This monthly update highlights key regulatory developments, enforcement trends, and compliance issues affecting health-care providers across the continuum – from solo practices to hospitals and large physician groups. Each section includes practical action items to help you assess risk and prepare for upcoming obligations.

Regulatory Developments

Continued Enforcement Focus on Data Security and Billing Integrity

Federal regulators continue to prioritize HIPAA Security Rule compliance under 45 C.F.R. Part 164, Subpart C, particularly the required risk analysis under 45 C.F.R. § 164.308(a)(1)(ii)(A). Agencies also remain focused on timely reporting and repayment of identified overpayments under the 60-Day Rule, 42 U.S.C. § 1320a-7k(d) and 42 C.F.R. § 401.305. In addition, referral relationships and marketing arrangements continue to receive scrutiny under the Anti-Kickback Statute, 42 U.S.C. § 1320a-7b(b). Recent enforcement activity from HHS’s Office for Civil Rights and the Department of Justice underscores a consistent message: regulators expect proactive compliance infrastructure, documented oversight, and timely corrective action.

Action Items:

  • Confirm your HIPAA Security Risk Analysis is current and reflects ransomware and third-party access risks.
  • Conduct a tabletop exercise to test breach response procedures.
  • Audit internal billing practices for medical necessity documentation and modifier usage.
  • Review referral and marketing relationships for written documentation and regulatory compliance.

Contracting Focus

Fair Market Value and Commercial Reasonableness

Compensation arrangements remain one of the most common enforcement triggers under the Stark Law, 42 U.S.C. § 1395nn and its implementing regulations at 42 C.F.R. §§ 411.351 and 411.357, as well as under the Anti-Kickback Statute, 42 U.S.C. § 1320a-7b(b), and its regulatory safe harbors at 42 C.F.R. § 1001.952. Regulators are evaluating not only whether contracts exist, but whether they are commercially reasonable, supported by fair market value, and consistent with actual operational practices. Agreements that appear compliant on paper may still present risk if services are not performed as documented or if compensation methodology raises referral concerns.

Action Items:

  • Review expiring physician, medical director, and management agreements.
  • Confirm services described in agreements are actually performed and documented.
  • Update fair market value support when compensation changes.
  • Ensure compensation formulas do not take into account the volume or value of referrals where prohibited.

Compliance Focus

Board and Leadership Oversight Expectations

Both the Department of Justice and the Office of Inspector General have emphasized active
governance oversight in compliance programs, including in the DOJ’s Evaluation of Corporate Compliance Programs guidance and OIG’s updated General Compliance Program Guidance. A written compliance plan alone is no longer sufficient. Regulators increasingly expect demonstrable leadership engagement, meaningful reporting structures, and documented oversight at the executive and board levels. The absence of documentation often becomes as problematic as the absence of compliance activity itself.

Action Items:

  • Ensure compliance reporting occurs regularly at the executive or board level.
  • Document leadership discussions regarding compliance risks.
  • Confirm anonymous reporting mechanisms are accessible and functional.
  • Update annual compliance training to reflect current enforcement priorities.

Litigation & Risk Management Trends

Overpayments, False Claims Exposure, and Employment Claims

Failure to timely return identified overpayments can create exposure under the False Claims Act, 31 U.S.C. §§ 3729–3733. Courts have interpreted “identified” broadly once a provider is put on notice of a potential overpayment, placing increased importance on prompt internal investigation and documentation. Healthcare employers also continue to face retaliation claims under 31 U.S.C. § 3730(h), wage-and-hour disputes under the Fair Labor Standards Act, 29 U.S.C. § 201 et seq., and restrictive-covenant challenges, depending on evolving state-law standards. Strong internal documentation and consistent employment practices significantly reduce litigation risk.

Action Items:

  • Establish a written overpayment investigation protocol.
  • Document steps taken once a billing issue is discovered.
  • Audit wage classification for exempt and non-exempt employees.
  • Review restrictive covenants for enforceability under current law.

FAQ of the Month

“If we identify a potential overpayment but are still investigating, when does the 60-day clock start?”

Under 42 U.S.C. § 1320a-7k(d) and 42 C.F.R. § 401.305, the repayment obligation is triggered
once an overpayment is “identified.” Courts have held that identification occurs when a provider has actual knowledge of the overpayment or acts in reckless disregard or deliberate ignorance. The regulation defines “identified” as when a provider has determined, or should have determined through reasonable diligence, that an overpayment was received. Prompt investigation, written documentation of findings, and timely repayment when required are critical to mitigating False Claims Act exposure.

