
Healthcare compliance isn't a one-time checkbox. It's an ongoing discipline that touches every part of your practice — from how you document patient encounters to how you store records, train staff, and bill for services. And the stakes are high: noncompliance can result in audits, financial penalties, exclusion from payer networks, and in serious cases, legal action.

In our work with practices across the country, we see the same compliance gaps show up again and again. Here are the five most common — and what you can do about them.

1. Outdated or Missing Policies and Procedures

Many practices created their compliance policies years ago and haven't revisited them since. Regulations change, payer requirements evolve, and new risks emerge. A policy manual that was adequate in 2019 may have significant gaps in 2026.

The fix: conduct an annual policy review. Compare your current documents against current federal and state regulations, payer requirements, and industry best practices. Pay special attention to areas like HIPAA privacy and security, OSHA workplace safety, and anti-kickback provisions. If you don't have written policies for key operational areas, that's a critical gap that needs immediate attention.

2. Inadequate Staff Training and Documentation

Having policies on paper is only half the equation. Your staff needs to understand them, and you need to be able to prove it. We frequently find practices where compliance training is informal, inconsistent, or entirely absent — and where there's no documentation to show who was trained, on what, and when.

The fix: implement a structured training program with documented sign-offs. Every employee should receive compliance training at onboarding and at least annually thereafter. Training should cover HIPAA, fraud and abuse, workplace safety, and any specialty-specific regulations that apply to your practice. Keep detailed records — they're your first line of defense in an audit.

3. HIPAA Security Rule Gaps

Most practices understand the basics of HIPAA privacy: don't disclose patient information beyond what the Privacy Rule permits. But the HIPAA Security Rule, which requires safeguards for the confidentiality, integrity, and availability of electronic protected health information (ePHI) wherever it is created, stored, or transmitted, is where we see the most exposure.

Common gaps include: no formal security risk analysis on file, unencrypted laptops, phones, and removable media containing ePHI, login credentials shared among staff (which makes it impossible to tie any record access to an individual), no audit logs showing who accessed which patient records and when, and no documented incident response and breach notification plan.
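Two of the gaps above, shared credentials and missing audit trails, reinforce each other: without an access log you cannot see that a credential is being shared, and with a shared credential the log cannot tell you who actually looked at a record. The script below is an added example, not part of the original article or any vendor's product, showing what an audit trail lets you check once you have one. It parses a constructed EHR access log (timestamp, user, workstation, patient ID, action, a format assumed for illustration) and flags any user account that was active on two different workstations within a short window, a common sign that a login is being shared.

```python
"""Spot likely shared-login use in an EHR access log.

Added example for illustration; the log format below is constructed,
not taken from any real EHR product.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines: timestamp,user,workstation,patient_id,action.
# jsmith's credential shows up on two workstations 22 seconds apart, which a
# single person at one desk cannot do; mlee's moves are hours apart.
SAMPLE_LOG = """\
2026-01-14T08:02:11,jsmith,WS-FRONT-1,P10042,view
2026-01-14T08:05:40,jsmith,WS-FRONT-1,P10043,view
2026-01-14T08:06:02,jsmith,WS-EXAM-3,P10044,view
2026-01-14T08:07:15,jsmith,WS-FRONT-1,P10045,update
2026-01-14T09:30:00,mlee,WS-BILLING-2,P10042,view
2026-01-14T11:45:00,mlee,WS-EXAM-3,P10099,view
2026-01-14T11:45:30,rpatel,WS-EXAM-1,P10100,view
"""


def parse_log(text):
    """Turn the comma-separated log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, workstation, patient, action = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "ws": workstation,
            "patient": patient,
            "action": action,
        })
    return events


def find_shared_credential_use(events, window_minutes=10):
    """Report each (user, workstation pair) seen within `window_minutes`.

    Returns one finding per user and unordered pair of workstations, with
    the first two timestamps that triggered it, so a busy shared account
    produces a short, reviewable list rather than one line per access.
    """
    window_seconds = window_minutes * 60
    by_user = defaultdict(list)
    for event in sorted(events, key=lambda e: e["ts"]):
        by_user[event["user"]].append(event)

    findings = {}
    for user, user_events in by_user.items():
        for i, first in enumerate(user_events):
            for second in user_events[i + 1:]:
                # Events are sorted, so once we leave the window we can stop.
                if (second["ts"] - first["ts"]).total_seconds() > window_seconds:
                    break
                if first["ws"] == second["ws"]:
                    continue
                key = (user, tuple(sorted((first["ws"], second["ws"]))))
                if key not in findings:
                    findings[key] = {
                        "user": user,
                        "workstations": key[1],
                        "first_seen": first["ts"],
                        "second_seen": second["ts"],
                    }
    return list(findings.values())


if __name__ == "__main__":
    for hit in find_shared_credential_use(parse_log(SAMPLE_LOG)):
        print(f"{hit['user']}: active on {hit['workstations'][0]} and "
              f"{hit['workstations'][1]} between {hit['first_seen']:%H:%M:%S} "
              f"and {hit['second_seen']:%H:%M:%S}")
```

Run against the sample, this reports jsmith's account on WS-EXAM-3 and WS-FRONT-1 within the same few minutes and stays quiet about mlee, whose two workstations are hours apart. The window length is a tuning knob: too short and legitimate desk-hopping in a small clinic is missed, too long and every floating clinician is flagged, so calibrate it against how your staff actually move between rooms.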

The fix: start with a formal HIPAA security risk analysis covering every system that holds or transmits ePHI. The Office for Civil Rights has made it clear that this isn't optional: the Security Rule requires it, and the absence of a current, documented risk analysis is one of the findings most frequently cited in enforcement actions. From there, address the gaps the analysis identifies in a written risk management plan, prioritizing those that carry the greatest risk, and repeat the analysis when systems, vendors, or workflows change.

4. Coding and Billing Compliance Weaknesses

Billing errors aren't just a revenue problem — they're a compliance problem. Patterns of upcoding, unbundling, or billing for services not rendered can trigger audits from Medicare, Medicaid, and commercial payers. Even unintentional errors, if systematic, can result in significant financial penalties and reputational harm.

The fix: implement regular internal audits of your coding and billing practices. A sample review of claims on a quarterly basis can catch patterns before they become problems. Ensure your coding staff is current on CPT and ICD-10 updates, and consider bringing in an outside auditor annually for an independent review.

5. No Compliance Officer or Oversight Structure

In many small to mid-sized practices, compliance is "everyone's job" — which in practice means it's no one's job. Without a designated compliance officer or a formal oversight structure, compliance activities tend to be reactive rather than proactive, and gaps accumulate unnoticed until something goes wrong.

The fix: designate a compliance officer, even if it's a part-time role or an external resource. This person should be responsible for maintaining the compliance program, conducting risk assessments, managing training, monitoring regulatory changes, and serving as the point of contact for compliance questions. For practices that don't have the internal bandwidth, a fractional COO or compliance consultant can fill this role effectively.

The Bottom Line

Compliance gaps rarely cause problems overnight. They accumulate quietly until an audit, a breach, or a disgruntled employee brings them to light. The practices that avoid these crises are the ones that treat compliance as an ongoing operational priority — not an afterthought.

A proactive compliance program doesn't have to be burdensome. It just needs to be intentional, documented, and consistently maintained. If you're not confident in where your practice stands, an outside assessment is a smart first step.

Concerned about compliance gaps in your practice? Our team specializes in compliance evaluations and gap analyses for healthcare providers. Get in touch to learn more.