Practical guidance for healthcare teams and business associates
Published: January 15, 2026 | Updated: March 8, 2026 | 16 min read
Healthcare Compliance at a Glance
- What this covers: HIPAA, HITECH, state privacy laws, FDA requirements, CMS participation rules, Joint Commission standards, and the points where those frameworks overlap.
- What most teams miss: The problem is rarely one law on its own. The hard part is mapping controls, documents, and review steps across many frameworks at once.
- What this guide helps you do: Build one compliance program that supports audit readiness, vendor oversight, incident response, and ongoing tracking.
- What to remember: When federal, state, payer, and accreditation rules differ, the strictest one sets the bar.
Healthcare Regulatory Compliance Overview
Healthcare compliance now covers many rules at once. Your practice must follow federal, state, and industry-specific laws. These laws overlap and interact in ways that demand a clear plan.
Compliance officers must manage:
- HIPAA
- HITECH
- State privacy laws
- FDA regulations
- CMS conditions
- Joint Commission standards
- Cybersecurity regulations
They often manage these at the same time.
The challenge is not just learning each law. It is also about managing their overlaps and conflicts. A policy that meets HIPAA may not meet state rules. A control that passes Joint Commission review may not meet CMS audit needs.
Groups that treat each law on its own create gaps, waste effort, and raise costs. This guide gives compliance officers a unified approach. It maps the major healthcare rules and shows where they overlap. It offers a practical way to build one program that covers everything.
Key Definitions
- HIPAA: The Health Insurance Portability and Accountability Act. It sets baseline federal rules for the privacy and security of protected health information (PHI).
- HITECH: The Health Information Technology for Economic and Clinical Health Act. It expanded HIPAA enforcement, breach notice duties, and business associate liability.
- OCR: The Office for Civil Rights within HHS. OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules.
- CMS: The Centers for Medicare & Medicaid Services. CMS sets Conditions of Participation, payment rules, and survey standards for providers.
- Joint Commission: A major healthcare accrediting body. Its standards often overlap with HIPAA, CMS, and quality management rules.
- SaMD: Software as a Medical Device. Software that the FDA may regulate when it performs a medical function.
- QAPI: Quality Assessment and Performance Improvement. CMS uses this program to drive quality gains based on data.
- CoPs: Conditions of Participation. These are CMS rules providers must meet to take part in Medicare and Medicaid programs.
HIPAA: The Foundation of Healthcare Compliance
Privacy Rule, Security Rule, and Breach Notification
The Health Insurance Portability and Accountability Act (HIPAA) is the core federal health data law. Every group that handles protected health information (PHI) must follow three key HIPAA rules.
The Privacy Rule
The Privacy Rule sets standards for how PHI can be used and shared. It gives patients rights over their health data. It requires the minimum necessary standard, privacy notices, and clear consent and authorization steps. Covered entities and business associates must follow Privacy Rule standards for all forms of PHI - electronic, paper, and oral.
The Security Rule
The Security Rule sets technical, physical, and administrative safeguards for electronic PHI (ePHI). It requires risk analysis, access controls, audit logs, integrity controls, and secure data transmission. The Security Rule lets groups scale safeguards to their size and complexity, but that flexibility often causes confusion about what is actually required. For more guidance, check our HIPAA Security Rule guide.
The Breach Notification Rule
The Breach Notification Rule requires you to notify affected people, HHS, and (for larger breaches) the media when unsecured PHI is breached. The rule sets specific timelines, content rules, and reporting tiers. See our guide on HIPAA Breach Notification compliance to prepare.
HIPAA Enforcement in 2026
Recent OCR enforcement themes stay the same:
- More scrutiny after incidents: Reported breaches often trigger a broader review of the full compliance program.
- Focus on systemic failures: OCR targets groups with widespread gaps, not just one isolated event.
- Patient access enforcement: OCR pursues organizations that fail to give patients timely access to their records.
- Ransomware accountability: Groups hit by ransomware must still show they had solid security steps and a documented risk analysis.
For a full overview of HIPAA rules, see our complete HIPAA compliance guide.
