DOJ Launches Healthcare Fraud Data Fusion Center Using AI and Advanced Analytics

As part of the 2025 National Health Care Fraud Takedown announced in June 2025, the Department of Justice established a Healthcare Fraud Data Fusion Center to combat emerging fraud schemes using artificial intelligence and advanced analytics. The center brings together experts from DOJ's Criminal Division, Health Care Fraud Unit Data Analytics Team, HHS-OIG, FBI, and other agencies to leverage cloud computing for rapid detection and prosecution. The Takedown resulted in charges against 324 defendants involving over $14.6 billion in alleged fraud, with the government seizing over $245 million in assets. In one case dubbed "Operation Gold Rush," the Data Analytics Team detected anomalous billing that prevented international criminals from receiving $4.45 billion of the $10.6 billion they attempted to fraudulently claim. The fusion center represents a new era of data-driven fraud prevention and aggressive prosecution. Read more here.


FDA Medical Device Warning Letters Hit 44 in FY 2025

The FDA issued 44 warning letters related to medical devices in fiscal year 2025 (October 1, 2024 - September 30, 2025), with 38 of those concerning Quality System Regulations (21 CFR 820)—representing an 11-letter increase in QSR violations compared to fiscal year 2024. According to ECA Academy's November 2025 analysis, this represents a significant escalation in FDA enforcement, as the late 2010s and early 2020s typically saw only 11-21 warning letters annually. The surge in QSR-related citations indicates heightened FDA scrutiny of medical device manufacturers' quality management systems, including failures in risk analysis, CAPA processes, design controls, and manufacturing procedures. The increase signals that medical device companies must prioritize comprehensive quality system compliance to avoid costly enforcement actions and potential product seizures. Read more here.


Diagnostic Laboratory Settles False Claims Act Allegations for Over $9 Million

PCL, a diagnostic laboratory, has agreed to pay over $9 million to settle allegations that it knowingly submitted false claims to Medicare for respiratory pathogen panels (RPPs) that were medically unnecessary or obtained through kickbacks. The Department of Justice announced the settlement on November 13, 2025, after investigating PCL's Marketing Services Agreement with a purported infection prevention company. The government alleged that PCL paid commissions to independent sales representatives based on the volume or value of referrals, violating the Anti-Kickback Statute. The settlement illustrates the government's continued emphasis on combating healthcare fraud using the False Claims Act, with potential violations including unnecessary testing and improper financial relationships with referral sources. The case serves as a reminder that healthcare organizations must ensure their business arrangements comply with federal fraud and abuse laws. Read more here.


Ransomware Downtime Costs Healthcare Organizations $1.9 Million Daily

Healthcare ransomware attacks are costing organizations an estimated $1.9 million per day in downtime, according to Comparitech's latest research. Since 2018, 654 ransomware attacks have targeted healthcare providers, compromising over 88.7 million patient records. Organizations experience an average of 17 days of downtime per incident, with 2022 seeing the highest disruptions at 27 days average. The cumulative cost of downtime over six years has reached an estimated $21.9 billion. Double-extortion tactics have become increasingly common, with threat actors not only encrypting systems but also exfiltrating large amounts of data to pressure organizations into paying ransoms, leveraging healthcare's reliance on operational continuity and urgent need to restore patient care access. Read more here.


Healthcare Ransomware Attacks Surge 115% in October 2025

Healthcare ransomware attacks surged dramatically in October 2025, with attacks increasing 115% from September (26 to 56 attacks). According to Comparitech's November 2025 report, the U.S. experienced a 33% increase in ransomware incidents, reaching 374 attacks. The Qilin ransomware group led with 186 attacks (22.7% of all published attacks), while healthcare providers faced the second-highest increase among all industries. Sinobi, a newer ransomware group emerging in mid-2025, specifically targeted U.S.-based healthcare organizations. The healthcare sector's 115% spike was second only to transportation's 109% increase, highlighting the continued vulnerability of medical facilities to cyber threats. Read more here.


CMS Intensifies Medicare/Medicaid Fraud Enforcement Focus with Estimated $63B in Overpayments

The Trump administration and CMS are ramping up program integrity enforcement, with HHS estimating $32 billion in Medicare overpayments and $31 billion in Medicaid overpayments to fee-for-service providers in 2024. Between October 2020 and September 2023, CMS revoked Medicare billing privileges for nearly 8,500 providers, with fiscal year 2023 alone seeing over 2,500 providers terminated from state Medicaid programs. Medicare revocations often result in placement on the "preclusion list," preventing payment from Medicare Advantage plans and prescription reimbursement. President Trump and House Speaker Mike Johnson have emphasized targeting "fraud, waste and abuse" in these programs. Providers should prepare for increased enrollment actions, reimbursement audits, and extrapolated overpayment demands as federal agencies prioritize recovery efforts. Read more here.


Federally Qualified Health Center Reports Ransomware Attack Affecting Underserved Populations

Central Jersey Medical Center, a federally qualified health center that operates school-based health centers in Newark, New Jersey, is notifying individuals of a data breach from an August ransomware attack. The Perth Amboy-based organization provides dental, medical, and mental health services to students and adults in underserved communities. This incident highlights the ongoing vulnerability of FQHCs to cyberattacks—organizations that are often under-resourced from a cybersecurity perspective yet serve critical populations. Similar recent attacks include Cherry Street Services in Michigan (182,000 affected) and Petaluma Health Center in California (125,000 affected), with one FQHC in New York facing a $350,000 penalty following a 2021 ransomware incident. The pattern underscores how cybercriminals target healthcare organizations serving vulnerable populations who may have limited ability to invest in robust security infrastructure. Read more here.


FDA Issues Warning Letter to WHOOP Over Unapproved Blood Pressure Monitoring Feature

The FDA issued a warning letter to fitness wearable company WHOOP regarding its "Blood Pressure Insights" feature, marking an escalation in regulatory scrutiny of wellness technology. Although WHOOP marketed the feature as a general wellness tool providing daily blood pressure estimates, the FDA determined that blood pressure monitoring is inherently tied to diagnosing hypertension and therefore constitutes a regulated medical device function. This action reflects a broader shift in FDA enforcement toward health-related features previously considered low-risk "general wellness" products. The warning follows similar 2024 safety communications about smartwatches and rings claiming to measure blood glucose without proper clearance, signaling heightened regulatory expectations for digital health products. Read more here.


Healthcare Ransomware Attacks Surge 30% in 2025, INC and Qilin Lead Threat Landscape

New research from Comparitech reveals a 30% increase in ransomware attacks on healthcare businesses in 2025, with 293 attacks on healthcare providers through Q3. INC ransomware emerged as the most active threat actor with 39 attacks, followed by Qilin with 34 attacks. The U.S. remains the primary target, accounting for the overwhelming majority of incidents. Notably, Interlock ransomware was responsible for breaching the largest number of patient records among providers—2.7 million records—with most stemming from an attack on DaVita. The average ransom demand reached $514,000 for provider attacks and $532,000 for healthcare business attacks. Cybercriminals are increasingly shifting focus to third-party vendors and service partners as entry points to breach larger healthcare networks. Read more here.


OCR’s Risk Analysis Initiative Reaches 7+ Enforcement Actions with $900k+ in Penalties

HHS's Office for Civil Rights has announced its 7th enforcement action under the new Risk Analysis Initiative, bringing total settlement payments to nearly $900,000. The initiative, launched in October 2024, targets healthcare organizations that failed to conduct accurate and thorough HIPAA Security Rule risk analyses. OCR's Director stated that "failure to conduct a HIPAA Security Rule risk analysis leaves health care entities vulnerable to cyberattacks, such as ransomware." The settlements range from $25,000 to over $90,000, with all cases involving organizations that suffered ransomware attacks after failing to complete compliant risk assessments. This enforcement priority signals that OCR considers risk analysis foundational to cybersecurity compliance—not optional paperwork. Read more here.


