Compliance for Integrated Provider-Payers

Health Highlights

Editor’s Note: As providers and payers increasingly align to offer integrated products, the bright line that once existed between the two has blurred. While there are considerable benefits to integration, provider-payer partnerships also present novel compliance challenges. In a new article for Compliance Today, summarized below, Manatt Health examines the benefits and risks of integrated ventures. Click here to access the full article free.

Payers and Providers Both See Benefits in Partnership

Provider-payer partnerships are increasingly common and deliver key benefits. For payers, integrating with providers is a means to improve health outcomes and control costs. On the provider side, partnering with payers or creating their own insurance products enables providers to increase margins by cutting out insurer overhead costs and profits.

The shared benefits are also significant. The parties can increase their market strength; leverage existing experience, infrastructure, data and resources; establish new lines of business; and experiment with innovative delivery and financing strategies.

With New Benefits Come Novel Risks

As providers or payers enter new markets, they must be aware of the regulatory framework in which the other party operates. Many arrangements require significant investment in care management services and information technology. In addition, partnership requires committed alignment, cooperation and integration over an extended period of time. To achieve this, the parties must be willing to integrate decision-making rights and become educated on new risks and compliance obligations.

The Focus of Compliance for Provider-Payer Partnerships

Providers and payers that partner must focus on a different group of compliance risks than each would face operating alone. The major healthcare fraud and abuse laws and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) remain at the core of compliance efforts, but the specific focus is on risks.

  • Stark Law. The Stark Law prohibits a physician from referring a patient for inpatient, outpatient or other “designated health services” covered by Medicare to a hospital or other entity with which the physician has a financial relationship, unless the relationship satisfies a Stark exception.i
  • The Anti-Kickback Statute (AKS). The AKS makes it illegal for any person to knowingly and willfully exchange remuneration for the referral of a patient for items or services covered by a federal healthcare program.ii
  • Civil Monetary Penalty Law (CMPL): Gainsharing. The CMPL prohibits a hospital from knowingly making any payment to induce a physician to reduce or limit medically necessary services covered by Medicare or Medicaid.iii
  • CMPL: Beneficiary Inducement. The CMPL prohibits a person from providing remuneration that he or she knows is likely to influence a patient’s selection of a provider or supplier for services covered by Medicare or Medicaid.iv

Risk-Sharing Stark Exceptions and AKS Safe Harbors

Provider-payers should ensure that their risk-sharing arrangements fall within a Stark Law exception (if the Stark Law applies) and AKS safe harbor(s).

The Stark Law risk-sharing exceptionv covers any “risk-sharing arrangement” between a Managed Care Organization or Independent Practice Association (IPA) (either directly or through an intermediary such as a hospital) for services provided to enrollees of a health plan. This exception should protect shared savings or similar risk-sharing payments from a value-based purchasing (VBP) entity to physicians, but each provider-payer must assess its arrangement. However, the exception does not protect VBP investment relationships or care management fees.

The AKS managed care safe harborvi protects payments made by a Medicare Advantage (MA) or Medicaid managed care contractor (such as a hospital or IPA) to providers for delivering or arranging healthcare items and services. This does not protect: (1) commercial plan payments; (2) marketing, payments or pre-enrollment activities; or (3) VBP investment relationships.

The AKS health plan discount safe harborvii shelters discounts on fees offered to plans or contracting intermediaries, but only when offered by providers. This does not protect: (1) shared savings or similar risk-sharing payments or (2) VBP investment relationships or care management fees.

Gainsharing Underutilization Risks

Gainsharing arrangements also pose a risk to provider-payers under the CMPL by providing financial incentives to hospitals which in turn incentivize physicians to reduce or limit medically necessary services covered by Medicare or Medicaid. Provider-payers should review the Department of Health and Human Services (HHS) Office of Inspector General (OIG) gainsharing advisory opinions for guidance on structuring gainsharing arrangements to avoid violating the CMPL.

Addressing SDOH and Beneficiary Inducement

When providers and payers integrate and share risk, they are further incentivized to address the social determinants of health (SDOH) that impact health outcomes and costs of care. SDOH are conditions in which people are born, live, learn, work, play, worship and age. Socioeconomic factors, physical environments and health behaviors collectively drive health outcomes more than medical care.

Integrated provider-payers are uniquely situated to address SDOH, as providers and payers each have different tools and flexibilities available. However, providers must remain cognizant of the CMPL prohibition on beneficiary inducements, and plans must remain compliant with marketing limitations imposed by any applicable federal or state regulations or guidance.

Providers may utilize several beneficiary inducement exceptions to address SDOH. They may provide items or services of nominal value (a retail value of no more than $15 per item or $75 in the aggregate per patient on an annualized basis).viii They can also offer incentives to promote the delivery of preventive care services where the delivery of such services is not directly or indirectly tied to the provision of other covered services that are reimbursed in whole or in part by a federal healthcare program.ix

In addition, under the financial hardship exception, the offer or transfer of items or services for free or less than fair market value does not constitute “remuneration” under the beneficiary inducement rules if:

  • The items or services are not offered as part of any advertisement or solicitation;
  • The items or services are not tied to the provision of other services reimbursed in whole or in part by Medicare or Medicaid;
  • There is a reasonable connection between the items or services and the medical care of the individual; and
  • The provider determines in good faith that the individual is in financial need.x

Provider-payers also generally may give incentives to individuals to promote access to care and that pose a low risk of harm.