HITECH Act: Strengthening HIPAA
How HITECH Expanded HIPAA Regulations
The Health Information Technology for Economic and Clinical Health (HITECH) Act passed in 2009. It grew HIPAA's scope and enforcement power. Many rules that groups link to HIPAA actually come from HITECH.
Key HITECH additions are:
- Business associate direct liability: Before HITECH, only covered entities faced direct HIPAA liability. HITECH put BAs under the Security Rule and key Privacy Rule sections too.
- Breach notice rules: HITECH created the Breach Notification Rule. It requires covered entities and business associates to report breaches of unsecured PHI.
- Higher penalties: HITECH set up the current HIPAA fine structure. HHS updates fine amounts over time to match inflation.
- State attorney general enforcement: HITECH gave state attorneys general the power to bring civil actions for HIPAA breaches on behalf of residents.
- EHR adoption incentives: HITECH gave incentives for Electronic Health Records (EHRs) use while setting security standards for those systems.
- Audit program: HITECH directed HHS to run regular audits of covered organizations and business associates.
HITECH's Ongoing Relevance
Many groups treat HITECH as old news since its rules are now part of HIPAA enforcement. That view is a mistake.
HITECH's penalty hikes, business associate duties, and breach notice rules are still enforced. They show up often in settlement deals. Make sure your program covers HITECH rules along with core HIPAA rules.
State Privacy and Security Laws
Navigating the State Patchwork
HIPAA sets a federal floor for health data protection, but many states have passed laws that go further. Teams in more than one state must follow the strictest rules that apply. Learn how state privacy laws compare to federal HIPAA requirements.
Key areas where state laws may go beyond HIPAA:
- Breach notification timelines: Several states require notice within 30 days or less, versus HIPAA's outer limit of 60 days.
- Data types covered: Some states protect data not covered by HIPAA - such as biometric data, genetic data, or consumer health data.
- Consumer health data: Washington, Connecticut, and other states passed consumer health data privacy laws. These apply outside of HIPAA.
- Encryption requirements: Some states require encryption outright, rather than treating it as an addressable specification as the HIPAA Security Rule does.
- Private right of action: Several state laws let people sue over privacy breaches. HIPAA has no such right.
- Penalty structures: States may stack their own fines on top of federal HIPAA fines.
Building a Multi-State Compliance Strategy
Teams working across many states should take these steps:
- Map relevant state laws for every state where you operate, have patients, or have employees.
- Find the strictest requirements across all relevant states.
- Build policies to the highest standard rather than maintaining separate policies for each state.
- Track new laws as state privacy regulations are changing fast.
- Work with legal counsel who focus on multi-state healthcare privacy law.
The trend toward stronger state privacy laws will not slow down. Groups that build flexible, high-standard programs today can adapt more easily when state rules change.
FDA Regulations for Healthcare Technology
Medical Device and Software Compliance
The Food and Drug Administration (FDA) regulates medical devices. This includes a growing class of software known as Software as a Medical Device (SaMD). Groups that make, deploy, or use regulated devices must follow FDA rules. These rules overlap with HIPAA in key areas.
Key FDA areas include:
- Quality System Regulation (QSR): Design and production controls for medical devices, including software testing standards.
- Cybersecurity guidance: FDA guidance requires makers to address security gaps throughout the device life cycle.
- Unique Device Identification (UDI): Tracking rules for medical devices that tie into asset tracking and security controls.
- Adverse event reporting: Rules for reporting device safety events that may overlap with HIPAA breach reporting.
- Electronic records and signatures (21 CFR Part 11): Requirements for systems that create, modify, maintain, or send electronic records used in FDA-regulated work.
Where FDA and HIPAA Overlap
The overlap between FDA and HIPAA creates real compliance issues. Here is where they meet:
- Connected medical devices that collect, store, or send ePHI must meet both FDA cybersecurity rules and HIPAA Security Rule protections.
- EHR systems used in clinical trials must meet both HIPAA privacy rules and FDA data accuracy standards.
- Incident response for a security event on a medical device may trigger both HIPAA breach notice and FDA adverse event reporting.
- Risk management for medical devices must cover both patient safety (FDA) and data privacy (HIPAA) risks.
Align your FDA quality and HIPAA programs to cut overlap and make sure controls meet both sets of rules.
