Proactive Compliance in Health Care: “Getting Ahead” of Enforcement in 2026 and Beyond
Client Alert | 10 min read | 07.08.26
As federal and state regulators alike continue to tout holding health care organizations accountable for alleged fraud, waste, and abuse as a top priority, ensuring compliance and minimizing enforcement risk has never been more imperative — or more challenging. Health care organizations operate at the intersection of rapid technological changes and within an increasingly complex regulatory landscape, where the rules governing scrutinized areas such as privacy, AI, billing integrity, and strategic transactions are being written, rewritten, and enforced in real time. Treating compliance as a periodic documentation exercise is simply not an option. Today, an effective risk mitigation strategy must be grounded in two complementary elements: a thorough understanding of evolving regulatory obligations and a candid internal assessment of potential points of exposure.
By identifying, addressing, and communicating with regulators about potential issues before those concerns prompt formal enforcement actions, health care organizations can curtail fraud, mitigate regulatory exposure, and cultivate more constructive relationships with regulators. The discussion that follows examines how this proactive approach might be deployed across three distinct and intersecting areas of heightened compliance risk: emerging AI and privacy regulations, enforcement against allegedly improper billing practices, and regulatory review of novel health care transactions.
Fraud enforcement has evolved; health care entities’ risk mitigation strategies must do the same.
Emerging Risk: AI and Privacy
Proactively maintaining compliance with the federal and state laws and regulations governing privacy and AI use can be compared to running preflight safety checks on a plane undergoing assembly on the runway: because technological innovation, commercial adoption, and regulatory updates are all occurring simultaneously, simply staying up to date on applicable laws presents an ongoing and imperative challenge for health care organizations.
Ensuring compliance is a different hurdle. Regulatory scrutiny is still evolving at the federal level, as the Trump Administration has opted for a strategy that prioritizes innovation and AI adoption. In December 2025, the administration issued an executive order (“Ensuring a National Policy Framework for Artificial Intelligence”) that called for the development of “a minimally burdensome national standard — not 50 discordant State ones” and further directed the U.S. secretary of commerce to evaluate and, if relevant, challenge state AI laws that appear to overreach the federally-established threshold. However, that national standard remains largely hypothetical — and, in the absence of a comprehensive AI or data privacy federal law, the states have taken point by creating a patchwork of regional regulatory regimes to protect consumer data privacy and govern AI use within and beyond the health care sector.
As of this writing, at least 20 states have enacted comprehensive personal data privacy laws. These broad state consumer privacy statutes govern how companies collect, process, and handle personal data, and grant consumers enforceable rights, including opt-out mechanisms, sensitive data protections, and the ability to challenge profiling decisions. States similarly stand as the primary drivers of AI policymaking, with AI legislation largely falling into two categories: sector-specific laws covering specific areas such as health care, insurance, chatbots, and political advertisements, and comprehensive AI frameworks that impose restrictions on AI tools and use cases deemed high risk.
These laws can have significant operational and process-design implications for affected health care organizations. On the payor side, at least five states — Arizona (HB 2175), Maryland (HB 820), Nebraska (LB 77), California (SB 1120), and Indiana (HB 1271) — have enacted laws requiring human oversight of AI-driven insurance coverage and downcoding decisions. Similar guardrails have been instituted for providers; laws in states such as Texas (TRAIGA), California (AB 3030), Utah (SB 149), and Illinois (HB 1806) expressly require providers to disclose their use of AI in clinical care and/or communications, with Illinois also requiring patient consent in some circumstances. Maine (LD 2082) takes a more restrictive approach, expressly barring providers from using AI to generate therapeutic communications, render treatment decisions, or independently interact with patients, while also requiring patient consent before deploying ambient listening or other AI-powered recording tools.