Upcoming Deadlines & Reminders

  • Monthly OIG Exclusion Screening: Conduct monthly exclusion screening as recommended by OIG guidance using the List of Excluded Individuals and Entities (LEIE). Screening should be completed before the end of each month, with documentation retained.
  • Medicare Revalidation (Rolling Deadlines): CMS continues to issue revalidation notices on a rolling basis. Providers should monitor for revalidation letters and calendar submission deadlines immediately upon notice. Revalidation typically must be completed within 60 days of CMS notification to avoid deactivation.
  • HIPAA Security Risk Analysis Review: While HIPAA does not impose a fixed annual deadline, organizations that conduct risk analyses on a calendar-year cycle should schedule completion during Q1 2026 to maintain consistency with 45 C.F.R. § 164.308(a)(1)(ii)(A).
  • Overpayment Monitoring and Repayment Protocols: Ensure internal processes are in place to identify, investigate, and timely return overpayments in accordance with 42 U.S.C. § 1320a-7k(d) and 42 C.F.R. § 401.305.
  • Corporate Transparency Act (If Applicable): Entities subject to the Corporate Transparency Act should confirm applicable Beneficial Ownership Information reporting obligations under 31 U.S.C. § 5336 and current FinCEN guidance. Enforcement timelines have been subject to ongoing federal litigation, and reporting obligations should be verified prior to filing.
  • Annual Compensation Review Preparation: Organizations anticipating mid-year compensation adjustments should begin Stark Law and fair market value review processes early in the year to allow adequate documentation prior to implementation.

Disclaimer: The information provided here is for general informational purposes only and does not constitute legal advice. No attorney-client relationship is created by this communication. Parties should consult with their own qualified attorney for advice regarding their specific legal situation.

For questions or assistance, contact Paul A. Drey or Emily E. Reiners of the Brick Gentry P.C. Healthcare & Regulatory Team.

This monthly update highlights key regulatory developments, enforcement trends, and compliance issues affecting health-care providers across the continuum – from solo practices to hospitals and large physician groups. Each section includes practical action items to help you assess risk and prepare for upcoming obligations.

Regulatory Developments

HIPAA Notice of Privacy Practices Updates Due February 16, 2026

Covered entities must update their Notice of Privacy Practices (NPP) by February 16, 2026 to comply with HIPAA Privacy Rule amendments addressing substance use disorder (SUD) records under 42 CFR Part 2.  The amendments affect providers that create or maintain SUD-related records, including mental health practices, primary care providers, hospitals, and integrated care settings. Even providers that do not offer substance use disorder treatment must update their NPP, as the obligation applies broadly to covered entities and is not limited to Part 2 programs.  Under the revised rule, Part 2 records may generally be disclosed for treatment, payment, and health care operations based on a single written consent, rather than requiring separate consents for each disclosure. At the same time, heightened protections remain in place, including limits on redisclosure and restrictions on using SUD records in criminal, civil, or administrative proceedings against a patient.  Many existing NPPs do not reflect these changes or treat SUD records the same as other protected health information. Those notices should be reviewed and updated to avoid compliance gaps and patient confusion.

Action Items:

  • Review your current NPP for compliance with the 2026 HIPAA updates, even if you do not provide SUD treatment services.
  • Update posted notices, including websites, patient portals, and intake materials, by February 16, 2026.
  • Ensure staff understand that SUD records remain subject to heightened privacy protections despite expanded consent rules.

Contracting Focus

Employment vs. Independent Contractor Arrangements in Health Care

Health-care providers frequently use independent contractor arrangements for clinical services, coverage, or specialized roles. In practice, many of these relationships function more like employment, which can create legal, tax, and regulatory risk if the structure does not match how the individual is actually treated.  Misclassification issues arise when contractors are subject to the same scheduling, supervision, and operational controls as employees, or when contracts do not clearly define responsibilities, compensation, and termination rights. In health care, these risks can extend beyond wage-and-hour concerns and affect reimbursement, licensure, supervision requirements, and liability exposure.  Recent enforcement and audit activity across multiple agencies has increased scrutiny of contractor arrangements, particularly in settings involving clinical supervision, use of facility resources, and long-term or exclusive relationships.

Action Items:

  • Review whether individuals classified as independent contractors are truly operating with appropriate independence.
  • Confirm that contractor agreements clearly define scope of services, compensation, scheduling authority, and termination rights.
  • Evaluate whether supervision, documentation, and coverage requirements are consistent with the contractor model.

Compliance Focus

Responding to ICE Requests in Health-Care Settings

Health-care providers increasingly face questions about how to respond when Immigration and Customs Enforcement (ICE) agents request information or access to patients or facilities. While providers must comply with applicable law, HIPAA and state privacy laws continue to apply.  ICE agents do not have automatic authority to access patient information. HIPAA generally prohibits disclosure of protected health information without patient authorization unless a specific exception applies. Administrative warrants or subpoenas may not require immediate compliance and should be reviewed carefully. Patient-care areas also raise heightened privacy and safety concerns.  Providers should be prepared to respond calmly and consistently, without interfering with law enforcement activity or disclosing information unnecessarily.