Provider-payers may have additional flexibilities to address SDOH if the currently proposed AKS and CMPL rule changes are made final. A proposed new safe harbor would allow participants of value-based enterprises (VBEs) to provide appropriate patient engagement tools and supports to patients in a target patient population.xi

Beginning in 2020, payers have additional tools to address SDOH.xii,xiii Starting in 2020, MA Plans may offer supplemental benefits that address SDOH. MA Plans also may create rewards and incentives programs focused on promoting improved health, preventing injuries and illness, and promoting efficient use of healthcare resources. These flexibilities may also apply to Medicaid managed care plans.

Integrated Provider-Payer Data Sharing and HIPAA

Provider-payers can benefit from sharing data. There are limits, however, on what data can be shared and how data can be shared between plans and payers under HIPAA and 42 C.F.R. Part 2. In general, HIPAA prohibits the sharing of protected health information (PHI) between a provider and a plan, except for payment and healthcare operations. However, providers and payers may facilitate sharing for other reasons by the following:

  • Patient Authorization. Providers and payers may request patients’ authorization to use and disclose the patients’ PHI between the entities for purposes that are not for payment or healthcare operations.
  • Business Associate Agreement (BAA). If a plan is performing a function on behalf of a provider, the provider can enter into a BAA with the plan for this purpose. This would require the plan to return the PHI after the task is completed.
  • Organized Health Care Arrangement (OHCA). OHCAs involve clinical or operational integration among legally separate covered entities in which it is often necessary to share PHI for the joint management and operations of the arrangement.xiv An operationally integrated provider-payer therefore may find it useful to form an OHCA.
  • Affiliated Covered Entity (ACE). Legally separate covered entities that are under common ownership or control and are affiliated may designate themselves as a single covered entity for purposes of HIPAA privacy and security.xv

Provider-payers also must be aware that data related to substance use disorder (SUD) services provided to a patient by certain providers (a “Part 2 program”) are subject to Part 2. A Part 2 program is any organization that holds itself out as providing, and provides, SUD diagnosis, treatment or referral for treatment and receives federal assistance.

Integrated Provider-Payer Marketing and HIPAA

Provider-payers must be careful that their marketing does not run afoul of the laws and regulations that govern marketing by each of the parties.

  • HIPAA. With limited exception, HIPAA prohibits marketing using PHI without written authorization from the individual.
  • Provider Licensure Rules. Many states regulate how licensed professionals market and advertise.
  • MA Marketing Guidance. MA Plan marketing material is subject to the requirements and limitations set forth in the Medicare Communication and Marketing Guidelines (MCMG). MA Plans may use or allow providers to distribute MA marketing materials so long as the providers make materials available about all plans with which they contract at each plan’s request.
  • AKS. Marketing activities potentially implicate the AKS because the provider and Medicare and Medicaid plans are in a position to make referrals to each other for covered items and services.


Compliance professionals who are part of an integrated provider-payer organization should be involved early in discussions regarding the payer-provider integration to ensure that the arrangement is being designed in compliance with all laws and regulations.

i 42 U.S.C. § 1395nn.

ii 42 U.S.C. § 1320a-7b(b).

iii 42 U.S.C. § 1320a-7a(b)(1).

iv 42 U.S.C. § 1320a-7a(a)(5).

v 42 C.F.R. § 411.357(n).

vi 42 C.F.R. § 1001.952(h), (t) and (u).

vii 42 C.F.R. § 1001.952(m).

viii OIG, Office of Inspector General Policy Statement Regarding Gifts of Nominal Value to Medicare and Medicaid Beneficiaries (Dec. 7, 2016).

ix 42 U.S.C. § 1320a-7a(i)(6)(D). Preventive care is defined in 42 C.F.R. § 1003.101 as items and services that (a) are covered by Medicare or Medicaid and (b) are described in the Guide to Clinical Preventive Services published by the U.S. Preventive Services Task Force.

x 42 U.S.C. § 1320a-7a(i)(6)(H).

xi HHS OIG Proposed Rule 42 C.F.R. Parts 1001 and 1003, 147–92 (Oct. 3, 2019).

xii CMS, “Note to Medicare Advantage Organizations, Prescription Drug Plan Sponsors, and Other Interested Parties, Announcement of Calendar Year (CY) 2019 Medicare Advantage Capitation Rates and Medicare Advantage and Part D Payment Policies and Final Call Letter,” April 2, 2019, available at

xiii Medicare Managed Care Manual, Ch. 4, Sec. 100, available at

xiv Office of the Assistant Secretary for Planning and Evaluation, “Standards for Privacy of Individually Identifiable Health Information. Final Privacy Rule Preamble. Organized Health Care Arrangement,” Dec. 28, 2000, available at

xv 45 C.F.R. § 164.105(b).



pursuant to New York DR 2-101(f)

© 2022 Manatt, Phelps & Phillips, LLP.

All rights reserved