HIPAA compliance priorities are shifting in 2025 as telehealth enforcement tightens following the pandemic's temporary flexibility. The Department of Health and Human Services' Office for Civil Rights emphasizes that providers must ensure telehealth platforms meet full security requirements, including encryption, secure logins, and patient consent for digital communications. The days of "good faith" exceptions are closing, and organizations that haven't updated their telehealth protocols face compliance issues. New guidance emphasizes encryption by default for data in motion and at rest, multi-factor authentication as a standard expectation, and stronger requirements for monitoring access logs and detecting unauthorized entry into systems. Read more here.
Regulators are expanding enforcement against digital health apps and online platforms that share sensitive health data without proper consent, even though these companies fall outside HIPAA's scope. The FTC is actively enforcing the HITECH Act's Health Breach Notification Rule for non-HIPAA vendors of personal health records. State attorneys general in California and Washington are using both general deceptive trade practices laws and health-specific privacy statutes to investigate undisclosed data flows. Courts are reinterpreting wiretapping statutes more broadly, treating embedded SDKs and tracking scripts as potential interceptors of private communications. Health apps, APIs, and connected devices now fall under expanded regulatory scrutiny. Read more here.
FDA medical device enforcement has accelerated sharply in 2025 following a quiet January. By early September, FDA had issued 19 warning letters citing Quality System Regulation violations for medical devices, already surpassing the same period in 2024. This enforcement surge breaks historical trends of decreased regulatory action under Republican administrations. FDA is focusing on Corrective and Preventive Action (CAPA) deficiencies, design control violations, and 510(k) discrepancies. Many recent warning letters include explicit commitments to follow-up inspections, signaling a shift toward ongoing oversight rather than one-time enforcement actions. Read more here.
State governments are rapidly advancing AI regulation with over 1,000 bills introduced this year, including approximately 280 that relate to health technology. Industry experts advise healthcare leaders to actively engage with state lawmakers, as many legislators have limited experience with healthcare technology. States like Texas, California, and Colorado have passed meaningful AI legislation with sector-specific healthcare provisions. The regulatory landscape varies significantly by state, creating compliance challenges for multi-state healthcare organizations. Healthcare organizations should implement risk-based assessments to ensure lower-risk AI applications can still flourish while maintaining appropriate oversight for higher-risk implementations. Read more here.
The Department of Health and Human Services has launched an aggressive enforcement initiative targeting healthcare entities that block patient information flow. Under the Trump Administration, information blocking has become a priority after being largely ignored previously. The 21st Century Cures Act of 2016 authorized ASTP/ONC and HHS OIG to take enforcement actions against those who block patient information. Healthcare providers participating in CMS programs could face disincentives, while other violations may result in civil monetary penalties. HHS is calling on patients, providers, and health IT companies to report suspected information blocking through ASTP/ONC's reporting portal. Read more here.
States are rapidly filling the federal AI regulation gap, with over 20 bills regulating provider use of AI introduced in 2025. Key laws passed include requirements for provider oversight, transparency mandates, and safeguards against bias. Four states passed laws prohibiting sole AI use in medical necessity denials, while others focus on clinical care guardrails. Texas enacted comprehensive AI governance laws (HB 149 and SB 1188) effective January 2026, requiring transparency in AI-assisted decision-making and prohibiting discriminatory AI use. Read more here.
In the first six months of 2025, 343 healthcare data breaches were reported to HHS, with the 10 largest breaches affecting over 21 million Americans. Major incidents included Episource (5.4 million affected), Blue Shield of California (4.7 million), and Yale New Haven Health System. Despite improved cybersecurity measures, healthcare organizations remain prime targets for cyberattacks. Experts emphasize that resilience and preparation are crucial for healthcare organizations. Read more here.
In the first five months of 2025, OCR announced ten HIPAA resolution agreements with penalties ranging from $25,000 to $3 million. Each case involved failures to conduct compliant HIPAA Security Rule risk analyses. OCR has announced 18 settlements and civil monetary penalties through July 2025, making this potentially a record-breaking year for HIPAA penalties. The enforcement initiative specifically targets risk analysis failures as the most commonly identified HIPAA Security Rule violation. Read more here.
