
Risk Assessment for Skilled Nursing Facilities: Understanding Compliance Requirements 

Nursing facilities are the backbone of American healthcare, with 15,000 facilities caring for 1.2 million residents.1 But from ongoing staffing shortages to data privacy concerns, the industry faces a range of growing regulatory risks – and many organizations struggle to identify exactly what is required to stay compliant.

This article uses the latest CMS compliance guidance to explore the most common challenges nursing facilities face – and how they can overcome them. Based on our experts’ decades of combined experience, we explain how a range of urgent risks can be identified and mitigated with the right processes.  

But first, let’s establish exactly what compliance risk means in this context. 

Key Compliance Risks for Nursing Facilities 

The Office of Inspector General (OIG) recently updated previous compliance guidance for nursing facilities with a 111-page document. While this is clearly exhaustive and detailed, our experts suggest the most common risks it presents can be broken into four key categories: 

1. Quality of Care and Quality of Life 

Providing high-quality, resident-centered care is not only a regulatory requirement but also an ethical foundation for nursing home operations. Compliance risks in this area often stem from: 

  • Staffing requirements: Nursing facilities may fail to meet the latest federal staffing mandates requiring a minimum number of registered nurses (RN) and nursing assistants to be present within a facility.2 Regulations require every facility to meet or exceed a minimum of 3.48 hours per resident day for total nurse staffing, including but not limited to: 
    • A minimum of 0.55 hours per resident day for registered nurses; and 
    • A minimum of 2.45 hours per resident day for nurse aides. 
  • Medication Management: Overuse of antipsychotics or lack of oversight in administering prescriptions can trigger audits and enforcement. Research suggests the majority of medication-related errors occur at the points of ordering medications (39%) and administering medications (38%).3 
  • Neglected care plans: Failure to assess, document, and execute individual care plans can be viewed as providing substandard care. The CMS requires nursing facilities to:
    • Provide effective and person-centered care for residents that meets professional standards of quality care
    • Address the medical, nursing, mental and psychosocial needs of residents and include reasonable objectives and timetables
    • Provide an ongoing program to support residents in their choice of activities designed to meet interests and support physical, mental, and psychosocial well-being.

2. Medicare and Medicaid Billing 

Billing compliance remains one of the most scrutinized areas for nursing facilities. While the vast majority of improper Medicare payments related to nursing facilities are the result of insufficient documentation, the latest compliance guidelines point to a wider set of issues – including: 

  • Upcoding – where incorrect medical codes are submitted to inflate health plan reimbursements 
  • Duplicate billing – where errors lead to the same treatment of patients being billed multiple times 
  • Incorrect cost reports – where treatment costs may be misreported and, therefore, reimbursements wrongly calculated 
  • Insufficient or missing clinical documentation – where conditions are reported to health plans but cannot be proven 

Each of these can create compliance issues, with billing errors often resulting in False Claims Act violations – which can lead to nearly $15,000 in fines.4

3. Anti-Kickback Measures 

Care coordination under value-based care (VBC) models can raise red flags if not structured appropriately. The Anti-Kickback Statute (AKS) prohibits remuneration that could influence referrals for federally reimbursed services. Risk areas include:  

  • Referrals between providers without fair market value contracts: Engaging in referral arrangements where compensation does not reflect fair market value can be construed as an inducement for referrals, violating the AKS.  
  • Shared savings arrangements without proper safeguards: Participating in shared savings programs that lack adequate safeguards to prevent improper inducements can lead to compliance issues. It’s essential to ensure these arrangements are structured to comply with legal requirements and do not incentivize inappropriate reductions in services.  
  • Incentives provided to care navigators or discharge planners: Offering incentives to individuals responsible for patient referrals, such as care navigators or discharge planners, can be problematic if these incentives are intended to influence referral decisions. Such practices may violate the AKS if not carefully structured to comply with regulatory exceptions or safe harbors. 

4. Data Privacy and HIPAA 

The HIPAA Privacy and Security Rules continue to apply to all nursing facilities handling protected health information (PHI). In light of proposed updates requiring multifactor authentication and stronger encryption protocols, facilities must now prepare for elevated expectations around cybersecurity readiness.  

The OIG emphasizes the importance of implementing comprehensive policies and procedures to safeguard PHI, including conducting regular risk assessments, providing ongoing staff training, and establishing robust incident response plans.  

Failure to comply with these requirements can result in significant penalties and compromise resident trust. Violations are enforced using a Tier system to determine the breach’s severity and the facility’s responsibility, with potential fines of over $2 million, along with the prospect of appearing on the “HIPAA Wall of Shame” and even being hit with jail time.5 

Compliance Bottlenecks: Why Nursing Facilities Struggle to Stay Compliant 

Despite the best intentions, many nursing facilities fall short of meeting compliance standards. Nearly 18% of facilities received non-compliance penalties in 2019 – with some experiencing fines over $830,000.6 This is explained by three key factors:  

1. Changing Requirements 

Federal and state regulations are continuously evolving, often outpacing the ability of organizations to implement necessary updates. For instance, the OIG has issued updated compliance program guidance for nursing facilities, highlighting new risk areas and recommending enhanced compliance measures.

Equally, recent audits revealed that 20% of skilled nursing facilities did not properly disclose one or more related parties on their Medicare cost reports, while 50% did not properly adjust some of their related-party costs.7 This underscores the need for facilities to stay abreast of regulatory changes and ensure timely compliance.

2. Complexity and Scale

The regulatory landscape for nursing facilities encompasses a vast array of requirements, including those from the CMS and HIPAA. The OIG’s Compliance Program Guidance for Nursing Facilities highlights that the sheer volume and granularity of these regulations can overwhelm even well-staffed compliance departments.

