Vertical guide · Updated June 2026

Healthcare regulatory attorney time tracking: HIPAA breach response calls, Stark/AKS advisory coordination, and Medicare enrollment monitoring

Healthcare regulatory practice — HIPAA privacy and security compliance, Stark Law and Anti-Kickback Statute compensation arrangement advisory, Medicare and Medicaid provider enrollment and exclusion defense, FDA regulatory pathway advisory, CMS audit and overpayment refund compliance, and OIG voluntary self-disclosure — generates three billing-gap sources driven by regulatory timelines rather than the attorney's billing calendar: HIPAA breach response and risk analysis coordination calls (20 incidents × 6 calls × 30 min × 55% untracked = $16,500–$33,000/year at $250–$500/hr), Stark/AKS compensation arrangement advisory calls before a formal opinion is requested (25 arrangements × 5 calls × 25 min × 60% untracked = $15,625–$31,250/year), and Medicare/Medicaid enrollment and revalidation monitoring calls (30 matters × 4 calls × 20 min × 55% untracked = $11,000–$22,000/year). For a solo healthcare regulatory attorney, the annual billing gap is $45,000–$85,000.

TL;DR

ClaimHour captures every HIPAA breach notification triage call before the billing matter opens, every Stark/AKS structure advisory call before the formal opinion request, and every Medicare ADI letter response call when CMS sends a request — passively, no timer, no audio, no call contents. $29–$59/mo. No PMS required.

HIPAA breach response: risk assessment calls before the 60-day clock triggers

HIPAA breach response generates one of the most structurally misaligned billing gaps in healthcare regulatory practice. The 60-day breach notification clock under 45 C.F.R. § 164.412 begins running from the date the covered entity or business associate discovers the incident — which is the date the attorney receives the urgent call, not the date the billing matter is formally opened. The covered entity's privacy officer or CISO calls immediately upon discovering a potential security incident: a ransomware event, an unauthorized EHR access, a misdirected fax containing PHI, or a lost unencrypted laptop. The attorney immediately begins substantive analysis on this call — without a billing matter, without an engagement letter, and without any advance notice.

HIPAA breach response call types:
(1) initial incident triage call (25–40 min) — the attorney assesses the incident facts against the HIPAA Security Rule safeguard requirements (45 C.F.R. §§ 164.308–164.318), identifies whether a business associate's systems were involved, and determines whether the incident triggers the four-factor breach risk assessment under 45 C.F.R. § 164.402;
(2) forensic investigation status calls (15–25 min each) — as the client's IT vendor or external forensic investigator reports findings, the attorney evaluates whether the investigation findings satisfy the breach risk assessment factors and advises on scope expansion;
(3) business associate agreement analysis call (20–30 min) if the incident involves a vendor who processes PHI — the attorney must evaluate whether the vendor's BAA includes adequate security incident reporting and indemnification provisions;
(4) risk assessment documentation call (20–35 min) — the attorney dictates the risk assessment narrative the privacy officer must retain to document the reasonable determination that the incident was not a reportable breach, or documents the determination that notification is required;
(5) OCR voluntary compliance call (25–40 min) — if the breach requires HHS OCR notification, the attorney advises on whether to proactively contact OCR before the 60-day deadline to facilitate voluntary compliance credit.

At 55% untracked: 20 breach incidents/year × 6 calls × 30 min × 55% = 33 hours = $8,250–$16,500/year. Annual HIPAA security risk analysis advisory for 10 ongoing clients × 4 calls × 25 min × 55% = 18.3 hours = $4,583–$9,167/year. HIPAA gap: $16,500–$33,000/year.

State privacy law compliance calls — CCPA (California Consumer Privacy Act), CIPA (California Invasion of Privacy Act), state health data protection laws — have expanded the call structure for healthcare regulatory attorneys whose covered entity clients operate in multiple states. Data subject rights request (DSAR) triage calls (10–20 min each) arrive when the covered entity receives a DSAR under state law that is not co-extensive with HIPAA's access rights, requiring the attorney to evaluate whether the HIPAA authorization framework satisfies the state law's response requirements.

