In today’s increasingly complex regulatory environment, organizations across many industries face escalating scrutiny from government enforcement agencies. These agencies are no longer evaluating programs based only on whether required elements exist on paper. Instead, they are examining whether compliance programs are sufficiently operationalized to identify, assess, and address risk before issues become enforcement matters.
Industries facing increased compliance scrutiny can learn from healthcare, which deals with extremely rigid compliance enforcement from the U.S. Department of Justice (DOJ) and the Health and Human Services Office of Inspector General (OIG). As a result, many healthcare organizations are reassessing how their compliance programs are structured, supported and evaluated. Program effectiveness now carries implications not only for regulatory and revenue risk but also for organizational credibility with regulators, payers, and governing bodies.
Federal enforcement trends consistently reinforce the expectation that compliance programs function as active, evolving risk management frameworks. When entities are under investigation, regulators evaluate whether organizations conducted meaningful risk assessments, devoted appropriate resources to compliance activities, and leveraged available data to assess whether controls are working as intended. A reactive posture, such as waiting for audit findings, complaints or enforcement inquiries, can indicate program weaknesses and significantly increase regulatory exposure as well as fines and penalties.

This focus is reflected in federal guidance, including the DOJ’s Evaluation of Corporate Compliance Programs, the U.S. Sentencing Guidelines and the OIG’s General Compliance Program Guidance. Collectively, these resources indicate that organizations that demonstrate early risk identification, timely response and continuous program improvement are better positioned to mitigate penalties and limit the scope of corrective action should enforcement occur.
What compliance effectiveness looks like today
An effective compliance program for healthcare and many other industries begins with a clear understanding of organizational risk. Periodic, enterprise‑wide risk assessments are critical and should extend beyond just an inventory of regulatory requirements. Effective risk assessments consider operational, regulatory, and revenue risks throughout an organization and help organizations identify areas of exposure and potential control gaps before they result in overpayments, compliance failures or enforcement scrutiny.
Importantly, risk assessment results should inform compliance priorities and drive a focused, risk‑based compliance work plan. This approach also allows organizations to demonstrate that compliance efforts are intentional and responsive to their risk profiles.
Program structure and governance are equally important to overall program effectiveness. Effective compliance programs are supported by an engaged compliance committee that actively oversees organizational risk, regularly reviews compliance reporting, and helps set program priorities across departments. The committee should serve as a working committee focused on addressing organizational risks collectively rather than in silos. Visible involvement by senior leadership and the governing body is equally critical, reinforcing that compliance is an organizational responsibility and an expected component of operational decision‑making, not merely a function of the compliance department.
The compliance function must also have sufficient authority, independence and access to information to perform its responsibilities effectively. This includes access to clinical, operational and billing data needed to evaluate whether controls are functioning as intended, as well as the ability to elevate concerns and drive corrective action when issues are identified. Consistent leadership engagement and responsiveness to identified issues are often among the strongest indicators of whether compliance is viewed as a strategic priority or an afterthought.
Ultimately, regulators focus on how a compliance program operates in practice. Organizations should be able to demonstrate ongoing monitoring and auditing activities, consistent investigation of identified issues, and timely, well‑documented corrective action. This includes not only addressing the immediate issue but also assessing root causes and strengthening controls to prevent recurrence. Programs that incorporate lessons learned, adjust their approach over time, and can clearly show how prior issues informed program improvements are often viewed as more mature and effective in practice.
Proactive compliance and revenue integrity
The focus on how a compliance program functions in practice naturally extends to how organizations identify and manage risk across core business functions. Often overlooked is the extent to which compliance programs rely on, and directly affect, revenue. In healthcare, an effective compliance program must be integrated into how the organization delivers care, documents services, and generates revenue. As organizations adopt more proactive, risk‑based compliance approaches, revenue integrity (RI) plays a critical role in identifying and managing not only operational and financial risk but compliance risk as well.
RI in healthcare is the practice of ensuring reimbursement is accurate and compliant. Because it directly affects clinical operations, billing and reimbursement, RI is a natural compliance partner. When compliance and revenue integrity operate in silos, issues are more likely to be identified after the fact through denials, audits, or external inquiries. Strong alignment between the two functions allows organizations to identify issues earlier and address concerns before they become bigger compliance or regulatory matters. As a result, many healthcare organizations are integrating compliance and RI efforts through shared data, coordinated oversight and aligned work plans to support early risk identification and proactive intervention.
Routine, risk-based coding auditing assists in the timely identification of compliance and revenue integrity issues and can also reduce financial exposure by limiting the scope of overpayments, reducing the need for broader repayment calculations or extrapolation, and minimizing operational disruption. Further, these proactive measures help healthcare organizations avoid additional consequences such as payer scrutiny, reputational harm, or litigation. Timely and appropriate corrective action also influences how regulators assess the effectiveness of an organization’s compliance program and reflects a culture of accountability and compliance.
Recent oversight strategies deployed by the OIG illustrate how the office expects these principles to be operationalized. In one matter, a healthcare organization entered into a Corporate Integrity Agreement with the OIG in connection with a False Claims Act settlement to resolve allegations related to medically unnecessary inpatient behavioral health services and improper billing practices. As part of the settlement, the organization agreed to a multi‑year agreement imposing enhanced compliance obligations, including independent claims reviews and requirements for identifying, reporting, and refunding overpayments. These requirements reflect regulators’ focus not only on whether issues occurred but also on whether organizations had effective mechanisms in place to oversee billing practices and manage revenue risks on a proactive basis. In contrast, in a recent audit, the OIG determined that an organization received an estimated $12.1 million in Medicare overpayments and revealed root causes of errors, including failures to consistently follow its billing policies and procedures, demonstrating how gaps in revenue processes, even absent intentional misconduct, can result in significant financial exposure and regulatory scrutiny.
Effective compliance programs and long-term success
Proactive compliance in all industries does not eliminate risk entirely; however, it allows organizations to manage risk in a more focused and defensible way. Regulators recognize that even well‑designed compliance programs cannot prevent every issue, but they do expect organizations to demonstrate active oversight, responsiveness and a commitment to continuous improvement.
As enforcement expectations continue to evolve, compliance programs are being viewed as more than a regulatory requirement. Early risk identification, supported by appropriate governance oversight and timely corrective action, helps protect revenue, strengthen internal controls and reinforce trust. It also positions organizations to demonstrate good‑faith compliance efforts if and when issues arise.
The shift away from reactive or overly routine compliance activities is well underway. Organizations that invest in proactive and integrated compliance programs, supported by ongoing risk assessment and operational support, are better positioned to reduce both regulatory and financial exposure. In today’s environment, proactive and effective compliance is no longer simply a best practice; it is an essential component of long‑term success.
Erin Walker is a manager at PYA specializing in HIPAA and regulatory compliance consulting matters. She advises clients on compliance program development, risk assessments, HIPAA Privacy and Security Risk Analyses, and policy implementation. A former HITRUST Authorized CSF Assessor, she also supports risk mitigation, regulatory compliance, and training initiatives.