Action Items:

  • Develop or update a written policy addressing law-enforcement requests, including ICE inquiries.
  • Train front-desk and clinical staff not to release information or grant access without appropriate authorization.
  • Identify a single internal point of contact for law-enforcement interactions.

Litigation & Risk Management Trends

Balancing Patient Privacy and Law Enforcement Requests

Recent complaints and enforcement actions show that providers face risk on both sides from improper disclosures of patient information to failures to follow internal procedures when law enforcement is involved.  Common problem areas include staff releasing information without authorization, inconsistent responses across departments or locations, lack of documentation of law-enforcement interactions, and confusion between administrative requests and judicial orders. Regulators and investigators increasingly expect providers to demonstrate reasonable, documented decision-making, even in high-pressure situations.

Action Items:

  • Confirm that privacy policies clearly address responses to law-enforcement requests.
  • Ensure interactions with law enforcement are documented and reviewed internally.
  • Align privacy, security, and risk-management teams on response protocols.

FAQ of the Month

“If ICE asks for patient information, do we have to comply?”

Not automatically.  HIPAA generally prohibits disclosure of protected health information without patient authorization unless a specific exception applies. Whether disclosure is permitted depends on the type of request, the information sought, and applicable federal and state law. In many cases, providers may decline immediate disclosure and request time to review the request with legal counsel.  Providers should not ignore ICE requests, but they should not comply without understanding their legal obligations.

Upcoming Deadlines & Reminders

  • February 16, 2026: Updated HIPAA Notice of Privacy Practices must be implemented and posted.
  • Q1 HIPAA Security Risk Assessments: Many organizations target early-year completion.
  • Professional License Renewals: Several health professions renew in Q1; verify staff deadlines.
  • Policy Reviews: Early 2026 is an ideal time to update privacy, compliance, and emergency response policies.

Disclaimer: The information provided here is for general informational purposes only and does not constitute legal advice. No attorney-client relationship is created by this communication. Parties should consult with their own qualified attorney for advice regarding their specific legal situation.

For questions or assistance, contact Paul A. Drey or Emily E. Reiners of the Brick Gentry P.C. Healthcare & Regulatory Team.

Brick Gentry P.C. is pleased to announce the relaunch of our Healthcare Law Update, a monthly publication designed for Iowa’s healthcare providers, including hospitals, clinics, rural health systems, behavioral health organizations, physician groups, and individual practitioners.

Beginning January 2026, our healthcare practice group will provide regular insights on key legal and regulatory developments affecting healthcare entities and providers across the State of Iowa. Each monthly update will feature:

  • Regulatory and compliance changes, including HIPAA, Stark/AKS, telehealth, reimbursement, credentialing, and licensing.
  • Litigation trends and notable case developments impacting healthcare providers.
  • Federal and state guidance relevant to Iowa’s hospitals, clinics, physician groups, behavioral health providers, and individual practitioners.
  • Practical considerations for administrators, executives, and boards.
  • Hands-on considerations necessary to navigate healthcare contracts.

As state and federal requirements continue to evolve, our goal is to offer clear, Iowa-focused guidance that helps organizations and individuals navigate operational and legal challenges throughout 2026 and beyond.

We welcome suggestions from healthcare leaders and partners regarding topics of interest for future updates. Please contact us with questions or ideas.

– Paul Drey & Emily Reiners

Brick Gentry, P. C., and the Iowa Healthcare Law Blog are excited to announce that Emily Reiners is now a shareholder with Brick Gentry and will be a key contributor to the Iowa Healthcare Law Blog.  Emily brings her past healthcare experience from her time as an attorney in private practice and at Unity Point.  She brings a keen understanding of regulatory and compliance law issues in the healthcare arena, as well as superior skills in drafting and reviewing healthcare contracts and advising healthcare professionals in Iowa.  Her approach and knowledge of the important issues make her a trusted advisor to those with whom she works.  We are so pleased that she is now part of our Brick Gentry Healthcare Team.