State AI Healthcare Legislation Surges with 60+ Bills as Regulatory Patchwork Emerges

As healthcare payors continue adopting AI for uses ranging from utilization and quality management to fraud detection and claims adjudication, states are focusing intensively on ways to mitigate potential harms to beneficiaries. Approximately 60 bills governing payer use of AI were introduced in 2025, but only four became law in Arizona, Maryland, Nebraska, and Texas. Notably, California Governor Newsom vetoed a significant bill (SB 1120) in October 2025 that would have established public reporting requirements for managed care plans and health insurers using AI for prior authorizations and utilization review functions. Additional California legislation (AB 1064) addressing AI companion chatbots for minors was also vetoed, with the Governor citing concerns about "broad restrictions" potentially leading to a total ban on these products for minors. This state-level regulatory activity is creating a complex patchwork of requirements that healthcare organizations must navigate, with different compliance obligations emerging across jurisdictions. Organizations using AI in healthcare operations must carefully track state-specific legislation, implement governance frameworks that can adapt to varying requirements, and prepare for continued regulatory evolution as states experiment with different approaches to AI oversight in 2026 and beyond. Read more here.


Joint Commission and CHAI Issue Critical AI Governance Guidance for Healthcare Organizations

Recent guidance from the Joint Commission and the Coalition for Health AI (CHAI) emphasizes the critical importance of AI governance, safety event reporting, and vendor management in promoting responsible AI use, at a time when healthcare organizations face significant challenges in monitoring AI tools at scale. The guidance highlights that while many health systems may have the expertise to monitor machine learning models, they often lack the infrastructure and capabilities needed to do so effectively at scale. Industry leaders are advocating for building scalable, standardized monitoring systems rather than seeking regulatory carve-outs, and have expressed skepticism about proposals like the SANDBOX Act that would create waivers from certain regulatory provisions. Instead, experts recommend developing a CLIA-like model in which industry relies on a distributed, federated network of organizations to build internal capabilities for quality control and quality assurance of AI. Healthcare organizations must establish robust governance frameworks, implement systematic monitoring of AI tools, ensure proper vendor management, and develop clear protocols for reporting AI safety events to maintain patient safety and regulatory compliance in this rapidly evolving landscape. Read more here.


CMS Dramatically Expands Civil Monetary Penalty Authority for Nursing Home Enforcement

CMS finalized major changes to nursing home enforcement policies in the FY2025 Skilled Nursing Facility rule, significantly expanding its authority to impose civil monetary penalties (CMPs) for health and safety violations. The most significant change allows CMS to impose both per-day and per-instance penalties simultaneously for the same deficiency—something that was previously prohibited. This provides CMS with greater flexibility to impose penalties that more directly reflect the health and safety impact on residents and incentivizes permanent correction of deficiencies. The revisions expand the types of CMPs that can be imposed while remaining within statutory daily limits, and CMS can still exercise discretion regarding a facility's financial condition when determining appropriate penalties. The changes also include stricter monitoring for low-performing facilities, with increased use of Special Focus Facilities designation to identify worst-performing nursing homes. CMS emphasized renewed focus on infection control practices with stricter enforcement of related regulations. These enforcement changes come alongside a 4.2% payment increase ($1.4 billion) for SNFs in FY2025. Nursing homes must strengthen their compliance programs, implement robust quality assurance systems, and ensure swift correction of deficiencies to avoid facing substantially higher penalties under this new enforcement regime. Read more here.


SimonMed Imaging Ransomware Attack Exposes 1.2 Million Patients to Medusa Group

SimonMed Imaging, one of the country's largest outpatient radiology and medical imaging providers, suffered a massive ransomware attack in January 2025 that compromised sensitive data belonging to approximately 1.2 million patients. The Medusa ransomware group claimed responsibility, alleging they stole more than 200 GB of data including patient IDs, financial records, medical scans, and imaging files. The attackers gained access between January 21 and February 5, 2025, after a vendor alerted SimonMed to a potential security incident. The ransomware group reportedly demanded $1 million to delete the stolen files, or $10,000 per day to delay publishing the data. While SimonMed was later removed from the Medusa leak site (suggesting a possible ransom payment, though unconfirmed), the breach highlights the escalating threat of ransomware attacks targeting healthcare organizations and the critical importance of vendor risk management, robust cybersecurity measures, and comprehensive incident response capabilities. Read more here.


CMS Launches Nationwide Medicaid Eligibility Oversight Initiative to Enforce Federal Requirements

The Centers for Medicare & Medicaid Services launched a comprehensive oversight initiative in August 2025 to ensure that all Medicaid and Children's Health Insurance Program (CHIP) enrollees are U.S. citizens, U.S. nationals, or have satisfactory immigration status as required by federal law. CMS is now providing states with monthly enrollment reports identifying individuals whose citizenship or immigration status could not be confirmed through federal databases, including the Department of Homeland Security's Systematic Alien Verification for Entitlements (SAVE) program. States are required to review these cases, verify citizenship or immigration status of identified individuals, request additional documentation when necessary, and take appropriate actions including adjusting coverage or enforcing non-citizen eligibility rules. The first set of reports was sent to states in August 2025, with all states receiving reports over the course of a month. This initiative reflects CMS's commitment to enforcing federal eligibility rules, supporting state compliance, promoting transparency, and upholding the integrity of Medicaid and CHIP programs for future generations. Healthcare organizations and Medicaid managed care plans should prepare for increased scrutiny of enrollment verification processes and ensure robust compliance with federal eligibility documentation requirements. Read more here.


Risk Analysis Failures Drive All 2025 HIPAA Enforcement Actions

In the first five months of 2025, HHS Office for Civil Rights announced ten HIPAA resolution agreements spanning both the Biden and Trump administrations, involving organizations ranging from small physician groups to larger hospital authorities and IT service providers. Despite the diversity of organizations and underlying incidents, OCR's enforcement focus was strikingly consistent: each announcement indicated the resolution agreement was intended to cure defects in basic HIPAA Security Rule compliance, with common emphasis on each organization's failure to conduct thorough risk analyses. The monetary fines ranged from $25,000 at the low end to $3 million for a national medical supplier that suffered a major data breach after a phishing incident. Other penalties fell in between, with midsized providers typically agreeing to five- or six-figure fines. The underlying data breaches varied: several involved ransomware attacks, others were triggered by phishing schemes, and some involved ePHI left unsecured on internet-facing servers. However, in each instance, OCR's investigation revealed that the affected organization had not met the fundamental HIPAA Security Rule requirement to conduct an accurate and thorough risk analysis. Read more here.


OCR’s Risk Analysis Initiative Reaches Nearly $900K in Settlements

In April 2025, HHS Office for Civil Rights announced its eighth enforcement action under the Risk Analysis Initiative, marking a significant milestone. Since the initiative's introduction in October 2024, it has resulted in combined settlement payments of nearly $900,000 from eight different healthcare organizations. The initiative was created after OCR's 2016-2017 compliance audit concluded that only 14% of covered entities were substantially fulfilling their regulatory responsibilities to safeguard electronic protected health information through risk analysis activities. Notably, the two most recent settlements were obtained in February 2025 and announced in April 2025, indicating that the Trump Administration is continuing to pursue this initiative first announced by the Biden Administration. The ongoing enforcement underscores the importance of healthcare organizations understanding the Security Rule's requirements and conducting proper risk analyses. Common deficiencies include failure to conduct comprehensive inventories of all systems that store or transmit ePHI, conflating HIPAA compliance gap assessments with risk analyses, and using template forms or generic tools that fail to account for the unique aspects of an organization's network. Read more here.


