$3 trillion. That's how much federal healthcare spending is projected to cost the U.S. government by 2036.
Healthcare is already the largest area of federal spending, currently accounting for nearly $2 trillion, according to the Committee for a Responsible Federal Budget.
Understandably, federal healthcare programs study claims with a magnifying glass and a fine-toothed comb, on the lookout for potential fraud or any other compliance breach.
Facility administrators, compliance officers, and HR/credentialing managers want to comply. However, the regulatory landscape can be overwhelming—not to mention constantly changing.
Keep reading for a deep dive into corporate compliance in healthcare and learn how to build a successful compliance program for your organization.
What is corporate compliance in healthcare?
Corporate compliance is adherence to both a company’s internal policies and procedures and federal and state laws and regulations.
In healthcare, corporate compliance encompasses processes and procedures to prevent waste, fraud, and abuse within a facility and to ensure adherence to legal, ethical, and professional standards.
Corporate compliance protects a healthcare organization from fines and lawsuits. It also helps strengthen an organization’s reputation and financial viability through specific programs, such as Joint Commission accreditation and Medicare Advantage and Part D Star Ratings.
Understand the healthcare regulatory landscape
Healthcare regulations are inherently complex and evolving, often involving ethical considerations, financial motivations, and legal implications. While the following regulations are designed to protect all parties involved, healthcare facilities can reduce their risk exposure by becoming familiar with them and taking the necessary precautions.
False Claims Act
The civil False Claims Act (FCA) allows the government to recover money when an individual or entity knowingly submits or causes to be submitted false or fraudulent claims for payment to the government, including false records or statements.
False claims include healthcare services not provided to a patient or not supported by their medical record.
Filing a single false claim may result in liability of up to 3 times the program's loss, plus a civil penalty for each claim (an amount adjusted annually for inflation). Furthermore, each service billed to Medicare or Medicaid counts as a separate claim.
In short, liability can add up quickly.
Anti-Kickback Statute
Under the Anti-Kickback Statute (AKS), entities involved in the federal healthcare program cannot engage in certain practices common in other business sectors, such as offering or receiving gifts to reward referrals.
In other words, it is a criminal offense to knowingly and willfully offer, pay, solicit, or receive (directly or indirectly) any remuneration intended to induce or reward the referral of an individual for any item or service reimbursable under a federal healthcare program.
In the context of this statute, remuneration refers to anything of value, such as:
- Cash
- Cash equivalents
- Cost-sharing waivers or subsidies
- An opportunity to earn a fee
- Items
- Space
- Equipment
- Services
Violation of this federal statute is a felony punishable by a maximum fine of $100,000, up to 10 years' imprisonment, or both. Conviction also triggers mandatory exclusion from federal healthcare programs, including Medicare and Medicaid. The Office of Inspector General (OIG) maintains the List of Excluded Individuals/Entities (LEIE), and facilities are expected to screen employees, contractors, and vendors against it.
Physician Self-Referral Law
Similarly, under the federal Physician Self-Referral Law (PSL), also known as the “Stark Law,” physicians cannot make referrals for certain designated health services payable by Medicare to an organization with which the physician (or an immediate family member) has a financial relationship, including:
- Ownership and investment interests
- Compensation arrangements
The PSL is a strict-liability statute, meaning proof of intent to violate the law is not required. Penalties for physicians and entities that violate the PSL include fines and exclusion from participation in the federal health care programs.
- Billing entities may be denied payment for the services provided and may be subject to civil monetary penalties (CMPs) of up to $15,000 for each improper claim submitted (the statutory amount, which is adjusted annually for inflation).
- Physicians who violate the PSL may also be subject to additional fines for each prohibited referral.
- Providers entering into an arrangement that they know or should know circumvents the law may be subject to a CMP of up to $100,000 per arrangement (likewise inflation-adjusted).
Note: Exceptions for certain financial relationships apply, provided that each exception's specific requirements are satisfied.
