EV Healthcare: The 2026 State of Compliance

Healthcare compliance in 2026 is no longer a background function — it’s a frontline defense against a government that is watching your data, scrutinizing your billings, and raising the stakes with every enforcement action. Healthcare compliance professionals are navigating one of the most consequential inflection points in the history of the profession. With nearly $7 billion in False Claims Act recoveries in 2025, the largest healthcare data breach on record, and sweeping changes to accreditation standards, the regulatory environment has never been more complex — or more consequential.

This episode of The Ethicsverse convenes three experienced compliance and enforcement professionals — a former United States Attorney with 20 years of DOJ experience, a former Assistant U.S. Attorney and senior healthcare fraud specialist, and a partner at a global professional services firm with decades of compliance program development experience — to examine the evolving state of healthcare compliance in 2026. The discussion addresses the acceleration of government enforcement activity, characterized by increasingly sophisticated data analytics capabilities, heightened False Claims Act scrutiny, and a growing regulatory emphasis on outcome-based accountability over procedural compliance. Panelists explore the implications of declining regulatory clarity — including the Supreme Court’s elimination of Chevron deference and ongoing agency brain drain — for compliance professionals attempting to navigate an ambiguous and unpredictable enforcement landscape. The conversation introduces frameworks for risk-stratified resource allocation under conditions of expanding scope and static or shrinking budgets, advocating for a perpetual survey readiness model in place of traditional cyclical compliance preparation.

Key Takeaways

Enforcement Intensity Is Rising — And Healthcare Is in the Crosshairs

  • Federal agencies including the DOJ and HHS are actively prioritizing healthcare fraud, waste, and abuse enforcement, driven by the perception that healthcare costs are unsustainably high and that the sector represents a rich source of recoverable funds — making healthcare organizations uniquely vulnerable to enforcement scrutiny regardless of their existing compliance posture.
  • With nearly $7 billion in False Claims Act recoveries in 2025 alone, the government has demonstrated both the appetite and the operational capability to pursue large-scale enforcement actions, signaling that de-emphasizing compliance at the executive level is a dangerous miscalculation that many C-suites are currently making.
  • Compliance officers must resist the organizational pressure to scale back programs in the face of financial constraints, understanding that enforcement expectations are moving in the opposite direction — and that a well-resourced compliance function is among the most effective tools for avoiding the far greater cost of a government investigation.

Regulatory Ambiguity Has Become a Compliance Risk of Its Own

  • The Supreme Court’s elimination of Chevron deference has fundamentally disrupted the compliance landscape, meaning that organizations can no longer safely rely on agency interpretations of statutes as a legal safe harbor — courts may independently interpret the underlying law, creating unpredictable legal exposure for organizations that believed they were operating within sanctioned guidance.
  • Government agency brain drain — the loss of experienced personnel and their replacement by less seasoned staff — has introduced significant inconsistency into enforcement decisions, with some prosecutors advancing legal theories that courts have subsequently rejected, as illustrated by the Seventh Circuit’s rebuke of the government’s position on percentage-based compensation under the Anti-Kickback Statute.
  • Compliance officers must build internal capabilities for independent legal analysis and scenario planning rather than relying exclusively on agency guidance, recognizing that the government’s interpretation of the rules is itself a moving target that may not reflect what courts ultimately hold to be correct.

Data Analytics Is the New Frontline of Federal Enforcement

  • The government has dramatically increased its use of claims data analytics to identify potential fraud, waste, and abuse, moving away from a reliance on whistleblower-driven investigations toward systematic, data-driven pattern recognition that can surface billing irregularities across entire provider populations before a single complaint is filed.
  • Medicare Part B providers in particular should be aware that their billing data is publicly available, and that the government regularly compares individual provider patterns against peer benchmarks — organizations that are statistical outliers in high-value billing codes are significantly more likely to receive enforcement scrutiny, regardless of whether their practices are legitimate.
  • Compliance programs that have not yet invested in internal data analytics capabilities — the ability to view their own data through the lens the government would apply — are operating with a critical blind spot, leaving them unable to identify and remediate the same patterns that federal auditors are actively hunting for.

