Alexa, Are You Listening?
Smart speakers like Alexa and Google Nest are common in both offices and home workspaces—but they introduce real HIPAA risk. Because voice assistants continuously listen for activation, patient information can be captured unintentionally during calls, charting, or telehealth visits. This post explains why smart speakers create compliance exposure, how HIPAA applies, and what a clear smart device policy should include.

Jessica Zeff
1 day ago · 3 min read


Attributed Patients Aren’t Automatically Your Patients: A Compliance Reality Check for Providers
Attribution lists are common in value-based care—but they’re often misunderstood. Being “attributed” to a provider does not automatically create a treatment relationship or grant access to a patient’s clinical record. This post explains where organizations go wrong, why pre-engagement record access creates real HIPAA risk, and how to structure outreach, role-based access, and documentation so compliance keeps pace with population health goals.

Jessica Zeff
Feb 27 · 3 min read


A Major Shift in Medicare Advantage Compliance Expectations
OIG has released new Industry Segment-Specific Compliance Program Guidance for Medicare Advantage — the first major update since 1999. While nonbinding, the ICPG signals enforcement priorities across risk adjustment, utilization management, marketing, FDR oversight, and access to care. For MA organizations and partners, this guidance serves as a blueprint for strengthening compliance governance before the next audit arrives.

Jessica Zeff
Feb 21 · 3 min read


HIPAA and SUD Records
Federal enforcement of 42 CFR Part 2 is now aligned with HIPAA, meaning substance use disorder records are fully within OCR’s enforcement authority. Organizations that handle SUD treatment data must understand how Part 2 differs from traditional HIPAA PHI and what this enforcement shift means for policies, consent, training, and technical safeguards. The deadline has passed. The risk is no longer theoretical.

Jessica Zeff
Feb 21 · 3 min read


Are QR Codes Enough? NPP Accessibility
QR codes are increasingly used to provide access to the HIPAA Notice of Privacy Practices—but convenience alone doesn’t guarantee compliance. While digital access can support modernization, HIPAA still requires the NPP to be prominent, accessible, and available to all patients. This post explains when QR codes help, where they fall short, and how organizations can meet both the letter and spirit of the Privacy Rule.

Jessica Zeff
Feb 20 · 2 min read


After Death: Navigating Compliance When Legal Authority Is Unclear
Requests for access to a deceased patient’s medical records are common—but often misunderstood. HIPAA protections continue for 50 years after death, and disclosure depends on legal authority and specific regulatory pathways. This post explains when records may be released, what documentation is required, how state law factors in, and why organizations should approach these requests with both empathy and clear compliance guardrails.

Jessica Zeff
Feb 13 · 3 min read


Illinois AG Charges Cook County Physician in $1 Million Fraud Case: Implications for Compliance Programs
In November 2025, the Illinois Attorney General announced felony charges against a Cook County physician accused of orchestrating a scheme to defraud Medicaid and Medicare of more than $1 million. According to the press release, the physician allegedly submitted reimbursement claims for services that were not provided or were delivered by an unlicensed medical student rather than by the physician himself. The charges include theft, money laundering, managed care fraud, vendor

Jessica Zeff
Feb 7 · 3 min read


Thinking About Epic Cosmos? What to Ask Before You Plug In
Epic Cosmos offers unprecedented access to de-identified clinical data, enabling large-scale research and population health insights. But for compliance teams, participation raises important questions about transparency, patient trust, and risk oversight. This post explores what organizations should consider before joining Cosmos—from opt-out decisions and privacy notices to risk assessments and staff training—so innovation doesn’t outpace governance.

Jessica Zeff
Jan 30 · 3 min read


OCR Revisits Risk Management Under HIPAA
OCR’s renewed focus on risk management under the HIPAA Security Rule signals a clear shift in enforcement priorities. Risk analysis and mitigation are no longer treated as background compliance tasks, but as foundational requirements subject to direct scrutiny—even absent a breach. This post explains why OCR is revisiting risk management, what recent enforcement actions reveal, and what compliance and security leaders should be doing now to avoid preventable penalties.

Jessica Zeff
Jan 23 · 2 min read


Why Every Healthcare Organization Needs an AI Policy
Artificial intelligence is already embedded in healthcare operations, often without a formal decision to adopt it. From EHR upgrades to billing tools and vendor platforms, AI shows up quietly and introduces real compliance risk. An AI policy helps organizations understand where AI is used, what data it touches, and who is responsible. Without clear rules and oversight, even well-intentioned AI use can create regulatory exposure.