HIPAA and data privacy
The Health Insurance Portability and Accountability Act (HIPAA) establishes federal standards protecting sensitive health information from disclosure without a patient's consent or knowledge. The United States Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement those requirements.
The Privacy Rule addresses the use and disclosure of individuals' protected health information (PHI) by "covered entities"—individuals and organizations subject to the rule.
These covered entities include:
- Health insurance plans
- Healthcare providers
- Healthcare clearinghouses
- Business associates (vendors and contractors outside a covered entity's workforce that handle PHI on its behalf). Strictly speaking, business associates are not covered entities, but they are directly liable for complying with many HIPAA provisions and must sign a business associate agreement with the covered entity.
The Privacy Rule also protects individuals' rights to understand and determine how their health information is used. It protects individual health information while allowing necessary access to health information, promoting high-quality healthcare, and protecting the public's health.
Additionally, the HIPAA Security Rule safeguards electronic protected health information (e-PHI), a subset of information covered by the Privacy Rule.
The Security Rule applies to all individually identifiable health information that a covered healthcare organization creates, receives, maintains, or transmits in electronic form, which is increasingly the norm. It does not apply to protected health information transmitted orally or on paper. The rule requires administrative, physical, and technical safeguards for e-PHI, including a documented risk analysis, access controls, audit controls, and protection of data in transit.
HIPAA violations may incur civil monetary penalties ranging from $145 to $2,190,294 per violation, depending on the level of culpability (these figures are adjusted for inflation each year, so check the current HHS schedule). Knowing violations can also result in criminal penalties, including fines and imprisonment, with the most severe tier reserved for offenses committed with intent to sell PHI or to cause harm.
Medicare and Medicaid program integrity requirements
Under the Medicaid Integrity Program established by Section 1936 of the Social Security Act, eligible entities under contract with the Centers for Medicare & Medicaid Services (CMS) must carry out the following:
- Review of the actions of individuals or organizations furnishing items or services under a state plan or any waiver to determine whether waste, fraud, or abuse has occurred, may occur, or may result in an unintended expenditure of funds
- Audit of payment claims for items or services provided under a state plan, including cost reports, consulting contracts, and risk contracts
- Identification of overpayments to individuals or organizations receiving federal funds
- Education or training of certain individuals and entities regarding payment integrity and quality of care
In turn, a Medicare Advantage (MA) organization is required to show commitment to compliance, integrity, and ethical values as demonstrated by the following:
- Written standards of conduct, procedures, and policies that reflect the organization’s commitment to comply with all applicable federal and state standards
- The designation of a healthcare compliance officer and a compliance committee that are accountable to senior management
- Effective training and education for the compliance officer and the organization's employees
- Effective means of communication between the compliance officer, the organization's employees, and MA-related contractors
- Enforcement of standards through well-publicized disciplinary guidelines
- Provision for internal monitoring and auditing that includes an assessment process to identify and analyze risks associated with failure to comply with all applicable Medicare Advantage compliance standards
- Procedures for ensuring a prompt response to detected offenses and the development of corrective action initiatives relating to the organization's MA contract
CMS oversees healthcare facilities' continued compliance with the requirements for an MA organization. Medicare Administrative Contractors (MACs) analyze claims to check adherence to Medicare coverage, coding, and billing rules, and take corrective action when providers are found non-compliant.
If a facility has failed to comply with the terms of a previous year’s contract with CMS or has failed to complete a corrective action plan during the term of its contract, CMS may deny a future application.
Similarly, CMS will monitor state implementation of and enforce compliance with Medicaid program integrity safeguards, such as reporting overpayments and fraud, and screening and enrolling managed care providers.
State-level regulatory obligations
In addition to federal guidelines and national accreditation standards, individual states have legislation that imposes specific standards on staffing levels, reporting requirements, mandatory registered nurse (RN) presence and supervision, and more.
The following are some notable examples:
- California establishes strict nurse-to-patient ratios for specific hospital units, including 1:1 in the operating room and 1:2 in intensive care units.
