Top 10 Healthcare Compliance Concerns in 2026
The healthcare industry is never short on compliance concerns, but 2026 presents an unusually complex set of challenges. Rapid technological change, increased regulatory scrutiny, and severe resource limitations leave many leaders feeling unsure where to focus their efforts.
One of the best ways to solve this problem is to look at your peers’ biggest compliance concerns. While there are many compliance risk areas in healthcare, the 2025 Healthcare Compliance Benchmark Survey reveals ten key factors that leaders say they plan to prioritize this year.
These concerns are listed in descending order and can be used in planning the 2026 Compliance Office Work Plan:
1. HIPAA Privacy Risks
Violations of protected health information (PHI) and data breaches are seven times more likely to result in regulatory action than fraud and abuse violations. According to the 2025 Compliance Benchmark Survey, this is the single highest risk area for healthcare compliance.
Most Compliance Officers have a responsibility for HIPAA Privacy; their most common concerns include:
- Knowledge Gaps: Many Compliance Officers are concerned that their workforce does not fully understand what constitutes PHI, the minimum necessary standard, or permissible disclosures.
- Patient Rights: Others fear they will fail to meet HIPAA timelines or scope requirements for patient rights.
- External Risk: Many cite fears about Business Associates mishandling PHI or a lack of adequate safeguards within external organizations.
- Safeguards and Vetting: New tools involving PHI may be deployed without proper vetting.
- Outdated Policies: Many organizations worry that their Compliance Program lacks adequate measures to handle emerging threats, particularly from AI and AI-augmented cybercrime.
2. Referral Compliance
Healthcare providers have many financial and non-financial relationships with individuals or entities that can refer, influence, or generate business for them. With the current administration’s aggressive enforcement of fraud cases, Compliance Programs must prioritize firm measures to meet all legal and regulatory standards governing these relationships.
Referral relationships sit at the center of several high-risk fraud and abuse laws and directly affect patient trust, payment integrity, and organizational survival. The vast majority of enforcement actions by the Office of Inspector General (OIG) and the Department of Justice (DOJ) involve such relationships, implicating the Anti-Kickback Statute (AKS) or Stark Law.
Virtually all OIG Corporate Integrity Agreements are based upon AKS settlements. Reviewing and monitoring arrangements needs to be a priority. The OIG recommends having an Arrangements Database that keeps track of the process of developing and managing contracts with referral sources.
3. Cybersecurity Threats
Healthcare continues to be among the most targeted sectors for cyberattacks, including ransomware, data theft, medical device breaches, phishing, and email breaches, with attacks growing in sophistication. As digital adoption continues, these threats only grow; most leaders expect the frequency, sophistication, and potential cost of attacks to increase in 2026.
Healthcare providers in the 2025 Compliance Benchmark Survey ranked this, along with HIPAA Privacy, as a top compliance concern for 2026. Providers must build, maintain, and expand cyber defenses to keep PHI, electronic health record (EHR) systems, telehealth platforms, and remote access points secure.
4. Rapid Regulatory Change
Healthcare regulation is already vast and complex, but it is also evolving quickly to address emerging new risks and expectations. Compliance Officers cite this as a major concern in 2026; the pace and complexity of evolving laws and regulations require constant monitoring and timely implementation of new policies and procedures.
A few examples of these changes include:
- Responding to new federal and state privacy/security standards
- Stricter HIPAA enforcement
- Regulatory reviews
- Audits and investigations
- Changes in billing codes
Without help in adapting their Compliance Programs, many leaders will struggle to stay ahead of these changes. Such help could include working with expert consultants, accessing fractional staffing support, or rapidly developing new policies.
5. Compliance Staffing Shortages
In the 2025 Healthcare Compliance Benchmark Survey, many respondents reported concerns about maintaining adequate staffing to meet their compliance obligations, particularly given the limited pool of professionals with healthcare-specific regulatory expertise.
The most common challenges include staff shortages and managing remote workforces. These create compliance concerns for several reasons:
- Inadequate or misaligned staffing directly undermines the ability to prevent, detect, and respond to compliance risks
- Regulators increasingly view staffing levels as a measure of whether a compliance program is truly effective
- Staffing shortages place more pressure on existing staff and can contribute to burnout
6. Compliance Resource Constraints
Staffing shortages are exacerbated by shrinking or static budgets that don’t reflect the growing compliance burden organizations face. The gap between responsibilities and available resources can slow risk assessments, incident responses, and ongoing monitoring efforts.
Many Compliance Officers told us they are not confident they can meet their current compliance obligations with limited budgets. They also find it difficult to adequately justify resource needs to executive leadership, particularly when other departments face similar budget constraints. Yet the range of compliance responsibilities is very wide, requiring specialized expertise that stretches the capabilities of small Compliance Department teams.
7. Third-Party & Vendor Risk Management
Third-party and vendor risk management is a critical compliance concern because healthcare organizations are legally and operationally responsible for the actions of the vendors, contractors, and partners they rely on. This is true even when misconduct occurs outside the organization’s direct control.
Healthcare organizations increasingly outsource key functions, which expands compliance risk. Ensuring that vendors comply with compliance-related requirements and HIPAA was reported as a significant concern among Compliance Officers.
8. Billing, Coding, and Claims Processing
Claim development, claim submission, and revenue cycle management are the second most frequent set of areas involved in fraud and abuse enforcement. Billed services must be properly supported by clinical documentation, or they will not meet payer coverage criteria. Mistakes or intentional misclassification can trigger audits, False Claims Act investigations, and significant penalties.
This makes billing, coding, and claims processes a major compliance concern for healthcare organizations. Compliance Officers must have systems in place to avoid:
- Up-coding and under-coding
- Using higher-level E/M codes without supporting medical decision-making or time documentation
- Billing complex procedures when simpler codes apply
- Chronic under-coding that masks systemic errors
- E/M coding errors and modifier misuse
- Improper attribution of services between physicians and non-physician practitioners
- Duplicate, unbundled, or fragmented billing
9. Artificial Intelligence (AI) Compliance
Healthcare organizations are embracing AI across their operations, from automating administrative tasks to potentially revolutionary clinical use cases. While AI offers significant operational and clinical advantages, the challenge is ensuring implementation of proper governance, validation, and ethical oversight.
AI-driven systems offer powerful compliance support but create unique governance challenges, including ensuring fairness, transparency, auditability, and HIPAA compliance when managing sensitive health data. Compliance Officers express concern as to how they can effectively provide oversight while their organization is harnessing AI.
10. Technology & Digital Transformation Risks
Rapid adoption of new technologies, including EHR upgrades, cloud migration, and telehealth systems, introduces significant compliance risk. Without strong governance, training, and change-management, organizations face interoperability issues, implementation failures, and operational disruptions.
Technology and digital transformation risks are a critical compliance area because technology now underpins how healthcare organizations deliver care, store data, bill payers, engage patients, and make decisions. Each of these functions carries distinct compliance obligations.
For Compliance Officers, technology risk is no longer strictly an IT issue; it is a regulatory, legal, and governance risk.
For more information on this topic, contact Richard Kusserow at [email protected].