Recent surveys found that 53% of healthcare compliance teams feel overwhelmed with changing requirements.8 However, nursing facilities are not simply battling evolving regulations; they also face an uphill battle to access the resources they need.

3. Resource Shortages

Nursing facilities face significant resource shortages. The average facility currently loses money through Medicaid, receiving just 82 cents for every dollar of care provided.9 Equally, nursing facilities report a staffing turnover of 10 – an extremely high volume, which helps to explain why 11 of facilities currently meet mandatory staffing levels.12

As a result, there is limited funding to cope with compliance issues:

  • They cannot maintain compliance-trained staff and must constantly offer new hires training
  • They lack the budget to hire full-time compliance specialists or remediate issues

But there is plenty to be hopeful about, as even heavily underfunded facilities can improve their compliance with the right approach to risk management.

3 Ways to Combat Risk Within Nursing Facilities

The most effective compliance programs aren’t reactive—they’re proactive. Risk assessments and structured risk management frameworks allow organizations to stay ahead of enforcement trends and mitigate operational gaps.

Consider the following approaches:

1. Competency-Based Training

Our experts suggest that staffing shortages and the burden of extensive compliance training can be alleviated through competency-based training:

  • Role-specific and risk-targeted: Training should be customized based on the employee’s responsibilities and the specific compliance risks they may encounter. For example, billing staff should receive in-depth guidance on Medicare and Medicaid documentation requirements, while clinical staff should be trained in patient rights, infection control, and medication management.
  • Reinforced through simulations or case-based learning: Real-world scenarios and role-playing exercises help reinforce critical thinking and ethical decision-making, especially in high-risk areas like reporting suspected abuse or handling PHI.
  • Aligned with audit findings and performance data: Use findings from internal and external audits to refine training priorities, ensuring ongoing relevance and risk mitigation. Facilities should document training attendance and track post-training assessments to evaluate effectiveness.

2. Risk Review and Monitoring Processes

Effective programs maintain a continuous feedback loop to identify and address compliance vulnerabilities. Key practices include:

  • Conducting regular internal audits and mock surveys: These help ensure that care delivery, documentation, billing, and physical environment standards align with CMS and state requirements. Audits should be scheduled randomly and include multidisciplinary participation.
  • Leveraging analytics to detect unusual billing or care patterns: Data analytics can flag anomalies such as spikes in therapy hours, sudden changes in medication regimens, or discrepancies in staffing ratios. Predictive analytics can also assist in anticipating areas of future risk.
  • Reviewing incident reports and resident complaints for systemic issues: Aggregate data from grievances, adverse events, and falls can help pinpoint trends. The facility’s compliance officer should be involved in root cause analyses and in driving corrective action plans.

3. Reporting Best Practices

Robust reporting mechanisms are essential for surfacing risk before it escalates. Best-in-class facilities:

  • Encourage anonymous internal reporting through hotlines or digital forms: Make it easy and safe for staff, residents, and families to report concerns without fear of retribution. Ensure all personnel are educated on how and when to use these channels.
  • Maintain clear policies on retaliation and follow-up: The organization should have written policies that prohibit retaliation and define timelines for response. These should be consistently enforced and communicated to staff during onboarding and annual refreshers.
  • Track resolution timelines and root cause analyses for each reported issue: Establish a formal workflow for managing reports, from intake through resolution, and review metrics regularly at compliance committee meetings. Documenting and learning from each issue is essential to building a culture of accountability and improvement.

Take Control of Compliance with Strategic Management Services

Most nursing facilities struggle to find the time or internal expertise to run truly effective risk assessments – or implement the right steps to improve compliance. That’s why so many rely on Strategic Management Services to deliver expert support to their specific needs.

From compliance audits to billing assessments, our team will identify the most urgent risks to your organization and patients. We then help you remediate these issues to improve your posture and avoid non-compliance fines.

Want to protect your patients and reputation?


Resources:

1. https://theconversation.com/most-us-nursing-homes-are-understaffed-potentially-compromising-health-care-for-more-than-a-million-elderly-residents-211398
2. https://www.ecfr.gov/current/title-42/chapter-IV/subchapter-G/part-483/subpart-B/section-483.35#:%7E:text=(b),§%20483.71
3. https://www.ncbi.nlm.nih.gov/books/NBK560654/
4. https://fcablog.sidley.com/2025/01/06/2025-inflationary-adjustments-to-fca-penalties-announced/
5. https://www.hipaajournal.com/what-are-the-penalties-for-hipaa-violations-7096/
6. https://scholarsarchive.library.albany.edu/cgi/viewcontent.cgi?article=1125&context=etd
7. https://oig.hhs.gov/reports/all/2024/some-selected-skilled-nursing-facilities-did-not-comply-with-medicare-requirements-for-reporting-related-party-costs/
8. https://www.hipaajournal.com/healthcare-compliance-teams-struggle-complex-regulations-risks/
9. https://www.ahcancal.org/News-and-Communications/Press-Releases/Pages/ICYMI-New-HHS-Report-Reveals-Significant-Medicaid-Shortfall-Nursing-Homes.aspx#:~:text=The%20Average%20Facility%20Receives%20Just,For%20The%20Cost%20Of%20Care&text=In%20case%20you%20missed%20it%2C%20a%20new%20report%20by%20the,are%20chronically%20underfunded%20by%20Medicaid
10. https://jamanetwork.com/journals/jamainternalmedicine/fullarticle/2810616
11. https://www.kff.org/medicaid/issue-brief/a-closer-look-at-the-final-nursing-facility-rule-and-which-facilities-might-meet-new-staffing-requirements/