Executive Summary
- Cash-pay healthcare models do not eliminate referral risk. Even when a company does not bill Medicare, Medicaid, or commercial insurers, federal, state, and “all-payor” fraud and abuse laws may still apply to compensation arrangements involving patient referrals.
- Certain arrangements carry heightened scrutiny. Percentage-based compensation, referral fees, physician equity, and marketing arrangements tied to patient volume frequently trigger regulatory risk.
- The risks extend beyond regulatory penalties. Improper referral arrangements can create downstream issues for companies that go beyond possible civil and criminal liability, including issues arising when the company expands its business model to accept insurance, expands nationally, or undergoes investor diligence for future fundraising rounds, mergers and acquisitions, or IPO preparation. Improper arrangements can also invalidate contracts, harm the company’s reputation with patients, and create reluctance among providers to participate in the company’s platform due to fear of professional discipline.
Introduction
Cash-pay healthcare companies enjoy many regulatory freedoms that their insurance-accepting counterparts do not. However, cash-pay healthcare companies, their founders, operators, and investors, and the providers they work with, may still face meaningful kickback, self-referral, and fee-splitting risks under federal and state laws, including so-called “all-payor” laws. These risks often arise when companies structure compensation, partnerships, or other relationships with referral sources who may have the ability to steer patients to the company in exchange for payments, percentages of revenue, equity, or other forms of compensation.
Federal Healthcare Fraud and Abuse Laws
Most sophisticated healthcare stakeholders are familiar with the federal Anti-Kickback Statute1 and Stark Law2 and often know to analyze their referral arrangements against these laws, but many such stakeholders mistakenly end their analysis with these statutes. The Anti-Kickback Statute and Stark Law apply to healthcare companies that accept federal healthcare program payments, such as those from Medicare, Medicaid, TRICARE, CHIP, and other federally funded programs, as these fraud and abuse laws are expressly limited to federal program business, leaving cash-pay arrangements outside their direct reach. For example, the federal Anti-Kickback Statute prohibits offering or receiving anything of value to induce referrals for items or services reimbursable by federal healthcare programs, and the Stark Law prohibits physicians from referring patients for certain designated health services to entities in which they have a financial interest. Importantly, the Anti-Kickback Statute has been interpreted very broadly, such that even where a company does not itself bill federal healthcare programs, risk under the federal Anti-Kickback Statute may still arise if the company’s products, services, or financial arrangements have the potential to influence items or services that are ultimately reimbursed by such programs.3
Violations of these laws can result in severe consequences, including criminal penalties, civil monetary penalties, exclusion from federal healthcare programs, and liability under the False Claims Act.4,5
Third-Party Payor State Fraud and Abuse Laws
Even when federal healthcare fraud and abuse laws do not apply because a company does not bill Medicare, Medicaid, or other federal programs, the analysis does not end. Many states have similar fraud and abuse laws that apply to healthcare services reimbursed by private commercial insurers.6These laws are designed to protect commercial insurers from kickbacks and self-referrals and are frequently modeled after the federal Anti-Kickback Statute and Stark Law but apply in the commercial insurance context. As a result, healthcare companies that accept payments from private insurers may still face similar restrictions on referral arrangements even without federal program involvement. Many states also have separate anti-kickback laws embedded in their Medicaid statutes that apply independently of the federal Anti-Kickback Statute.7
"All-Payor” Fraud and Abuse Laws and “Fee Splitting"
More broadly, even if a healthcare company does not accept any health insurance or has no nexus to health insurance, certain states have all-payor fraud and abuse laws that may apply and expose the company to civil, criminal, and professional liability. Unlike federal and commercial payor healthcare fraud and abuse laws, which are primarily focused on preventing improper and false claims against insurers, these all-payor laws focus on protecting patients from clinical decisions being made for financial incentives and from practices such as “patient brokering.” As a result, these laws often apply even in purely cash-pay healthcare models.
