I’m not a healthcare contracts specialist. I should say that up front. I’ve spent my career in commercial contract management across multiple industries, and healthcare has only been one of them. But the year I spent helping a regional health system get its contract house in order taught me something I think about a lot: every mistake I’ve seen in commercial contracts, healthcare makes worse. Not because healthcare people are bad at their jobs. Because the regulatory environment turns ordinary contract problems into six- and seven-figure problems.

A missed renewal deadline at a software company means you’re stuck with a bad SaaS deal for another year. A missed renewal deadline on a physician compensation agreement can mean you’ve been making payments that don’t comply with Stark Law for six months. One of those costs you money. The other one costs you money and triggers a federal investigation.

The volume problem, multiplied

Most mid-size companies I’ve worked with manage somewhere between 200 and 800 active contracts. A regional hospital system? Industry estimates put the average at over 1,200 contracts per facility, and that’s before you count the payer agreements, the physician employment deals, the locum tenens arrangements, the equipment leases, the BAAs with every vendor who touches patient data, and the GPO (group purchasing organization) contracts that govern how you buy everything from surgical gloves to MRI machines.

And each one of those contract types has its own regulatory overlay. Physician compensation agreements have to satisfy Stark Law: fair market value, commercial reasonableness, and a signed written agreement. Vendor contracts that touch protected health information need Business Associate Agreements that comply with HIPAA. Payer contracts have reimbursement terms that shift every time CMS updates its rules. Equipment leases need to fit an Anti-Kickback Statute safe harbor (or otherwise withstand AKS scrutiny) so that you're not accidentally receiving something of value in exchange for referrals.

In most industries, a contract is a business document. In healthcare, a contract is a compliance artifact. Every clause is potentially evidence in a future audit.

The compliance gap nobody wants to talk about

Here’s what surprised me most about that health system engagement: they had a compliance department. They had legal counsel. They had policies. What they didn’t have was a way to actually see their contracts. Not all of them, not in one place, and not with any ability to search or report.

That’s not unusual. Hallmark Health Care Solutions estimates that 96% of healthcare organizations either lack a contract management system entirely or use one that’s sub-functional for the complexity of provider arrangements. Ninety-six percent. In an industry where a single non-compliant physician compensation arrangement can trigger False Claims Act liability.

Think about what that means in practice. You have a compliance officer whose job is to make sure physician compensation meets fair-market-value standards. But the actual contracts that define that compensation are scattered across HR’s files, the medical staff office, a shared drive that three people have access to, and a filing cabinet in the CFO’s office. The compliance officer can’t audit what they can’t find.

Why Stark Law is a contract management problem

I want to spend a minute on Stark Law because it illustrates how healthcare turns a basic contract management failure into a crisis.

The Physician Self-Referral Law (Stark) prohibits physicians from referring Medicare patients for designated health services to entities with which they (or an immediate family member) have a financial relationship, unless that relationship fits within a specific exception. Most physician employment and compensation arrangements qualify for an exception, but only if the compensation is at fair market value, the arrangement is commercially reasonable, the compensation doesn't vary with the volume or value of referrals, and the terms are set out in a signed written agreement.

Here’s the part that matters for contract management: if the written agreement expires, or if the compensation terms changed but the contract wasn’t updated, the exception may no longer apply. Stark is a strict-liability statute, so intent doesn't matter. And if the exception doesn’t apply, every Medicare claim billed from that physician’s referrals during the gap is a claim the entity wasn’t entitled to submit, and potentially a False Claims Act violation. The penalties aren’t theoretical. Stark Law violations carry civil monetary penalties of up to $15,000 per service and $100,000 per circumvention arrangement or scheme (statutory base amounts, adjusted upward for inflation each year), plus refunding every improperly billed claim, and the False Claims Act adds treble damages and per-claim penalties on top of that.

Icertis documented a case where an Alabama healthcare group was fined $24.5 million because referral terms from contracts originally executed in the 1990s, carried forward through mergers, were deemed illegal kickbacks under Stark. The contracts were old. Nobody had reviewed them. The arrangements they described no longer reflected reality. And the penalty was $24.5 million.

That’s not a legal problem. That’s a contract lifecycle management problem. Someone needed to flag those contracts for review when the mergers happened. Someone needed to confirm the terms still met fair-market-value standards. Someone needed a system that could surface a contract from the 1990s and say: this needs attention.

The data breach dimension

There’s another piece of the healthcare contract puzzle that doesn’t exist (or doesn’t matter as much) in other industries: the Business Associate Agreement.

Under HIPAA, any vendor, contractor, or partner that creates, receives, maintains, or transmits protected health information on your behalf needs a BAA that spells out how they’ll protect that data. Not having a BAA in place is a violation by itself, before anything goes wrong; if that vendor then has a breach, you're on the hook for both. If you have a BAA but it doesn’t contain the provisions HIPAA requires, you might still be on the hook.

The financial exposure here is staggering. IBM and the Ponemon Institute found that healthcare data breaches cost an average of $9.77 million per incident in 2024, making healthcare the most expensive industry for breaches for the fourteenth consecutive year. The next closest industry (financial services) was $6.08 million. Healthcare isn’t just more expensive; it’s in a different category.

And BAAs are fundamentally a contract management task. You need to know: which vendors have access to PHI? Do they all have current, executed BAAs? Do those BAAs include the right provisions? Do they flow down to the vendor’s own subcontractors who touch your PHI? When was each one last reviewed? If a vendor gets acquired, does the BAA transfer?

At the health system I worked with, they had over 60 vendors with access to patient data. They could produce BAAs for about 40 of them. The other 20? Some probably existed somewhere in someone’s email. Some might never have been executed at all. Each one of those gaps was a potential HIPAA violation waiting for a trigger.

The enforcement environment is not messing around

I want to be clear about something: healthcare contract compliance isn’t one of those areas where the regulations exist on paper but nobody enforces them.

The HHS Office of Inspector General’s Spring 2025 report to Congress identified over $16.6 billion in healthcare fraud, overpayments, and improper payments in a single six-month period. The OIG conducted 744 civil and criminal enforcement actions during that window. And the Department of Justice’s 2025 National Health Care Fraud Takedown resulted in criminal charges against 324 defendants in schemes totaling over $14.6 billion.

These aren’t abstract numbers. These are real organizations getting real fines for problems that, in many cases, started with contracts that weren’t properly managed, reviewed, or updated.

What I’d do differently now

Looking back at that health system engagement, here’s what I’d tell someone walking into a similar situation.

Start with physician agreements. These carry the highest regulatory risk per contract. Get every physician compensation arrangement into a single repository, with expiration dates tracked and fair-market-value review schedules attached. If you do nothing else, do this.

Map your BAAs. Build a list of every vendor that touches PHI. Match each one against an executed BAA. The gaps you find will scare you, and that’s the point. Closing them is straightforward once you know where they are.

Set up expiration alerts. In healthcare, a contract that expires without being renewed isn’t just an administrative inconvenience. It’s a potential compliance violation. Automated alerts (I use ContractSafe for this in my current role, though any decent system will do it) are the minimum. Someone needs to own the response to each alert, not just receive the notification.

Connect contracts to compliance. Your compliance team should be able to query your contract repository the same way they query your billing system. If they can’t see the contracts, they can’t audit the contracts, and if they can’t audit the contracts, they’re guessing.

Don’t assume contracts survive mergers. The Alabama case I mentioned earlier happened because contracts from the 1990s were carried forward through mergers without review. If your organization acquires another entity, every contract in that entity’s portfolio needs a compliance review. Not eventually. Before you start operating under those agreements.
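The reconciliation those five steps describe (vendor-to-BAA matching, expiration alerts with an owner, overdue fair-market-value reviews, and a staleness check for inherited or never-reviewed agreements) is mechanical enough to script against a register export. The following is an added example written for this post, not a tool from the author or from any CLM vendor; the record shapes, the field names such as `fmv_review_due` and `last_reviewed`, and the vendor and contract rows are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical record shapes. A real register would be exported from the CLM
# or a spreadsheet; the field names here are assumptions for the example.
@dataclass(frozen=True)
class Vendor:
    name: str
    phi_access: bool            # creates/receives/maintains/transmits PHI for us
    owner: str                  # person accountable for the relationship

@dataclass(frozen=True)
class Contract:
    counterparty: str
    kind: str                   # "BAA", "physician_comp", "equipment_lease", ...
    executed: bool              # signed by both parties, not just drafted
    expires: Optional[date]     # None means evergreen / no fixed term
    owner: str                  # who must act on an alert for this contract
    last_reviewed: Optional[date] = None
    fmv_review_due: Optional[date] = None   # physician_comp only

def is_active(c: Contract, today: date) -> bool:
    """Executed and not past its expiration date."""
    return c.executed and (c.expires is None or c.expires >= today)

def baa_gaps(vendors, contracts, today: date):
    """Step 2: vendors with PHI access but no active, executed BAA on file."""
    covered = {c.counterparty for c in contracts
               if c.kind == "BAA" and is_active(c, today)}
    return sorted(v.name for v in vendors if v.phi_access and v.name not in covered)

def expiration_alerts(contracts, today: date, window_days: int = 90):
    """Step 3: (counterparty, kind, days_left, owner) for every dated contract
    expiring within the window. Negative days_left means it already lapsed,
    which in healthcare is the case that needs the fastest response."""
    alerts = []
    for c in contracts:
        if c.expires is None:
            continue
        days_left = (c.expires - today).days
        if days_left <= window_days:
            alerts.append((c.counterparty, c.kind, days_left, c.owner))
    return sorted(alerts, key=lambda a: a[2])

def overdue_fmv_reviews(contracts, today: date):
    """Step 1: physician compensation arrangements whose scheduled FMV review is past due."""
    return sorted(c.counterparty for c in contracts
                  if c.kind == "physician_comp"
                  and c.fmv_review_due is not None and c.fmv_review_due < today)

def stale_reviews(contracts, today: date, max_age_days: int = 3 * 365):
    """Step 5: contracts never reviewed, or not reviewed within max_age_days.
    This is the check that would have surfaced the 1990s agreements."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted(c.counterparty for c in contracts
                  if c.last_reviewed is None or c.last_reviewed < cutoff)

# Constructed sample data (not real vendors or physicians).
TODAY = date(2025, 3, 10)
VENDORS = [
    Vendor("Billing Co", True, "CIO"),
    Vendor("Cloud Imaging", True, "Radiology"),
    Vendor("Transcription LLC", True, "HIM"),
    Vendor("Landscaping Inc", False, "Facilities"),
]
CONTRACTS = [
    Contract("Billing Co", "BAA", True, date(2026, 6, 30), "CIO", date(2024, 7, 1)),
    Contract("Cloud Imaging", "BAA", False, None, "Radiology"),             # draft only
    Contract("Transcription LLC", "BAA", True, date(2024, 12, 31), "HIM",  # lapsed
             date(2023, 1, 15)),
    Contract("Dr. A", "physician_comp", True, date(2025, 4, 15), "Medical Staff Office",
             date(2024, 12, 1), fmv_review_due=date(2025, 1, 1)),
    Contract("Dr. B", "physician_comp", True, date(2026, 12, 31), "Medical Staff Office",
             date(2019, 5, 1), fmv_review_due=date(2025, 9, 1)),
    Contract("MRI Vendor", "equipment_lease", True, date(2025, 3, 1), "Facilities",
             date(2022, 2, 1)),
]

if __name__ == "__main__":
    print("PHI vendors without an active BAA:", baa_gaps(VENDORS, CONTRACTS, TODAY))
    for name, kind, days, owner in expiration_alerts(CONTRACTS, TODAY):
        state = "LAPSED" if days < 0 else "expires in"
        print(f"  {name} ({kind}): {state} {abs(days)} days -> owner {owner}")
    print("Overdue FMV reviews:", overdue_fmv_reviews(CONTRACTS, TODAY))
    print("Stale or never reviewed:", stale_reviews(CONTRACTS, TODAY))
```

Every alert carries an owner, because a notification nobody is accountable for is the same as no notification. The example treats a BAA that exists only as an unsigned draft and a BAA that has expired identically: in both cases the vendor is handling PHI with no agreement in force, which is the gap the regulator will count.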

The basics matter more, not less

Every post I write on this blog is some version of the same argument: the fundamentals of contract management (know what you have, know when it expires, know what it requires, keep it where people can find it) solve most of the problems that cause pain. Healthcare doesn’t change that argument. It amplifies it.

In healthcare, you’re not just managing business risk. You’re managing regulatory risk, patient safety risk, and financial penalties that can threaten the viability of the organization. The same contract management failures that cost a tech company some money and some embarrassment can cost a healthcare system millions of dollars and its ability to participate in federal programs.

The answer isn’t a healthcare-specific CLM (though some exist). The answer is doing the basics well and understanding that in healthcare, the basics aren’t optional. They’re the thing standing between you and an OIG investigation.

I’m not a healthcare lawyer. I can’t tell you whether your specific physician arrangement satisfies a Stark Law exception. But I can tell you that if you can’t find the contract that defines that arrangement, you’ve got a problem no lawyer can solve for you.
