Who Regulates Healthcare Compliance? A Complete Guide to Agencies and Law
Healthcare runs on trust. Patients trust that their records are safe, bills are accurate, and their providers follow the law. But who makes sure that actually happens?
The answer is federal agencies, state regulators, and accreditation bodies, each with its own area of authority over how healthcare organizations operate. And the stakes are real. In 2025, the U.S. Department of Justice recovered over $5.7 billion in healthcare-related fraud cases alone through the False Claims Act.
This article covers all the agencies responsible for regulating compliance in healthcare in the U.S., the federal laws they enforce, who is responsible in your organization, and how to be prepared for any future regulations before it’s too late.
Who Regulates Healthcare Compliance?
Healthcare compliance is not controlled by a single agency. Instead, the regulatory framework is spread across a number of federal agencies, state-level agencies, and accreditation organizations. Each has a defined set of responsibilities, from protecting patient data to preventing fraud to enforcing workplace safety.
Understanding which agencies have authority over your organization is the first step toward building a compliance program that actually works.
Department of Health and Human Services (HHS)
The Department of Health and Human Services is the main federal agency responsible for public health in the United States. It oversees a wide range of programs, including Medicare, Medicaid, and the Children’s Health Insurance Program (CHIP).
HHS also houses several sub-agencies that directly regulate healthcare compliance, including the Office of Inspector General, the Office for Civil Rights, and the Centers for Medicare & Medicaid Services. Nearly every healthcare compliance regulation at the federal level connects back to HHS.
Office of Inspector General (OIG)
The HHS Office of Inspector General is the government’s lead agency for healthcare fraud, waste, and abuse. The OIG investigates individuals and organizations suspected of defrauding federal health programs. It also maintains the List of Excluded Individuals and Entities (LEIE), which healthcare organizations must check before hiring employees or contracting with vendors.
The OIG publishes compliance program guidance documents, issues advisory opinions on anti-kickback matters, and negotiates Corporate Integrity Agreements (CIAs) with organizations that settle fraud allegations. In 2023, the OIG released its updated General Compliance Program Guidance, which now serves as the standard reference for building a healthcare compliance program.
Office for Civil Rights (OCR)
The Office for Civil Rights enforces HIPAA’s Privacy, Security, and Breach Notification Rules. When a data breach occurs or a patient files a complaint about their health information being mishandled, OCR is the agency that investigates.
OCR can impose civil monetary penalties on organizations that fail to protect patient data. In 2025, the office resolved 21 enforcement actions involving settlements or civil monetary penalties, making it the second-highest annual total in OCR’s history, according to the HIPAA Journal.
Centers for Medicare & Medicaid Services (CMS)
CMS administers Medicare, Medicaid, and CHIP. But its role goes well beyond writing reimbursement checks. CMS sets the conditions of participation that hospitals and healthcare facilities must meet to receive federal funding. It also runs quality reporting programs and enforces rules around electronic health records, price transparency, and billing accuracy.
If a healthcare organization fails to meet CMS requirements, it risks losing access to federal healthcare program funding, which for many providers is their largest source of revenue.
Food and Drug Administration (FDA)
The FDA regulates the safety and effectiveness of drugs, biologics, medical devices, and food products. For healthcare organizations, FDA compliance touches everything from how medications are stored and dispensed to how clinical trials are conducted.
The FDA’s Office of Regulatory Affairs conducts inspections, monitors laboratory testing, and can pursue criminal enforcement through its Office of Criminal Investigations when public health is at risk.
Drug Enforcement Administration (DEA)
The DEA enforces federal laws around controlled substances. Any healthcare provider who prescribes, dispenses, or stores controlled substances must hold a valid DEA registration and follow strict handling, documentation, and storage requirements.
Violations may lead to fines, loss of prescribing privileges, and criminal prosecution. The DEA works closely with state licensing boards to investigate suspected diversion or misuse of controlled substances in healthcare settings.
Occupational Safety and Health Administration (OSHA)
OSHA, part of the U.S. Department of Labor, sets and enforces workplace safety standards. In healthcare, OSHA compliance covers a wide range of areas, including the handling of bloodborne pathogens, exposure to hazardous chemicals, radiation safety, and workplace violence prevention.
