Top 10 Concerns for Compliance Officers in 2026
The following are the top 10 concerns identified by Compliance Officers in the 2025 Healthcare Compliance Benchmark Survey and other source authorities. These concerns are listed in descending order and can be used in planning the 2026 Compliance Office Work Plan.
- HIPAA Privacy. Most Compliance Officers have a responsibility for HIPAA Privacy. According to the 2025 Compliance Benchmark Survey, this is the highest risk area in healthcare compliance. Violations of protected health information (PHI) and data breaches are seven times more likely to result in regulatory action than fraud and abuse violations. The concerns to be addressed include a workforce that does not fully understand what constitutes PHI, minimum necessary, or permissible disclosures; failure to meet HIPAA timelines or scope for patient rights; mishandled PHI or a lack of adequate safeguards by Business Associates; new tools involving PHI being deployed without proper vetting; outdated policies; and improper sharing of PHI across related entities.
- Referral Source Arrangements. These are any financial or non-financial relationships with individuals or entities that are able to refer, influence, or generate healthcare business. Compliance with legal and regulatory standards is critically important in healthcare because these relationships sit at the center of several high-risk fraud and abuse laws and directly affect patient trust, payment integrity, and organizational survival. The vast majority of enforcement actions by the Office of Inspector General (OIG) and the Department of Justice (DOJ) involve such relationships implicating the Anti-Kickback Statute (AKS) or Stark Law. Virtually all OIG Corporate Integrity Agreements are based upon AKS settlements. Reviewing and monitoring arrangements needs to be a priority. The OIG recommends having an Arrangements Database that keeps track of the process of developing and managing contracts with referral sources.
- Data Privacy Risks & Cybersecurity. Healthcare providers in the 2025 Compliance Benchmark Survey ranked this, along with HIPAA Privacy, as a top compliance concern for 2026. Healthcare continues to be among the most targeted sectors for cyberattacks, including ransomware, data theft, medical device breaches, phishing, and email breaches, with attacks growing in sophistication. Providers must defend PHI, electronic health record (EHR) systems, telehealth platforms, and remote access points. Protecting patient data must remain a critical organizational priority. As digital health adoption grows, so does the frequency of attacks, increasing the risk of HIPAA violations and costly penalties.
- Keeping Abreast of a Rapidly Changing Regulatory Environment. Staying current with regulatory changes and interpreting these shifts was reported as a major concern for Compliance Officers. The pace and complexity of evolving laws and regulations require constant monitoring and timely implementation of new policies and procedures. This includes responding to new federal and state privacy/security standards, stricter HIPAA enforcement, regulatory reviews, audits and investigations, regulatory updates, changes in billing codes, and increased fraud enforcement.
- Staffing Issues. In the 2025 Healthcare Compliance Benchmark Survey, many respondents reported concerns about maintaining adequate staffing to meet compliance obligations, particularly given the limited pool of professionals with healthcare-specific regulatory expertise. Challenges include staff shortages and managing remote workforces. Staffing issues are critically important for Compliance Officers because inadequate or misaligned staffing directly undermines the ability to prevent, detect, and respond to compliance risks. Regulators increasingly view staffing levels as a measure of whether a compliance program is truly effective, since insufficient staffing often results in burnout.
- Resource Constraints. Many Compliance Officers reported concerns about meeting obligations with limited budgets. The gap between responsibilities and available resources can slow risk assessments, incident responses, and ongoing monitoring efforts. The range of compliance responsibilities is very wide, requiring specialized expertise that stretches the capabilities of small Compliance Department teams. Many find it difficult to adequately justify resource needs to executive leadership, particularly when other departments face similar budget constraints.
- Third-Party & Vendor Risk Management. Third-party and vendor risk management is a critical compliance concern because healthcare organizations are legally and operationally responsible for the actions of the vendors, contractors, and partners they rely on, even when misconduct occurs outside the organization's direct control. Healthcare organizations increasingly outsource key functions, which expands compliance risk. Ensuring that vendors comply with compliance-related requirements and HIPAA was reported as a significant concern among Compliance Officers.
- Billing, Coding, and Claims Processing. Accurate claim development, submission, and compliant revenue cycle management remain major Compliance Officer concerns. This is the second most frequent area involved in fraud and abuse enforcement. Billed services must be properly supported by clinical documentation or they will not meet payer coverage criteria. Mistakes or intentional misclassification can trigger audits, False Claims Act investigations, and significant penalties. Compliance Officers must guard against up-coding and under-coding; using higher-level E/M codes without supporting medical decision-making or time documentation; billing complex procedures when simpler codes apply; chronic under-coding masking systemic errors; E/M coding errors and modifier misuse; improper attribution of services between physicians and non-physician practitioners; and duplicate, unbundled, or fragmented billing.
- Artificial Intelligence (AI). AI is a growing concern for Compliance Officers as it is rapidly being developed and deployed by healthcare organizations. While AI offers significant operational and clinical advantages, the challenge is ensuring implementation of proper governance, validation, and ethical oversight. AI-driven systems offer powerful compliance support but create unique governance challenges, including ensuring fairness, transparency, auditability, and HIPAA compliance when managing sensitive health data. Compliance Officers express concern as to how they can effectively provide oversight while their organization is harnessing AI.
- Technology & Digital Transformation Risks. Rapid adoption of new technologies, including EHR upgrades, cloud migration, and telehealth systems, introduces significant compliance risk. Without strong governance, training, and change management, organizations face interoperability issues, implementation failures, and operational disruptions. Technology and digital transformation risks are a critical compliance area because technology now underpins how healthcare organizations deliver care, store data, bill payers, engage patients, and make decisions. Each of these functions carries distinct compliance obligations. For Compliance Officers, there is a growing appreciation that technology risk is no longer strictly an IT issue; it is a regulatory, legal, and governance risk.
For more information on this topic contact Richard Kusserow at [email protected].