Stark/AKS advisory: compensation structure calls before the formal opinion

Stark Law and Anti-Kickback Statute advisory generates billing gaps because the most valuable guidance the healthcare regulatory attorney provides — early-stage identification of whether a proposed compensation arrangement creates Stark or AKS exposure — happens in informal advisory calls before the client decides to commission a formal written opinion. Physicians and hospital administrators call with proposed compensation structures at the earliest stages of deal formation, when the arrangement is still being designed and the parties are evaluating whether the economics work. These calls provide substantial legal value (steering the arrangement toward an applicable Stark exception or AKS safe harbor during the design phase costs far less than remediation after the arrangement is executed and its structure is fixed), but they precede any billing matter because the client is not yet sure whether to proceed with the arrangement at all.

Stark/AKS advisory call types:
(1) proposed arrangement structure call (20–35 min) — the client describes the proposed compensation terms and service scope; the attorney evaluates which Stark exceptions and AKS safe harbors are potentially applicable and what structural modifications would be needed to fit within an exception or safe harbor;
(2) fair market value benchmarking call (15–30 min) — the attorney discusses whether the proposed compensation rate is defensible under the relevant FMV benchmarks (AMGA Survey of Medical Group Compensation, MGMA Physician Compensation and Production Survey, Merritt Hawkins compensation benchmarks) and whether an independent FMV opinion is needed to establish commercial reasonableness;
(3) OIG advisory opinion evaluation call (20–30 min) — for novel arrangements without applicable safe harbor coverage, the attorney evaluates whether the facts are specific enough to support a formal OIG advisory opinion request and whether the OIG's historical advisory opinion guidance suggests a favorable result;
(4) voluntary disclosure strategy call (25–45 min) — if the attorney discovers a historical arrangement that was not structured within a Stark exception (and therefore constitutes a technical Stark violation with CMS overpayment refund obligation), the attorney advises on whether to use the Stark Voluntary Self-Referral Disclosure Protocol (SRDP) or wait for a CMS audit.

At 60% untracked: 25 arrangements/year × 5 calls × 25 min × 60% = 31.25 hours = $7,813–$15,625/year. SRDP and OIG self-disclosure preparation adds 5 matters × 6 calls × 30 min × 55% = 13.75 hours = $3,438–$6,875/year. Stark/AKS gap: $15,625–$31,250/year.

Physician practice acquisition due diligence calls — when a private equity-backed management services organization (MSO) or hospital system acquires a physician practice — generate a concentrated pre-closing call cluster (8–12 calls in 30–45 days) to evaluate the target practice's Stark and AKS compliance history, identify unresolved technical violations, and structure the post-acquisition compensation arrangements within the applicable exceptions. Each due diligence call generates substantive advisory work that collapses into a single 'due diligence review' billing entry at reconstruction.

Medicare enrollment and revalidation: ADI letter calls on CMS's schedule

Medicare provider enrollment — initial enrollment, change of information, revalidation, and reactivation through the CMS-855 form series — generates monitoring calls that arrive on CMS's administrative schedule rather than the attorney's billing calendar. CMS and State Medicaid agencies issue Requests for Additional Information (ADI letters) during enrollment review when the provider's application is incomplete or when CMS's background check requirements generate additional verification requests. The ADI letter typically requires a response within 30 days; the provider calls the attorney immediately upon receiving it because the provider cannot bill Medicare while the enrollment is pending and the 30-day ADI response deadline represents a real revenue risk.

Medicare enrollment monitoring call types:
(1) ADI letter receipt and response coordination call (15–25 min) — the attorney evaluates the ADI letter's documentation requirements and advises the provider's billing team on what records to submit;
(2) enrollment status monitoring calls (10–20 min) — providers call to check on the status of a pending enrollment when credentialing deadlines approach (hospitals and health systems require active Medicare enrollment before a physician can begin seeing patients; the credentialing committee deadline creates urgency);
(3) revalidation notice calls (20–35 min) — CMS sends revalidation notices on a 5-year cycle; when a provider receives the revalidation notice, they call the attorney for assistance completing the revalidation application and avoiding an inadvertent deactivation;
(4) post-deactivation reactivation calls (25–40 min) — when a provider's enrollment is deactivated for failure to respond to a revalidation notice, the attorney must assist with an expedited reactivation application while simultaneously ensuring the provider has stopped billing under the deactivated enrollment.