Joint Commission Issues First Framework for Responsible AI Use in Healthcare

On September 17, 2025, the Joint Commission in collaboration with the Coalition for Health AI issued its first high-level framework on the responsible use of AI in healthcare. The Guidance on the Responsible Use of AI in Healthcare is intended to help hospitals and health systems responsibly deploy, govern, and monitor AI tools across organizations. Key requirements include: comprehensive risk and bias assessment (organizations must proactively identify and address risks and biases in AI tools, seeking vendor disclosures on known risks, limitations, and bias); ongoing quality monitoring (AI performance can drift as data inputs or algorithms change, requiring pre-deployment validation and post-deployment monitoring); education and training (clinicians and staff must receive training to ensure safe implementation); and voluntary, blinded reporting of AI safety-related events (the framework promotes confidential reporting of AI-related safety events to enable pattern recognition and field-wide learning). Read more here.


CMS Ramps Up Hospital Price Transparency Enforcement

A February 2025 Executive Order titled "Making America Healthy Again by Empowering Patients with Clear, Accurate, and Actionable Healthcare Pricing Information" has significantly intensified enforcement of hospital price transparency rules. Since early 2025, CMS has already executed more enforcement actions than in all of 2024. However, the average penalty imposed has decreased significantly, suggesting a strategic shift toward broader but less severe enforcement aimed at encouraging widespread compliance without prohibitively high penalties. The Executive Order directs federal agencies to improve compliance oversight and ensure pricing data disclosed by hospitals is clear, consistent, and actionable. It also calls for standardization of pricing data across hospitals to facilitate comparison shopping, particularly for non-emergency or elective procedures. The order mandates more active enforcement, including public identification of hospitals that fail to meet transparency requirements. Read more here.


FDA Medical Device Warning Letters Surge 96% in 2024

The FDA dramatically increased medical device enforcement in 2024, issuing 47 warning letters compared to 24 in 2023—a 96% surge. According to regulatory compliance data, this represents the highest enforcement level in recent years as FDA shifts away from its prior "integrative approach" and now issues warning letters more readily when companies fail to address 483 observations adequately. The top violations include Corrective and Preventive Action (CAPA) failures appearing in over 60% of enforcement actions, design control deficiencies, and complaint handling issues. The escalation from 483 observations to warning letters typically occurs when companies provide inadequate responses or fail to implement effective corrective actions. This dramatic increase signals heightened FDA enforcement priorities and demonstrates why proactive compliance strategies are essential for medical device manufacturers. Read more here.


FDA Issues Controversial Warning Letter to WHOOP Over Blood Pressure Feature

On July 14, 2025, FDA issued a warning letter to WHOOP, Inc. claiming its Blood Pressure Insights (BPI) wearable feature constitutes an unapproved medical device requiring FDA clearance. WHOOP argues BPI qualifies as a general wellness product under FDA's own guidance, as it provides daily blood pressure estimations for performance insights rather than medical diagnosis. FDA's position that blood pressure measurement is "inherently associated" with disease diagnosis represents a significant departure from decades of regulatory precedent, raising concerns about FDA's evolving approach to consumer health technology. This comes just weeks after HHS Secretary Kennedy advocated for expanded consumer use of wearables like Apple Watch and WHOOP. Read more here.


GAO Finds CMS Cannot Ensure Hospital Transparency Data Accuracy

A Government Accountability Office investigation published in October 2024 found that CMS lacks assurance that hospital pricing data disclosed under price transparency requirements are sufficiently complete and accurate. Despite enforcement actions from 2021-2023, GAO's analysis revealed CMS does not routinely verify that hospitals report prices on all services or for all health plans. The report recommends CMS assess whether pricing data quality is adequate for consumer use and implement additional enforcement activities as needed. This finding highlights ongoing challenges in making hospital pricing information truly usable for patients attempting to compare costs across facilities. Read more here.


CMS Dramatically Increases Hospital Price Transparency Enforcement Actions

CMS has significantly ramped up enforcement of hospital price transparency requirements, taking more enforcement actions since January 2025 than in all of 2024. New guidance issued May 22, 2025, prohibits hospitals from using the placeholder code "999999999" for estimated allowed amounts when negotiated rates are based on percentages or algorithms. Hospitals must now calculate and disclose actual dollar amounts using 12-month historical payment data or expected payment amounts. This represents a major shift toward broader but less severe enforcement designed to encourage widespread compliance with pricing disclosure requirements, continuing efforts that began under previous administrations to make healthcare costs more transparent for consumers. Read more here.


Cadia Healthcare Settles HIPAA Investigation for Improper Social Media Disclosure

OCR announced a $182,000 settlement with Cadia Healthcare Facilities, five Delaware-based rehabilitation and long-term care providers, for impermissibly disclosing patient PHI through website testimonials. The investigation began after a September 2021 complaint revealed the facilities posted a patient's name, photograph, and treatment information as a "success story" without proper HIPAA authorization. This case serves as a critical reminder that covered entities must obtain valid written HIPAA authorization before posting patient information in testimonials or social media campaigns, regardless of the marketing benefits. Read more here.


OCR Risk Analysis Initiative Reaches Ninth Enforcement Action with Comstar Settlement

The HHS Office for Civil Rights announced its ninth enforcement action under the Risk Analysis Initiative, settling with Comstar LLC for $75,000 following a ransomware incident that compromised 35,000 patient records. The Massachusetts-based medical billing company failed to conduct a comprehensive HIPAA Security Rule risk analysis before the March 2023 breach. This settlement reinforces OCR's ongoing focus on requiring HIPAA-regulated entities to proactively assess and manage privacy and security risks through documented risk analyses, updated protocols, and workforce training. Read more here.


OCR Settles HIPAA Ransomware Case with Business Associate BST & Co. for $175,000

The U.S. Department of Health and Human Services' Office for Civil Rights announced a settlement with BST & Co. CPAs, LLP, a New York accounting and consulting firm, concerning potential violations of the HIPAA Security Rule following a ransomware attack. This settlement marks OCR's 15th ransomware enforcement action and 10th enforcement action in OCR's Risk Analysis Initiative. BST, a HIPAA business associate that receives financial information containing protected health information from covered entities, discovered on December 7, 2019, that part of its network was infected with ransomware. OCR's investigation determined that BST had failed to conduct an accurate and thorough risk analysis to determine potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by BST. Under the resolution agreement terms, BST agreed to pay $175,000 to OCR and implement a corrective action plan monitored by OCR for two years. The corrective action plan requires BST to conduct an accurate and thorough risk analysis, implement a risk management plan, review and revise policies and procedures, provide workforce training, and submit regular compliance reports to OCR. This case reinforces that business associates are directly accountable under HIPAA and must comply with Security Rule requirements just like covered entities. Read more here.


Medicare Advantage Star Ratings Continue Steep Decline in 2025

Just 40% of Medicare Advantage prescription drug plans achieved four stars or higher for 2025, according to the Centers for Medicare & Medicaid Services, marking the third consecutive year of declining ratings. This represents a dramatic drop from 68% of plans meeting the threshold in 2022. Weighted by enrollment, only 62% of enrollees are in contracts with four-star ratings or better, down from 90% in 2022. The 2025 star ratings will determine 2026 quality bonus payments, creating significant financial repercussions for MA plans. Only seven MA-PD contracts earned five-star ratings for 2025, down from 74 contracts in 2022. Most cut points have increased from 2024 to 2025, causing the average plan star rating to decrease from 4.07 to 3.92. More than one-third of plans rated in both 2024 and 2025 decreased by at least half a star. The declining ratings have prompted major insurers including UnitedHealth and Humana to sue CMS over the ratings methodology, specifically challenging the call center measure calculations and CMS's unwillingness to share industry data with MAOs so they can verify the calculations. The star ratings system is designed to become increasingly challenging through rising cut points, the performance bar plans must surpass to score in a desired range. Read more here.


