In fiscal year 2023, the Department of Justice obtained more than $2.68 billion in False Claims Act settlements and judgments, over $1.8 billion of it from matters involving the healthcare industry, and many of those cases involved illegal kickbacks between providers, vendors, and referral sources. If you have ever searched for the phrase "the act that prohibits the practice of kickbacks is", the answer is the Anti-Kickback Statute (AKS), codified at 42 U.S.C. § 1320a-7b(b). What many healthcare organizations miss is how deeply this federal law intersects with HIPAA compliance and the protection of patient data.

The Act That Prohibits the Practice of Kickbacks Is the Anti-Kickback Statute

The Anti-Kickback Statute makes it a federal criminal offense to knowingly and willfully offer, pay, solicit, or receive anything of value (cash, free or below-market services, discounts, or any other remuneration) to induce or reward referrals for items or services covered by federal healthcare programs such as Medicare and Medicaid. Each violation carries a fine of up to $100,000 and up to 10 years of imprisonment, and violators face exclusion from federal healthcare programs. Because a claim that results from an AKS violation is a false claim under 42 U.S.C. § 1320a-7b(g), kickbacks also drive the civil False Claims Act recoveries cited above.

This law exists because kickback arrangements corrupt medical decision-making. When a physician receives compensation for referring patients to a specific lab or facility, the referral is no longer based on clinical judgment — it's based on financial incentive. That distortion affects patient care, inflates costs, and often triggers additional regulatory violations, including HIPAA violations.

How the Anti-Kickback Statute Connects to HIPAA Compliance

Here is where covered entities and business associates need to pay close attention. Kickback schemes routinely involve the exchange of protected health information (PHI). A provider sharing patient lists with a vendor in exchange for referral payments is not only violating the Anti-Kickback Statute; it is also violating the HIPAA Privacy Rule (45 CFR Part 164, Subpart E), and where the PHI itself is what the remuneration buys, the sale-of-PHI prohibition at 45 CFR § 164.502(a)(5)(ii) applies as well.

The Privacy Rule permits a covered entity to use or disclose PHI only for the purposes listed in 45 CFR § 164.502(a), and the minimum necessary standard then limits even a permitted disclosure to the information needed for that specific purpose. Sharing patient data to facilitate a financial kickback arrangement fits none of the permitted purposes, so the disclosure is impermissible before the minimum necessary question is even reached. OCR enforcement actions have made clear that improper disclosures of PHI, regardless of the underlying motive, are HIPAA violations subject to their own civil monetary penalties.

In my work with covered entities, I've seen organizations focus entirely on AKS compliance while ignoring the HIPAA exposure embedded in the same conduct. That's a costly oversight.

Real-World Enforcement: When Kickback Violations Trigger HIPAA Scrutiny

Federal investigations into kickback arrangements frequently uncover broader compliance failures. When the Office of Inspector General (OIG) or the Department of Justice investigates a kickback scheme, they often coordinate with OCR to examine whether PHI was mishandled in the process.

Consider this common scenario: a durable medical equipment (DME) supplier pays marketers to collect patient information from Medicare beneficiaries and route referrals to specific providers. The marketers gather names, diagnoses, insurance details, and contact information, all of which qualifies as PHI once it is in a covered entity's hands. Every covered entity or business associate in that chain that disclosed PHI without a valid patient authorization, a business associate agreement, or a legitimate treatment, payment, or healthcare operations purpose has committed a HIPAA violation alongside the AKS violation. Marketers who are neither covered entities nor business associates fall outside HIPAA's direct reach, which is exactly why the provider or supplier that shares PHI with them carries the exposure.

In 2022, a Texas-based healthcare company paid $8.5 million to settle allegations involving both kickback payments and improper handling of patient records. These cases are not isolated. They reflect a pattern that OCR and OIG are increasingly pursuing together.

The Workforce Training Requirement Most Organizations Underestimate

Your workforce is your first line of defense against both kickback violations and HIPAA breaches. Under 45 CFR § 164.530(b), covered entities must train all workforce members on their Privacy Rule policies and procedures, and 45 CFR § 164.308(a)(5) requires a security awareness and training program under the Security Rule. Effective training goes beyond the Privacy Rule basics: it must show staff how fraud schemes such as kickbacks create PHI exposure.

Staff members need to recognize red flags: unusual referral patterns, vendors requesting patient lists without a business associate agreement, or leadership pressuring employees to share PHI outside normal workflows. Without this awareness, your employees may unknowingly participate in arrangements that violate both the Anti-Kickback Statute and HIPAA.

Investing in comprehensive HIPAA training and certification ensures your team understands not only Privacy Rule requirements but also how adjacent federal laws create compounding compliance risks.

Safe Harbors and Compliance Program Essentials

The Anti-Kickback Statute is paired with regulatory safe harbors at 42 CFR § 1001.952: specific payment arrangements that are protected from prosecution if they meet every required condition. These include bona fide employment relationships, personal services and management contracts, and group purchasing organization arrangements, among others. An arrangement that falls outside a safe harbor is not automatically illegal; it is judged on its facts and intent, which is why knowing which safe harbors apply to your operations, and documenting that each condition is met, is critical.

However, safe harbors protect you from AKS liability only. They do not exempt your organization from HIPAA obligations. Even a payment arrangement that qualifies for an AKS safe harbor must still comply with the Privacy Rule, Security Rule, and Breach Notification Rule when PHI is involved.

Your compliance program should address both frameworks simultaneously. Key elements include:

  • Conducting a thorough risk analysis that covers both financial arrangements and PHI access points
  • Maintaining current business associate agreements with every vendor that touches PHI
  • Updating your Notice of Privacy Practices to reflect accurate data use descriptions
  • Implementing internal reporting channels for suspected kickback or PHI misuse
  • Documenting all workforce training with dates, content covered, and attendance records

What Your Organization Should Do Right Now

If your compliance program treats the Anti-Kickback Statute and HIPAA as separate silos, you are exposed. Healthcare organizations consistently struggle with this integration, and federal enforcers know it. OIG's compliance program guidance expects an organization's compliance program to cover its full set of legal risk areas rather than one statute in isolation, and the fraud-and-abuse and privacy risks described here arise from the same conduct.

Start by auditing your vendor relationships. Identify any arrangement where compensation is tied to patient volume or referrals, and verify that PHI flows in those relationships are covered by proper authorizations and business associate agreements. Then ensure your workforce understands both sets of rules.

Building a culture of compliance requires ongoing education — not a one-time checklist. HIPAA Certify's workforce compliance platform provides the structured, up-to-date training your organization needs to stay ahead of both HIPAA enforcement and fraud-related investigations.

The Bottom Line for Covered Entities

The act that prohibits the practice of kickbacks is the Anti-Kickback Statute, but its implications reach directly into your HIPAA obligations. Every kickback scheme that involves patient data creates dual liability: criminal exposure under the AKS, civil monetary penalties under HIPAA, and, where PHI is knowingly obtained or disclosed for commercial advantage or personal gain, criminal exposure under 42 U.S.C. § 1320d-6 as well. Your risk analysis, vendor management, and workforce training programs must account for both frameworks. The organizations that treat these as interconnected risks are the ones that avoid seven-figure settlements.