CMS Conditions of Participation and Compliance Requirements
Medicare and Medicaid Compliance
The Centers for Medicare & Medicaid Services (CMS) sets Conditions of Participation (CoPs). Providers must meet these to take part in Medicare and Medicaid. These rules overlap with HIPAA in many areas.
Key CMS compliance areas include:
- Patient rights: CMS requires policies protecting patient privacy and confidentiality that align with - and sometimes go beyond - HIPAA Privacy Rule requirements.
- Quality review and performance improvement (QAPI): Groups must run full quality programs that include data review and performance tracking.
- Medical records: CMS requires accurate, complete, and timely medical records with proper privacy controls.
- IT requirements: CMS has set rules for EHR use, data sharing, and interoperability that overlap with HIPAA Security Rule needs.
- Emergency readiness: CMS emergency rules overlap with HIPAA backup planning rules.
- Conditions of Payment: Billing and coding compliance rules that carry their own fine structures.
CMS Audits and Surveys
CMS compliance is enforced through surveys run by state survey agencies and accrediting groups. These surveys look at:
- Policy and procedure documentation
- Staff training records and competency reviews
- Physical setting and safety measures
- Patient care quality measures
- Privacy and data safety practices
Groups that match their HIPAA records to CMS survey needs make audits smoother and lighten the load on staff.
Joint Commission Standards
Accreditation and Beyond
The Joint Commission is a major accrediting body for US hospitals and health systems. Getting accredited is optional. But many groups rely on it as a mark of quality, safety, and survey readiness.
Joint Commission standards that tie into compliance include:
- Information Management (IM) standards: Rules for data accuracy, privacy, and security that line up with HIPAA Security Rule needs.
- Leadership (LD) standards: Rules for oversight, compliance programs, and ethical behavior.
- Human Resources (HR) standards: Rules for staff training and credentials that overlap with HIPAA workforce rules.
- Performance Improvement (PI) standards: Rules for data-driven quality work that link to CMS QAPI needs.
- Environment of Care (EC) standards: Physical security and safety rules that overlap with HIPAA physical safeguards.
- Emergency Management (EM) standards: Emergency readiness rules that match HIPAA backup planning.
Leveraging Accreditation for Compliance
Joint Commission work shows a focus on quality and safety. You can use this work to your benefit:
- Map Joint Commission standards to HIPAA, CMS, and state regulations to find overlaps.
- Use Joint Commission survey findings to spot compliance gaps across all frameworks.
- Line up your records and evidence for Joint Commission surveys with what regulatory audits need.
- Train staff on combined standards rather than rules for each framework.
Framework Overlap and Integration
Mapping Common Requirements
The major healthcare rules share a lot of common ground. Mapping these overlaps is key to smooth compliance. One control can meet many rules at the same time.
Common Requirements Across Frameworks
| Requirement Area | HIPAA | HITECH | Joint Commission | State Laws |
|---|---|---|---|---|
| Risk assessment | Required | Enhanced | Required | Varies |
| Access controls | Required | Required | Required | Often required |
| Encryption | Addressable | Emphasized | Expected | Often required |
| Audit logging | Required | Required | Required | Often required |
| Incident response | Required | Required (notification) | Required | Required |
| Workforce training | Required | Required | Required | Often required |
| Business continuity | Required | Required | Required | Varies |
| Documentation retention | 6 years | 6 years | Varies (3+ years) | Varies |
| Patient rights | Required | Enhanced | Required | Often enhanced |
Identifying Unique Requirements
The overlap is large, but each framework also has unique rules you must address:
- HIPAA: Minimum necessary rule, de-identification rules, patient access rights.
- HITECH: BA breach notice, penalty tiers, meaningful use rules.
- CMS: Quality measures, payment conditions, survey readiness.
- Joint Commission: Tracer method compliance, sentinel event reporting, patient safety goals.
- FDA: Design controls, device labeling, adverse event reports.
- State laws: State-specific breach timelines, consumer health data protections, and private right of action.
Building a Unified Compliance Approach
Implementing a Compliance Program Framework
A unified approach cuts overlap, lowers costs, and gives better safety than separate programs for each law. Building this takes a clear, step-by-step method.