FDA Issues First Comprehensive AI Medical Device Guidance for 2025

On January 7, 2025, the FDA issued groundbreaking draft guidance for AI-enabled device software functions (DSF), marking the first comprehensive recommendations covering the Total Product Life Cycle (TPLC) approach. The guidance represents the most significant regulatory development for AI medical devices to date, with over 1,250 AI-enabled devices already authorized through FDA pathways. The new framework requires detailed documentation including model descriptions, data lineage and splits, performance metrics tied to claims, bias analysis and mitigation strategies, human-AI workflow integration, ongoing monitoring plans, and Predetermined Change Control Plans (PCCP) for post-market updates. As of October 2025, FDA has approved 141 AI-enabled medical devices in 2025 alone, bringing the total to 1,250 authorized devices. The guidance applies immediately to marketing submissions and creates unprecedented regulatory clarity while establishing rigorous standards for safety, effectiveness, and equity in AI medical devices. Organizations that embrace these requirements as enablers rather than obstacles will lead the transformation of healthcare through artificial intelligence. Read more here.


Healthcare Data Breaches Reach Unprecedented Levels: 275 Million Records Exposed

Between 2024 and 2025, the healthcare sector experienced over 700 data breaches, exposing more than 275 million patient records, a staggering 63.5% increase from 2023 and the largest healthcare data exposure in U.S. history. The Change Healthcare ransomware attack alone affected 192.7 million individuals, making it the largest healthcare data breach ever reported. Threat actors such as RansomHub and ShinyHunters exploited widespread password weaknesses, with compromised credentials becoming the primary attack vector. The American Hospital Association reports that since 2020 over 590 million medical records have been compromised, meaning nearly every U.S. citizen has been affected, many multiple times. The breaches followed familiar attack patterns: spearphishing attachments and password spraying for initial access, brute force attacks and stolen password stores for credential access, and ransomware deployments leading to data encryption and manipulation. Major incidents in 2025 include Yale New Haven Health (5.56 million affected), Episource (5.4 million), and Blue Shield of California (4.7 million), highlighting the growing threat from attacks on third-party vendors rather than on hospitals directly. Read more here.


OCR Announces Ten Major HIPAA Settlements in First Five Months of 2025

The U.S. Department of Health and Human Services' Office for Civil Rights has announced 10 HIPAA resolution agreements in just the first five months of 2025, with penalties ranging from $25,000 to $3 million. Every single settlement highlighted the organization's failure to conduct proper HIPAA Security Rule risk analyses. These settlements span both administrations and involve diverse organizations from small physician groups to large hospital authorities and IT service providers. The common thread: inadequate risk analysis. Beyond financial penalties, resolution agreements include detailed corrective action plans requiring several years of close regulatory monitoring, completion of comprehensive risk analyses, implementation of risk management plans, staff training updates, and regular security policy reviews. OCR has made risk analysis enforcement a focal point in 2025, sending a clear message that no organization is too large or too small to be held accountable for this fundamental HIPAA compliance requirement. Read more here.


FDA Launches Historic Crackdown on Misleading Pharmaceutical Advertising

The U.S. Department of Health and Human Services and FDA announced sweeping reforms in September 2025 to rein in misleading direct-to-consumer pharmaceutical advertisements. The FDA sent thousands of warning letters to pharmaceutical companies to remove misleading ads and issued approximately 100 cease-and-desist letters to companies with deceptive advertisements. FDA Commissioner Dr. Marty Makary stated that the FDA has permitted misleading drug advertisements for too long, distorting the doctor-patient relationship and creating increased demand for medications regardless of clinical appropriateness. The FDA is initiating rulemaking to close the "adequate provision" loophole created in 1997, which drug companies have used to conceal critical safety risks in broadcast and digital ads. Secretary Robert F. Kennedy Jr. emphasized that pharmaceutical ads "hooked this country on prescription drugs" and the administration will shut down that pipeline of deception. Over time, enforcement had waned with only one warning letter sent to pharmaceutical companies in 2023 and zero in 2024. The FDA will now aggressively deploy enforcement tools and is already implementing AI and tech-enabled tools to proactively surveil and review drug advertisements. Read more here.


State Healthcare AI Regulations Create New Compliance Reality in 2025

The landscape for AI in healthcare is shifting dramatically as state legislators move beyond guidelines to establish concrete enforcement mechanisms. California's AB 489, signed September 2 and effective October 1, 2025, prohibits AI systems from using professional terminology and post-nominal letters (M.D., D.O., R.N.) suggesting users receive care from licensed healthcare professionals when no such oversight exists. Illinois enacted the nation's first statutory restriction on AI therapy, enforced by the Department of Financial and Professional Regulation with penalties up to $10,000 per violation. Nevada's AB 406, effective July 1, 2025, prohibits AI providers from certain representations. Texas Attorney General Ken Paxton opened an investigation on August 18, 2025, into AI chatbot platforms for potentially engaging in deceptive trade practices and misleadingly marketing themselves as mental health tools. The evolving patchwork of state laws creates a complex compliance landscape for AI deployment in mental health and healthcare. Each statute draws clear boundaries between permitted, restricted, and prohibited activities, often hinging on the AI system's function and degree of human oversight. Healthtech companies should embed compliance considerations into early-stage product design rather than treating them as post-launch modifications. Read more here.


2025 on Track to be Record Year for HIPAA Enforcement and Healthcare Data Breaches

The high level of HIPAA enforcement has continued in 2025, largely driven by OCR's new Risk Analysis Initiative focusing on Security Rule compliance. OCR closed 22 HIPAA investigations with financial penalties in 2024, though only 16 were announced before the administration change. The enforcement momentum has continued into 2025, with this year looking to be a record year for HIPAA enforcement. As of July 31, 2025, 444 large healthcare data breaches affecting 500 or more individuals have been reported to OCR—a 2% year-over-year increase. According to OCR's breach portal, more than 133 million individuals were affected by healthcare data breaches in 2023. Financial penalties for HIPAA violations range significantly, from relatively small settlements for Right of Access violations to multi-million-dollar penalties for systemic Security Rule failures. Penalty amounts increased considerably between 2015 and 2018, with Anthem Inc. paying $16 million in 2018—the largest ever financial penalty for HIPAA violations. Organizations must prioritize breach notification timelines, business associate oversight, and comprehensive risk assessments to avoid enforcement scrutiny. Read more here.


FDA Medical Device Inspections Surge in 2025: Enforcement Accelerates Sharply

After a quiet January marked by administrative transition at the FDA, enforcement activity has accelerated dramatically in 2025. As of early September, the FDA has issued 19 warning letters citing violations of the Quality System Regulation for medical devices—already surpassing the total for the same period in 2024. The data reveals an agency reasserting its enforcement posture after a period of relative quiet. Warning letters are becoming more frequent, and many recent letters include explicit commitments to follow-up inspections, signaling a shift toward ongoing oversight rather than one-time reviews. The FDA is increasingly drilling down into legacy records and documentation prepared by prior owners, citing new owners for inadequate processes and inherited problems. Contract manufacturer oversight remains a recurring weakness in medical device operations, with recent warning letters revealing patterns of citations stemming from shared equipment, poor segregation, and lack of oversight. The FDA's use of AI tools like ELSA has enabled more precise targeting of high-risk facilities by analyzing complaint data, adverse event reports, and historical inspection outcomes. Read more here.