These all-payor laws differ dramatically from state to state, creating a complex compliance landscape that requires a careful state-specific analysis, particularly for companies operating across multiple jurisdictions. Some states have no such laws at all, while some limit liability to specific healthcare professionals or facilities, and others apply broadly to all persons involved in referral or compensation arrangements, including executives, founders, sales and marketing personnel, patient recruiters, medical billers, customers, influencers, and other individuals and entities involved in generating or directing patient volume.
California, for example, prohibits licensed professionals from receiving any compensation for referring patients, clients, or customers to any person.8Notably, California’s law applies broadly to all persons, whether or not licensed by the state, capturing any participant in the referral payment chain, not just the healthcare professional. Other states have included fee-splitting laws as part of their medical practice acts, such as the Illinois Medical Practice Act, which prohibits a licensee from directly or indirectly sharing or splitting any professional fee.9
Early-Stage Structuring Pitfalls
Early-stage companies frequently intentionally launch as cash-pay businesses to move quickly and avoid reimbursement complexity, only to later decide to accept commercial insurance or federal healthcare program payments. Relationships formed during the cash-pay phase, particularly those involving equity with referral sources, may become problematic once insurance reimbursement is introduced. While offering equity compensation to physicians can be permissible, such arrangements must be carefully structured to comply with both federal and state fraud and abuse laws.10These early-stage arrangements may also create issues during investor due diligence, fundraising rounds, acquisitions, or public offerings, when counterparties will carefully evaluate whether historical provider relationships comply with applicable laws.
Consumer Protection Laws
State and federal consumer protection laws and unfair advertising laws may also apply to healthcare companies. For example, entering into partnerships or other relationships that steer patients to a healthcare provider in exchange for payments or other forms of compensation also poses risk of Federal Trade Commission (FTC) enforcement if the referrer does not disclose their relationship to the healthcare provider. The FTC, pursuant to its Endorsement Guides and consumer protection statute, requires that an endorser clearly and conspicuously disclose when they have a “material connection” to an advertiser (e.g., the endorser is compensated by the advertiser, receives discounts or free products, or works for the advertiser). The FTC holds both advertisers and endorsers accountable for the endorser’s failure to disclose their relationship to the company. Thus, healthcare companies need to take steps to ensure that referrers clearly and conspicuously disclose their relationship to the company.
SEC Violations
Beyond specific healthcare laws and consumer protection laws, the U.S. Securities and Exchange Commission (SEC) has also brought enforcement actions against companies for problematic commercial arrangements, even where the conduct does not involve items or services reimbursed by federal healthcare programs. In a recent enforcement action involving DMK Pharmaceuticals Corporation, the SEC alleged that the company paid kickbacks to a veterinarian to generate prescriptions for compounded medications for animals. The SEC asserted that representatives for DMK falsely submitted the orders for the animal medications, not the veterinarian. In addition to allegedly violating potential state veterinary laws and Food, Drug and Cosmetic Act requirements, the SEC alleged that as a result of the fraudulent kickback scheme, the company violated Sections 17(a)(1) and (3) of the Securities Act, and caused the violation of Section 17(a)(2) of the Securities Act, which prohibit any person from, in the offer or sale of a security, employing “any device, scheme, or artifice to defraud” or engaging in any “transaction, practice, or course of business” which operates or would operate as a fraud or deceit upon the purchaser, or obtaining money or property by means of any materially false or misleading statements.
Penalties
The all-payor fraud and abuse laws vary by state in their enforcement risks and penalties, and some may include civil or criminal liability.11In practice, however, the most immediate consequences are often business and operational risks. Improper referral arrangements may complicate expanding the company’s business model to accept insurance or to expand nationally and may create issues during investor diligence for future fundraising rounds, mergers and acquisitions, and IPO preparation. Improper arrangements can also give a counterparty grounds to invalidate their contract, harm the company’s reputation with patients, and create reluctance among providers to participate in the company’s platform due to fear of professional discipline.