- Maine requires the following direct care provider-to-resident ratios in nursing homes: 1:5 for day shifts, 1:10 for evening shifts, and 1:15 for night shifts.
- In Washington, hospitals must maintain staffing committees where at least 50% of voting members are non-supervisory nursing staff providing direct patient care.
As with federal regulations, failing to comply with state laws can result in fines and other penalties.
For instance, Washington hospitals that fail to submit staffing plans, staffing committee charters, or corrective action plans by the relevant deadline may be subject to penalties of up to $10,000 per month.
The OIG's 7 elements of an effective compliance program
The Office of Inspector General (OIG) provides seven core elements for an effective healthcare compliance program designed to prevent, detect, and correct non-compliance: implementing written policies, designating a compliance officer/committee, training, open communication, auditing/monitoring, enforcing standards, and prompt response to issues.
At first glance, the OIG’s 7 elements of successful compliance programs may seem like no-brainers. Of course, healthcare facilities should have written policies, educate staff, and maintain open lines of communication. However, each element is nuanced.
Here are some OIG tips to help healthcare organizations meet each compliance element.
1. Written policies and procedures
- An organization's CEO or board can demonstrate commitment to compliance with a signed introduction in the code of conduct.
- Healthcare entities should also review their code of conduct when a new CEO is hired.
- Organizations should review policies and procedures at least annually to reflect any modifications to applicable statutes, regulations, and federal healthcare program requirements.
2. Compliance leadership and oversight
- If a compliance officer also serves as a privacy officer, they should have sufficient staff and resources to fulfill the additional duties associated with that expanded role.
- New members of a compliance committee should receive training on the committee’s duties and responsibilities, and understand the expectations of their role.
- The board should provide the compliance officer with enough power, independence, and resources to implement, maintain, and monitor the healthcare organization’s compliance program, and to advise the board on the entity’s compliance operations and risks.
3. Training and education
- Everyone working for a healthcare entity, including employees and contractors as well as board members and officers, should receive training at least annually on the organization's compliance program and its potential compliance risks.
- Training sessions could cover diverse topics, such as billing, coding, documentation, medical necessity, beneficiary inducements, and gifts. They should be relevant to each person’s roles and responsibilities.
- Training materials should be tailored to all members of the intended audience, including versions in several languages where required.
4. Effective lines of communication
- Facilities should protect whistleblowers and address issues before they escalate.
- A pattern of frequent reports to the compliance officer from a single department, or from employees who share the same supervisor, may point to an underlying compliance or human resources problem.
- Compliance officers should remain involved in all healthcare compliance investigations in which counsel takes the lead, such as those involving substantial legal violations.
5. Enforcing standards: Consequences and incentives
- Organizations should establish appropriate consequences for noncompliance and incentives for compliance.
- Consequences may involve remediation, sanctions, or both.
- Incentives can encourage compliance performance and innovation.
- Healthcare organizations should find ways to recognize individuals who raise substantiated concerns that result in the mitigation of harm or risk. This can be done in the individual’s performance review if it cannot be done publicly.
6. Risk assessment, auditing, and monitoring
- Healthcare entities should conduct compliance risk assessments at least annually.
- Organizations participating in or affected by government healthcare programs should focus their compliance risk assessment on violations of program requirements and other actions (or failures to act) that may affect their ability to comply with those requirements.
- These participating organizations should also ensure that claim reviews and audits include an assessment of the medical necessity of each item or service by an appropriately credentialed clinician, since medical necessity is a condition of payment under Medicare.
7. Responding to detected offenses and developing corrective action initiatives
- Compliance officers will inevitably receive audits or monitoring results that raise concerns or receive reports through disclosure programs that require investigation. If they do not, the compliance officer should consider conducting a review of the compliance program's effectiveness.
- Even when a material violation of applicable law does not result in a financial loss to the program, corrective action and reporting to CMS or the state's Medicaid program are still necessary to protect the integrity of the program and its enrollees.
