Use of Proxy Entities in Fraud Cases
Fraud schemes rarely rely on a single bad actor. A recent DOJ case shows how proxy entities—marketers, telemedicine platforms, and suppliers—can be layered to create the appearance of legitimacy while obscuring accountability. For compliance teams, the real risk often lives between organizations. Understanding how inter-entity relationships operate, and where oversight breaks down, is critical to detecting fraud before regulators do.

Jessica Zeff
7 days ago · 3 min read


Phishing Simulations: A Teachable Moment—or a Warning Sign?
Phishing simulations are a critical awareness tool—but repeated failures raise an uncomfortable compliance question. At what point does a teachable moment become a real risk indicator? As regulators continue to focus on reasonable safeguards and workforce behavior, organizations must decide how to respond to repeat simulation failures. Doing nothing can signal tolerance for risk, while overreaction can undermine culture. The challenge is finding a defensible, documented middl

Jessica Zeff
Apr 3 · 3 min read


EMTALA Enforcement Is Alive — “Patient Dumping”
Federal EMTALA enforcement is back in focus. A recent DOJ settlement reinforces that hospitals remain accountable for screening, stabilization, and transfer decisions, especially when capacity exists. Regulators are closely examining how EMTALA obligations are handled in real time, not just in policy. For organizations, compliance now depends on whether workflows, documentation, and escalation processes hold up under scrutiny.

Jessica Zeff
Mar 27 · 3 min read


DME Proof of Delivery: What CMS Requires
Proof of delivery is a nonnegotiable requirement for DME POS claims billed to Medicare—but it remains one of the most common causes of audit denials. CMS requires clear documentation showing the beneficiary (or designee) actually received the item, with specific elements and long-term retention expectations. This post breaks down what valid POD requires, where suppliers often fall short, and how to reduce audit risk.

Jessica Zeff
Mar 20 · 3 min read


Same-Day, Same-Patient E/M Visits: What Happens When Providers Are Different Specialties?
Same-day E/M services by multiple providers can be compliant—or problematic—depending on specialty designation, documentation, and how claims are submitted. Medicare rules allow separate E/M billing in some situations, but the distinctions are easy to miss in practice. This post explains how CMS treats same-day E/M services, where organizations get tripped up, and what compliance teams should reinforce to reduce audit and denial risk.

Jessica Zeff
Mar 13 · 3 min read


Alexa, Are You Listening?
Smart speakers like Alexa and Google Nest are common in both offices and home workspaces—but they introduce real HIPAA risk. Because voice assistants continuously listen for activation, patient information can be captured unintentionally during calls, charting, or telehealth visits. This post explains why smart speakers create compliance exposure, how HIPAA applies, and what a clear smart device policy should include.

Jessica Zeff
Mar 6 · 3 min read


Attributed Patients Aren’t Automatically Your Patients: A Compliance Reality Check for Providers
Attribution lists are common in value-based care—but they’re often misunderstood. Being “attributed” to a provider does not automatically create a treatment relationship or grant access to a patient’s clinical record. This post explains where organizations go wrong, why pre-engagement record access creates real HIPAA risk, and how to structure outreach, role-based access, and documentation so compliance keeps pace with population health goals.

Jessica Zeff
Feb 27 · 3 min read


A Major Shift in Medicare Advantage Compliance Expectations
OIG has released new Industry Segment-Specific Compliance Program Guidance for Medicare Advantage — the first major update since 1999. While nonbinding, the ICPG signals enforcement priorities across risk adjustment, utilization management, marketing, FDR oversight, and access to care. For MA organizations and partners, this guidance serves as a blueprint for strengthening compliance governance before the next audit arrives.

Jessica Zeff
Feb 21 · 3 min read


HIPAA and SUD Records
Federal enforcement of 42 CFR Part 2 is now aligned with HIPAA, meaning substance use disorder records are fully within OCR’s enforcement authority. Organizations that handle SUD treatment data must understand how Part 2 differs from traditional HIPAA PHI and what this enforcement shift means for policies, consent, training, and technical safeguards. The deadline has passed. The risk is no longer theoretical.

Jessica Zeff
Feb 21 · 3 min read


Are QR Codes Enough? NPP Accessibility
QR codes are increasingly used to provide access to the HIPAA Notice of Privacy Practices—but convenience alone doesn’t guarantee compliance. While digital access can support modernization, HIPAA still requires the NPP to be prominent, accessible, and available to all patients. This post explains when QR codes help, where they fall short, and how organizations can meet both the letter and spirit of the Privacy Rule.