OCR’s Risk Analysis Initiative Hits Eight Enforcement Actions in 2025

The U.S. Department of Health and Human Services Office for Civil Rights has announced its eighth enforcement action under the Risk Analysis Initiative, with combined settlement payments nearing $900,000 across eight healthcare organizations. Launched in October 2024, this initiative emphasizes the critical importance of conducting thorough HIPAA Security Rule risk analyses. The OCR Director stated that failure to conduct proper risk analyses leaves healthcare entities vulnerable to cyberattacks like ransomware. The initiative continues under the Trump Administration despite being introduced under the Biden Administration, underscoring bipartisan commitment to this enforcement priority. Healthcare organizations must understand that risk analysis is not optional—it's the foundation for effective cybersecurity and ePHI protection. Organizations must conduct accurate assessments of potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information. The enforcement actions demonstrate OCR's position that template forms and generic tools often fail to account for unique organizational risks and may not satisfy regulatory requirements. Read more here.


HIPAA Telehealth Enforcement Tightens as ‘Good Faith’ Exception Era Ends

HIPAA compliance priorities are shifting in 2025 as telehealth enforcement tightens following the pandemic's temporary flexibility. The Department of Health and Human Services' Office for Civil Rights emphasizes that providers must ensure telehealth platforms meet full security requirements, including encryption, secure logins, and patient consent for digital communications. The days of "good faith" exceptions are closing, and organizations that haven't updated their telehealth protocols face compliance issues. New guidance emphasizes encryption by default for data in motion and at rest, multi-factor authentication as standard expectation, and stronger requirements for monitoring access logs and detecting unauthorized entry into systems. Read more here.


New Era of Privacy Enforcement Targets Digital Health Apps Beyond HIPAA Scope

Regulators are expanding enforcement against digital health apps and online platforms that share sensitive health data without proper consent, even though these companies fall outside HIPAA's scope. The FTC is actively enforcing the HITECH Act's Health Breach Notification Rule for non-HIPAA vendors of personal health records. State attorneys general in California and Washington are using both general deceptive trade practices laws and health-specific privacy statutes to investigate undisclosed data flows. Courts are reinterpreting wiretapping statutes more broadly, treating embedded SDKs and tracking scripts as potential interceptors of private communications. Health apps, APIs, and connected devices now fall under expanded regulatory scrutiny. Read more here.


FDA Medical Device Enforcement Surges in 2025 with Record Warning Letter Pace

Summary: FDA medical device enforcement has accelerated sharply in 2025 following a quiet January. By early September, FDA issued 19 warning letters citing Quality System Regulation violations for medical devices, already surpassing the same period in 2024. This enforcement surge breaks historical trends of decreased regulatory action under Republican administrations. FDA is focusing on Corrective and Preventive Action (CAPA) deficiencies, design control violations, and 510(k) discrepancies. Many recent warning letters include explicit commitments to follow-up inspections, signaling a shift toward ongoing oversight rather than one-time enforcement actions. Read more here.


States Lead AI Healthcare Regulation with Over 1,000 New Bills Introduced in 2025

State governments are rapidly advancing AI regulation with over 1,000 bills introduced this year, including approximately 280 that relate to health technology. Industry experts advise healthcare leaders to actively engage with state lawmakers, as many legislators have limited experience with healthcare technology. States like Texas, California, and Colorado have passed meaningful AI legislation with sector-specific healthcare provisions. The regulatory landscape varies significantly by state, creating compliance challenges for multi-state healthcare organizations. Healthcare organizations should implement risk-based assessments to ensure lower-risk AI applications can still flourish while maintaining appropriate oversight for higher-risk implementations. Read more here.


HHS Launches Aggressive Crackdown on Healthcare Data Blocking Under New Administration

The Department of Health and Human Services has launched an aggressive enforcement initiative targeting healthcare entities that block patient information flow. Under the Trump Administration, information blocking has become a priority after being largely ignored previously. The 21st Century Cures Act of 2016 authorized ASTP/ONC and HHS OIG to take enforcement actions against those who block patient information. Healthcare providers participating in CMS programs could face disincentives, while other violations may result in civil monetary penalties. HHS is calling on patients, providers, and health IT companies to report suspected information blocking through ASTP/ONC's reporting portal. Read more here.


States Lead Charge on Healthcare AI Governance

States are rapidly filling the federal AI regulation gap, with over 20 bills regulating provider use of AI introduced in 2025. Key laws passed include requirements for provider oversight, transparency mandates, and safeguards against bias. Four states passed laws prohibiting sole AI use in medical necessity denials, while others focus on clinical care guardrails. Texas enacted comprehensive AI governance laws (HB 149 and SB 1188) effective January 2026, requiring transparency in AI-assisted decision-making and prohibiting discriminatory AI use. Read more here.


Healthcare Data Breaches Surge Despite Security Efforts

In the first six months of 2025, 343 healthcare data breaches were reported to HHS, with the 10 largest breaches affecting over 21 million Americans. Major incidents included Episource (5.4 million affected), Blue Shield of California (4.7 million), and Yale New Haven Health System. Despite improved cybersecurity measures, healthcare organizations remain prime targets for cyberattacks. Experts emphasize that resilience and preparation are crucial for healthcare organizations. Read more here.


OCR’s Record-Breaking HIPAA Enforcement Initiative

In the first five months of 2025, OCR announced ten HIPAA resolution agreements with penalties ranging from $25,000 to $3 million. Each case involved failures to conduct compliant HIPAA Security Rule risk analyses. OCR has announced 18 settlements and civil monetary penalties through July 2025, making this potentially a record-breaking year for HIPAA penalties. The enforcement initiative specifically targets risk analysis failures as the most commonly identified HIPAA Security Rule violation. Read more here.


FDA’s Unprecedented Drug Advertising Crackdown

The FDA launched an unprecedented enforcement action, sending thousands of warning letters and approximately 100 cease-and-desist letters to pharmaceutical companies over misleading direct-to-consumer advertisements. Major companies including Eli Lilly, Novo Nordisk, and Hims & Hers received warning letters. The agency is also initiating rulemaking to close the "adequate provision" loophole that has allowed companies to conceal critical safety risks in broadcast and digital ads since 1997. Read more here.


HHS Announces Major Crackdown on Health Data Blocking

The Department of Health and Human Services announced a major enforcement initiative targeting information blocking practices that restrict patient access to electronic health information. HHS Secretary Robert F. Kennedy Jr. directed increased resources toward enforcement, with violators facing civil monetary penalties up to $1 million per violation. The initiative targets healthcare providers, health IT developers, and health information exchanges that interfere with data access, exchange, or use. This marks a significant policy shift from the previous administration's approach. Read more here.


Enforcement Trends Indicate Intensified Healthcare Oversight

Multiple regulatory agencies are ramping up healthcare enforcement activities with coordinated efforts across cybersecurity, data privacy, and emerging technologies. The FTC has issued warnings to over 130 healthcare organizations regarding tracking technology risks, while OCR continues targeted enforcement initiatives. Healthcare organizations face increasing scrutiny for HIPAA violations, particularly around risk analysis failures and patient access rights. Industry experts anticipate continued aggressive enforcement as agencies adapt to technological advances and emerging compliance challenges in the healthcare sector. Read more here.


Healthcare Faces Multi-Agency Enforcement Coordination Surge

Healthcare compliance experts predict 2025 will be "especially busy" for chief compliance officers as multiple federal agencies coordinate enforcement efforts. The Department of Justice Antitrust Division, Federal Trade Commission, Cybersecurity and Infrastructure Security Agency, and HHS Office of Inspector General are working together on healthcare oversight. Key focus areas include online tracking technologies (with FTC warning 130+ healthcare organizations), cybersecurity practices, and AI governance. This multi-agency approach represents a significant escalation in healthcare regulatory enforcement compared to previous years. Read more here.