What to Do First
- List every framework that applies to your team. Include HIPAA, HITECH, relevant state laws, CMS rules, accreditation standards, vendor contracts, and FDA rules if devices or regulated software are involved.
- Map those rules to one control catalog so you can see where a single policy, safeguard, or review step meets multiple duties.
- Run a gap analysis against that unified map and prioritize fixes by patient impact, legal exposure, and audit risk.
Step 1: Regulatory Inventory
List every rule, standard, and law that applies to your team. Include federal laws, state laws, standards, contracts like BAAs, and industry standards.
Step 2: Requirements Mapping
Map each framework's rules to a single control catalog. Group them by area - access control, encryption, training, and so on. Find where one control can meet more than one rule.
Step 3: Gap Analysis
Compare your current controls to the unified map. Find gaps where controls are missing or too weak. Rank those gaps by risk and how much they expose you to regulators.
Step 4: Control Implementation
Build and put in place controls that meet the strictest rule in each area. This covers all frameworks without keeping separate control sets.
Step 5: Documentation Integration
Keep unified records that map each control to every framework rule it covers. This speeds up audit prep and shows full compliance to any auditor.
Step 6: Continuous Monitoring and Improvement
Set up ongoing tracking to check how well controls work across all frameworks. Use findings from audits, incidents, and rule changes to keep improving.
The Compliance Program Elements
Every healthcare compliance program needs seven core parts. HHS OIG guidance outlines these:
- Written policies and procedures that cover all relevant rules.
- Compliance officer and committee with authority, resources, and visibility across the team.
- Training and education that covers all relevant frameworks, tailored to job roles.
- Effective communication channels, including anonymous reporting options.
- Internal tracking and auditing with regular checks of how well controls are working.
- Enforcement through discipline with consistent, documented consequences for rule-breaking.
- Response and corrective action steps for identified compliance issues.
Set up these parts to cover all relevant frameworks. Do not build separate systems for each one.
Audit Readiness Across Frameworks
Preparing for Multiple Audit Types
Healthcare groups face audits from many sources. Each has its own format, goals, and timeline:
- OCR HIPAA audits: May be triggered by breach reports, complaints, or random selection. They focus on HIPAA Privacy, Security, and Breach Notification requirements.
- CMS surveys: Run by state survey agencies or accrediting bodies. They focus on conditions of participation.
- Joint Commission surveys: Unannounced triennial surveys using the tracer methodology.
- State regulatory audits: Vary by state. May focus on licensure, privacy, or specific regulations.
- Payer audits: Insurance companies and managed care organizations may audit compliance with contract requirements.
- Internal audits: Self-reviews that find and fix issues before external auditors do.
Building an Audit-Ready Culture
Audit readiness is not a yearly event. It is an ongoing habit. Groups that stay audit-ready face less disruption and get better results.
Key audit readiness habits:
- Centralized documentation: Keep a central store of compliance records that is organized, current, and easy for auditors to review.
- Proof collection: Collect proof of compliance actions on a regular basis. Do not scramble to gather records before an audit.
- Mock audits: Run regular internal mock audits using the methods and standards of each expected outside audit.
- Staff readiness: Train staff on audit steps and what to expect so they can answer auditor questions with confidence.
- Findings tracking: Keep a central system for tracking audit findings, corrective actions, and fix timelines across all audit types.
- Tracking changes: Watch for rule changes, enforcement actions, and audit trends so you can stay ahead of what auditors look for.
Documentation Best Practices
Good records are the backbone of compliance. Auditors judge your program by what you can show in writing.
Key records include:
- Current policies and procedures with version history and approval logs
- Risk assessments with findings, remediation plans, and progress tracking
- Training records showing finish dates, content covered, and test results
- Incident reports and review records with notes on how issues were resolved
- Business associate agreements and vendor management records
- Access control records including role setups, access reviews, and change logs
- Audit logs from systems that hold ePHI
- Meeting minutes from compliance committee and oversight actions
Keep all records for the longest retention period that applies across all frameworks. For HIPAA-related records, that is six years.
Emerging Compliance Challenges
Artificial Intelligence and Machine Learning
AI and machine learning in healthcare create new compliance challenges that cut across many frameworks:
- HIPAA implications: AI systems that process PHI must follow the minimum necessary standard. De-identification must be strong enough to block re-identification through AI analysis.