The FDA launched an unprecedented enforcement action, sending thousands of warning letters and approximately 100 cease-and-desist letters to pharmaceutical companies over misleading direct-to-consumer advertisements. Major companies including Eli Lilly, Novo Nordisk, and Hims & Hers received warning letters. The agency is also initiating rulemaking to close the "adequate provision" loophole that has allowed companies to conceal critical safety risks in broadcast and digital ads since 1997. Read more here.
The Department of Health and Human Services announced a major enforcement initiative targeting information blocking practices that restrict patient access to electronic health information. HHS Secretary Robert F. Kennedy Jr. directed increased resources toward enforcement, with violators facing civil monetary penalties up to $1 million per violation. The initiative targets healthcare providers, health IT developers, and health information exchanges that interfere with data access, exchange, or use. This marks a significant policy shift from the previous administration's approach. Read more here.
Multiple regulatory agencies are ramping up healthcare enforcement activities with coordinated efforts across cybersecurity, data privacy, and emerging technologies. The FTC has issued warnings to over 130 healthcare organizations regarding tracking technology risks, while OCR continues targeted enforcement initiatives. Healthcare organizations face increasing scrutiny for HIPAA violations, particularly around risk analysis failures and patient access rights. Industry experts anticipate continued aggressive enforcement as agencies adapt to technological advances and emerging compliance challenges in the healthcare sector. Read more here.
Healthcare compliance experts predict 2025 will be "especially busy" for chief compliance officers as multiple federal agencies coordinate enforcement efforts. The Department of Justice Antitrust Division, Federal Trade Commission, Cybersecurity and Infrastructure Security Agency, and HHS Office of Inspector General are working together on healthcare oversight. Key focus areas include online tracking technologies (with FTC warning 130+ healthcare organizations), cybersecurity practices, and AI governance. This multi-agency approach represents a significant escalation in healthcare regulatory enforcement compared to previous years. Read more here.
Healthcare organizations face significant HIPAA updates in 2025, including mandatory encryption of electronic protected health information (ePHI) at rest and in transit, simplified compliance requirements through removal of the "required" vs. "addressable" distinction, and harsher penalties for repeat violations. A recent survey of over 120 compliance leaders reveals that 63% of health plan respondents are prioritizing compliance strategies to address emerging challenges. The evolving regulatory landscape reflects growing concerns about data privacy, technological advancement, and the need for more robust cybersecurity measures in healthcare settings. Read more here.
The Government Accountability Office released a scathing report finding that CMS cannot assure hospital pricing data is sufficiently complete or accurate, despite implementing 1,287 enforcement actions since 2021. While CMS has issued over $4 million in penalties to 14 non-compliant hospitals, the agency does not routinely verify data quality, raising questions about usability. Stakeholders including health plans and researchers report difficulties accessing and using pricing information due to missing data, formatting inconsistencies, and questionable accuracy. The GAO recommends CMS assess data completeness and implement additional cost-effective enforcement measures. Read more here.
The Department of Health and Human Services announced a major enforcement initiative to combat information blocking practices that restrict patient access to their electronic health information. HHS Secretary Robert F. Kennedy Jr. directed increased resources toward enforcement, with violators facing civil monetary penalties up to $1 million per violation. The initiative targets healthcare providers, health IT developers, and health information exchanges that interfere with data access, exchange, or use. This marks a significant policy shift, as HHS stated that "information blocking was not a priority under the Biden Administration" but is now a key focus under the current administration's "Make America Healthy Again" promise. Read more here.
Healthcare organizations face a complex regulatory landscape in 2025 with increased focus on cybersecurity, AI governance, and interoperability. Industry experts predict continued pressure to protect patient data following high-profile breaches, while AI adoption accelerates in nonclinical workflows. The new administration may reduce federal oversight, particularly on financial regulations, but state-level AI governance laws continue expanding. Organizations must balance innovation with compliance as regulatory demands, security risks, and technology advancement create both opportunities and challenges. Read more here.