Jessica Zeff
Jan 19 · 2 min read


What to Watch in 2026
As healthcare heads into 2026, the regulatory story is less about new rules and more about follow-through. Coverage churn, interoperability expectations, utilization management scrutiny, and technology oversight are all becoming operational realities rather than policy debates. This post outlines the compliance and operational pressure points organizations should be watching—from eligibility verification and prior authorization to vendor oversight, HIPAA security, and documen

Jessica Zeff
Jan 18 · 3 min read


What’s Coming with SUD Records: Preparing for the 2026 42 CFR Part 2 Changes
The 2026 compliance deadline for updated 42 CFR Part 2 regulations is fast approaching, and organizations handling substance use disorder records can no longer afford to wait. While the rule introduces greater alignment with HIPAA—such as single consent for treatment, payment, and operations—it also preserves heightened protections for SUD counseling notes and legal disclosures. This post breaks down what has changed, what hasn’t, and what compliance teams should be doing now

Jessica Zeff
Jan 16 · 5 min read


When Law Enforcement Shows Up: Why Hospitals Need Clear, Written Protocols—Now
When law enforcement enters a hospital, uncertainty can escalate into immediate compliance risk. From unconscious patients to unclear legal authority, these encounters expose gaps in policy, training, and escalation protocols. As regulators sharpen their focus, hospitals can no longer rely on judgment calls or informal practices. This post outlines why clear, written law enforcement protocols are now a compliance imperative—and what programs must address to protect patients,

Jessica Zeff
Jan 9 · 3 min read


Texas Drops Challenge to HIPAA Privacy Rule
Texas’s decision to abandon its lawsuit challenging the HIPAA Privacy Rule removes a major source of regulatory uncertainty for healthcare organizations. While recent court action vacated the 2024 reproductive health amendments, the core HIPAA Privacy Rule remains intact and legally resilient. For compliance leaders, this outcome reinforces HIPAA as the enduring baseline standard while highlighting the ongoing tension between state and federal privacy authority.

Jessica Zeff
Jan 2 · 2 min read


$46 Million — A Hard Lesson on Web Tracking and Patient Privacy
According to recent reporting, Kaiser Permanente agreed to pay at least $46 million (potentially up to $47.5 million) to settle a class‑action lawsuit alleging it improperly shared patient data via tracking technologies embedded in its websites, mobile apps, and patient portals. Specifically: The health system used cookies, pixels, and other “web‑tracking tools” on pages likely to handle or display protected health information (PHI), rather than limiting them to purely publi

Jessica Zeff
Dec 26, 2025 · 3 min read


CVS to Return Over $37.7 Million
CVS’s $37.76 million settlement over insulin pen dispensing is more than a headline—it’s a clear enforcement signal. Allegations of overdispensing, inaccurate days-of-supply reporting, and systemic billing failures highlight how packaging, dosing complexity, and automation can quietly create compliance risk. For pharmacies, health systems, and payers, the case reinforces why billing accuracy, documentation, and operational oversight are non-negotiable.

Jessica Zeff
Dec 19, 2025 · 2 min read


Why a HIPAA Security Risk Assessment Is the Foundation of a Modern Information Security Program
Many healthcare organizations still treat the HIPAA Security Risk Assessment as a compliance checkbox. That approach is increasingly risky. In today’s threat environment, a thorough security risk assessment is the foundation of a modern information security program—helping organizations identify vulnerabilities, prioritize resources, and protect not just PHI, but the financial, operational, and strategic data that keeps the organization running.

Jessica Zeff
Dec 15, 2025 · 3 min read


“Everyone Over 70 Has Kidney Failure”: How Independent Health’s Risk Adjustment Scheme Went Off the Rails
A shocking whistleblower case revealed that Independent Health and its subsidiary DxID inflated risk scores through unsupported diagnoses, improper coding sources, and pressured provider addenda. The result: nearly $100 million returned to Medicare. This blog breaks down how the scheme worked, why it failed, and what compliance professionals must learn from it.

Jessica Zeff
Dec 13, 2025 · 4 min read


Understanding the OIG’s Information Blocking Enforcement Alert
OIG’s new Information Blocking Enforcement Alert signals a shift from education to action. With penalties now in play, compliance teams must reassess workflows, exceptions, vendor contracts, and staff training to ensure EHI flows appropriately. This is a key moment for compliance, IT, privacy, and operations to align around safe, timely access to health information.

Jessica Zeff
Dec 5, 2025 · 2 min read


Compliance and Risk Management: Two Roles, One Responsibility
In today’s complex regulatory landscape, compliance and risk management can no longer work in silos. Each provides essential data and context to the other—compliance identifies risks, while risk management prioritizes them. Together, they create a proactive defense that protects healthcare organizations from costly penalties, reputational damage, and governance gaps while strengthening overall organizational resilience.

Jessica Zeff
Dec 2, 2025 · 3 min read