Best Practices
When structuring any arrangement with any provider, person, or entity that has influence over patient choice, a healthcare company must review all applicable laws to ensure compliance. Even when federal healthcare program business is not involved, state commercial payor laws, all-payor anti-kickback laws, fee splitting rules, and consumer protection laws may still apply.12 For a company operating across multiple states, a national rollout strategy should be determined, as what is permissible in one jurisdiction may present a significant risk in another. By evaluating the risks holistically, companies can better structure relationships that support long-term growth while minimizing unnecessary regulatory and business risk.
Wilson Sonsini’s healthcare and digital health regulatory team regularly advises digital health companies on navigating the complex web of federal and state fraud and abuse laws and related regulatory frameworks and has deep familiarity with all-payor laws. Because these laws interact in complex ways and vary significantly across jurisdictions, companies benefit from proactive regulatory analysis before implementing provider or referral relationships. Early legal guidance can help avoid costly restructuring later and protect both companies and providers from regulatory exposure. With careful structuring, documentation, and compensation models tied to legitimate services rather than referrals, companies can reduce fraud and abuse risk.
[3] The Anti-Kickback Statute describes how it prohibits remuneration in return for referrals for items or services “for which payment may be made in whole or in part under a Federal health care program.” The Anti-Kickback Statute is interpreted very broadly and can be triggered when there is a potential nexus to federal program reimbursement somewhere in the chain. The analysis turns on the particular structure of each arrangement, the nature of each party’s relationship with payors, and the totality of the circumstances surrounding the commercial relationship.
[5] Some companies attempt to mitigate Anti-Kickback Statute exposure by structuring arrangements to “carve out” federal business for particular arrangements. For example, the company may structure the arrangement so that the percentage-based compensation, or “kickback,” is paid only when the federal government is not billed or involved. However, the U.S. Department of Health and Human Services Office of Inspector General (OIG) has maintained a long-standing position that “carving out” federal healthcare program beneficiaries does not insulate a company from Anti-Kickback Statute risk. The OIG has repeatedly provided that such arrangements implicate, and may violate, the Anti-Kickback Statute by disguising remuneration for federal healthcare program business through the payment of amounts purportedly related to non-federal healthcare program business.
[6] See, e.g., Mass. Ann. Laws ch. 175H, § 3; Mich. Comp. Laws Serv. § 752.1004; Ohio Rev. Code Ann. § 3999.22.
[7] See, e.g., Colo. Rev. Stat. § 24-31-809; Del. Code Ann. tit. 31, § 1005; 305 Ill. Comp. Stat. Ann. 5/8A-3.
[8] See, e.g., Cal. Bus. & Prof. Code § 650.
[9] See, e.g., 225 ILCS § 60/22(A)(14) and 22.2.
[10] For a more detailed discussion of these considerations, see our Client Alert: Offering Equity to Physicians in an MSO/PC Structure: Key Fraud and Abuse Compliance Considerations.
[11] See, e.g., Cal. Bus. & Prof. Code § 650 (“A violation of this section is a public offense and is punishable upon a first conviction by imprisonment in a county jail for not more than one year . . . or by a fine not exceeding fifty thousand dollars ($50,000), or by both that imprisonment and fine”).
[12] Clients frequently assert that competitors maintain fee-splitting arrangements, questioning why they cannot do the same. Notably, companies should not take comfort in the fact that similar arrangements may be prevalent among competitors, as the existence of comparable arrangements at other companies does not insulate a company from regulatory risk. Companies rarely have full visibility into a competitor’s program and may not understand the specific terms, safeguards, or compliance infrastructure underpinning those arrangements. Moreover, a competitor’s risk tolerance, organizational priorities, and compliance maturity may differ significantly, and the mere absence of a public enforcement action against another company does not mean the practice is appropriate.
