From Billing to Sales Pay: Lab Enforcement Is Expanding Fast
- Labmetrics

OIG enforcement is intensifying, and laboratories remain a primary focus.
False Claims Act settlements and judgments exceeded $6.8 billion in fiscal year 2025—a record year. Laboratory-specific enforcement continues at a steady pace, with recent settlements involving kickback schemes, medically unnecessary testing, and improper referral arrangements resulting in multi-million dollar penalties and program exclusions.
For publicly traded laboratory companies, the compliance landscape is even more complex. Beyond OIG oversight, public labs must navigate SEC cybersecurity disclosure requirements, board governance obligations, and the heightened scrutiny that comes with investor transparency expectations.
The labs facing the greatest risk aren't necessarily doing anything intentionally wrong—they simply haven't kept their compliance programs current with evolving enforcement priorities.
Where OIG Is Focusing—and Recent Enforcement Examples
🔍 Anti-Kickback Statute violations – A South Carolina lab recently agreed to pay $6.8M+ and plead guilty to kickback charges for payments disguised as office rental, phlebotomy fees, and consulting arrangements. A Virginia lab paid $758K to resolve allegations of kickbacks to doctors and marketers. These aren't isolated cases—kickback enforcement remains DOJ's top laboratory priority.
📋 Medically unnecessary testing – A Missouri lab paid $13.6M and accepted a 15-year Medicare exclusion for automatically performing expensive PCR tests regardless of physician orders. Blanket testing protocols without individualized patient determinations continue to drive enforcement.
🤖 AI-assisted coding scrutiny – As labs adopt AI tools for coding and billing, regulators are examining whether these systems introduce systematic errors or upcoding patterns. Self-auditing AI outputs against manual review is becoming a compliance essential.
💰 Referral source documentation – Labs must demonstrate that referral relationships are legitimate, properly documented, and compliant with Stark and AKS requirements. Recent settlements highlight that even arrangements that seem routine—consulting fees, medical directorships, marketing commissions—can trigger enforcement when tied to referral volume.
📊 Genetic and molecular testing arrangements – DOJ has pursued multiple settlements involving free genetic testing programs where test results were shared with sales teams or used to target prescribers—conduct viewed as kickbacks even when framed as patient education.
⚠️ EKRA sales compensation violations – The July 2025 Ninth Circuit ruling in U.S. v. Schena fundamentally changed the compliance landscape for laboratory sales compensation. The court upheld criminal convictions for a publicly traded lab executive who paid percentage-based commissions to marketers—and reversed earlier case law that many labs had been relying on. Labs that continue volume-based or commission-based sales compensation face criminal penalties up to $200,000 per occurrence and 10 years imprisonment—and EKRA applies to ALL payors, not just Medicare.
Why EKRA Deserves Immediate Attention
Many laboratories—including publicly traded companies—have not adequately restructured their sales compensation programs since EKRA was enacted in 2018. Industry surveys indicate many large labs took a "wait and see" approach, relying on favorable case law that has now been overturned.
The critical gap: Unlike the Anti-Kickback Statute, EKRA does NOT have a broad safe harbor for bona fide employee compensation. Paying W-2 sales employees based on test volume, referrals, or revenue is potentially criminal under EKRA—even though the same arrangement might be protected under AKS.
What the Schena case means: Commission-based pay isn't automatically illegal, but becomes criminal when combined with any improper conduct—misleading physicians, controlling clinical decisions, or failing to maintain robust compliance controls. Labs that haven't reviewed their compensation structures against EKRA's narrow requirements are exposed.
Additional Compliance Layers for Publicly Traded Laboratories
Public laboratory companies face compliance obligations that extend well beyond traditional OIG requirements:
🏛️ SEC Cybersecurity Disclosure Rules – Public companies must now report material cybersecurity incidents within four business days of materiality determination (Form 8-K) and provide annual disclosures on cybersecurity risk management, strategy, and board oversight (Form 10-K). For labs handling PHI at scale, this creates dual reporting obligations alongside HIPAA.
🔐 HIPAA 2025 Updates – New requirements include mandatory multifactor authentication, enhanced protections for reproductive health data, new AI data use provisions, and mandatory annual compliance audits—adding operational complexity for labs managing large patient datasets.
