What Happens When You’re Not CPOM Compliant: Real Consequences

Many healthcare entrepreneurs treat CPOM compliance as a theoretical concern, something that only matters if you get caught. This is a dangerous assumption. States that enforce the Corporate Practice of Medicine doctrine do so with real teeth, and the consequences of non-compliance range from business-ending cease-and-desist orders to personal criminal liability for the individuals involved. Here is what actually happens when a healthcare business is found to be operating in violation of CPOM laws.

Cease-and-Desist Orders

The most common initial enforcement action is a cease-and-desist order issued by the state attorney general's office or the state medical board. This order directs the non-compliant entity to immediately stop practicing medicine or operating a medical practice.

The impact of a cease-and-desist order is immediate and severe:

• Operations must halt. You cannot see patients, bill insurance, or collect revenue until the violation is cured.
• Patient care is disrupted. Active patients must be notified and referred elsewhere, which can cause clinical harm and destroy patient trust.
• Insurance contracts may be terminated. Payors who learn of a CPOM violation may terminate your contracts and demand repayment of claims paid during the non-compliant period.
• Investors and partners are notified. A cease-and-desist order is often a triggering event under investment agreements, potentially allowing investors to exercise remedies or demand their money back.

Financial Penalties and Fines

CPOM violations can result in significant financial penalties. The specific amounts vary by state, but they can be substantial enough to threaten the viability of a business.

• State medical boards can impose fines per violation, which may be calculated per patient encounter, per day of non-compliance, or per prohibited act
• Attorney general enforcement actions can include civil penalties in addition to disgorgement of profits earned during the non-compliant period
• If the CPOM violation also implicates fee-splitting prohibitions, additional fines apply under those separate statutes

In some states, each patient encounter conducted by a non-compliant entity constitutes a separate violation. A busy telehealth platform seeing 100 patients per day could accrue hundreds of separate violations in a single week.

Criminal Liability

In several states, practicing medicine without a license, or enabling the unlicensed practice of medicine, is a criminal offense. When a corporation that is not owned by a licensed physician operates a medical practice, the individuals who control that corporation can face criminal prosecution.

Criminal exposure in CPOM cases typically includes:

• Misdemeanor charges for unlicensed practice of medicine, which can carry jail time of up to one year and additional fines
• Felony charges in cases involving patient harm, fraud, or repeated violations
• Individual liability for officers, directors, and managers who directed or participated in the non-compliant operations

California, for example, treats the unlicensed practice of medicine as a wobbler offense that can be charged as either a misdemeanor or a felony depending on the circumstances. New York classifies it as a Class E felony.

Examples of Enforcement

CPOM enforcement has accelerated in recent years, particularly in the telehealth and med spa sectors where non-physician ownership is common. While we cannot cite specific company names here, the patterns of enforcement are instructive:

1. Telehealth platforms: Several multi-state telehealth companies have received enforcement actions for employing physicians through non-physician-owned entities, resulting in multi-million-dollar settlements and mandatory corporate restructuring.
2. Med spas and aesthetics: State medical boards have targeted med spas where non-physicians own the practice and physicians serve as figureheads. Enforcement actions have included license revocation for the physician and criminal referrals for the non-physician owner.
3. Private equity-backed practices: As private equity investment in healthcare has grown, regulators have increased scrutiny of arrangements where PE firms effectively control clinical operations through management agreements, resulting in investigations and forced divestitures.
4. Mental health platforms: Online mental health companies have faced enforcement for operating in CPOM states without proper physician-owned professional corporations, leading to cease-and-desist orders and required restructuring.

Collateral Consequences

Beyond the direct legal penalties, CPOM non-compliance creates a cascade of collateral consequences that can be equally devastating:

• Malpractice insurance voidance: If your corporate structure is non-compliant, malpractice insurers may deny coverage for claims arising during the non-compliant period, leaving both the entity and individual providers personally exposed.
• Contract voidability: Courts in some states have held that contracts entered into by a non-compliant entity, including patient agreements and vendor contracts, are void as against public policy.
• Due diligence failure: If you are seeking investment, acquisition, or partnership, CPOM non-compliance discovered during due diligence will likely kill the deal or result in a massive valuation haircut.
• Physician license risk: The physician who serves as a nominal owner in a sham PC arrangement risks disciplinary action against their own medical license, including suspension or revocation.

How to Remediate

If you discover that your healthcare business is not CPOM compliant, the time to act is now, not after you receive an enforcement notice. Remediation typically involves the following steps:

1. Engage healthcare regulatory counsel to assess the scope of the non-compliance and develop a remediation plan
2. Form a compliant PC owned by a licensed physician in each state where you operate
3. Transfer clinical operations from the non-compliant entity to the new PC, including provider employment agreements, payor contracts, and patient records
4. Draft a compliant Management Services Agreement between your MSO and the new PC
5. Implement clinical governance structures that demonstrate genuine physician control over clinical operations
6. Conduct a self-disclosure to the state medical board or attorney general if appropriate, which may reduce penalties and demonstrate good faith

CPOM non-compliance is not a theoretical risk. It is a concrete threat with financial, criminal, and operational consequences. The cost of getting compliant from the start is a small fraction of the cost of remediation after enforcement. If you have any doubt about whether your current structure meets CPOM requirements, Foundry PC can conduct a compliance assessment and help you restructure before regulators come knocking.