MACRA’S QUALITY PAYMENT PROGRAM HAS GONE LIVE – ACTION REQUIRED IN 2017 TO AVOID PART B PAYMENT REDUCTIONS IN 2019 – QPP BASICS TO KNOW IN GETTING STARTED

A new Congress has convened, a new administration is at the helm, and repeal of the Affordable Care Act (ACA) is on the docket, an action of consequence for, among other things, the Medicare Shared Savings Program (MSSP), primary care medical homes, and other Medicare-developed alternative payment models (APMs). On the other hand, the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA), establishing a Medicare Part B Quality Payment Program (QPP), is bipartisan legislation of little debate. The American Medical Association, the American Hospital Association, and over 100 other health care entities have appealed to the Administration to preserve value-based care.  https://www.premierinc.com/wp-content/uploads/2017/01/Jan-25-letter1-24-17-Administration.pdf. So, even in the midst of ACA uncertainty, MACRA and its QPP are moving forward. The Centers for Medicare and Medicaid Services (CMS), by rule, has developed a QPP structure that went live on January 1, 2017.

Continue Reading MACRA’s Quality Payment Program Has Gone Live

Medicare/Medicaid Reform and ACA Repeal on the Horizon, MACRA Moves Forward for Now

The new administration’s agenda for health care may have come into clearer focus with President-Elect Donald Trump’s nomination of House Representative Tom Price, MD, a Republican from Georgia, as Secretary of Health and Human Services (HHS) and Seema Verma, MPH, as CMS Administrator. The American Medical Association (AMA) released a statement of strong support for Congressman Price, encouraging a swift confirmation vote. “Dr. Price,” the AMA said, “has been a leader in the development of health policies to advance patient choice and market-based solutions as well as reduce excessive regulatory burdens that diminish time devoted to patient care and increase costs.”

Continue Reading President-Elect Trump Names Rep. Tom Price, MD (R-GA) as HHS Secretary, Seema Verma, Health Care Consultant, as CMS Administrator

QRUR Informal Review Also Available.

Physicians and other eligible professionals and practices who failed to meet criteria for satisfactory PQRS reporting in calendar year (CY) 2015 now face a negative 2% adjustment in Medicare Part B payments for CY 2017. Physicians who believe CMS has inappropriately determined that a negative PQRS payment adjustment applies to them have until November 30* to request an informal review.  CMS set forth the following instructions for requesting an informal review.  *Deadline for requesting informal review of VM calculations now extended to December 7, 2016.

Continue Reading Time Remains to File a request for Informal Review of CY 2017 PQRS Negative Payment Adjustment

On October 14, 2016, the Centers for Medicare & Medicaid Services (CMS) released its final rule implementing the new Quality Payment Program for physicians in lieu of the repealed sustainable growth rate factor (SGR). Rather than facing substantial annual reductions in Medicare payment fees as a result of the SGR, physicians now have two interrelated pathways to earn quality-based, cost efficient incentive payments under Medicare:  the Merit-based Incentive Payment System (MIPS) or Advanced Alternative Payment Models (Advanced APMs). MIPS consolidates three existing quality-based incentives programs – the Physician Quality Reporting System (PQRS), the Physician Value-based Payment Modifier (VM), and the Medicare Electronic Health Record (EHR) Incentive Program – while maintaining an ongoing focus on achieving quality and cost efficiencies through use of certified EHR technology (CEHRT).

Continue Reading CMS publishes Final MACRA Rule for MIPS and APM Incentives

Physicians subject to the Rule must meet notice and posting obligations by October 16, 2016.

The federal Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), has published its final Rule implementing Section 1557 of the Affordable Care Act (ACA), 42 U.S.C. 18116, prohibiting discrimination in health care programs and activities. The new Rule, like Section 1557, specifically focuses its prohibitions and requirements on four already existing federal nondiscrimination laws: 1) Title VI of the Civil Rights Act of 1964, prohibiting discrimination based on race, color and national origin; 2) the Age Discrimination Act of 1975; 3) Section 504 of the Rehabilitation Act of 1973; and, 4) the sex discrimination provisions of Title IX of the Education Amendments of 1972 (extended by Section 1557 to health care). Section 1557 is in addition to rights and remedies available under these four laws. While the nondiscrimination prohibitions of Section 1557 have been in effect since passage of the ACA in March of 2010, this final Rule advises health care consumers of their Section 1557 rights and informs affected health care programs and activities of their Section 1557 obligations.

Continue Reading Hhs’ Final Nondiscrimination Rule Impacts Most Physicians

CMS proposed rule details Medicare’s new physician “Quality Payment Program”

Reporting under new measures slated to begin in 2017

The Centers for Medicare & Medicaid Services (CMS), the federal agency responsible for Medicare payment to physicians, released a proposed rule on April 27, 2016, setting forth key provisions of its Quality Payment Program for physicians, implementing key provisions in the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA). MACRA repealed the Sustainable Growth Rate (SGR) formula for annually adjusting Medicare payment to the nation’s physicians, replacing the SGR with a value-based payment system to be developed by CMS consistent with MACRA’s directives. The proposed rule has been published in the May 9, 2016 Federal Register. Comments are due by June 27, 2016.

Continue Reading MACRA on the Move!