Healthcare workers face some of the highest rates of workplace injuries in any industry. OSHA requires healthcare organizations to maintain injury and illness records, provide safety training to staff exposed to specific risks, and follow protocols aligned with Centers for Disease Control and Prevention guidelines.
Penalties for OSHA violations can reach up to $16,550 per serious violation and up to $165,514 for willful or repeated violations, based on the 2025 penalty adjustments from OSHA.
The Joint Commission (TJC) and Accreditation Bodies
The Joint Commission is a nonprofit organization that accredits and certifies hospitals and healthcare systems based on patient safety and care quality standards. While Joint Commission accreditation is voluntary, most hospitals pursue it because it is widely recognized as a mark of quality and is often tied to eligibility for federal funding.
Other accreditation bodies include the National Committee for Quality Assurance (NCQA), which evaluates managed care plans, and the Agency for Healthcare Research and Quality (AHRQ), which provides resources and research on improving patient safety. Accreditation does not replace regulatory compliance, but it adds an extra layer of accountability.
State-Level Regulatory Agencies and Licensing Boards
Beyond the federal level, each state has its own set of agencies that regulate healthcare. These typically include state health departments, medical licensing boards, pharmacy boards, and Medicaid Fraud Control Units (MFCUs).
State privacy laws can sometimes go further than federal regulations. Texas, for example, has a Medical Record Privacy Act that applies to any person or organization that collects or stores PHI involving a Texas resident, regardless of where that organization is located.
Healthcare organizations must track both federal and state requirements because state rules can fill gaps that federal regulations do not cover.
What Is Healthcare Compliance and Why Does It Matter?
Compliance in healthcare refers to adhering to all regulatory requirements applicable to any organization providing healthcare services. This includes handling patient information, submitting insurance claims, ensuring workplace safety, and more.
In basic terms, compliance is about following the rules. However, in healthcare, rules are complicated, multilayered, and always changing. These rules can come from various sources, such as federal agencies, state organizations, accrediting agencies, and payer contracts.
Why does it matter so much? Because the consequences of getting it wrong are serious. Poor compliance can lead to patient harm, financial fraud, data breaches, and legal penalties that can shut down an organization. On the other hand, strong compliance protects patients, reduces financial risk, builds trust with the community, and keeps the organization eligible for federal and state funding.
Healthcare is one of the most regulated industries in the country. The Bureau of Labor Statistics has consistently projected growth in compliance-related roles, reflecting the growing demand for professionals who can help organizations keep up with an ever-expanding set of rules.
Federal Laws and Regulations That Shape Healthcare Compliance
The Federal Government has passed a series of laws over the past several decades that define the rules healthcare organizations must follow. Each law addresses a different area, from patient privacy to fraud prevention to emergency care access.
The table below offers a quick reference before we walk through each law in detail.
| Law / Regulation | Year Enacted | What It Covers | Enforced By |
|---|---|---|---|
| HIPAA | 1996 | Patient data privacy and security | OCR |
| HITECH Act | 2009 | Electronic health records, breach notification | OCR, CMS |
| EMTALA | 1986 | Emergency treatment access | CMS |
| ACA | 2010 | Compliance programs, insurance access | CMS, OIG |
| False Claims Act | 1863 (amended) | Fraudulent claims to federal programs | DOJ, OIG |
| Anti-Kickback Statute | 1972 | Financial incentives for referrals | OIG |
| Stark Law | 1989 | Physician self-referrals | CMS |
| MACRA | 2015 | Quality-based Medicare payments | CMS |
| PCI DSS | 2004 | Payment card security | Card brands (contractual) |
| Sunshine Act | 2010 | Financial transparency with drug companies | CMS |
HIPAA: Protecting Patient Privacy and Data Security
The Health Insurance Portability and Accountability Act (HIPAA), passed in 1996, is probably the most well-known healthcare compliance law. It sets national standards for protecting patient health information.
HIPAA has three main rules that healthcare organizations must follow:
- The Privacy Rule governs how protected health information (PHI) can be used and shared. PHI includes anything that identifies a patient, from their name and address to their diagnosis and treatment records.
- The Security Rule requires technical, physical, and administrative safeguards to protect electronic PHI (ePHI). This includes access controls, encryption, audit logs, and workforce training.
