A guide for medical leadership and compliance teams navigating Corporate Practice of Medicine risk.
Important: This article is for informational purposes only and does not constitute legal advice. Organizations should consult qualified healthcare regulatory counsel for advice on their specific structure and contracts.
If you sit in medical leadership or compliance at an MSO, multi-site group, health system, or rural network, you live in the tension between:
The need to scale care-management (CCM, RPM, BHI, TCM, G0511, etc.).
The reality of Corporate Practice of Medicine (CPOM) laws, Stark, Anti-Kickback, FCA, and HIPAA.
Physicians who are rightly protective of their autonomy and judgment.
The market research behind this site surfaces a consistent theme:
MSOs and independent groups want the operational leverage of outsourced care-management.
Medical leaders and compliance officers are wary of vendors drifting into "shadow practice" or creating regulatory exposure.
CPOM is viewed as one of the most fundamental structural constraints on how non-physician entities can participate in care delivery.
This post is about what CPOM actually means in the context of outsourced care-management—and how to design a model that is physician-led, CPOM-sensitive, and audit-ready.
1. CPOM, in plain language for clinical and compliance leaders
Every state is different, and the details belong with your legal team. But at a high level, CPOM laws are about two core ideas:
Who can "practice medicine".
Who can control the practice of medicine.
Many states restrict:
Corporate entities from directly employing physicians or "practicing medicine."
Non-physician entities from exercising control over clinical decisions.
Practically, that drives structures like:
"Friendly PC" models, where a physician-owned professional corporation (PC) delivers care.
Management Services Organizations (MSOs) that provide non-clinical services (staffing, IT, revenue cycle, care-management support) under a management agreement.
Compensation and control structures that must avoid looking like the MSO or vendor is de facto running the medical practice.
The research you've seen highlights three recurring concerns:
MSO or vendor agreements that exert too much control over clinical staffing, scheduling, or protocols.
Ambiguity about roles and responsibilities between medical group, MSO, and vendor.
Physician fear of losing autonomy or being second-guessed by a corporate entity.
When you add outsourced care-management—people who call your patients, document in your EMR, and influence care plans—those concerns become very real.
2. Where outsourced care-management can run into CPOM problems
Outsourced care-management can be a huge relief valve for staffing and burnout. But if it's designed poorly, it can:
Look like a non-physician entity is practicing medicine.
Create questions about who is actually controlling care.
Raise red flags under CPOM, AKS, Stark, and FCA lenses simultaneously.
2.1 Blurring the line between support and clinical decision-making
Risky patterns include:
Vendor staff initiating or changing medication regimens without clear physician orders.
Non-physician team members diagnosing new conditions or independently determining "medical necessity."
Care-management scripts that override clinician judgment instead of supporting it.
Workflows that route critical decisions through the vendor without explicit, documented supervision routes.
From a CPOM perspective, this can look like the vendor, not the physician entity, is effectively practicing medicine.
2.2 Shadow control through contracts and tools
Other risks are structural:
Management or services agreements that give the vendor too much control over clinical staffing, scheduling, or protocols.
Care-management platforms that force clinicians into vendor-defined workflows with no meaningful local governance.
Performance metrics or compensation that are tied inappropriately to volume or value of referrals or services.
Taken together, these can suggest the vendor is exercising de facto control over the practice, which is exactly what CPOM is meant to prevent.
2.3 Ambiguous roles: who is accountable for what?
The research also flagged:
"Clarity of roles and responsibilities" as a critical compliance and operational risk.
Increased audit exposure for small FQHCs and rural providers when documentation and responsibilities are unclear.
Without a clear RACI (who is Responsible, Accountable, Consulted, Informed), it's hard to prove:
Who is clinically accountable for decisions.
Who is operationally responsible for outreach and documentation.
How you distinguish between the physician entity and the management/vendor entity.
That ambiguity is uncomfortable for medical directors—and attractive to regulators and payers looking for enforcement targets.
3. A CPOM-sensitive model: physician-led, vendor-supported
The solution isn't to avoid outsourcing. It's to design the outsourced model around CPOM principles.
At LOGIC, we frame it this way:
Physicians and APPs own the practice of medicine.
We own the operational execution of defined care-management tasks under their supervision.
3.1 Define "we do" vs "you do" in clinical terms
A healthy model draws a bright line between:
Clinical judgment:
Diagnosing conditions.
Initiating or changing medications.
Making treatment plan decisions.
Determining medical necessity.
Care-management execution:
Outreach and education based on agreed protocols.
Collecting vitals, histories, and social context.
Documenting time, touches, and symptoms in the EMR.
Coordinating referrals and appointments.
Surfacing structured summaries and exceptions to clinicians.
In practice, that means documenting that:
The physician entity is Accountable for diagnosis, treatment, and plan changes.
The vendor or MSO is Responsible for executing specific, protocol-driven tasks under supervision.
If you can't explain that division of labor to your state board or a CMS auditor in a sentence or two, it's probably not clear enough.
3.2 Local governance approving protocols and scripts
To stay on the right side of CPOM:
Clinical protocols, call scripts, and escalation rules should be approved by your medical leadership, not imposed by a vendor.
Medical directors should have a real say in how care-management workflows operate for their population.
Changes to protocols—especially those that affect escalation criteria or medication-related conversations—should go through a formal governance process.
The vendor can bring patterns and best practices, but the clinical authority over those patterns must reside with the physician entity.
3.3 Supervision pathways visible in the EMR
CPOM isn't just about contracts; it's about what happens in the record.
