In 2023, the Department of Justice recovered over $2.68 billion in judgments and settlements involving healthcare fraud — a significant portion tied to illegal referral arrangements. If your organization participates in federal healthcare programs, understanding what law prohibits offering or receiving payment to induce referrals isn't optional. It's foundational to your compliance program, and the consequences of ignorance can be devastating.

What Law Prohibits Offering or Receiving Payment to Induce Referrals?

The federal Anti-Kickback Statute (AKS), codified at 42 U.S.C. § 1320a-7b(b), is the primary law that prohibits offering, paying, soliciting, or receiving anything of value to induce or reward referrals for services covered by federal healthcare programs like Medicare and Medicaid. Violations are felonies, carrying penalties of up to $100,000 per violation, ten years of imprisonment, and exclusion from federal healthcare programs.

The AKS is broad by design. It covers both sides of the transaction — the person offering the payment and the person receiving it. "Anything of value" has been interpreted expansively by the Office of Inspector General (OIG) to include cash, gifts, free services, excessive compensation, and even certain business arrangements structured to disguise referral payments.

How the Anti-Kickback Statute Intersects with HIPAA

Healthcare organizations routinely overlook the relationship between HIPAA requirements and the broader healthcare fraud statutes, but the connection is real and consequential. The Health Insurance Portability and Accountability Act established the Healthcare Fraud Prevention and Enforcement framework that funds investigations into AKS violations. When OCR enforcement actions uncover improper disclosures of protected health information (PHI), those investigations sometimes reveal referral-for-payment schemes operating underneath.

A covered entity that violates the Anti-Kickback Statute is almost certainly also compromising HIPAA's minimum necessary standard. Kickback arrangements frequently require sharing patient data — referral lists, treatment histories, demographic information — in ways that go far beyond what the Privacy Rule at 45 CFR Part 164 permits. The sharing of PHI to facilitate illegal referrals is both a HIPAA violation and potential fraud.

The Physician Self-Referral Law, commonly called the Stark Law (42 U.S.C. § 1395nn), is often discussed alongside the AKS. Stark prohibits physicians from referring Medicare patients for designated health services to entities with which the physician or an immediate family member has a financial relationship — unless a specific exception applies.

The critical difference: the Stark Law is a strict liability statute. No intent to violate is required. If the financial relationship exists and no exception applies, the referral is illegal. The AKS, by contrast, requires that at least one purpose of the payment is to induce referrals. In my work with covered entities, I've seen organizations that believed Stark compliance alone was sufficient — only to face AKS liability because their compensation arrangements had a referral-inducing component.

Safe Harbors and Exceptions Your Organization Must Understand

The OIG has established safe harbors under the Anti-Kickback Statute (42 CFR § 1001.952) that protect certain payment arrangements from prosecution. These include:

  • Employment relationships — Payments to bona fide employees for covered services
  • Personal services and management contracts — Written agreements with fair market value compensation set in advance
  • Space and equipment rentals — Lease agreements at fair market value with written terms
  • Discounts — Properly disclosed price reductions passed along to federal programs
  • Referral services — Arrangements meeting specific participation and fee requirements

Safe harbors are narrowly construed. If your arrangement doesn't fit squarely within one, it remains exposed to AKS liability. Every business associate agreement and vendor relationship should be evaluated through this lens.

The Workforce Training Requirement Most Organizations Underestimate

HIPAA's Security Rule and Privacy Rule both require workforce training on policies and procedures relevant to each member's job function. But effective compliance programs go further. The OIG's compliance guidance for healthcare organizations explicitly recommends training on fraud and abuse laws, including the Anti-Kickback Statute and Stark Law.

Your workforce — from front-desk staff accepting vendor gifts to physicians entering referral arrangements — needs to understand these prohibitions. A medical receptionist who accepts a $50 gift card from a laboratory representative in exchange for steering specimens is participating in an AKS violation, whether they realize it or not. Comprehensive HIPAA training and certification programs should address these intersections explicitly.

Risk Analysis Should Cover Referral Arrangement Exposure

Under the HIPAA Security Rule, every covered entity must conduct a thorough risk analysis. While this typically focuses on electronic PHI safeguards, OCR has made clear that a risk analysis should be comprehensive enough to identify all vulnerabilities — including how patient data flows through referral relationships.

Map every referral arrangement in your organization. Identify the financial terms, the PHI exchanged, and the business associate agreements in place. If compensation correlates with referral volume rather than fair market value for services rendered, you have a red flag that demands immediate legal review.

The consequences of AKS violations compound quickly. Beyond the criminal penalties of up to $100,000 per violation and ten years of imprisonment, the Civil Monetary Penalties Law allows the OIG to impose penalties of up to $100,000 per kickback plus three times the amount of the remuneration. Add mandatory exclusion from Medicare and Medicaid, and most healthcare organizations would not survive a confirmed violation.

The False Claims Act amplifies this further. Since 2010, AKS violations automatically constitute false claims, meaning every claim submitted in connection with a tainted referral creates additional liability. Whistleblower (qui tam) lawsuits by employees who witness kickback arrangements account for the majority of healthcare fraud recoveries.

Building a Compliance Program That Addresses Referral Fraud

Your organization's compliance program should treat anti-kickback obligations as seriously as HIPAA Privacy and Security Rule requirements. Start with these concrete steps:

  • Audit all physician compensation and vendor arrangements annually for AKS safe harbor compliance
  • Implement a Notice of Privacy Practices review process that accounts for how PHI is shared in referral contexts
  • Establish a confidential reporting mechanism for employees to flag suspected kickback arrangements
  • Require all staff to complete training that covers HIPAA, AKS, and Stark Law obligations together
  • Engage legal counsel to review any arrangement where referral volume could influence compensation

Building compliant referral practices into your organizational culture starts with education. HIPAA Certify's workforce compliance platform helps organizations train every team member on the regulatory requirements that matter — including the critical intersections between HIPAA and healthcare fraud law.

The question of what law prohibits offering or receiving payment to induce referrals has a clear answer: the Anti-Kickback Statute. But the real challenge lies in operationalizing that knowledge across every department, every vendor relationship, and every referral your organization touches. The organizations that invest in that operational compliance are the ones that avoid becoming the next enforcement headline.