Jessica Zeff
Feb 20 · 2 min read


After Death: Navigating Compliance When Legal Authority Is Unclear
Requests for access to a deceased patient’s medical records are common—but often misunderstood. HIPAA protections continue for 50 years after death, and disclosure depends on legal authority and specific regulatory pathways. This post explains when records may be released, what documentation is required, how state law factors in, and why organizations should approach these requests with both empathy and clear compliance guardrails.

Jessica Zeff
Feb 13 · 3 min read


Illinois AG Charges Cook County Physician in $1 Million Fraud Case: Implications for Compliance Programs
In November 2025, the Illinois Attorney General announced felony charges against a Cook County physician accused of orchestrating a scheme to defraud Medicaid and Medicare of more than $1 million. According to the press release, the physician allegedly submitted reimbursement claims for services that were not provided or were delivered by an unlicensed medical student rather than by the physician himself. The charges include theft, money laundering, managed care fraud, vendor

Jessica Zeff
Feb 7 · 3 min read


Thinking About Epic Cosmos? What to Ask Before You Plug In
Epic Cosmos offers unprecedented access to de-identified clinical data, enabling large-scale research and population health insights. But for compliance teams, participation raises important questions about transparency, patient trust, and risk oversight. This post explores what organizations should consider before joining Cosmos—from opt-out decisions and privacy notices to risk assessments and staff training—so innovation doesn’t outpace governance.

Jessica Zeff
Jan 30 · 3 min read


OCR Revisits Risk Management Under HIPAA
OCR’s renewed focus on risk management under the HIPAA Security Rule signals a clear shift in enforcement priorities. Risk analysis and mitigation are no longer treated as background compliance tasks, but as foundational requirements subject to direct scrutiny—even absent a breach. This post explains why OCR is revisiting risk management, what recent enforcement actions reveal, and what compliance and security leaders should be doing now to avoid preventable penalties.

Jessica Zeff
Jan 23 · 2 min read


Why Every Healthcare Organization Needs an AI Policy
Artificial intelligence is already embedded in healthcare operations, often without a formal decision to adopt it. From EHR upgrades to billing tools and vendor platforms, AI shows up quietly and introduces real compliance risk. An AI policy helps organizations understand where AI is used, what data it touches, and who is responsible. Without clear rules and oversight, even well-intentioned AI use can create regulatory exposure.

Jessica Zeff
Jan 19 · 2 min read


What to Watch in 2026
As healthcare heads into 2026, the regulatory story is less about new rules and more about follow-through. Coverage churn, interoperability expectations, utilization management scrutiny, and technology oversight are all becoming operational realities rather than policy debates. This post outlines the compliance and operational pressure points organizations should be watching—from eligibility verification and prior authorization to vendor oversight, HIPAA security, and documen

Jessica Zeff
Jan 18 · 3 min read


What’s Coming with SUD Records: Preparing for the 2026 42 CFR Part 2 Changes
The 2026 compliance deadline for updated 42 CFR Part 2 regulations is fast approaching, and organizations handling substance use disorder records can no longer afford to wait. While the rule introduces greater alignment with HIPAA—such as single consent for treatment, payment, and operations—it also preserves heightened protections for SUD counseling notes and legal disclosures. This post breaks down what has changed, what hasn’t, and what compliance teams should be doing now

Jessica Zeff
Jan 16 · 5 min read


When Law Enforcement Shows Up: Why Hospitals Need Clear, Written Protocols—Now
When law enforcement enters a hospital, uncertainty can escalate into immediate compliance risk. From unconscious patients to unclear legal authority, these encounters expose gaps in policy, training, and escalation protocols. As regulators sharpen their focus, hospitals can no longer rely on judgment calls or informal practices. This post outlines why clear, written law enforcement protocols are now a compliance imperative—and what programs must address to protect patients,

Jessica Zeff
Jan 9 · 3 min read


Texas Drops Challenge to HIPAA Privacy Rule
Texas’s decision to abandon its lawsuit challenging the HIPAA Privacy Rule removes a major source of regulatory uncertainty for healthcare organizations. While recent court action vacated the 2024 reproductive health amendments, the core HIPAA Privacy Rule remains intact and legally resilient. For compliance leaders, this outcome reinforces HIPAA as the enduring baseline standard while highlighting the ongoing tension between state and federal privacy authority.

Jessica Zeff
Jan 2 · 2 min read


$46 Million — A Hard Lesson on Web Tracking and Patient Privacy
According to recent reporting, Kaiser Permanente agreed to pay at least $46 million (potentially up to $47.5 million) to settle a class‑action lawsuit alleging it improperly shared patient data via tracking technologies embedded in its websites, mobile apps, and patient portals. Specifically: The health system used cookies, pixels, and other “web‑tracking tools” on pages likely to handle or display protected health information (PHI), rather than limiting them to purely publi

Jessica Zeff
Dec 26, 2025 · 3 min read