Identifying and managing risks with third-party relationships


While most organizations have a central mission and scope of services, it is not uncommon for various organizational departments to view third-party relationships and risks differently. For example, a clinical business unit may decide to contract with a vendor to provide widgets. However, that business unit does not know that the contracting vendor is about to be involved in a large-scale Anti-Kickback Statute (AKS) investigation. While there are no crystal balls to predict which third parties can create large-scale risks for an organization, it is reasonable to see that there could be compliance implications in each arrangement. One of the worst things a compliance officer or department can do is take a completely hands-off approach to third-party arrangements. Compliance leaders should establish strong working relationships with senior leadership and operational leaders. This will better enable compliance professionals to explain the risks that third parties present, generate support for the development and implementation of a compliance program, and, when needed, provide the organization with a rationale for the spending of corporate dollars to manage the program to address risks.

Third-party relationships cannot be managed without first understanding the regulations and compliance risks associated with these arrangements. These risks directly impact many of the daily legal and regulatory requirements compliance professionals encounter. It is important to understand how each of the following laws and regulations affects third-party relationships.

Federal Exclusion Statute

The Federal Exclusion Statute prohibits entities that participate in federal healthcare programs from entering or maintaining certain relationships with individuals or entities that have been excluded from participation in federal healthcare programs.[1] The U.S. Department of Health & Human Services (HHS), Office of Inspector General (OIG) has issued a special advisory bulletin emphasizing the importance of exclusion checking.[2]

Civil Monetary Penalties Law

The Civil Monetary Penalties Law (CMPL) authorizes HHS and OIG to impose civil monetary penalties, assessments, and program exclusions against any person that submits false or fraudulent or certain other types of improper claims for Medicare or Medicaid payment.[3]


Anti-Kickback Statute

Under the federal AKS, no individual or entity may offer, pay, solicit, or receive anything of value (in cash or in-kind) directly or indirectly for federal healthcare program business referrals.[4] This prohibition is broad and covers all situations where something of value is provided free or at a discount to any potential referral source.

Physician Self-Referral Law

“The Physician Self-Referral Law, commonly referred to as the Stark law, prohibits physicians from referring patients to receive ‘designated health services’ [as defined in Stark] payable by Medicare or Medicaid from entities with which the physician or an immediate family member has a financial relationship, unless an exception applies.”[5]

HIPAA Privacy and Security

Organizations must consider the HIPAA regulations when providing protected health information (PHI) to third-party organizations that are considered business associates (BAs) for services. Organizations must have a contract or business associate agreement (BAA) with the third party. The Privacy Rule requires that, at a minimum, the agreement:

  • “Describe the permitted and required uses of protected health information by the business associate;

  • “Provide that the business associate will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law; and

  • “Require the business associate to use appropriate safeguards to prevent a use or disclosure of the protected health information other than as provided for by the contract.”[6]
