There is a lot of activity in the healthcare space these days. With venture capital firms getting involved in various lines of healthcare, and smaller practices merging, growing, or adding lines of business or services, it is easy to overlook certain compliance issues, especially those that aren't usually top of mind anyway.

As I have worked with a variety of practices doing compliance assessments and program development, certain issues arise regularly. Here are the top 4. I'm not saying these are the only critical issues, but they are the ones most often misunderstood or not on the radar at all:

1. Contracts. Smaller practices typically aren't very disciplined with their contracts, and usually, to be fair, it's not much of a risk. They have a vendor to provide IT services, maybe a billing company and/or bookkeeping, those sorts of things. And although those vendors' contracts should have certain provisions relating to privacy, security, and other compliance requirements, for a small practice with a lower volume it may not seem worth the expense to have an attorney review them. As the practice grows, however, certain elements need to be in place. Below are a few that are often missed:

*Make sure any business partner specifically agrees to follow all applicable laws, regulations, and other requirements. Depending on the type of service, include any other relevant specific guidelines, such as Medicare billing standards.

*The vendor should attest that they do background checks on all employees who would provide services for your practice, and that no employee or other agent of their company is excluded from participation in government health care programs. They should also attest that they routinely monitor for excluded employees and agree to notify you should any excluded employee be identified.

*If the vendor's staff will work at your site or on your behalf, the vendor should attest that their employees receive compliance and privacy training as a condition of employment, before anyone is sent to your site or allowed to work on your behalf. They should be willing to provide evidence of that training if asked.

*Any agreements with physicians or referral sources, and any lease arrangements, should be at fair market value, and compensation may not take into account the volume or value of referrals. The agreement needs to say that, and you need an attorney's advice in these matters to protect you under the various state and federal fraud and abuse statutes (the federal Anti-Kickback Statute and the Stark Law being the best known).

*The vendor should agree to allow your practice, or a designee acting on your behalf, to review their practices or records to verify compliance. You probably won't ever need to do that, but, for instance, if you found out your billing company was making mistakes that got you into trouble, you should have the right to have their practices audited (as they relate to your billing accounts).

2. HIPAA and other state and federal privacy and security laws. You may be well aware of the need to address this, but what is necessary? First of all, make sure you properly identify Business Associates under HIPAA. Those are the entities or people who access, use, disclose, or transmit protected health information (PHI) on your behalf. Billing companies are the easiest example. If they access your patients' records, then they need to sign a Business Associate Agreement. If you don't have a good template, go to the Health and Human Services Office for Civil Rights website, where you can find a good sample. If your Business Associate has a breach, you want to be covered!

A Notice of Privacy Practices must be provided to patients and posted. Again, you can find good examples online. But also review the underlying requirements, so you can make sure you have processes in place to meet them. Regulators look to see whether you actually honor patient rights, not just whether the notice is on the wall.

Security Risk Assessments need to be performed. There are vendors available, or tools you can find online (HHS publishes a free Security Risk Assessment tool), if you are a technologically savvy person. You don't have to have a perfect score, but you do need to know your risks and be working through them. Think of issues such as portable devices, encryption, secure workstations, and texting and emailing patient information. These are the types of issues that need to be thoroughly assessed, in addition to your technical security controls.

Designated Privacy and Security Officials. Yes, it seems like overkill when you are tiny. But as you grow you need to meet these requirements, even if it means adding the role to someone's job description. For Security, however, make sure the person in this role can handle it, that they actually know the security regulations and how to meet them. If it's your IT vendor, which is an option, they need to be designated as such in your agreement. Don't just assume that's their job, because they won't, unless it is discussed and agreed upon in writing.

3. Labor Laws and Human Resource Issues. There are too many requirements to get into here in a meaningful way, and state laws have a huge impact, but you should consider getting an employment attorney or consultant to help you create an employee handbook that sets out the specific laws and policies for your practice. And keep that person in your contacts list, as this is an area of high risk for lawsuits if you make a mistake. Also make sure you have a rigorous background check process in place and follow it consistently. This includes checking for excluded individuals and entities on the state and federal databases (the OIG's List of Excluded Individuals/Entities and your state Medicaid exclusion list). Those are easy checks to complete, and the risk is not worth skipping this step.

4. Non-Discrimination. In addition to not discriminating in hiring practices, which is part of the above, the Affordable Care Act (Section 1557) also has requirements that apply to patients. The emphasis here is on communication and on not discriminating against patients with disabilities or limited English proficiency. To address that, qualified interpreters are required to be available, at the expense of the practice. Bilingual staff are not sufficient unless they meet the standard for a qualified interpreter. There are services you can use that also offer sign language, available basically as needed, via video or phone. Smaller practices are often unaware of these requirements, and the need may never arise, but as you grow, depending on where you are located, it probably will.

These are the main things I see growing providers missing from a compliance perspective. Most practices understand the importance of accurate billing and clinical standards, but they are often just unaware of these other issues, or don’t grasp the risks they present in a larger organization. Feel free to reach out to me at if you have questions, or check out my website, – I hope this article was useful. If you are running a practice and need more compliance guidance, check out my new book, “Insider’s Guide to Compliance for Physician Practices”, available on Amazon at

Please note that this article is based on my own experience and opinions, and does not constitute legal advice.