, OIG subpoena, DEA inquiry, or target letter? Do not respond without experienced defense counsel. Contact MB Law. The first 72 hours after receiving government contact determine whether an inquiry becomes a criminal prosecution.

Healthcare Audit & Compliance

Compliance Services — Advisory & Program Design

MB Law provides comprehensive compliance advisory services for healthcare organizations, government contractors, and regulated businesses in Texas and Illinois. Every compliance program MB Law designs is built with one overriding question in mind: if the government investigates this organization tomorrow, what will the compliance record show? A compliance program that looks good on paper but is not operationally implemented provides no protection when the government is in the room. A compliance program that is genuinely embedded in operations, regularly tested, and actively managed provides meaningful mitigation of enforcement risk — and the documented record to prove it.

Anti-Kickback Statute (AKS) Compliance — 42 U.S.C. § 1320a-7b(b)

The Anti-Kickback Statute prohibits the offer, payment, solicitation, or receipt of anything of value — directly or indirectly, overtly or covertly — to induce or reward referrals of items or services covered by federal healthcare programs. The AKS is an intent-based statute requiring willfulness, but courts have consistently held that the government need prove only that one purpose of the arrangement was to induce referrals — even if the arrangement had other legitimate purposes. The AKS carries criminal penalties of up to 10 years per violation plus a $100,000 fine, mandatory exclusion from federal healthcare programs, and civil monetary penalties of up to $100,000 per kickback plus 3× the remuneration paid.

The OIG has promulgated statutory and regulatory Safe Harbors defining arrangements that, if fully meeting all conditions, will not be prosecuted under the AKS:

Safe Harbor Key Requirements Common Compliance Failures
Personal Services and Management Contracts (42 C.F.R. § 1001.952(d)) Written agreement; covers all services; aggregate compensation set in advance; FMV; not based on referral volume or value Compensation varies with referrals; no written agreement; fees not documented as FMV
Space Rental (42 C.F.R. § 1001.952(b)) Written agreement; at least 1-year term; FMV rent; not based on referral volume Below-market rent; co-mingling of space; failure to renew at term end
Equipment Rental (42 C.F.R. § 1001.952(c)) Written agreement; at least 1-year term; FMV rental rate; not based on referral volume Below-market rates; no written agreement; use tied to referral patterns
Employment (42 C.F.R. § 1001.952(i)) Bona fide employee; FMV compensation for services actually performed Shell employee status; compensation tied to referral patterns
MSO Arrangements (no specific safe harbor) FMV for actual services rendered; not disguised referral payment; not based on volume or value of referrals; documented FMV opinion Management fees set above FMV; no documentation of actual services; fees fluctuate with referral volume

Stark Law Compliance — 42 U.S.C. § 1395nn

The Physician Self-Referral Law (Stark Law) prohibits physicians from referring patients for designated health services (DHS) payable by Medicare or Medicaid to an entity with which the physician or an immediate family member has a financial relationship — unless a specific statutory or regulatory exception applies. Unlike the AKS, the Stark Law is a strict liability statute: intent is completely irrelevant, and a single technical violation triggers the prohibition and requires repayment of all claims tainted by the impermissible referral relationship. The government does not need to prove the physician intended to violate the law.

MB Law assists physician groups, hospitals, and management service organizations in: identifying and documenting applicable Stark exceptions for all physician compensation arrangements; reviewing new arrangements before implementation for Stark compliance; and advising on the CMS Self-Referral Disclosure Protocol (SRDP) when potential violations are identified — SRDP settlements have historically been reached at less than full repayment of identified overpayments when the provider demonstrates good faith and implements corrective measures.

Management Service Organization (MSO) Compliance — Texas and Illinois

The MSO model — in which a non-physician management company provides administrative and management services to a physician practice in exchange for a management fee — is widely used to facilitate non-physician investment in healthcare operations in states with corporate practice of medicine (CPOM) prohibitions. Both Texas and Illinois maintain CPOM restrictions that prohibit non-physician entities from employing physicians and exercising control over clinical decision-making.

An MSO arrangement that is not carefully structured can simultaneously constitute: an AKS violation if the management fee is in whole or part a disguised referral payment; a Stark violation if the arrangement creates a financial relationship between a physician and an entity receiving DHS referrals without an applicable exception; and a CPOM violation if the MSO exercises excessive control over clinical operations. MB Law drafts and reviews MSO agreements for multi-state operations (Texas and Illinois) with attention to: establishing management fees at FMV for services actually rendered; preserving physician clinical independence; documenting the AKS analysis through a qualified healthcare appraiser FMV opinion; and structuring governance to comply with each state's CPOM requirements.

The government treats AKS violations as both criminal matters and the predicate for False Claims Act civil liability. Every compensation arrangement between a physician and an entity that receives physician referrals should be reviewed by experienced healthcare counsel before it is implemented.

Strategic Federal Defense Starts Early

Early legal intervention can significantly impact the outcome of a federal investigation or prosecution.

Mansoor Broachwala, Esq. — Licensed in Illinois since 2017

ATTORNEY ADVERTISING. This website is for informational purposes only. Visiting this website does not create an attorney-client relationship. Do not submit confidential information until an engagement agreement has been executed. Past results do not guarantee future outcomes.