Enforcement Priorities in Healthcare Compliance
New Enforcement Focus: OIG's Heightened Scrutiny on Fraud, Waste, and Abuse
The regulatory spotlight on healthcare fraud, waste, and abuse (FWA) has never been brighter, with the HHS Office of Inspector General (OIG) leading a vigorous enforcement campaign (HHS-OIG, 2025b). The OIG's Strategic Plan for 2025-2030 underscores a commitment to fighting fraud, waste, and abuse, in addition to advancing innovation and promoting quality and safety within the healthcare system (HHS-OIG, 2025b). The first half of 2025 alone saw significant results, with over $16.6 billion in monetary impact from enforcement actions and thousands of investigations, exclusions, and criminal/civil referrals (Miller Shah LLP, 2025; HHS-OIG, 2025b). This level of activity signals a clear dedication to protecting federal healthcare programs and holding individuals and organizations accountable for misconduct (HHS-OIG, 2025b). The sheer scale of these enforcement actions in a short period underscores a fundamental shift towards a more aggressive and proactive regulatory environment (Miller Shah LLP, 2025; Fox Group, 2025).
A key area of the OIG's focus is on fraud risks associated with durable medical equipment, prosthetics, and billing practices for Medicare beneficiaries (Miller Shah LLP, 2025; Fox Group, 2025). The growth of remote patient monitoring (RPM) has also introduced new vulnerabilities that are under close scrutiny (Miller Shah LLP, 2025). The Medicare Advantage program, in particular, is a priority area where the OIG is targeting fraud, drug pricing and rebate schemes, and kickbacks related to prescription drugs (HHS-OIG, 2025a; Miller Shah LLP, 2025). In a significant development, the Department of Justice (DOJ) and HHS have recently revitalized their False Claims Act (FCA) Working Group to strengthen enforcement efforts against these fraudulent activities (Dorsey & Whitney, 2025; HHS & DOJ, 2025). This interagency collaboration signifies a coordinated effort to combat healthcare fraud from multiple angles, creating a formidable front against non-compliant practices (HHS-OIG, 2025a; DOJ, 2025).
The emphasis on technology-driven fraud is also a major theme in this new enforcement era (HHS-OIG, 2025b; Cooley LLP, 2025). The OIG is paying close attention to the manipulation of electronic health records (EHRs) to facilitate inappropriate billing (Miller Shah LLP, 2025; Cooley LLP, 2025). This means that healthcare providers must not only ensure the integrity of their billing processes but also the security and appropriate use of their EHR systems to avoid costly penalties (Miller Shah LLP, 2025). Given these heightened risks, healthcare providers are urged to implement robust compliance programs, which include regular billing accuracy checks, strict documentation standards, and proactive risk assessments (Fox Group, 2025; Cooley LLP, 2025). These measures are no longer optional but are considered essential safeguards against severe financial penalties and legal repercussions (Miller Shah LLP, 2025; HHS-OIG, 2025a). The strategic alignment of OIG's priorities with the DOJ's enforcement power, combined with a focus on both traditional and technologically enabled fraud, defines a new era of enforcement that demands a comprehensive and proactive approach from all healthcare organizations (HHS-OIG, 2025a; Fox Group, 2025).
Fairness and Access: Mental Health Parity, Antitrust, and Patient Billing
The regulatory environment in 2025 extends beyond a focus on fraud to encompass issues of fairness, market competition, and transparency within the healthcare system (Miller Shah LLP, 2025; Fox Group, 2025). One of the most significant areas of intensified scrutiny is the enforcement of the Mental Health Parity and Addiction Equity Act (MHPAEA). This law mandates that health plans must demonstrate parity in how they manage mental health and substance use disorder (MH/SUD) services compared to medical and surgical benefits (Miller Shah LLP, 2025). The goal is to eliminate discriminatory practices that have historically disadvantaged individuals seeking MH/SUD treatment (Fox Group, 2025). Compliance professionals must now prioritize a detailed review of health plan policies and practices to ensure they are meeting these standards, including verifying comparable utilization management practices and network access for MH/SUD services (Miller Shah LLP, 2025; Fox Group, 2025).
In parallel, the DOJ and FTC have intensified antitrust scrutiny in the healthcare sector, enforcing stricter merger reviews and addressing anti-competitive practices (Dorsey & Whitney, 2025; Cooley LLP, 2025). This initiative is designed to promote competition and ensure fair pricing and access to care for consumers (Dorsey & Whitney, 2025). A particular area of focus is the use of non-compete clauses in employment agreements, which can restrict workforce mobility and limit a provider’s ability to work for different organizations (Dorsey & Whitney, 2025; Cooley LLP, 2025). This type of practice can stifle competition by making it difficult for new healthcare entities to staff their operations (Cooley LLP, 2025). As a result, healthcare organizations must now carefully review employment agreements and merger plans for potential antitrust risks (Dorsey & Whitney, 2025). Simultaneously, new regulations are targeting rising healthcare and prescription drug costs, and implementing protections against surprise medical billing (Cooley LLP, 2025). The No Surprises Act, for example, is one such law aimed at protecting patients from unexpected costs (Cooley LLP, 2025). This requires healthcare providers to ensure transparent patient billing and disclosures, while also staying informed about evolving regulations on employer-sponsored healthcare leave benefits (Cooley LLP, 2025). The collective aim of these efforts is to create a more equitable, transparent, and competitive healthcare market for the benefit of both providers and patients (Fox Group, 2025; Miller Shah LLP, 2025).