Audits Catch Errors; Detecting Fraud Requires a Different Lens

  • Traditional compliance audits are structurally designed to verify accuracy within a sample of claims by checking that documentation supports the billing — but this approach contains an embedded assumption of good-faith documentation that makes it fundamentally unsuited to detecting fraud, where the documentation itself may be engineered to mislead.
  • A landmark prosecution involving a dermatologist who systematically passed compliance audits by designing his patient records to appear normal on a per-claim basis illustrates the gap: fraud often lives not in any individual claim, but in statistically implausible patterns across a patient population that are only visible when volume and frequency data are examined comparatively.
  • Compliance officers should supplement traditional auditing with a fraud-detection mindset that asks comparative questions — Is our volume of a particular procedure consistent with how peers practice? Are individual patients receiving services at implausible frequencies? — because an audit that only examines documentation may produce false assurance while missing the actual risk.

Perpetual Survey Readiness Has Replaced Cyclical Compliance Preparation

  • The model of conducting an annual risk assessment, building a static work plan, and executing against it throughout the year is no longer viable in a regulatory environment where enforcement priorities, agency guidance, and organizational risk profiles are changing continuously — compliance programs must instead operate as living systems capable of real-time adaptation.
  • Regulatory technology and AI tools now offer compliance teams practical pathways to continuous monitoring of regulatory changes, policy currency, and documentation accuracy, representing a meaningful opportunity to move the function toward true perpetual readiness without proportionally increasing headcount or budget.
  • Organizations that maintain continuous compliance monitoring are better positioned not only to prevent violations but to demonstrate to regulators and courts, including in civil litigation, that they exercised appropriate diligence — a distinction that can be determinative in whether an incident is characterized as a systemic failure or an isolated lapse.

Outcome-Based Accountability Has Replaced Process-Based Compliance

  • Regulators have fundamentally shifted their expectations, moving away from evaluating compliance programs based on the existence of policies, training programs, and documented procedures toward assessing whether those programs are producing measurable changes in organizational behavior — the government’s implicit position is that if something went wrong, the process simply wasn’t effective enough.
  • A particularly common failure pattern in compliance effectiveness assessments is the compliance theater dynamic: organizations know a process is producing bad outcomes, they are educating and updating policies, but they are not achieving different results — and this pattern of sustained non-improvement is precisely what regulators interpret as evidence of an inadequate program.
  • Compliance leaders must adopt a hypothesis-driven approach to program interventions — establishing a clear expected outcome before deploying an educational initiative or policy change, measuring progress against that benchmark, and escalating accountability to operational leadership when outcomes are not improving — because sustained effort without measurable results is not a defense the government will accept.

Resource-Constrained Compliance Demands Strategic Bets, Not Comprehensive Coverage

  • No compliance program, regardless of its budget, can comprehensively address every risk on an expanding regulatory landscape — and attempting to do so produces programs that do everything inadequately; the only viable strategy for compliance officers operating under resource constraints is deliberate, evidence-based prioritization of the risks most likely to attract enforcement scrutiny.
  • A useful framework for risk prioritization draws on publicly available enforcement intelligence: DOJ and HHS working group priority lists, OIG audit reports, False Claims Act settlement press releases, and Medicare benchmarking data each provide concrete signals about where the government is focusing its attention and what patterns it is actively pursuing.
  • Risk prioritization decisions should be communicated explicitly to the board and executive leadership — including a clear articulation of which risks the program is not currently covering and why — because this transparency positions the compliance function as a strategic risk partner, creates shared accountability at the leadership level, and ensures that resource tradeoffs are made consciously rather than by default.

