Ready to See Results?
From strategy through execution, Atlantic Health Strategies integrates compliance, operations, and growth into durable, measurable results. Let’s put our expertise to work for your organization.
The Short Answer: The Risks That Sink Private Practices Are Almost Always Preventable
The risks that take down group and private practices in behavioral health are rarely dramatic. They are quiet, documented in plain sight, and entirely preventable. The five that put owners on the wrong end of an enforcement letter from the HHS Office for Civil Rights (OCR), the HHS Office of Inspector General (OIG), or the Department of Justice (DOJ) are: a stale or missing HIPAA risk analysis, sloppy 90837 time documentation, kickback-flavored referral arrangements, unscreened employees and vendors, and payer contracts no one has re-read since signing.
Here is what the data actually shows. OCR has now settled or imposed a civil money penalty in 152 cases totaling $144,878,972, and OCR has made 2,419 criminal referrals to DOJ. In 2022, 55% of the financial penalties OCR imposed landed on small medical practices. The myth that OCR only chases hospital systems died years ago. A two-clinician practice in Tennessee or Arizona gets investigated under the same rules as a multi-state IPA.
If you run a group practice, the question is not whether your operation has hidden risk. It does. The question is whether you have looked at it on purpose in the last twelve months.
HIPAA Risk Analysis: The Single Most Cited Finding in OCR Enforcement
A Shook, Hardy & Bacon review of OCR enforcement since the start of 2024 found that inadequate risk analysis appeared in 13 of 20 enforcement matters and produced total payments of $9,436,346. That is not a coincidence. In late 2024, OCR launched what it called a Risk Analysis Initiative, which the agency described as an effort “to increase the number of completed investigations and highlight the need for more attention and better compliance with this Security Rule requirement.”
Most owners we talk to think a risk analysis is a one-time IT exercise. It is not. It is an ongoing, organization-wide assessment of every system that touches ePHI, with a documented management plan that addresses the findings. A risk analysis dated 2021 does not satisfy the 2026 requirement. A vendor questionnaire is not a risk analysis. And the penalty math is brutal: under the current civil monetary penalty structure published by HHS in the Federal Register, Tier 4 (willful neglect, uncorrected) carries an annual cap of $2,177,880 for identical violations.
Run the analysis. Document it. Address what it finds. If a surveyor from your state agency, CARF, or The Joint Commission walks in tomorrow, the question is not whether you are perfect. It is whether you can show your work.
Billing, Coding, and the 90837 Problem
The OIG has been blunt about where it is looking. The OIG Work Plan now includes psychotherapy documentation as a priority, and the agency has flagged concerns about time documentation accuracy, E/M versus psychotherapy code selection, and billing for services that do not meet psychotherapy definitions. CMS contractors (the MACs and UPICs) run the same logic on Medicare claims. Translation: 90837 is the code that ends careers.
Commercial payer Special Investigations Units (SIUs) run the same analytics. A Florida practice we worked with last year got hit with a prepayment review after their 90837 utilization ran roughly three standard deviations above the regional peer benchmark. Nothing fraudulent. Just clinicians defaulting to the 60-minute code because it paid better, without start and stop times in the note. Recoupment exposure on roughly 14 months of claims. The cleanup took eight months.
- Time documentation: start and stop times in every session note that bills a timed code.
- Medical necessity: the note has to support the diagnosis and the level of service, not just say the patient showed up. ASAM Criteria 4th Edition language belongs in the note when you are documenting level of care decisions.
- Code selection: 90834 exists for a reason. Use it when the session was 38 to 52 minutes.
- Internal audit: sample 10 charts per clinician per quarter. Find the patterns before a payer does.
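As an added example (not from the article or from Atlantic Health Strategies), a small Python audit that applies the checks above to constructed session notes: it flags timed codes with no start/stop times, compares the documented duration with the billed code, and expresses each clinician's 90837 share as a z-score against a peer benchmark, the way the SIU review described above would. The 16-minute floor for 90832 and the 53-minute floor for 90837 are the standard CPT time ranges and are assumed rather than stated on the page; the sample notes and the benchmark values are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime

# Minimum minutes per CPT psychotherapy code; the 16 and 53 floors are assumed from standard CPT ranges.
CPT_MIN_MINUTES = {"90832": 16, "90834": 38, "90837": 53}

@dataclass
class SessionNote:
    clinician: str
    billed_code: str
    start: str | None  # "HH:MM"; None when the note has no documented start time
    stop: str | None

def duration_minutes(note: SessionNote) -> int | None:
    if not note.start or not note.stop:
        return None  # no documented times, so the duration cannot support any timed code
    fmt = "%H:%M"
    delta = datetime.strptime(note.stop, fmt) - datetime.strptime(note.start, fmt)
    return int(delta.total_seconds() // 60)

def audit_note(note: SessionNote) -> list[str]:
    """Findings for one note; an empty list means the documented time supports the billed code."""
    minutes = duration_minutes(note)
    if minutes is None:
        return ["missing start/stop time on a timed code"]
    # Highest code whose time floor the session reaches (None below the 16-minute floor).
    supported = next((c for c in ("90837", "90834", "90832") if minutes >= CPT_MIN_MINUTES[c]), None)
    if supported is None:
        return [f"{minutes} min is below the 16-minute floor for any psychotherapy code"]
    if supported != note.billed_code:
        return [f"billed {note.billed_code} for {minutes} min; duration supports {supported}"]
    return []

def utilization_z_scores(notes: list[SessionNote], peer_mean: float, peer_sd: float) -> dict[str, float]:
    """Each clinician's share of sessions billed as 90837, as a z-score against a peer benchmark."""
    per_clinician: dict[str, list[bool]] = {}
    for n in notes:
        per_clinician.setdefault(n.clinician, []).append(n.billed_code == "90837")
    return {c: round((sum(v) / len(v) - peer_mean) / peer_sd, 2) for c, v in per_clinician.items()}

# Constructed sample notes (not real claims) and a constructed benchmark: peers bill 45% of sessions as 90837, SD 12 points.
SAMPLE = [
    SessionNote("A", "90837", "09:00", "09:58"), SessionNote("A", "90834", "10:00", "10:45"),
    SessionNote("B", "90837", None, None), SessionNote("B", "90837", "13:00", "13:40"),
    SessionNote("B", "90837", "14:00", "15:00"), SessionNote("C", "90834", "11:00", "11:30"),
]
PEER_MEAN, PEER_SD = 0.45, 0.12

def flagged_clinicians(notes: list[SessionNote] = SAMPLE, z_threshold: float = 3.0) -> list[str]:
    return [c for c, z in utilization_z_scores(notes, PEER_MEAN, PEER_SD).items() if z > z_threshold]
```

Clinician B in the sample is the pattern the article describes: every session billed at 90837, one note with no times at all, and one 40-minute session that only supports 90834.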
Referrals, EKRA, and the Risks Group Practices Talk About Least
Group practices grow through referrals. That is fine. What is not fine is what some owners structure to keep the referrals coming. The federal Anti-Kickback Statute, enforced by OIG and DOJ, applies to anything Medicare or Medicaid touches. The Eliminating Kickbacks in Recovery Act (EKRA), enacted in 2018, prohibits the payment and receipt of referral fees in connection with all healthcare billings, not just federal program billings. That last clause is the one that gets people. A cash-pay or commercial-only practice is not exempt.
The behavioral health field has drawn specific attention here. DOJ has brought significant enforcement around patient brokering, free or discounted housing, transportation arrangements, and marketing agreements that pay per admission. If you run an outpatient group practice in Texas or Florida and you have a marketing contractor paid on a per-referral basis, you have a problem that no amount of clinical excellence will fix.
The other quiet risk: excluded provider screening. The OIG operates the List of Excluded Individuals/Entities (LEIE), and screening employees, contractors, and vendors against it at hire and monthly thereafter is not optional. The Centers for Medicare & Medicaid Services (CMS) and state Medicaid agencies maintain parallel exclusion lists. Most small practices we audit have never run a single LEIE check. That is a finding waiting to happen.
What Owners Should Actually Do This Quarter
None of this is theoretical. The OIG, established in 1976 and staffed by approximately 1,600 people as of 2025, is the largest inspector general’s office in the federal government. OCR uses predictive analytics. CMS and state Medicaid SIUs run claim-pattern algorithms across provider TINs. DOJ continues to bring False Claims Act cases against behavioral health operators where the theory is documentation, not invented services. The era of “we’re too small to be on the radar” ended around 2019.
Owners we work with in states like Florida, Tennessee, Arizona, and Ohio focus on four things every quarter:
- Update the HIPAA risk analysis and document the corrective action plan that follows it.
- Run a 10-chart-per-clinician internal audit against the codes you bill most. Catch your 90837 patterns before a payer’s SIU does.
- Screen every employee, contractor, and vendor against the OIG LEIE, the CMS preclusion list, and your state Medicaid exclusion list. Monthly. Document the screen.
- Re-read every payer contract, looking specifically at timely filing windows, recoupment lookback periods, and what counts as “medical necessity” in that contract.
None of this requires a 200-page compliance manual. It requires somebody whose job it is to actually do the work, with a calendar, with documentation, and with enough authority to escalate when something is off.
Frequently asked questions
Does OCR actually pursue small group practices, or just hospitals?
Both. In 2022, 55% of the financial penalties OCR imposed were on small medical practices, per HIPAA Journal’s analysis of OCR data. Solo and small group practices have settled HIPAA cases for amounts ranging from $10,000 to over $150,000, often for missing risk analyses, social media disclosures, and right-of-access failures.
What is the single most common HIPAA finding in recent OCR enforcement actions?
Inadequate risk analysis. A review of OCR enforcement actions since the start of 2024 found that inadequate risk analysis was cited in 13 of 20 matters. OCR launched a formal Risk Analysis Initiative in late 2024 to specifically target this Security Rule failure.
Our practice only takes commercial insurance and cash. Do federal fraud laws still apply?
Yes. EKRA, enacted in 2018 and enforced by DOJ, prohibits referral fee arrangements in connection with all healthcare billings, including private insurance and cash-pay. The federal Anti-Kickback Statute reaches anything that touches a Medicare or Medicaid program. HIPAA applies to any covered entity regardless of payer mix, and CMS conditions of participation apply the moment you enroll.
What is the maximum HIPAA penalty a practice can face?
Under the current civil monetary penalty structure adjusted for inflation by HHS, Tier 4 violations (willful neglect, not corrected) carry an annual cap of $2,177,880 for identical violations in a calendar year. Per-violation amounts in lower tiers begin around $141 but compound quickly when a single gap, like a missing risk analysis, is counted across days, systems, or patient records.
References
- HHS Office for Civil Rights, Enforcement Highlights
- HHS OIG, General Compliance Program Guidance (2023)
- Shook, Hardy & Bacon, OCR Enforcement Activity: Trends and Insights (March 2025)
- HIPAA Journal, Healthcare Data Breach Statistics
- DoctorsManagement, OIG Work Plan 2025 Behavioral Health Priorities
- Oberheiden P.C., EKRA and OIG Compliance Programs
- Federal Register, OIG Compliance Program for Individual and Small Group Physician Practices