Digital and e-Everything: Protecting Patient Data Amid Technological Advances
The healthcare industry’s rapid adoption of digital tools and services has fundamentally reshaped how patient care is delivered, but it has also introduced a complex and ever-evolving set of compliance challenges (Miller Shah LLP, 2025; Fox Group, 2025). In 2025, the imperative to protect patient data has never been more critical, with federal and state regulators intensifying their focus on cybersecurity and privacy (Fox Group, 2025). The expansion of telehealth and digital health services has led to a corresponding increase in enforcement efforts aimed at protecting patient health information under HIPAA and other related laws (Miller Shah LLP, 2025). This signals a clear message to all healthcare entities that their digital infrastructure must be as secure as their physical facilities (Fox Group, 2025). The risks are no longer theoretical; they are a daily reality for providers and a top concern for regulators (Cooley LLP, 2025).
A key area of recent scrutiny involves the use of online tracking technologies by healthcare providers (Fox Group, 2025). These technologies, such as pixels, cookies, and other web analytics tools, are often embedded on websites and patient portals to track user behavior and collect data (Miller Shah LLP, 2025). While they may be intended for marketing or improving website functionality, they can inadvertently capture and transmit protected health information (PHI) to third parties without a patient’s explicit consent or a proper Business Associate Agreement (BAA) in place (Fox Group, 2025). For instance, a tracking pixel could potentially collect information about a patient's search for a specific medical condition on a hospital’s website, a clear violation of privacy regulations if that data is shared with a third-party advertising platform (Cooley LLP, 2025). This has prompted a significant increase in enforcement and guidance from regulatory bodies, making it essential for healthcare entities to reassess their digital footprint and scrutinize all online tools and monitoring technologies to ensure they align with strict privacy and security standards (Fox Group, 2025). This requires a renewed focus on strengthening data security protocols and conducting thorough risk assessments to identify and mitigate these vulnerabilities (Cooley LLP, 2025).
Furthermore, the human element remains a significant risk factor in data breaches (Fox Group, 2025). This makes it essential for compliance professionals to ensure that employees are properly trained on privacy and cybersecurity best practices (Fox Group, 2025). Training should go beyond basic, annual refreshers to cover the specific risks associated with new technologies and digital tools, such as the dangers of phishing emails, the secure use of mobile devices, and the proper handling of patient information in a telehealth setting (Fox Group, 2025). Policies governing the use of these digital resources must be robust, regularly updated, and clearly communicated to all staff (Fox Group, 2025). The digital landscape is further complicated by the emergence of state-level policy activism, as various states are enacting their own regulations on health data access, reproductive health privacy, and the use of artificial intelligence (AI) in healthcare (Fox Group, 2025). This creates a "patchwork compliance landscape" for multi-state healthcare organizations, demanding continuous monitoring of state-specific laws and the implementation of adaptive compliance programs tailored to each jurisdiction (Cooley LLP, 2025). Navigating these multi-jurisdictional requirements and seeking legal consultation is a necessity to ensure comprehensive data protection in an increasingly complex digital world (Fox Group, 2025).
The digital frontier of healthcare compliance requires a holistic and proactive strategy that addresses the full lifecycle of electronic health information (Fox Group, 2025). This includes not only protecting data at rest and in transit through robust encryption and access controls, but also ensuring that all digital tools, from scheduling apps to patient portals, are configured to maintain privacy by default (Cooley LLP, 2025). A strong compliance program must be built on a foundation of regular and comprehensive risk assessments that identify new and evolving threats, such as those posed by generative AI and the Internet of Medical Things (IoMT) (Fox Group, 2025; Cooley LLP, 2025). These assessments should not be static, but rather a dynamic process that evolves alongside technology (Fox Group, 2025). Additionally, a culture of compliance must be cultivated through ongoing and engaging employee training that empowers every staff member to be a guardian of patient privacy. This integrated approach, which combines robust technical safeguards, clear policies, and continuous education, is the only way to effectively manage the complex and ever-changing risks of the digital health age (Fox Group, 2025).
Holistic Compliance: From Risk Assessment to Documentation
In 2025, the hot topics in healthcare compliance collectively point to a clear and urgent need for a holistic and strategic approach to compliance management (Fox Group, 2025). The regulatory focus is multifaceted, encompassing everything from fraud prevention and equitable mental health coverage to market competition, patient data protection, and adherence to a complex web of federal and state laws (Fox Group, 2025). For compliance professionals, the path forward is not about reacting to individual issues as they arise, but about building a robust and adaptable program that can anticipate and effectively respond to these challenges (Fox Group, 2025). This approach moves beyond a checklist mentality, instead viewing compliance as a core function of the organization's strategic and operational framework (Fox Group, 2025).
