

$46 Million — A Hard Lesson on Web Tracking and Patient Privacy
According to recent reporting, Kaiser Permanente agreed to pay at least $46 million (potentially up to $47.5 million) to settle a class‑action lawsuit alleging it improperly shared patient data via tracking technologies embedded in its websites, mobile apps, and patient portals. Specifically: The health system used cookies, pixels, and other “web‑tracking tools” on pages likely to handle or display protected health information (PHI), rather than limiting them to purely publi

Jessica Zeff
Dec 26, 2025 · 3 min read


CVS to Return Over $37.7 Million
CVS’s $37.76 million settlement over insulin pen dispensing is more than a headline—it’s a clear enforcement signal. Allegations of overdispensing, inaccurate days-of-supply reporting, and systemic billing failures highlight how packaging, dosing complexity, and automation can quietly create compliance risk. For pharmacies, health systems, and payers, the case reinforces why billing accuracy, documentation, and operational oversight are non-negotiable.

Jessica Zeff
Dec 19, 2025 · 2 min read


Why a HIPAA Security Risk Assessment Is the Foundation of a Modern Information Security Program
Many healthcare organizations still treat the HIPAA Security Risk Assessment as a compliance checkbox. That approach is increasingly risky. In today’s threat environment, a thorough security risk assessment is the foundation of a modern information security program—helping organizations identify vulnerabilities, prioritize resources, and protect not just PHI, but the financial, operational, and strategic data that keeps the organization running.

Jessica Zeff
Dec 16, 2025 · 3 min read


“Everyone Over 70 Has Kidney Failure”: How Independent Health’s Risk Adjustment Scheme Went Off the Rails
A shocking whistleblower case revealed that Independent Health and its subsidiary DxID inflated risk scores through unsupported diagnoses, improper coding sources, and pressured provider addenda. The result: nearly $100 million returned to Medicare. This blog breaks down how the scheme worked, why it failed, and what compliance professionals must learn from it.

Jessica Zeff
Dec 13, 2025 · 4 min read


Understanding the OIG’s Information Blocking Enforcement Alert
OIG’s new Information Blocking Enforcement Alert signals a shift from education to action. With penalties now in play, compliance teams must reassess workflows, exceptions, vendor contracts, and staff training to ensure EHI flows appropriately. This is a key moment for compliance, IT, privacy, and operations to align around safe, timely access to health information.

Jessica Zeff
Dec 5, 2025 · 2 min read


Compliance and Risk Management: Two Roles, One Responsibility
In today’s complex regulatory landscape, compliance and risk management can no longer work in silos. Each provides essential data and context to the other—compliance identifies risks, while risk management prioritizes them. Together, they create a proactive defense that protects healthcare organizations from costly penalties, reputational damage, and governance gaps while strengthening overall organizational resilience.

Jessica Zeff
Dec 2, 2025 · 3 min read


Fiduciary Duty and Board Management: What Compliance Officers Need to Know
In this episode of Compliance Deconstructed, we unpack fiduciary responsibilities and board governance essentials. Jessica Zeff and Elvan Baker explain how compliance officers can support their boards, clarify duty of care and loyalty, and create structures that promote transparency and accountability. Whether you're new to board management or facing governance challenges, this episode offers practical, actionable insight.

Jessica Zeff
Nov 25, 2025 · 3 min read


Understanding the Three Lines of Defense in Healthcare Compliance
The Three Lines of Defense model defines clear roles in managing healthcare compliance and risk. Operational teams own the process, compliance provides oversight, and internal audit ensures accountability. When these roles align, organizations reduce risk, strengthen governance, and create programs that prevent issues before they arise—building a sustainable culture of accountability and continuous improvement.

Jessica Zeff
Nov 4, 2025 · 3 min read


AI in Prior Authorization: Balancing Innovation and Oversight
AI tools promise faster, cheaper prior authorization decisions—but at what cost? The UnitedHealth lawsuit highlights how algorithms can increase denials and harm patients when oversight lags behind innovation. Compliance leaders must ensure AI decisions remain transparent, clinically sound, and patient-centered. The goal isn’t to reject technology—it’s to balance efficiency with ethical, accountable care.

Jessica Zeff
Oct 31, 2025 · 3 min read


What UnitedHealth’s Expanding DOJ Probe Means for the Rest of Us
The expanding DOJ investigation into UnitedHealth now spans Medicare billing, PBM practices, and provider relationships—signaling a new era of compliance risk. For healthcare organizations, the message is clear: documentation, internal audits, and oversight across interconnected business lines must be airtight. Transparency and proactive compliance aren’t just protective—they’re strategic necessities.