2025 HIPAA Compliance Landscape Undergoes Major Evaluation

Healthcare organizations face significant HIPAA updates in 2025, including mandatory encryption of electronic protected health information (ePHI) at rest and in transit, simplified compliance requirements through removal of the "required" vs. "addressable" distinction, and harsher penalties for repeat violations. A recent survey of over 120 compliance leaders reveals that 63% of health plan respondents are prioritizing compliance strategies to address emerging challenges. The evolving regulatory landscape reflects growing concerns about data privacy, technological advancement, and the need for more robust cybersecurity measures in healthcare settings. Read more here.


GAO Report Criticizes CMS Hospital Price Transparency Enforcement

The Government Accountability Office released a scathing report finding that CMS cannot assure hospital pricing data is sufficiently complete or accurate, despite implementing 1,287 enforcement actions since 2021. While CMS has issued over $4 million in penalties to 14 non-compliant hospitals, the agency does not routinely verify data quality, raising questions about usability. Stakeholders including health plans and researchers report difficulties accessing and using pricing information due to missing data, formatting inconsistencies, and questionable accuracy. The GAO recommends CMS assess data completeness and implement additional cost-effective enforcement measures. Read more here.


HHS Announces Aggressive Crackdown on Health Data Blocking

The Department of Health and Human Services announced a major enforcement initiative to combat information blocking practices that restrict patient access to their electronic health information. HHS Secretary Robert F. Kennedy Jr. directed increased resources toward enforcement, with violators facing civil monetary penalties up to $1 million per violation. The initiative targets healthcare providers, health IT developers, and health information exchanges that interfere with data access, exchange, or use. This marks a significant policy shift, as HHS stated that "information blocking was not a priority under the Biden Administration" but is now a key focus under the current administration's "Make America Healthy Again" promise. Read more here.


2025 Healthcare Regulatory Outlook Emphasizes Cybersecurity and AI

Healthcare organizations face a complex regulatory landscape in 2025 with increased focus on cybersecurity, AI governance, and interoperability. Industry experts predict continued pressure to protect patient data following high-profile breaches, while AI adoption accelerates in nonclinical workflows. The new administration may reduce federal oversight, particularly on financial regulations, but state-level AI governance laws continue expanding. Organizations must balance innovation with compliance as regulatory demands, security risks, and technology advancement create both opportunities and challenges. Read more here.


Department of Labor Terminates COVID-19 Healthcare Rulemaking

The Department of Labor announced the termination of COVID-19 healthcare rulemaking and suspended enforcement of COVID-19 recordkeeping and reporting requirements for healthcare workers, effective immediately. This represents a major policy shift from pandemic-era workplace safety obligations that have been in place since 2021. The enforcement stay affects healthcare facilities that were previously required to track and report COVID-19 workplace exposures under OSHA's Healthcare Emergency Temporary Standard. Read more here.


Tech Mahindra Partnership Addresses Healthcare Data Compliance Challenges

Tech Mahindra and Abacus Insights announced a strategic partnership to help healthcare payers navigate CMS Interoperability compliance requirements described as "10 times more complex" than previous mandates. The collaboration will streamline implementation of FHIR-based data exchange, reduce administrative burden, and help organizations meet tight regulatory deadlines. The partnership addresses the challenge of unifying siloed systems while accelerating Fast Healthcare Interoperability Resources (FHIR) deployment at the lowest total cost of ownership. Read more here.


CMS Interoperability Rules Create Complex Compliance Timeline

Healthcare payers face mounting pressure to meet CMS Interoperability and Prior Authorization Final Rule requirements with staggered deadlines through 2027. Organizations must implement operational provisions by January 2026, including standardized denial reasons and prior authorization timeframes, while more complex API requirements take effect in January 2027. The rule requires FHIR-based Patient Access APIs, Provider Access APIs, and enhanced data sharing capabilities that are significantly more complex than previous interoperability mandates. Read more here.


Healthcare Providers Unprepared for Telehealth Policy Cliff

Black Book Research reveals that 71% of healthcare providers are inadequately prepared for the September 30, 2025 deadline when key Medicare telehealth flexibilities expire. The study of 431 telehealth provider users found that without Congressional action, patients may lose home access to telehealth services, audio-only visits will end, and geographic restrictions will return. Organizations fear service disruption, compliance failures, and billing errors as the healthcare industry faces a return to pre-pandemic telehealth restrictions that could undo five years of digital health equity progress. Read more here.


DOJ Updates Corporate Compliance Guidelines for AI Technologies

The Department of Justice has updated its Corporate Compliance Program evaluation criteria to specifically address artificial intelligence and emerging technologies. Organizations must now demonstrate they are identifying, assessing, and managing risks associated with AI systems, including conducting technology-specific risk assessments and ensuring appropriate controls are in place. The guidance emphasizes integrating AI risk management into broader enterprise strategies and providing adequate workforce training on emerging technologies. This update reflects the DOJ's recognition that traditional compliance frameworks need enhancement to address AI's unique risks in healthcare settings. Read more here.


States Accelerate AI Governance Laws in Healthcare

Over 60 AI-related healthcare bills were introduced across U.S. states in 2025, with four major laws passing that govern how payers and providers use artificial intelligence. States are implementing strict requirements for human oversight of AI decisions, transparency in AI usage, and bias testing for healthcare algorithms. California, Colorado, and Utah lead with comprehensive frameworks requiring healthcare organizations to maintain physician oversight of AI-driven medical decisions and implement robust governance structures. These state-level regulations are filling the gap while federal AI healthcare policies remain in development. Read more here.


Warby Parker Hit with $1.5 Million HIPAA Penalty

The eyewear retailer Warby Parker faces a $1.5 million civil monetary penalty for HIPAA Security Rule violations following multiple credential stuffing attacks between 2018 and 2022. Nearly 198,000 customers had their protected health information compromised, including prescription data, names, and payment information. OCR found three key violations: failure to conduct proper risk analysis, inadequate security measures, and lack of system monitoring procedures. This penalty marks the first major HIPAA enforcement action under the current administration and demonstrates continued aggressive enforcement regardless of political changes. Read more here.


BST & Co. CPAs Pays $175,000 for Ransomware-Related HIPAA Violations

OCR announced a $175,000 settlement with BST & Co. CPAs, LLP, following a 2019 ransomware attack that exposed the protected health information of 170,000 individuals. The accounting firm, which serves as a HIPAA business associate for healthcare clients, failed to conduct adequate risk analysis required under the HIPAA Security Rule. This marks OCR's 15th ransomware enforcement action and highlights that business associates face the same compliance obligations as covered entities. The settlement includes a two-year corrective action plan requiring comprehensive risk management improvements. Read more here.


OCR Enforces Record-Breaking HIPAA Penalties in 2025

The Department of Health and Human Services' Office for Civil Rights (OCR) has announced a record-breaking year for HIPAA enforcement, with 18 settlements and civil monetary penalties totaling millions of dollars by July 2025. This represents the most aggressive HIPAA enforcement activity in recent history, with OCR specifically targeting organizations that fail to conduct proper risk analyses under the HIPAA Security Rule. Healthcare data breaches affecting 500+ individuals dropped 34.1% month-over-month in July, yet enforcement actions continue to increase as OCR addresses its investigation backlog from previous years' incidents. Read more here.


CMS Interoperability and Prior Authorization Rules Enter Final Implementation Phase

Impacted payers have until January 1, 2026, to implement CMS Interoperability and Prior Authorization Final Rule provisions. The rule emphasizes improving health information exchange and prior authorization processes through technology to reduce provider and patient burden. With less than five months remaining, healthcare organizations must ensure their systems support real-time data exchange and streamlined prior authorization workflows to meet compliance deadlines. Read more here.