Good patterns:
Tasks and notes from care-management staff route to a named supervising provider.
Physicians/APPs see and sign off on material changes to care plans.
There is a clear documentation trail of who reviewed what and when.
The key question to be able to answer:
"If a board or regulator looked only at the EMR, would it be obvious that physicians—not vendors—are directing care?"
4. CPOM in the context of AKS, Stark, and FCA
Your compliance team doesn't look at CPOM in isolation.
The research you've seen ties CPOM concerns to broader fraud and abuse risk:
Anti-Kickback Statute (AKS) and Stark Law:
Management fees and compensation must be fair-market value and not tied to volume or value of referrals.
Arrangements that are too aggressive about driving billable volume can raise eyebrows.
False Claims Act (FCA):
Incorrect billing and coding, or services that don't meet documentation expectations, can trigger significant liability.
Outsourced care-management must fit inside this broader risk frame.
4.1 Compensation and FMV
Best practices:
Structure fees based on fair-market value for services actually provided, not a pure percentage of collections.
Avoid incentives that directly reward volume of referrals or specific high-value services.
Give your legal and valuation teams clear visibility into what the vendor is doing and how those activities are measured.
LOGIC's engagements are designed so:
Fees reflect the operational workload and complexity (panels, programs, reporting), not just "more codes = more money."
Clients retain control over coding policies and billing; we do not submit claims.
There is a clear separation between clinical decision-making and care-management execution.
4.2 Documentation and FCA/RCM risk
The research also emphasized:
High denial rates and recoupments driven by slight documentation deviations.
Increased Medicaid integrity audit activity for RHCs and FQHCs.
For outsourced care-management, that means:
Time-tracking, consent, care-plans, and supervision need to be encoded in the documentation pattern, not left to chance.
Vendors should help you build an audit-ready evidence pack for CCM, RPM, and G0511—not just more free-text notes.
This is where CPOM-sensitive design meets revenue cycle protection.
5. A CPOM-aware operating model for outsourced care-management
Here's what a healthy model looks like when you put it all together.
5.1 Governance & agreements
The physician entity (or Friendly PC) retains clinical control and employs or contracts with clinicians.
The MSO and/or vendor provides non-clinical services under a management or services agreement reviewed by counsel.
The agreement and related documents clearly describe:
Scope of services (care-management tasks, staffing, reporting).
CPOM-sensitive role boundaries (what the vendor does not do).
Oversight and governance mechanisms.
5.2 Role clarity and RACI
Document a RACI that distinguishes:
Physicians/APPs:
Diagnose, treat, and manage clinical plans.
Approve care-management protocols and escalation policies.
Supervise and review escalated cases and summaries.
Vendor/MSO care-management staff:
Execute defined outreach and monitoring tasks.
Document according to standardized templates.
Escalate issues based on agreed criteria.
Compliance & risk:
Review structure for CPOM, AKS, Stark, FCA implications.
Monitor documentation, audit results, and incidents.
RCM/finance:
Own coding and billing decisions.
Monitor denials, yield, and audit feedback.
5.3 EMR-embedded workflows
Make the CPOM-safe model visible in the EMR:
Use distinct encounter types and templates for care-management programs.
Capture time, consent, program type, and supervising provider in structured fields.
Ensure escalations route to named clinicians and that sign-off is documented.
6. CPOM checklist for outsourced care-management
Here's a practical checklist for medical leadership and compliance to use when evaluating or redesigning an outsourced care-management arrangement:
[ ] Have CPOM, Stark, AKS, and FCA implications been reviewed by qualified healthcare regulatory counsel?
[ ] Does the agreement clearly define scope of services and explicitly state that the vendor does not practice medicine?
[ ] Is there a written RACI that distinguishes clinical judgment from operational execution?
[ ] Are care-management protocols and scripts approved by medical leadership and updated through a formal governance process?
[ ] Are supervision pathways and responsibilities visible in the EMR workflows (tasks, notes, sign-offs)?
[ ] Are vendor fees structured to reflect fair-market value for services, not volume or value of referrals?
[ ] Can we quickly produce an evidence pack (time logs, consent, care plans, supervision) for a sample of CCM/RPM/G0511 patients?
[ ] Do physicians and APPs feel they retain autonomy over clinical decisions and care plans?
[ ] Are denials, audits, and compliance incidents regularly reviewed with medical leadership, RCM, and compliance together?
[ ] Is the operating model designed to be consistent across sites, while allowing for legitimate state-by-state CPOM variation?
Any "no" on this list is either a CPOM issue or an opportunity to tighten governance.
7. How LOGIC approaches CPOM in outsourced care-management
LOGIC was built with CPOM and compliance risk in mind from the start.
We design our role as:
An extension of your care-management capacity—not a replacement for your medical judgment.
In practice, that means:
We work inside your existing EMR, under your supervision policies.
We provide time-tracking, consent, care-plan, and documentation workflows aligned with CMS care-management frameworks.
Physicians and APPs remain the ones who diagnose, prescribe, and change plans; we execute the outreach, monitoring, and coordination work that supports them.
We help your teams build an audit-ready, documentation-first approach to CCM, RPM, and related programs.
We expect—and welcome—legal and compliance review. Our job is to:
Make it easier for your counsel and compliance teams to see where boundaries are.
Provide the operational discipline and data that support their risk management goals.
Help physicians feel that outsourced care-management is a force multiplier, not a threat to autonomy.
If you're wrestling with how to scale care-management under a CPOM-sensitive model—and want to see what that looks like concretely in the EMR, contracts, and governance—this is exactly the conversation we're built to have.