Jessica Zeff
Oct 24, 2025 · 2 min read


Record-Breaking Qui Tam Filings: A Wake-Up Call for Healthcare Compliance
DOJ data shows a record-breaking 979 whistleblower lawsuits filed under the False Claims Act in 2024—a 30% jump over the previous high. For healthcare organizations, this surge signals a growing culture of accountability and risk. Strengthening internal reporting systems, training, and response processes can reduce exposure and transform whistleblower activity into an opportunity to reinforce trust and compliance culture.

Jessica Zeff
Oct 17, 2025 · 3 min read


What OIG’s RPM Audit Tells Us About RTM Risks
OIG’s recent audits of Remote Patient Monitoring reveal patterns that mirror the risks emerging in Remote Therapeutic Monitoring. From missing documentation to billing inconsistencies, the findings offer a roadmap for compliance professionals. RTM programs must strengthen oversight, validate vendor practices, and monitor billing trends to prevent audits and safeguard reimbursement integrity.

Jessica Zeff
Oct 10, 2025 · 3 min read


Aligning Compliance and Quality in Rehab and Outpatient Therapy
Rehab and outpatient therapy providers face strict documentation rules, payer audits, and new quality reporting mandates. Too often, quality improvement and compliance oversight remain separate—leading to inefficiency and risk. Aligning the two ensures defensible documentation, stronger outcomes, and reduced audit exposure. By integrating audits, case reviews, and outcome measures, therapy organizations can thrive under growing regulatory and quality demands.

Jessica Zeff
Sep 26, 2025 · 3 min read


Bridging Compliance and Quality in Home Health and Hospice
In home health and hospice, compliance and quality can’t operate in silos. Survey readiness, value-based purchasing, and patient experience all hinge on aligning these efforts. By integrating QAPI and compliance work plans, conducting joint root cause analyses, and delivering shared training, agencies can reduce redundancy, strengthen care, and stay resilient under scrutiny—while keeping patient outcomes at the center.

Jessica Zeff
Sep 23, 2025 · 3 min read


Quality and Healthcare Compliance in Skilled Nursing: A Unified Approach
In skilled nursing, compliance can’t just mean survey readiness. With CMS’s quality-driven payment models, facilities must integrate compliance and quality efforts to stay competitive. Aligning audits, documentation, and training ensures stronger oversight, better outcomes, and improved resident trust. A unified approach helps SNFs reduce risk, avoid duplication, and succeed under increasing regulatory and quality expectations.

Jessica Zeff
Sep 18, 2025 · 3 min read


Quality and Compliance: Stronger Together in Healthcare
Quality and compliance are often treated as separate functions, but healthcare organizations are strongest when they work together. By aligning goals, sharing data, and collaborating on initiatives, compliance and quality teams can reduce risk, improve patient safety, and meet regulatory expectations. Building a culture of shared accountability creates stronger programs and better outcomes for patients and providers alike.

Jessica Zeff
Sep 16, 2025 · 3 min read


AI Deregulation: What Therapists Need to Know About the Benefits and Risks
AI deregulation could make innovative tools more accessible and affordable for therapists—but it comes with risks. Without regulatory oversight, therapists may face greater responsibility for patient safety, privacy, and ethical use. From liability exposure to erosion of trust, the burden shifts directly onto practitioners. Compliance-minded therapists must vet tools carefully, maintain oversight, and safeguard patient well-being in a changing AI landscape.

Jessica Zeff
Sep 6, 2025 · 3 min read


AI Deregulation: What Physician Practices Need to Know About the Risks and Benefits
AI deregulation could give physician practices faster access to innovative tools and lower costs—but at a price. Without regulatory guardrails, practices face greater patient safety risks, liability exposure, and financial strain. Smaller practices, with limited staff and budgets, may struggle most. Compliance leaders must prepare internal vetting, oversight, and training processes to balance the benefits of innovation with the risks of deregulation.

Jessica Zeff
Aug 29, 2025 · 3 min read


How AI Deregulation Could Impact Hospitals – and Why Critical Access Hospitals Are at Greater Risk
AI deregulation could shift safety and oversight responsibilities from regulators to hospitals—placing Critical Access Hospitals at heightened risk. Without external validation, CAHs may face greater patient safety risks, liability exposure, and operational strain. Compliance leaders must prepare stronger internal governance to protect quality, equity, and financial stability in a deregulated AI environment.

Jessica Zeff
Aug 16, 2025 · 3 min read


How AI Deregulation Could Disrupt FDA Oversight and Increase Risk in Healthcare
Weakening FDA oversight of AI in healthcare could increase regulatory gaps, patient safety risks, and liability exposure. From unvalidated tools to adaptive AI model drift, the absence of strong oversight would force healthcare organizations to bear full responsibility for validation, monitoring, and accountability. Compliance professionals must strengthen governance now to prepare for this shifting landscape.

Jessica Zeff
Aug 9, 2025 · 3 min read