New Research Misconduct Rules Take Effect for Healthcare Institutions

The Office of Research Integrity released updated Public Health Services Policies on Research Misconduct—the first amendments since 2005. The new rules address alleged misconduct in PHS-funded research, including NIH and CMS programs, and apply to all institutions receiving PHS funding for research activities. Effective January 1, 2025, with full regulatory requirements applicable by January 1, 2026, these changes significantly modify research misconduct proceedings and reporting requirements. Read more here.


CMS Issues Final Rule on Contract Year 2026 Medicare Changes

CMS issued a final rule on April 4, 2025, modernizing Medicare Advantage and Part D programs for Contract Year 2026. Key changes include restricting MA plans' ability to reopen and modify previously approved inpatient hospital decisions—plans can only reopen for obvious error or fraud. The rule also implements changes to prescription drug coverage, the Medicare Prescription Payment Plan, and Star Ratings to ensure plans honor their prior authorization decisions. Read more here.


HHS OCR Launches New HIPAA Risk Analysis Enforcement Initiative

The HHS Office for Civil Rights announced its first enforcement action under a new "risk analysis enforcement initiative" targeting healthcare entities that fail to conduct required HIPAA Security Rule risk analyses. OCR stated that failure to conduct proper risk analyses leaves healthcare entities vulnerable to cyberattacks and emphasized this will be a continued focus area in 2025. This marks a shift toward more targeted enforcement of specific HIPAA Security Rule requirements. Read more here.


FDA Issues Warning Letters for Drug Labeling Violations

On August 6, 2025, the FDA issued warning letters to multiple companies, including Supergoop!, for marketing unapproved drug products without proper labeling compliance. The companies violated the Federal Food, Drug, and Cosmetic Act by making drug claims without FDA approval and must respond within 15 business days with specific corrective actions. This enforcement action demonstrates the FDA's continued focus on product labeling compliance and marketing claims violations. Read more here.


CMS DRAMATICALLY RAISES MEDICARE ADVANTAGE STAR RATING CUT POINTS FOR 2025

CMS is elevating most "cut points" used to calculate 2025 Medicare Advantage star ratings, with more than 60% of cut points increasing. This makes it more difficult for plans to score better or retain current ratings, potentially impacting the $11.8 billion in quality bonus payments CMS awards to Medicare Advantage carriers. Read more here.


NEW DEA TRAINING REQUIREMENTS NOW MANDATORY FOR ALL CONTROLLED SUBSTANCE PROVIDERS

Starting in 2023, DEA-registered physicians are required to complete a one-time, eight-hour training requirement on treating and managing patients with opioid or other substance-use disorders as part of the MATE Act. This requirement applies to all physicians applying for new DEA registration or renewing their DEA registration. This affects virtually all prescribing physicians and represents a significant new compliance burden. Read more here.


HHS OIG REPORT: 37% OF HOSPITALS STILL NOT COMPLIANT WITH PRICE TRANSPARENCY RULE

An HHS-OIG audit of 100 hospitals found that 37 did not comply with one or both Hospital Price Transparency rule requirements, with 34 hospitals failing to comply with machine-readable file requirements. OIG recommended CMS execute enforcement measures including warning notices, corrective action plans, and civil monetary penalties. Read more here.


CMS INTENSIFIES HOSPITAL PRICE TRANSPARENCY ENFORCEMENT WITH NEW 90-DAY COMPLIANCE DEADLINE

CMS implemented stricter enforcement with a firm 90-day window for full compliance from the time CMS issues a corrective action plan request, replacing the previous system where hospitals could propose their own completion schedules. Hospitals now face routine penalties for failing to submit CAPs within 45 days or failing to come into compliance within 90 days. Read more here.


CMS LAUNCHES MASSIVE MEDICARE ADVANTAGE AUDIT EXPANSION - 50X INCREASE IN AUDITORS

CMS announced it will increase its team of medical coders from 40 to approximately 2,000 by September 1, 2025 - a 50-fold increase. The agency will expand audits from ~60 MA plans annually to all 550 eligible MA plans, and increase record reviews from 35 per plan to between 35 and 200 records per plan. This represents the most comprehensive Medicare Advantage audit expansion in history. Read more here.


11 NEW STATE PRIVACY LAWS TAKING EFFECT IN 2025 - 2026

With 11 new comprehensive privacy laws taking effect in 2025 and 2026, 20 states and approximately half of the U.S. population will be covered by state privacy laws by 2026. Five new laws took effect in January 2025 alone in Delaware, Iowa, Nebraska, New Hampshire, and New Jersey. Read more here.


DOJ AND HHS ANNOUNCE NEW FALSE CLAIMS ACT WORKING GROUP TARGETING HEALTHCARE

DOJ's Civil Division and HHS announced a new False Claims Act Working Group to coordinate referrals of potential FCA violations, marking a revival of a similar initiative from 2020. The Working Group will advance Trump Administration policy goals through FCA enforcement, including areas related to DEI policies and other executive order priorities. Read more here.


NEW HIPAA SECURITY RULE UPDATES PROPOSED WITH STRICTER CYBERSECURITY REQUIREMENTS

HHS proposed major updates to the HIPAA Security Rule in January 2025 requiring mandatory cybersecurity controls including annual penetration testing, removing the distinction between "required" and "addressable" security measures, and implementing stricter breach notification timelines. Read more here.


CMS FINALIZES NEW 2025 MARKETPLACE INTEGRITY RULES TO COMBAT FRAUD

CMS finalized new standards requiring a "preponderance of the evidence" standard for terminating agent and broker agreements due to non-compliance and established new safeguards to protect consumers from improper enrollments. The rule also allows issuers to require payment of past-due premiums before effectuating new coverage. Read more here.


DOJ ANNOUNCES RECORD-BREAKING $14.6 BILLION HEALTHCARE FRAUD TAKEDOWN

The DOJ announced criminal charges against 324 defendants including 96 doctors and licensed medical professionals for healthcare fraud schemes involving over $14.6 billion in intended losses - the largest healthcare fraud takedown in DOJ history. The government seized over $245 million in assets and CMS suspended billing privileges for 205 providers. Read more here.


CENTERS HEALTH CARE SETTLES $6M MEDICARE COST REPORT CASE

Centers Health Care agreed to pay $6,063,500 to settle allegations that its 44 nursing facilities submitted false Medicare cost reports to federal regulators. The facilities either made false statements or omitted required material information in their submissions to the Centers for Medicare and Medicaid Services.

The affected facilities are located across New York, Rhode Island, Kansas, and Missouri.

This settlement underscores the critical importance of accurate Medicare cost reporting and robust internal controls. Healthcare providers must ensure their reporting processes include proper oversight to avoid similar violations of federal healthcare program requirements. Read more here.


COMPLIAGENT CEO QUOTED IN AHC MEDIA ARTICLE ON POTENTIAL ESPN HIPAA BREACH

Compliagent CEO Nick Merkin was quoted in AHC Media's online publication on a recent potential HIPAA breach by an ESPN reporter, who posted a photo of NFL player Jean Pierre-Paul's medical record on Twitter. Nick clarified that "There may arguably be issues of journalistic ethics or integrity to debate, but as a legal matter, the press is not covered by HIPAA." Read more here.


COMPLIAGENT CONSULTANT FEATURED IN MDDI MAGAZINE ON HIPAA COMPLIANCE

Compliagent Senior Consultant Natalie LeFlore was featured in Medical Device and Diagnostic Industry Magazine discussing HIPAA Compliance in "Are Your Medical Devices HIPAA Compliant?" In the article, Natalie explains the importance of continuity, and says that "Compliance with HIPAA is an ongoing effort coordinating a company’s people, processes, and technologies." Read more here.