- When there is evidence of misconduct, healthcare entities should report the incident promptly (within 60 days of determining that credible evidence of a violation exists). The same 60-day window applies to reporting and returning identified overpayments. Prompt action demonstrates the organization's willingness to work with governmental authorities to correct and remedy problems.
Key compliance risk areas for healthcare facilities
Clearly, healthcare facilities must comply with regulations at various levels: federal, state, facility type, and internal policies. Organizations must also comply with a slew of mandates and policies regulating every aspect of healthcare: admission, discharge, billing, coding, staffing, supervision, the list goes on.
Don’t throw your hands up just yet!
A successful compliance program is within your reach. You simply must get organized. Here are some key risk areas to be mindful of and cover in your facility’s compliance program.
Billing, coding, and claims submission
- Put deadlines on the calendar and set up reminders.
- Document the medical necessity of each item or service billed, since it is a condition of payment.
- Include regular reviews in your compliance program to keep billing and coding practices up-to-date and conduct regular internal billing and coding audits.
Referral relationships and financial arrangements
- Ensure that referrals are not made to entities with which the referring physician (or an immediate family member) has a financial relationship, unless a specific statutory exception applies and all of its requirements are met.
- Refer to Social Security Act Sec. 1877 [42 U.S.C. 1395nn], which sets out the prohibition in subsection (a) and the applicable exceptions in the subsections that follow.
Patient privacy and data security
- Use the downloadable Security Risk Assessment (SRA) Tool developed by the Office of the National Coordinator for Health IT (ONC) and the HHS Office for Civil Rights (OCR) to help you carry out the security risk assessment required by the HIPAA Security Rule. The tool was created with small and medium-sized providers in mind and may not be appropriate for larger organizations. Keep in mind that it is a questionnaire-based self-assessment: it helps you document the risk analysis, but it does not test your systems, so pair it with actual technical checks such as access reviews and vulnerability scans.
- Refer to the HIPAA Security Rule Crosswalk to the NIST Cybersecurity Framework, published by HHS OCR with input from the National Institute of Standards and Technology (NIST). This mapping helps facilities identify security gaps and technical safeguards, develop cybersecurity strategies, and maintain compliance across regulatory standards. NIST SP 800-66 (Implementing the HIPAA Security Rule) provides more detailed implementation guidance.
Workforce compliance
- Ensure nurse credentialing compliance, including background checks and license verification, on all in-house and temporary staff, and set up procedures to repeat these checks regularly.
- Make use of a contingent workforce through staffing platforms and temp agencies as needed to maintain compliance with mandated ratios and hours per resident day (HPRD).
- For long-term care facilities: Submit quarterly Payroll-Based Journal (PBJ) staffing data to CMS. This data feeds the Care Compare five-star quality ratings and is used to monitor compliance with federal staffing standards.
Healthcare staffing platforms, such as Nursa, help facilities maintain compliance with both staffing levels and credential verification by connecting organizations directly with qualified per diem clinicians in their area and by automating credential verification before shifts.
Strengthen your compliance program—regardless of facility size
All healthcare organizations need comprehensive corporate compliance programs. Period.
Smaller facilities likely won’t have a full-time compliance officer, but they still must have specific people in charge of creating, implementing, and overseeing the programs.
Although large institutions do have compliance officers, they must also ensure sufficient staff and resources to fulfill their essential duties.
When it comes to compliance, you can never have too much information, so stay on the learning path.
Up next?
Assess your readiness for the Joint Commission survey—including its new safe staffing goal—and learn how to prepare for accreditation.
Sources:
- CBO Projects High Federal Health Program Costs
- General Compliance Program Guidance
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- What are the Penalties for HIPAA Violations?
- MEDICAID PROGRAM INTEGRITY MANUAL: CHAPTER 1 – Authority, Background, and Definitions
- Medicare Managed Care Manual: Chapter 11 - Medicare Advantage Application Procedures and Contract Requirements
- HIPAA & NIST Cybersecurity Framework crosswalk: 3 things to know (Becker's Hospital Review)