- The Breach Notification Rule requires covered entities to notify affected individuals, HHS, and, in some cases, the media when a breach of unsecured PHI occurs.
HIPAA applies to covered entities (health plans, healthcare providers, and healthcare clearinghouses) and their business associates, which are third-party vendors who handle PHI on their behalf.
HITECH Act: Strengthening Electronic Health Records Standards
The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted in 2009, was designed to accelerate the adoption of electronic health records (EHR) across the U.S. healthcare system. It also strengthened HIPAA enforcement by increasing penalties for data breaches and requiring periodic audits by OCR.
Under HITECH, organizations that experience a breach affecting 500 or more individuals must report it within 60 days. The Act also extended HIPAA requirements directly to business associates, making them independently liable for compliance failures.
EMTALA: Emergency Care Access Requirements
The Emergency Medical Treatment and Labor Act (EMTALA), passed in 1986, requires any hospital that participates in Medicare and has an emergency department to screen and stabilize any patient who arrives seeking emergency care, regardless of their ability to pay or insurance status.
EMTALA was created to stop “patient dumping,” the practice of turning away or prematurely discharging patients because they could not afford treatment. Violations can result in civil monetary penalties of up to $119,942 per violation for hospitals and physicians, according to the Congressional Research Service, along with civil lawsuits and exclusion from federal health programs.
The Affordable Care Act (ACA): Compliance and Ethics Program Mandates
The Patient Protection and Affordable Care Act (ACA), signed into law in 2010, is most known for expanding health insurance access. But it also had a direct effect on healthcare compliance.
The ACA requires healthcare providers to put in place a compliance and ethics program as a condition for receiving reimbursement from federally funded healthcare programs. It also established the Medicare Shared Savings Program, which created Accountable Care Organizations (ACOs) that tie reimbursement to quality of care rather than volume of services.
False Claims Act: Preventing Fraudulent Billing
The False Claims Act (FCA) dates back to the Civil War, but remains one of the government’s most used tools against healthcare fraud. It makes it illegal to knowingly submit a false claim to a federal program for payment.
The Act allows private citizens (often called whistleblowers) to file lawsuits on behalf of the government.
Anti-Kickback Statute (AKS): Prohibiting Improper Financial Incentives
The Anti-Kickback Statute prohibits healthcare professionals and organizations from offering, paying, soliciting, or receiving anything of value in exchange for referrals or business related to services covered by federal healthcare programs like Medicare and Medicaid.
This includes cash payments, free products, lavish gifts, and favorable contract terms. Penalties for violations can include fines of up to $100,000 per violation, up to 10 years in prison, and exclusion from federal health programs.
Stark Law (Physician Self-Referral Law)
The Stark Law prohibits physicians from referring patients for designated health services (such as lab tests, imaging, or home health) paid by Medicare or Medicaid to an entity where the physician or an immediate family member has a financial interest.
The law is a strict liability statute, meaning intent does not matter. Even accidental violations can result in penalties. When the ACA introduced ACOs that rewarded coordinated care, it created tension with the Stark Law. CMS and the OIG eventually issued waivers for certain provisions to allow ACOs to function without running afoul of self-referral restrictions.
MACRA and the Quality Payment Program
The Medicare Access and CHIP Reauthorization Act (MACRA), enacted in 2015, replaced the old fee-for-service payment model with a value-based approach. It created the Quality Payment Program, which includes the Merit-Based Incentive Payment System (MIPS) and Advanced Alternative Payment Models (APMs).
Under MIPS, physicians and healthcare organizations are evaluated on quality of care, cost, and use of health IT. Scores affect Medicare reimbursement rates, which means compliance with MACRA directly impacts revenue.
PCI DSS: Payment Card Security in Healthcare
The Payment Card Industry Data Security Standard (PCI DSS) is not a government regulation but a contractual requirement imposed by major credit card brands. Any healthcare organization that processes debit or credit card payments must comply with PCI DSS.
The technical requirements of PCI DSS are similar to the HIPAA Security Rule’s technical safeguards. Organizations that already comply with HIPAA’s security standards often find they meet most PCI DSS requirements as well. The main gap is in breach notification, where state data breach laws, rather than HIPAA, typically apply when payment data is compromised.