📑 Corporate Integrity Agreement (CIA) Considerations – Labs that settle FCA cases typically enter five-year CIAs requiring compliance officer appointments, independent review organization (IRO) audits, annual reporting, and reportable event notifications. Refusing a CIA places labs on OIG's "Heightened Scrutiny" list with ongoing monitoring.
👥 Board Governance and Oversight – SEC rules now require disclosure of board oversight of cybersecurity risks and management's role in assessing and managing those risks. Audit committees increasingly expect documented evidence of compliance program effectiveness.
For public labs, compliance failures carry compounding consequences: regulatory penalties, SEC disclosure obligations, investor communication challenges, and reputational exposure that private labs don't face to the same degree.
Six Best Practices to Strengthen Your Compliance Program
1️⃣ Audit Your Referral Sources Annually
Review all referral relationships for AKS and Stark compliance. Document the legitimate business purpose of each arrangement and ensure compensation reflects fair market value. For public companies, ensure documentation supports potential SEC disclosure if arrangements are later questioned.
2️⃣ Review Sales Compensation Against EKRA Requirements
EKRA's safe harbor is narrower than AKS—it only protects compensation that does NOT vary with referrals, tests, or billing. Assess whether any sales or marketing compensation could be tied to volume, and restructure high-risk arrangements before enforcement catches up. The Schena conviction demonstrates this isn't theoretical.
3️⃣ Validate AI Coding Tools Against Manual Review
If your lab uses AI-assisted coding, conduct periodic manual audits to verify accuracy. Establish monitoring protocols to catch systematic errors before they become patterns that attract regulatory attention.
4️⃣ Update Your Compliance Workplan for 2026 Priorities
Compliance workplans should reflect current OIG priorities, not last year's focus areas. Review the OIG Work Plan and recent enforcement actions, and update your internal priorities accordingly.
5️⃣ Conduct Billing Practice Self-Audits
Proactive self-audits of high-volume and high-risk test codes help identify issues before regulators do. Focus on medical necessity documentation, modifier accuracy, and order documentation. For public labs, self-audits also support SEC disclosure readiness if issues arise.
6️⃣ Align Cybersecurity and Compliance Programs
For publicly traded labs, cybersecurity incidents now trigger both HIPAA and SEC reporting obligations. Ensure your compliance team coordinates with IT security on incident response protocols, materiality assessments, and disclosure timelines.
Where LabMetrics Consulting Can Help
At LabMetrics Consulting, we support laboratories across OIG risk areas through comprehensive compliance assessments, IRO support, CIA oversight, billing and coding audits, referral source validation, and specialized guidance for publicly traded organizations navigating SEC, governance, and investor transparency requirements.
Our compliance services include:
✅ OIG compliance audits and scorecards – Comprehensive risk assessment against current enforcement priorities
✅ Independent Review Organization (IRO) services – Third-party audits for AKS, Stark, and billing compliance as required under CIAs
✅ Corporate Integrity Agreement (CIA) oversight – Ongoing support for labs under CIA obligations, including annual reporting and reportable event management
✅ Billing and coding audits – Identifying patterns that could trigger regulatory scrutiny, including AI coding validation
✅ Referral source validation – Documenting compliant referral relationships and fair market value assessments
✅ Compliance workplan development – Annual workplans aligned with current OIG priorities
✅ EKRA compensation structure review – Assessing sales and marketing compensation arrangements against EKRA's narrow safe harbor requirements
✅ Publicly traded company guidance – Specialized support for SEC reporting, board governance documentation, and cybersecurity disclosure readiness
Recent Success: We helped a genetics laboratory address OIG risk areas across billing, referral documentation, and AI-driven coding, resulting in zero findings during a subsequent regulatory review.
Your Next Step
If compliance readiness is part of your 2026 planning, now is the time to assess your program against current enforcement priorities.
P.S. The cost of proactive compliance is a fraction of the cost of enforcement. Let's discuss how to strengthen your program before regulators come knocking.
LabMetrics Consulting | Laboratory Strategic Planning, Revenue Cycle Optimization, Compliance & Technology Integration