The cornerstone of this proactive strategy is the program risk assessment, which serves as the foundational document for the entire compliance infrastructure (Fox Group, 2025). A truly effective risk assessment is not a one-time event; it is a systematic, ongoing process that evaluates both internal and external factors to identify and prioritize potential vulnerabilities (Fox Group, 2025). This process should begin with a comprehensive analysis of the organization's specific operations, followed by a detailed review of the current regulatory environment (Fox Group, 2025). Based on the hot topics discussed in this analysis, a risk assessment in 2025 must systematically evaluate areas such as fraud, waste, and abuse risks related to new technologies like remote patient monitoring, potential violations of the False Claims Act, and the impact of the newly revitalized DOJ and HHS working groups (Fox Group, 2025; Dorsey & Whitney, 2025). Furthermore, it must scrutinize the organization’s adherence to mental health parity laws, its privacy and security controls for patient data, and its responsiveness to the complex landscape of state-specific regulations on reproductive health and AI (Fox Group, 2025; Miller Shah LLP, 2025). The outcome of this assessment is not just a list of risks, but a clear, prioritized roadmap for action (Fox Group, 2025).
Following a thorough risk assessment, it is imperative to translate those findings into actionable strategies that are integrated into the fabric of the compliance program (Fox Group, 2025). This means aligning the identified risks with the seven core elements of an effective compliance program, as outlined by the OIG (Fox Group, 2025). For instance, if the risk assessment highlights vulnerabilities in billing for durable medical equipment, the organization must take concrete steps, such as updating its policies and procedures, providing targeted training to billing staff, and implementing specific monitoring and auditing protocols for that service line (Fox Group, 2025). Similarly, if the assessment reveals a lack of documentation to support mental health parity, the compliance program must mandate a review of clinical documentation standards and provide education to providers on the new requirements (Fox Group, 2025). This systematic approach ensures that the program is not a generic, off-the-shelf solution, but a tailored and dynamic framework that directly addresses the organization's unique risk profile (Fox Group, 2025).
Finally, and perhaps most critically, proper documentation is the linchpin of a strong compliance program (Fox Group, 2025; Miller Shah LLP, 2025). Documentation is not merely a formality; it is a strategic tool that demonstrates due diligence and can protect your organization in the event of a government inquiry (Fox Group, 2025). Meticulously documenting how all regulatory requirements are met, how risks are mitigated, and how the program is proactively adjusted is essential (Fox Group, 2025). This includes maintaining records of the risk assessment process itself--its methodology, findings, and the resulting action plan (Fox Group, 2025). It also requires keeping detailed records of all compliance activities, such as training logs, policy updates, internal audit reports, and the corrective actions taken to address any identified issues (Miller Shah LLP, 2025). The combination of a robust, data-driven risk assessment and comprehensive, meticulous documentation is the only way to demonstrate to regulators that your organization is committed to a culture of compliance (Fox Group, 2025). By prioritizing this holistic and proactive approach, healthcare providers can transform a period of regulatory intensity into an opportunity to strengthen their operations, build public trust, and secure their long-term viability (Miller Shah LLP, 2025).
References
Dorsey & Whitney. (2025, July 9). DOJ & HHS announce reinvigoration of False Claims Act working group and healthcare fraud enforcement priorities. Retrieved August 7, 2025, from https://www.dorsey.com/newsresources/publications/2025/07/doj-hhs-fca-working-group.
HHS & DOJ. (2025, July 2). DOJ-HHS False Claims Act working group. Retrieved August 7, 2025, from https://www.hhs.gov/about/agencies/ogc/guidance/false-claims-act-working-group/index.html.
HHS Office of Inspector General (OIG). (2025a, June 30). 2025 national health care fraud takedown. Retrieved August 7, 2025, from .
HHS Office of Inspector General (OIG). (2025b, June 17). HHS-OIG's spring 2025 semiannual report to Congress. Retrieved August 7, 2025, from https://oig.hhs.gov/newsroom/videos/hhs-oigs-spring-2025-semiannual-report-to-congress.
Miller Shah LLP. (2025, July 2). HHS–OIG flags $16.6 billion in healthcare fraud in the spring 2025 report. Retrieved August 7, 2025, from https://millershah.com/blog/hhs-oig-healthcare-fraud-2025-report/.
U.S. Department of Justice. (2025, June 30). National health care fraud takedown results in 324 defendants charged in connection with over $14.6 billion in alleged fraud. Retrieved August 7, 2025, from https://www.justice.gov/opa/pr/national-health-care-fraud-takedown-results-324-defendants-charged-connection-over-146.
Fox Group. (2024, May 4). Healthcare compliance training [Video]. YouTube. Retrieved August 7, 2025, from https://www.foxgrp.com.
Cooley LLP. (2025, July 30). 'Whole-of-government approach' targets healthcare fraud from every angle. Retrieved August 7, 2025, from https://www.cooley.com/news/2025/2025-healthcare-fraud-enforcement.