Physician Payments Sunshine Act and CMS Open Payments
The Physician Payments Sunshine Act, part of the ACA, requires drug and medical device companies to report any payments or transfers of value made to physicians and teaching hospitals. CMS manages this data through its Open Payments program.
The goal is to create transparency around financial relationships that could influence medical decisions.
Who Is Responsible for Healthcare Compliance Inside an Organization?
Compliance is not a task that falls on one person alone. The OIG’s compliance guidance recommends that every healthcare organization, regardless of size, designate a compliance contact who is responsible for making sure compliance activities get done. But in practice, it takes the full organization working together to stay on the right side of the law.
The Chief Compliance Officer (CCO) and Compliance Teams
In larger organizations, the Chief Compliance Officer leads the compliance program. The CCO is typically responsible for developing policies, conducting risk assessments, coordinating audits, training staff, and serving as the main point of contact with regulators.
Many organizations also have dedicated compliance teams that handle day-to-day activities like reviewing billing practices, tracking regulatory updates, and managing incident reports. In smaller practices, the compliance contact might be the practice manager or a senior administrator who takes on this role alongside other duties.
The Board of Directors and Executive Leadership
The board of directors holds the highest level of accountability for compliance within any healthcare organization. Board members are expected to set the tone, review compliance reports, and make sure the organization has the resources it needs to meet regulatory requirements.
Executive leadership, including the CEO and CFO, plays a direct role as well. When leaders treat compliance as a priority, it sets expectations for the rest of the staff. When they do not, the organization becomes vulnerable to gaps that can lead to violations and penalties.
Legal, Risk Management, and Quality Improvement Departments
Compliance does not sit in one department. Legal teams help interpret regulations and advise on contracts. Risk management departments identify vulnerabilities and develop plans to reduce exposure. Quality improvement teams monitor clinical outcomes and make sure care meets professional standards.
Each of these groups contributes a different perspective. When they coordinate with the compliance officer, the organization has a much stronger defense against regulatory risks.
Why Every Employee Plays a Role in Regulatory Adherence
At the end of the day, compliance depends on what happens in daily operations. A front-desk employee who mishandles patient records, a coder who submits an inaccurate claim, or a nurse who skips a safety protocol can all trigger a compliance violation.
That is why training, clear policies, and open reporting channels matter at every level. Organizations should create an environment where employees feel safe reporting concerns without fear of retaliation. Anonymous reporting options, regular training sessions, and a clear set of written standards all help build that kind of environment.
The OIG’s Seven Elements of an Effective Compliance Program
The OIG has outlined seven elements that every healthcare compliance program should include. These are not legally required for all organizations, but the OIG strongly recommends them, and many federal and state regulators look for them during investigations. Organizations that follow these elements are better positioned to prevent violations and demonstrate good faith if issues arise.
Here is what each element covers:
- Written policies, procedures, and standards of conduct. This includes a code of conduct, billing procedures, data privacy rules, and patient care protocols. All documents should be in plain language, easy to access, updated regularly, and acknowledged by every employee in writing.
- A designated compliance officer and committee. The compliance officer should have direct access to leadership and the independence to report findings freely. Larger organizations should also form a compliance committee with members from different departments.
- Training, education, and communication. Training should be regular, role-specific, and cover relevant laws, internal policies, and reporting procedures. Anonymous reporting channels, such as a hotline or online portal, should also be in place.
- Internal monitoring, auditing, and reporting. Audits should target high-risk areas like billing accuracy, HIPAA compliance, and vendor management. Ongoing monitoring of claims data, policy acknowledgments, and incident trends is just as important.
- Enforcement through disciplinary guidelines. Consequences for violations should be clear, publicized, and applied equally at every level of the organization.
- Responding to detected offenses and taking corrective action. Organizations must investigate the root cause, fix the problem, and document every step. The OIG also encourages voluntary self-disclosure of potential fraud, which can reduce penalties.
- Screening employees against the OIG Exclusions List. Organizations must check the LEIE before hiring any employee, contractor, or vendor. Hiring an excluded individual can lead to fines of up to $20,000 per violation, triple repayment of claims, and exclusion from federal programs. Screening should happen at hire and at least annually after that.
