Why Healthcare Consulting Agreements Are Different
Healthcare consulting engagements operate within one of the most heavily regulated industries in the United States. Beyond the standard contractual provisions found in any consulting agreement, healthcare engagements must address patient privacy laws, anti-kickback statutes, fraud and abuse regulations, and industry-specific compliance requirements.
A consulting agreement that works perfectly for a technology engagement can expose both parties to significant legal risk in a healthcare context. The stakes are higher because violations of healthcare regulations can result in criminal penalties, civil fines, exclusion from federal healthcare programs, and loss of professional licenses.
HIPAA and Patient Privacy
When HIPAA Applies
The Health Insurance Portability and Accountability Act (HIPAA) applies when a consultant will access, create, receive, maintain, or transmit protected health information (PHI) on behalf of a covered entity (healthcare provider, health plan, or healthcare clearinghouse).
If the consultant qualifies as a "business associate" under HIPAA, the consulting agreement must include a Business Associate Agreement (BAA) — or incorporate BAA provisions directly.
Business Associate Agreement Requirements
A BAA must include provisions addressing:
- Permitted uses and disclosures: The consultant may only use or disclose PHI as permitted by the agreement or required by law
- Safeguards: The consultant must implement appropriate administrative, physical, and technical safeguards to protect PHI
- Subcontractor requirements: The consultant must ensure any subcontractors who access PHI agree to the same restrictions
- Breach notification: The consultant must report any breach of unsecured PHI to the covered entity within a specified timeframe (HIPAA requires notification without unreasonable delay and no later than 60 days after discovery)
- Individual rights: The consultant must support the covered entity's obligations to provide individuals with access to their PHI
- Return or destruction: Upon termination, the consultant must return or destroy all PHI
If your healthcare consulting engagement involves any contact with patient data — even indirect access through systems that contain PHI — include a Business Associate Agreement. The penalties for HIPAA violations range from $100 to $50,000 per violation, with annual maximums up to $1.5 million per violation category.
Minimum Necessary Standard
HIPAA's minimum necessary standard requires that consultants only access the minimum amount of PHI necessary to perform their services. The consulting agreement should define what PHI the consultant needs access to and restrict access to anything beyond that minimum.
Anti-Kickback and Fraud Considerations
Anti-Kickback Statute
The federal Anti-Kickback Statute (AKS) prohibits offering, paying, soliciting, or receiving anything of value to induce or reward referrals of items or services payable by federal healthcare programs. Healthcare consulting arrangements must be structured to avoid violating this statute.
Safe Harbor Requirements
The AKS includes a "personal services" safe harbor that protects legitimate consulting arrangements if certain conditions are met:
- The arrangement is set out in writing and signed by the parties
- The agreement covers all services the consultant provides
- The aggregate compensation is set in advance, consistent with fair market value, and not determined based on the volume or value of referrals
- The services don't involve the counseling or promotion of a business arrangement that violates state or federal law
- The arrangement serves a legitimate business purpose
Fair Market Value Compensation
Consulting fees in healthcare engagements must reflect fair market value for the services provided. Compensation that exceeds fair market value raises red flags under both the AKS and the Stark Law (which restricts physician self-referrals).
Document how compensation was determined, ideally with reference to industry benchmarks, published surveys, or independent valuations.
Stark Law Considerations
If the consulting arrangement involves a physician (or an immediate family member of a physician) who refers patients to the entity paying for consulting services, the Stark Law may apply. The arrangement must fit within a Stark Law exception, such as the personal services exception, which has requirements similar to the AKS safe harbor.
Healthcare consulting compensation should always be documented at fair market value using objective benchmarks. Compensation that appears to correlate with referral volume creates significant legal exposure under both the Anti-Kickback Statute and the Stark Law.
Regulatory Compliance Provisions
Compliance Program Adherence
The agreement should require the consultant to comply with the client's compliance program, code of conduct, and applicable policies and procedures. This is particularly important for consultants who will interact with patients, staff, or government program beneficiaries.
Excluded Individuals
The agreement should include representations that neither the consultant nor any of the consultant's personnel is excluded from participation in federal healthcare programs. Check the Office of Inspector General's List of Excluded Individuals/Entities (LEIE) and the System for Award Management (SAM) before engaging healthcare consultants.
Credential Verification
For consultants providing clinical or professional services, verify and document:
- Current professional licenses
- Board certifications (if applicable)
- Malpractice insurance coverage
- Absence of disciplinary actions
Audit Rights
Include the right to audit the consultant's records related to the engagement. This is particularly important for compliance with federal healthcare regulations and for demonstrating that the arrangement meets safe harbor requirements.
Specialized Healthcare Consulting Areas
Clinical Consulting
Consultants providing clinical expertise (medical directors, clinical advisors, peer reviewers) may face malpractice exposure. The agreement should address:
- Professional liability insurance requirements
- Scope of clinical responsibilities
- Supervision and oversight arrangements
- Documentation requirements
Revenue Cycle and Billing Consulting
Consultants who advise on billing practices or revenue cycle management have unique compliance obligations:
- Adherence to accurate coding practices
- Prohibition on upcoding or unbundling
- Compliance with Medicare and Medicaid billing rules
- Documentation of the basis for billing recommendations
Health IT Consulting
Technology consultants working with healthcare systems must address:
- HIPAA security rule compliance for electronic PHI
- System validation and testing requirements
- Interoperability standards
- Data migration and integrity requirements
Insurance Requirements
Healthcare consulting engagements may require the consultant to carry:
- Professional liability (malpractice) insurance: For consultants providing clinical advice
- Errors and omissions insurance: For non-clinical consultants providing professional services
- Cyber liability insurance: For consultants handling electronic PHI
- General liability insurance: Standard coverage for bodily injury and property damage
Documentation and Record Retention
Healthcare regulations require extensive documentation. The consulting agreement should address:
- What records must be created and maintained
- How long records must be retained (federal healthcare records are typically retained for at least six to ten years)
- How records are stored and protected
- Access rights for auditors and regulators
- Record destruction procedures after the retention period
Healthcare consulting agreements require additional layers of legal and regulatory protection that don't apply in other industries. Both parties must understand and comply with the regulatory framework, and the consulting agreement should reflect these requirements clearly and comprehensively.