Cybersecurity Is a Compliance Imperative, Not an IT Problem

  • Healthcare organizations hold more sensitive personal data — including Social Security numbers, dates of birth, and protected health information — than virtually any other sector, making them prime targets for ransomware and data breach attacks that can simultaneously trigger ransom demands exceeding standard insurance policy limits, state-specific breach notification obligations, class action exposure, and HHS Office for Civil Rights investigations.
  • The costs of a cyber intrusion are fundamentally non-estimable in advance — organizations cannot predict ransom demands, whether attackers will release data, the scope of applicable notification requirements, or the full extent of reputational harm — which means framing cybersecurity investment as a risk mitigation imperative rather than an IT budget line item is both more accurate and more likely to secure meaningful executive support.
  • Best practice requires structural integration of the cybersecurity function into the compliance framework — through mechanisms such as dotted-line reporting relationships between the Chief Security Officer and the compliance and privacy officer, CSO participation in management compliance committees, and proactive incident response planning — rather than siloed IT management that leaves compliance officers blind to their organization’s actual cyber exposure.

Breaking Down Silos Is the Most Urgent Structural Change in Compliance

  • The modern compliance mandate — spanning fraud and abuse, cybersecurity, data privacy, 340B, revenue integrity, and AI governance — has outgrown the capacity of any single compliance function to manage comprehensively, making cross-functional coalition-building the single most impactful structural investment a compliance leader can make in 2026.
  • The most effective compliance programs do not attempt to own all compliance-adjacent activities but instead cultivate strategic partnerships with revenue cycle, pharmacy, IT security, legal, and human resources — building the trust, shared language, and established workflows that allow the compliance function to mobilize quickly across organizational lines when risks emerge.
  • Silo walls create compounding vulnerabilities: when data privacy is managed separately from cybersecurity, when revenue integrity operates independently of compliance, and when HR handles ethics matters without compliance involvement, organizations create the exact gaps that external auditors, plaintiffs’ attorneys, and government investigators are trained to find.

EHR Systems and AI Tools Are Creating New Enforcement Vulnerabilities

  • The DOJ/HHS False Claims Act Working Group has identified manipulation of electronic health record systems to drive inappropriate utilization of Medicare-covered products and services as a priority enforcement area, and the growing adoption of generative AI and ambient listening technology to auto-populate clinical documentation has significantly amplified this risk — providers who sign off on records without fully reviewing AI-generated content remain personally and institutionally responsible for the accuracy of that documentation.
  • A fundamental tension exists between operational efficiency and compliance integrity in EHR use: providers are under pressure to close charts quickly, yet the government’s expectation that each clinician carefully review and verify all chart entries before finalizing — including AI-generated content — is at odds with clinical workflow realities, creating prosecution risk even in the absence of fraudulent intent.
  • Compliance programs should conduct proactive audits of how clinical staff are actually using EHR systems in practice — not how policy says they should — to identify the gap between documented expectations and real-world behavior before the government identifies it through claims data analysis, because it is that gap, not the policy itself, that will define the organization’s legal exposure.

Conclusion

The 2026 healthcare compliance landscape is defined by a central paradox: the scope of what compliance officers are expected to manage continues to expand at the same time that organizational resources to manage it remain flat or shrink. The experts who joined this conversation made clear that the response to this paradox is not to work harder at the old model — it is to work differently. That means shifting from cyclical to continuous monitoring, from process compliance to outcome accountability, from siloed ownership to strategic coalition-building, and from attempts at comprehensive coverage to deliberate, data-informed risk prioritization. It means understanding that cybersecurity is no longer an IT issue but a compliance imperative, that EHR systems and AI tools are creating new enforcement vectors that require proactive governance, and that the government’s growing sophistication in data analytics demands that compliance programs be able to see their own data the way federal investigators will. For compliance officers, ethics leaders, and HR professionals, the path forward is clear: show up differently, build broader coalitions, make smarter bets — and position your program not as a cost center, but as the strategic risk intelligence function your organization cannot afford to operate without.