Common Healthcare Compliance Violations and How Regulators Respond
Knowing who enforces healthcare compliance is only part of the picture. Understanding why a rule tends to be enforced, and how the enforcing agency operates, is what lets an organization set its compliance priorities.
One of the most common compliance problems involves coding and billing errors. These range from accidental mistakes by staff members to deliberate acts of fraud, which can carry serious legal consequences.
The most common triggers include billing for services that were never rendered, billing at a higher level than the service actually provided, submitting duplicate claims, and waiving patient copayments without the appropriate documentation.
CMS tracks improper payment rates across Medicare claims and publishes reports that organizations can use to spot patterns in their own billing before an audit happens.
HIPAA Breaches and OCR Enforcement Actions
HIPAA breaches happen more often than most organizations expect. They can result from cyberattacks, employee errors, lost devices, or even improper use of website tracking tools.
When OCR receives a breach report or a patient complaint, it investigates and can impose civil monetary penalties based on a tiered system.
| Tier | Level of Culpability | Minimum Fine Per Violation | Maximum Fine Per Violation | Annual Cap |
|---|---|---|---|---|
| 1 | Lack of knowledge | $145 | $73,011 | $2,190,294 |
| 2 | Reasonable cause | $1,461 | $73,011 | $2,190,294 |
| 3 | Willful neglect, corrected within 30 days | $14,602 | $73,011 | $2,190,294 |
| 4 | Willful neglect, not corrected | $73,011 | $2,190,294 | $2,190,294 |
Note: These figures are based on the HHS Federal Register, 2026. Penalty amounts are adjusted annually for inflation and may change.
Beyond fines, OCR often requires organizations to enter into corrective action plans that mandate specific improvements to their privacy and security practices over a set period.
Anti-Kickback and Stark Law Violations: Real-World Penalties
Anti-Kickback and Stark Law violations carry some of the steepest penalties in healthcare compliance. They often involve financial relationships between providers, referral arrangements, and vendor contracts that cross legal lines.
A few examples of how regulators have responded:
- Stark Law violations trigger penalties of up to $15,000 per claim, plus up to three times the amount improperly claimed.
- The DOJ’s largest healthcare fraud takedown in 2025 charged 324 individuals across 50 federal districts in schemes involving more than $14.6 billion in false claims, including kickback-related charges.
OIG Exclusions, Corporate Integrity Agreements, and Settlement Outcomes
When the OIG determines that an organization has committed fraud or abuse, the consequences extend beyond fines. The most common outcomes include:
- Exclusion from federal programs: The organization or individual is banned from participating in Medicare, Medicaid, and other federal health programs.
- Corporate Integrity Agreements (CIAs): As part of a civil settlement, the organization agrees to specific compliance obligations for a set period, typically three to five years. These can include hiring an independent monitor, conducting annual audits, and providing regular reports to the OIG.
- Self-disclosure settlements: Organizations that voluntarily report violations through the OIG’s self-disclosure protocol may receive reduced penalties compared to those caught through investigation.
In 2025, 900 individuals or entities were excluded from federal healthcare programs, and criminal recoveries through Medicaid Fraud Control Units alone exceeded $1.3 billion, according to the OIG’s annual report.
The Consequences of Non-Compliance in Healthcare
Failure to adhere to healthcare regulations leads to consequences that extend far beyond financial penalties. As much as fines attract media attention, there are other, more serious consequences associated with non-compliance.
Monetary penalties can range from a few thousand dollars per violation up to tens of millions for sustained or willful non-compliance. The False Claims Act allows the government to recover up to three times the amount of damages caused by fraudulent claims.
Criminal charges are also on the table for serious offenses. Individuals convicted of healthcare fraud can face up to 10 years in prison, and if a patient is harmed as a result, that sentence can increase to 20 years or more. Physicians can lose their medical licenses, and organizations can lose their ability to participate in Medicare and Medicaid.
The impact on reputation is another factor to consider. When a healthcare provider is found to have violated data protection regulations, defrauded their patients, or exhibited poor practices, patients lose faith and seek out alternative medical practitioners. Rebuilding trust after a public enforcement action can take years.
How Healthcare Organizations Can Stay Ahead of Regulatory Changes
Regulations in healthcare do not stay still. New rules are proposed, existing ones are updated, and enforcement priorities shift from year to year. Organizations that only react to changes after they take effect put themselves at risk. The ones that stay ahead build compliance into their daily operations.