At 55% untracked: 30 enrollment matters/year × 4 calls × 20 min × 55% = 22 hours = $5,500–$11,000/year. OIG exclusion defense — responding to a Notice of Intent to Exclude under 42 U.S.C. § 1320a-7 — adds 5 matters × 10 calls × 30 min × 60% = 15 hours = $3,750–$7,500/year. Enrollment gap: $11,000–$22,000/year.

The No Surprises Act compliance advisory — billing and payment dispute requirements for out-of-network providers under the NSA's independent dispute resolution (IDR) process — generates a new category of monitoring calls for healthcare regulatory attorneys advising providers on IDR submissions. Each IDR submission generates 2–4 status calls with the provider's billing team across the 30-day IDR determination period.

How ClaimHour fits healthcare regulatory practice

If you advise healthcare providers and health systems on HIPAA compliance, Stark/AKS arrangements, and Medicare enrollment — and your invoices consistently understate the breach triage calls before the 60-day clock starts, the Stark advisory calls before the formal opinion is commissioned, and the ADI letter response calls when CMS sends its requests — ClaimHour was built for that gap. The passive capture logs every client call (iOS call metadata: duration, timestamp, direction — not content), every email advisory session, and every document review session. A 2-minute evening digest surfaces each unmatched call for matter attribution. No audio. No call contents. No email bodies. Privilege is preserved under ABA Formal Opinion 512. Join the waitlist and we'll email when early access opens.

Related questions

How do HIPAA breach response calls generate billing gaps?

The 60-day notification clock starts at discovery — when the urgent call arrives, before any billing matter exists. Five call types: incident triage (25–40 min), forensic investigation status (15–25 min each), BAA analysis (20–30 min), risk assessment documentation (20–35 min), OCR voluntary compliance strategy (25–40 min). At 55% untracked: 20 incidents × 6 calls × 30 min × 55% = 33 hours = $8,250–$16,500/year. Annual risk analysis advisory adds 10 clients × 4 calls × 25 min × 55% = 18.3 hours = $4,583–$9,167/year.

How do Stark/AKS advisory calls generate billing gaps?

The most valuable guidance happens at deal formation, before any formal opinion is commissioned. Four call types: arrangement structure (20–35 min), FMV benchmarking (15–30 min), OIG advisory opinion evaluation (20–30 min), voluntary disclosure strategy (25–45 min). At 60% untracked: 25 arrangements × 5 calls × 25 min × 60% = 31.25 hours = $7,813–$15,625/year. SRDP/OIG self-disclosure preparation adds 5 matters × 6 calls × 30 min × 55% = 13.75 hours = $3,438–$6,875/year.

What makes Medicare enrollment monitoring calls difficult to capture?

CMS issues ADI letters on its review schedule; providers call immediately on receipt because revenue billing depends on active enrollment status. Four call types: ADI receipt and response (15–25 min), enrollment status monitoring (10–20 min), revalidation notice (20–35 min), post-deactivation reactivation (25–40 min). At 55% untracked: 30 matters × 4 calls × 20 min × 55% = 22 hours = $5,500–$11,000/year. OIG exclusion defense adds 5 matters × 10 calls × 30 min × 60% = 15 hours = $3,750–$7,500/year.

What role does FDA regulatory advisory work play in healthcare regulatory billing?

Pre-submission meeting preparation calls arrive when the client's regulatory affairs team is ready — not on the attorney's billing calendar. Call types: Q-Sub preparation (25–40 min), complete response letter analysis (30–45 min), off-label promotion compliance (15–25 min each). At 55% untracked: 15 FDA matters × 5 calls × 25 min × 55% = 17.2 hours = $4,292–$8,583/year. Combination product classification calls add 3–4 consultation calls before each Request for Designation is filed.