The Department of Labor announced the termination of COVID-19 healthcare rulemaking and suspended enforcement of COVID-19 recordkeeping and reporting requirements for healthcare workers, effective immediately. This represents a major policy shift from pandemic-era workplace safety obligations that have been in place since 2021. The enforcement stay affects healthcare facilities that were previously required to track and report COVID-19 workplace exposures under OSHA's Healthcare Emergency Temporary Standard. Read more here.
Tech Mahindra and Abacus Insights announced a strategic partnership to help healthcare payers navigate CMS Interoperability compliance requirements described as "10 times more complex" than previous mandates. The collaboration will streamline implementation of FHIR-based data exchange, reduce administrative burden, and help organizations meet tight regulatory deadlines. The partnership addresses the challenge of unifying siloed systems while accelerating Fast Healthcare Interoperability Resources (FHIR) deployment at the lowest total cost of ownership. Read more here.
Healthcare payers face mounting pressure to meet CMS Interoperability and Prior Authorization Final Rule requirements with staggered deadlines through 2027. Organizations must implement operational provisions by January 2026, including standardized denial reasons and prior authorization timeframes, while more complex API requirements take effect in January 2027. The rule requires FHIR-based Patient Access APIs, Provider Access APIs, and enhanced data sharing capabilities that are significantly more complex than previous interoperability mandates. Read more here.
Black Book Research reveals that 71% of healthcare providers are inadequately prepared for the September 30, 2025 deadline when key Medicare telehealth flexibilities expire. The study of 431 telehealth provider users found that without Congressional action, patients may lose home access to telehealth services, audio-only visits will end, and geographic restrictions will return. Organizations fear service disruption, compliance failures, and billing errors as the healthcare industry faces a return to pre-pandemic telehealth restrictions that could undo five years of digital health equity progress. Read more here.
The Department of Justice has updated its Corporate Compliance Program evaluation criteria to specifically address artificial intelligence and emerging technologies. Organizations must now demonstrate they are identifying, assessing, and managing risks associated with AI systems, including conducting technology-specific risk assessments and ensuring appropriate controls are in place. The guidance emphasizes integrating AI risk management into broader enterprise strategies and providing adequate workforce training on emerging technologies. This update reflects the DOJ's recognition that traditional compliance frameworks need enhancement to address AI's unique risks in healthcare settings. Read more here.
Over 60 AI-related healthcare bills were introduced across U.S. states in 2025, with four major laws passing that govern how payers and providers use artificial intelligence. States are implementing strict requirements for human oversight of AI decisions, transparency in AI usage, and bias testing for healthcare algorithms. California, Colorado, and Utah lead with comprehensive frameworks requiring healthcare organizations to maintain physician oversight of AI-driven medical decisions and implement robust governance structures. These state-level regulations are filling the gap while federal AI healthcare policies remain in development. Read more here.
The eyewear retailer Warby Parker faces a $1.5 million civil monetary penalty for HIPAA Security Rule violations following multiple credential stuffing attacks between 2018 and 2022. Nearly 198,000 customers had their protected health information compromised, including prescription data, names, and payment information. OCR found three key violations: failure to conduct a proper risk analysis, inadequate security measures, and lack of system monitoring procedures. This penalty marks the first major HIPAA enforcement action under the current administration and demonstrates continued aggressive enforcement regardless of political changes. Read more here.
OCR announced a $175,000 settlement with BST & Co. CPAs, LLP, following a 2019 ransomware attack that exposed the protected health information of 170,000 individuals. The accounting firm, which serves as a HIPAA business associate for healthcare clients, failed to conduct adequate risk analysis required under the HIPAA Security Rule. This marks OCR's 15th ransomware enforcement action and highlights that business associates face the same compliance obligations as covered entities. The settlement includes a two-year corrective action plan requiring comprehensive risk management improvements. Read more here.