COMPLIAGENT CEO CITED IN HEALTHCARE DIVE ON HOW THE NIST DRAFT AFFECTS MOBILE PRIVACY AND SECURITY

Compliagent CEO Nick Merkin was cited as a Healthcare Privacy and Security Expert in Healthcare Dive, an online publication dedicated to covering breaking industry news. In the article, Nick discussed the affordability and accessibility of a new mobile security guide released by NIST and said that he would "love to see at least part of the guide targeted to smaller healthcare organizations with realistic spending constraints." Read more here.


COMPLIAGENT CEO FEATURED IN McKNIGHT'S ON THE IMPORTANCE OF PHYSICIAN CONTRACTS

Compliagent CEO Nick Merkin was featured as a guest columnist in McKnight's Long-Term Care News. Nick discussed the increased government scrutiny with physician contracts. "Simply put, if the regulators are unhappy with what they find, the penalties can be severe. Moreover, the OIG has made clear that physician contracting is going to be a matter of increased scrutiny in the coming years." Read more here.


COMPLIAGENT CEO QUOTED IN BEHAVIORAL HEALTH MAGAZINE ON CASE STUDIES ETHICS

Compliagent CEO Nick Merkin was quoted in Behavioral Health Magazine on the legal and ethical rules that apply when marketing case studies. Nick says that “the problem is that the HIPAA regulations are a catch-all,” and do not specifically address patient case study materials, posing a major risk to many organizations. Read more here.


COMPLIAGENT RELEASES JUNE 2015 NEWSLETTER: "MEDICAL NECESSITY AND THE LAW"

Compliagent's Compliance Newsletter reported on the importance of medical necessity in relation to the law. According to recent reports, "The U.S. Department of Justice (DOJ) stated that the government has recovered over $24 billion from healthcare providers through False Claims Act cases since 2009." Read more here.


COMPLIAGENT CEO FEATURED IN BLOOMBERG BNA ON OIG'S NEW COMPLIANCE GUIDANCE

Compliagent CEO Nick Merkin was featured as a guest columnist in Bloomberg BNA's "Health Care Fraud Report" discussing "What the OIG's New Compliance Guidance Means for Health Care Organizations' Boards of Directors." Nick says "it is crucial for health care organization boards of directors to understand the new OIG guidance and to invest the time and resources to execute their corporate responsibilities." Click here to access the full article [PDF].


COMPLIAGENT CLINICAL CONSULTANT SPEAKS AT CAHF CHAPTER MEETING ON ICD-10

Compliagent Clinical Consultant Kathleen Mace spoke at the Long Beach / South Bay CAHF Chapter Meeting on "ICD 10 - What You Do Not Know May Hurt You" on July 9, 2015 at the Long Beach Petroleum Club. Kathleen discussed what needs to be done in preparation for ICD-10 implementation and what SNFs should expect. Read more here.


COMPLIAGENT BUSINESS DEVELOPMENT MANAGER FEATURED IN JSA SEARCH INC.'s NEWSLETTER

Compliagent Business Development Manager Buddy Liberman was featured as a guest columnist in JSA Search Inc.'s "Nationwide Recruiting Firm" Newsletter discussing how to "Network Your Way to Success." In the column, Buddy stresses the fact that "relationships are uniquely important for healthcare professionals in the long term care industry" and gives a few easy tips on how to make the most of your networking events. Read the full article here.


COMPLIAGENT CLINICAL CONSULTANT FEATURED IN McKNIGHT'S ON THE IMPORTANCE OF A JUST CULTURE

Compliagent Clinical Consultant Kathleen Mace was featured as a guest columnist in McKnight's Long-Term Care News. Kathleen discussed the importance of "Creating a Just Culture" in the healthcare industry. Read more here.


COMPLIAGENT CEO FEATURED IN PHYSICIAN'S MONEY DIGEST ON ICD-10

Compliagent CEO Nick Merkin was featured in Physician's Money Digest on the topic of ICD-10 implementation and what it means for the healthcare industry. Nick was quoted as stating that Compliagent "really encourages people to think of ICD-10 integration as a dynamic process." Read more here.


COMPLIAGENT COO SPEAKS ON "WOMEN IN HEALTHCARE" PANEL

Compliagent COO Paige Pennington was a panelist presenting "Women in Healthcare" on June 4, 2015, at The Buddy System event hosted by Montclair Royale Assisted Living in Montclair, CA. To attend The Buddy System's next event, please click here to contact Buddy Liberman.


COMPLIAGENT CEO SPEAKS AT IAPP KNOWLEDGENET

Compliagent CEO Nick Merkin spoke at The International Association of Privacy Professionals KnowledgeNet, a forum on healthcare privacy issues, on June 11, 2015. Nick discussed Compliagent's role in healthcare privacy advancement and policy development. Read more here.


COMPLIAGENT SR. CONSULTANT SPEAKS AT HCE'S "A DAY OF LEARNING"

Compliagent Senior Consultant Natalie LeFlore spoke at Health Care Executive - SoCal's "A Day of Learning" at Hoag Memorial Hospital in Newport Beach, CA on May 16, 2015. Natalie discussed the benefits of healthcare compliance as both an industry and a career. Read more here.


COMPLIAGENT CEO AND CLINICAL CONSULTANT PRESENT AT 2015 NATIONAL READMISSIONS SUMMIT

Compliagent CEO Nick Merkin and Clinical Consultant Kathleen Mace presented at The National Readmissions Summit 2015 in Anaheim, CA on the topic of "Readmission Prevention and the Law: What All Providers Should Know." Read more here.


COMPLIAGENT CEO PARTICIPATES IN SUN CITY GARDENS RHF PANEL DISCUSSION

Compliagent CEO Nick Merkin participated in an expert panel discussion hosted by Sun City Gardens Retirement Housing Foundation on the topic of "Kickbacks and Referral Fees: Where has the Line Gone?" Read more here.


COMPLIAGENT CEO FEATURED IN CORPORATE COMPLIANCE INSIGHTS

Compliagent CEO Nick Merkin was featured as a contributor in Corporate Compliance Insights, providing guidance on "What Healthcare Organizations Need to Know About Educating and Training Their Board of Directors." Read more here.


COMPLIAGENT COO SPEAKS AT "CHIEF OF STAFF BOOT CAMP"

COO Paige Pennington spoke at The Institute for Medical Leadership's "Chief of Staff Boot Camp," a three-day program for Medical Staff Leaders that gives them the tools to succeed in an ever-advancing industry. Compliagent also helped sponsor the event! Read more here.


COMPLIAGENT EXECS SPEAK AT ANNUAL CAHF CONVENTION AND EXPO

CEO Nick Merkin and COO Paige Pennington spoke on Physician Contracting in Long-Term Care Facilities at the annual CAHF Convention and Expo in Palm Springs, CA. Read more here.


COMPLIAGENT CEO INTERVIEWED FOR PROFILE IN CEOCFO MAGAZINE

Compliagent CEO Nick Merkin was featured in CEOCFO Magazine. Nick explains the inspiration for Compliagent: "We quickly realized that the 'old school' law firm structure – with its reactive rather than proactive professional service model – was obsolete and ineffective for what the industry needed. We set out to do things differently." Read more here.


COMPLIAGENT SR. CONSULTANT SPEAKS AT HCE'S "A DAY OF LEARNING"

Sr. Compliance Consultant Natalie LeFlore spoke at Health Care Executive's "A Day of Learning," an informative day of presentations for Healthcare Administration students. Natalie presented the benefits of Healthcare Compliance as both a program and an industry. Read more here.