- FDA regulation: AI/ML-based clinical decision support tools may count as medical devices under FDA rules.
- Bias and equity: CMS and accreditation standards now address health equity. Teams must check AI systems for bias.
- Transparency: Patients and regulators want clear answers on how AI affects care choices.
Interoperability and Data Exchange
Federal rules now require healthcare groups to share data through standard APIs. These rules create new compliance needs:
- Making sure data exchange follows HIPAA privacy and security rules
- Managing patient consent and access rights for sharing data
- Securing API endpoints against unauthorized access attempts
- Watching third-party app access to your data
Telehealth and Remote Care
Telehealth grew fast after 2020. That growth created lasting compliance challenges:
- Making sure telehealth platforms meet HIPAA security rules
- Meeting state licensure needs for cross-state telehealth visits
- Securing the home offices of remote healthcare workers
- Managing patient consent and records for virtual visits
Primary Sources
- HIPAA and HITECH: 45 C.F.R. Parts 160 and 164, HHS OCR guidance, breach portal records, and settlement deals.
- CMS rules: Conditions of Participation, survey guidance, and Medicare and Medicaid program manuals from CMS.
- FDA rules: 21 C.F.R. Part 11, medical device quality system rules, and FDA device cybersecurity guidance.
- Joint Commission standards: Current accreditation guides, survey materials, and National Patient Safety Goals.
- State law overlays: State privacy, breach notice, and consumer health data laws that apply where you operate.
Regulatory Compliance FAQ
How do we prioritize when multiple frameworks have conflicting requirements?
True conflicts between healthcare rules are rare. Most seem to come from different levels of detail. When rules seem to clash, follow the strictest one. That usually covers the rest.
If a real conflict exists, talk to legal counsel. Write down your analysis and your choice. Reach out to the relevant agency for guidance when facing a genuine conflict.
What is the most efficient way to manage compliance across multiple frameworks?
Build one compliance program with a single control catalog. Map each control to every framework rule it meets. This cuts overlap, lowers costs, and gives full coverage.
Use a shared risk review method, combined records, and cross-team compliance groups. Address all relevant frameworks in a joined-up way.
How often should we conduct compliance reviews?
At minimum, run a full risk review once a year. Update it when major changes happen in your group, your tech, or the rules. Some frameworks may call for more frequent reviews.
Internal audits should happen at least once a year. High-risk areas may need more frequent reviews. Use ongoing tracking to add to regular reviews.
Do small healthcare organizations need to comply with all these frameworks?
The relevant frameworks depend on your size, type, and what you do. All groups that handle PHI must follow HIPAA. CMS rules apply to Medicare and Medicaid members. Joint Commission standards apply to accredited groups. State laws apply based on where you operate.
Small groups may face fewer relevant frameworks. But the ones that apply must be fully met. A unified approach helps small teams get the most from limited compliance resources.
How should we handle a regulatory change that affects multiple compliance frameworks?
Set up a process that tracks changes across all relevant frameworks. When a change occurs, check its impact on your control catalog. Find any gaps or updates needed. Then update policies, inform affected staff, and record your review and response.
Cross-check changes against your framework map. This ensures that a change in one area is handled across all related controls.
Regulatory Compliance Takeaways
Healthcare compliance in 2026 calls for a clear, unified approach. Your program must cover the full range of relevant rules. Teams that build one program for HIPAA, HITECH, state laws, FDA, CMS, and accreditation run more smoothly and stay more audit-ready.
Multi-framework compliance takes skill, resources, and steady effort. The best approach is one control set, one records system, and one review process mapped across all frameworks that apply. That cuts overlap and holds up better during audits.
Key stat: Healthcare organizations are subject to at least four overlapping federal regulatory frameworks: HIPAA, HITECH, the FTC Health Breach Notification Rule, and CMS Conditions of Participation. Organizations that map controls across all applicable frameworks in a single compliance program spend less time on audit preparation and experience fewer enforcement gaps.
Compliance Program Resources
- HIPAA Audit-Proof Checklist
- OCR Audit Program Guide for Healthcare
- Building a Healthcare Compliance Culture