The Department of Health and Human Services' Office for Civil Rights (OCR) has announced a record-breaking year for HIPAA enforcement, with 18 settlements and civil monetary penalties totaling millions of dollars by July 2025. This represents the most aggressive HIPAA enforcement activity in recent history, with OCR specifically targeting organizations that fail to conduct proper risk analyses under the HIPAA Security Rule. Healthcare data breaches affecting 500+ individuals dropped 34.1% month-over-month in July, yet enforcement actions continue to increase as OCR addresses its investigation backlog from previous years' incidents. Read more here.
Impacted payers have until January 1, 2026, to implement CMS Interoperability and Prior Authorization Final Rule provisions. The rule emphasizes improving health information exchange and prior authorization processes through technology to reduce provider and patient burden. With less than five months remaining, healthcare organizations must ensure their systems support real-time data exchange and streamlined prior authorization workflows to meet compliance deadlines. Read more here.
The Office of Research Integrity released updated Public Health Services Policies on Research Misconduct—the first amendments since 2005. The new rules address alleged misconduct in PHS-funded research, including NIH and CMS programs, and apply to all institutions receiving PHS funding for research activities. Effective January 1, 2025, with full regulatory requirements applicable by January 1, 2026, these changes significantly modify research misconduct proceedings and reporting requirements. Read more here.
CMS issued a final rule on April 4, 2025, modernizing Medicare Advantage and Part D programs for Contract Year 2026. Key changes include restricting MA plans' ability to reopen and modify previously approved inpatient hospital decisions—plans can only reopen for obvious error or fraud. The rule also implements changes to prescription drug coverage, the Medicare Prescription Payment Plan, and Star Ratings to ensure plans honor their prior authorization decisions. Read more here.
The HHS Office for Civil Rights announced its first enforcement action under a new "risk analysis enforcement initiative" targeting healthcare entities that fail to conduct required HIPAA Security Rule risk analyses. OCR stated that failure to conduct proper risk analyses leaves healthcare entities vulnerable to cyberattacks and emphasized this will be a continued focus area in 2025. This marks a shift toward more targeted enforcement of specific HIPAA Security Rule requirements. Read more here.
On August 6, 2025, the FDA issued warning letters to multiple companies, including Supergoop!, for marketing unapproved drug products without proper labeling compliance. The companies violated the Federal Food, Drug, and Cosmetic Act by making drug claims without FDA approval and must respond within 15 business days with specific corrective actions. This enforcement action demonstrates the FDA's continued focus on product labeling compliance and marketing claims violations. Read more here.
CMS is elevating most "cut points" used to calculate 2025 Medicare Advantage star ratings, with more than 60% of cut points increasing. This makes it more difficult for plans to score better or retain current ratings, potentially impacting the $11.8 billion in quality bonus payments CMS awards to Medicare Advantage carriers. Read more here.
Starting in 2023, DEA-registered physicians are required to complete a one-time, eight-hour training requirement on treating and managing patients with opioid or other substance-use disorders as part of the MATE Act. This requirement applies to all physicians applying for new DEA registration or renewing their DEA registration. This affects virtually all prescribing physicians and represents a significant new compliance burden. Read more here.
An HHS-OIG audit of 100 hospitals found that 37 did not comply with one or both Hospital Price Transparency rule requirements, with 34 hospitals failing to comply with machine-readable file requirements. OIG recommended CMS execute enforcement measures including warning notices, corrective action plans, and civil monetary penalties. Read more here.
CMS implemented stricter enforcement with a firm 90-day window for full compliance from the time CMS issues a corrective action plan request, replacing the previous system where hospitals could propose their own completion schedules. Hospitals now face routine penalties for failing to submit CAPs within 45 days or failing to come into compliance within 90 days. Read more here.
CMS announced it will increase its team of medical coders from 40 to approximately 2,000 by September 1, 2025, a 50-fold increase. The agency will expand audits from ~60 MA plans annually to all 550 eligible MA plans, and increase record reviews from 35 per plan to between 35 and 200 records per plan. This represents the most comprehensive Medicare Advantage audit expansion in history. Read more here.