- Building a culture of compliance from the top down. A compliance program is only as strong as the commitment behind it. When board members and executive leaders treat compliance as a priority, it sets the standard for everyone else. This means funding the program properly, giving the compliance officer real authority, and holding all staff to the same standards.
- Conducting regular risk assessments and internal audits. Risk assessments help organizations figure out where they are most vulnerable, from billing practices to data security to vendor relationships. Internal audits follow up by testing whether current controls are working. The goal is to catch problems early, before a regulator does.
- Using compliance software to centralize oversight. Tracking compliance across multiple regulations, departments, and locations is difficult to do with spreadsheets and manual processes. The right software gives organizations a single place to manage policies, assign tasks, track progress, and prepare for audits. In healthcare compliance, if it is not documented, it did not happen.
How ComplyAssistant Helps Healthcare Organizations Meet Regulatory Requirements
ComplyAssistant is a healthcare-specific GRC (Governance, Risk, and Compliance) platform built to help organizations manage the full scope of their compliance obligations from one place. For 25+ years, the company has served hospitals, health systems, clinics, long-term care facilities, physician practices, and managed service providers across the United States.
What the platform covers:
- HIPAA, HITECH, NIST, HITRUST, PCI DSS, and many additional frameworks for compliance tracking
- Risk assessments, internal audits, and corrective action management
- Policy management, distribution, version control, and employee acknowledgment
- Vendor and business associate agreement management
- Incident tracking and reporting
- Reminders, task assignments, and audit-ready documentation
For organizations looking to bring their compliance program into a single, organized system, ComplyAssistant offers a way to reduce manual work, stay on top of regulatory changes, and keep audit documentation in order without the confusion of scattered spreadsheets and disconnected processes. Contact the ComplyAssistant professionals to see how they can work for your organization.
Wrapping Up!
Healthcare compliance is not managed by a single agency or a single law. It is the combined result of federal regulators like HHS, the OIG, OCR, CMS, and the FDA working alongside state agencies, accreditation bodies, and the organizations themselves.
Knowing who regulates healthcare compliance and what they expect is the foundation of any effective compliance program. The cost of falling behind is real. Billions of dollars in penalties, program exclusions, criminal charges, and lost patient trust are on the line every year.
But staying compliant does not have to be overwhelming. Understand the laws, assign responsibility, train your team, monitor your operations, and document everything. That is what keeps patients safe and organizations out of trouble.
Frequently Asked Questions (FAQs)
What is the main agency that regulates healthcare compliance?
The Department of Health and Human Services (HHS) is the main federal agency overseeing healthcare compliance in the United States. Within HHS, the Office of Inspector General (OIG) handles fraud prevention, the Office for Civil Rights (OCR) enforces HIPAA, and the Centers for Medicare & Medicaid Services (CMS) sets conditions for participation in federal health programs.
What is the difference between HIPAA and HITECH?
HIPAA (1996) set national standards for protecting patient health information. The HITECH Act (2009) strengthened HIPAA by increasing breach penalties, extending requirements to business associates, and promoting electronic health record adoption.
Who enforces HIPAA compliance?
The HHS Office for Civil Rights (OCR) is responsible for enforcing HIPAA’s Privacy, Security, and Breach Notification Rules. OCR investigates complaints, conducts compliance reviews, and can impose civil monetary penalties. State attorneys general can also bring enforcement actions for HIPAA violations under certain circumstances.
What happens if a healthcare organization is non-compliant?
Consequences depend on the type and severity of the violation. They can include financial penalties ranging from thousands to millions of dollars, criminal prosecution, loss of medical licenses, exclusion from Medicare and Medicaid, corrective action plans, and reputational damage. In serious cases, individuals can face prison time.
How often do healthcare compliance regulations change?
There is no fixed schedule. Individual regulations may not change frequently on their own, but because healthcare organizations must comply with many different laws at once, the combined effect can feel like a constant stream of updates. In any given year, there are usually multiple changes across HIPAA, CMS requirements, OSHA standards, state laws, and other regulatory areas. Staying current requires ongoing monitoring and regular reviews of your compliance program.