With 11 new comprehensive privacy laws taking effect in 2025 and 2026, 20 states and approximately half of the U.S. population will be covered by state privacy laws by 2026. Five new laws took effect in January 2025 alone in Delaware, Iowa, Nebraska, New Hampshire, and New Jersey. Read more here.
DOJ's Civil Division and HHS announced a new False Claims Act Working Group to coordinate referrals of potential FCA violations, marking a revival of a similar initiative from 2020. The Working Group will advance Trump Administration policy goals through FCA enforcement, including areas related to DEI policies and other executive order priorities. Read more here.
HHS proposed major updates to the HIPAA Security Rule in January 2025 requiring mandatory cybersecurity controls including annual penetration testing, removing the distinction between "required" and "addressable" security measures, and implementing stricter breach notification timelines. Read more here.
CMS finalized new standards requiring a "preponderance of the evidence" standard for terminating agent and broker agreements due to non-compliance and established new safeguards to protect consumers from improper enrollments. The rule also allows issuers to require payment of past-due premiums before effectuating new coverage. Read more here.
The DOJ announced criminal charges against 324 defendants, including 96 doctors and licensed medical professionals, for healthcare fraud schemes involving over $14.6 billion in intended losses, the largest healthcare fraud takedown in DOJ history. The government seized over $245 million in assets and CMS suspended billing privileges for 205 providers. Read more here.
Centers Health Care agreed to pay $6,063,500 to settle allegations that its 44 nursing facilities submitted false Medicare cost reports to federal regulators. The facilities either made false statements or omitted required material information in their submissions to the Centers for Medicare and Medicaid Services.
The affected facilities are located across New York, Rhode Island, Kansas, and Missouri.
This settlement underscores the critical importance of accurate Medicare cost reporting and robust internal controls. Healthcare providers must ensure their reporting processes include proper oversight to avoid similar violations of federal healthcare program requirements. Read more here.
Compliagent CEO Nick Merkin was quoted in AHC Media's online publication on a recent potential HIPAA breach by an ESPN reporter, who posted a photo of NFL player Jean Pierre-Paul's medical record on Twitter. Nick clarified that "There may arguably be issues of journalistic ethics or integrity to debate, but as a legal matter, the press is not covered by HIPAA." Read more here.
Compliagent Senior Consultant Natalie LeFlore was featured in Medical Device and Diagnostic Industry Magazine discussing HIPAA Compliance in "Are Your Medical Devices HIPAA Compliant?" In the article, Natalie explains the importance of continuity, and says that "Compliance with HIPAA is an ongoing effort coordinating a company’s people, processes, and technologies." Read more here.
Compliagent CEO Nick Merkin was cited as a Healthcare Privacy and Security Expert in Healthcare Dive, an online publication dedicated to covering breaking industry news. In the article, Nick discussed the affordability and accessibility of a new mobile security guide released by NIST and said that he would "love to see at least part of the guide targeted to smaller healthcare organizations with realistic spending constraints." Read more here.
Compliagent CEO Nick Merkin was featured as a guest columnist in McKnight's Long-Term Care News. Nick discussed the increased government scrutiny of physician contracts. "Simply put, if the regulators are unhappy with what they find, the penalties can be severe. Moreover, the OIG has made clear that physician contracting is going to be a matter of increased scrutiny in the coming years." Read more here.
Compliagent CEO Nick Merkin was quoted in Behavioral Health Magazine on the legal and ethical rules that apply when marketing case studies. Nick says that “the problem is that the HIPAA regulations are a catch-all,” and do not specifically address patient case study materials, posing a major risk to many organizations. Read more here.
Compliagent's Compliance Newsletter reported on the importance of medical necessity in relation to the law. According to recent reports, "The U.S. Department of Justice (DOJ) stated that the government has recovered over $24 billion from healthcare providers through False Claims Act cases since 2009." Read more here.
Compliagent CEO Nick Merkin was featured as a guest columnist in Bloomberg BNA's "Health Care Fraud Report" discussing "What the OIG's New Compliance Guidance Means for Health Care Organizations' Boards of Directors." Nick says "it is crucial for health care organization boards of directors to understand the new OIG guidance and to invest the time and resources to execute their corporate responsibilities." Click here to access the full article [PDF].
Compliagent Clinical Consultant Kathleen Mace spoke at Long Beach / South Bay CAHF Chapter Meeting on "ICD 10 - What You Do Not Know May Hurt You" on July 9, 2015 at the Long Beach Petroleum Club. Kathleen discussed what needs to be done in preparation for ICD implementation and what to expect for SNFs. Read more here.
Compliagent Business Development Manager Buddy Liberman was featured as a guest columnist in JSA Search Inc.'s "Nationwide Recruiting Firm" Newsletter discussing how to "Network Your Way to Success." In the column, Buddy stresses the fact that "relationships are uniquely important for healthcare professionals in the long term care industry" and gives a few easy tips on how to make the most of your networking events. Read the full article here.
Compliagent Clinical Consultant Kathleen Mace was featured as a guest columnist in McKnight's Long-Term Care News. Kathleen discussed the importance of "Creating a Just Culture" in the healthcare industry. Read more here.
Compliagent CEO Nick Merkin was featured in Physician's Money Digest on the topic of ICD-10 implementation and what it means for the healthcare industry. Nick was quoted as stating that Compliagent "really encourages people to think of ICD-10 integration as a dynamic process." Read more here.
Compliagent COO Paige Pennington was a panelist presenting "Women in Healthcare" on June 4, 2015, at The Buddy System event hosted by Montclair Royale Assisted Living in Montclair, CA. To attend The Buddy System's next event, please click here to contact Buddy Liberman.
Compliagent CEO Nick Merkin spoke at The International Association of Privacy Professionals KnowledgeNet, a forum on healthcare privacy issues, on June 11, 2015. Nick discussed Compliagent's role in healthcare privacy advancement and policy development. Read more here.
Compliagent Senior Consultant Natalie LeFlore spoke at Health Care Executive - SoCal's "A Day of Learning" at Hoag Memorial Hospital in Newport Beach, CA on May 16, 2015. Natalie discussed the benefits of healthcare compliance as both an industry and a career. Read more here.
Compliagent CEO Nick Merkin and Clinical Consultant Kathleen Mace presented at The National Readmissions Summit 2015 in Anaheim, CA on the topic of "Readmission Prevention and the Law: What All Providers Should Know." Read more here.
Compliagent CEO Nick Merkin participated in an expert panel discussion hosted by Sun City Gardens Retirement Housing Foundation on the topic of "Kickbacks and Referral Fees: Where has the Line Gone?" Read more here.
Compliagent CEO Nick Merkin was featured as a contributor in Corporate Compliance Insights, providing guidance on "What Healthcare Organizations Need to Know About Educating and Training Their Board of Directors." Read more here.
COO Paige Pennington spoke at The Institute for Medical Leadership's "Chief of Staff Boot Camp," a three-day program for Medical Staff Leaders that gives them the tools to succeed in an ever-advancing industry. Compliagent also helped sponsor the event! Read more here.
CEO Nick Merkin and COO Paige Pennington spoke on Physician Contracting in Long-Term Care Facilities at the annual CAHF Convention and Expo in Palm Springs, CA. Read more here.
Compliagent CEO Nick Merkin was featured in CEOCFO Magazine. Nick explains the inspiration for Compliagent: "We quickly realized that the 'old school' law firm structure, with its reactive rather than proactive professional service model, was obsolete and ineffective for what the industry needed. We set out to do things differently." Read more here.
Sr. Compliance Consultant Natalie LeFlore spoke at Health Care Executive's "A Day of Learning," an informative day of presentations for Healthcare Administration students. Natalie presented the benefits of Healthcare Compliance as both a program and an industry. Read more here.