Moreover, state regulators’ approach to enforcing these rules has become increasingly cooperative. During the IAPP’s annual conference in March 2026, for example, enforcement officials from California, Connecticut, Indiana, and Delaware shared their current and upcoming personal data privacy priorities in the interests of better coordinating enforcement and sharing intelligence. It is anticipated that they would take a similar approach regarding appropriate transparency in the use of AI to address and enforce consumer protection concerns.
For health care organizations seeking to proactively mitigate fraud risk and avoid violating newly promulgated laws, awareness is power. Payors, providers, and other entities must remain up to date on regulatory regimes within their operational purview and actively take steps to align their operations with evolving regulations.
Recommendations:
-
- Expect regulations to change; remain up to date on evolving state and federal compliance obligations associated with new technologies, including AI.
- Understand how emerging technologies are being used by your organization, ensure that all use cases align with relevant regulations, and document all relevant processes. Regulators increasingly expect more than facially compliant policies and need evidence of a functioning compliance program with documented governance structures, traceable data flows, and demonstrated accountability at senior leadership levels.
- Proactively engage with regulators regarding self-identified issues regarding potential points of noncompliance. Regulators may be more open to resolving concerns amicably when a company demonstrates genuine cooperation; continuing noncompliant practices after receiving notice may substantially increase penalty exposure.
Existing Risk: Improper Billing
As regulators double down on their commitment to holding health care organizations accountable for alleged fraud, waste, and abuse, payors and providers alike face unprecedented pressure to validate that their billing practices have not resulted in improper overpayments. The U.S. Department of Health and Human Services (HHS) and the Centers for Medicare & Medicaid Services (CMS) have ramped up that urgency in President Trump’s second term by pivoting from the government’s historically reactive approach to Medicare and Medicaid fraud to a more aggressive approach that leverages AI and data analytics to preemptively flag instances of potential fraud. As HHS Secretary Robert F. Kennedy Jr. described the policy shift in a February 2026 press conference: “For decades, Medicare fraud has drained billions from American taxpayers — that ends now. We are replacing the old ‘pay and chase’ model with a real-time ‘detect and deploy’ strategy, using advanced AI tools to identify fraud instantly and stop improper payments before they go out the door.”
While it is too early to assess the full scope and impact of this AI-empowered pivot, the galvanizing impact on enforcement is already evident: by the end of Q1 2026, CMS had already referred 62 cases of alleged billing fraud encompassing over $635 million in claims submitted to Medicaid, Medicare Advantage, and traditional Medicare to law enforcement for investigation.
Of course, federal health agencies are far from the only regulatory forces scrutinizing health care organizations’ billing practices. Businesses face exposure across a wide array of federal laws, from the False Claims Act (FCA), which imposes criminal and civil penalties for fraud against government programs and payors, to the Anti-Kickback Statute (AKS) and Stark Law, which prohibit doctors and patients from receiving or paying kickbacks in exchange for referrals. Like HHS and CMS, the U.S. Department of Justice (DOJ) recently indicated its interest in leveraging emerging technologies to curb fraud; on April 30, 2026, DOJ officially launched the Fraud Oversight through Careful Use of Statistics (FOCUS) initiative, which aims to recruit sophisticated data miners capable of flagging patterns indicative of potential fraud in public datasets, as qui tam relators.
Given the intensifying level of scrutiny, health care organizations should anticipate an uptick in investigations and enforcement actions. As the saying goes, “the best defense is a good offense.” Here, the best protection is a proactive compliance program. Health care organizations should evaluate whether their current programs follow guidance from HHS-OIG and DOJ, along with industry best practices. Compliance programs must be properly tailored to enterprise risk and emergent trends; operate with clear lines of communication internally; contain effective risk identification, audit, and investigation functions; and undergo periodic programmatic review. If misconduct is identified, health care organizations participating in government programs should also be mindful of self-reporting duties (e.g., statutory responsibility to report fraud to relevant government agencies when it occurs) under 42 CFR 422.503(b)(4)(vi)(G)(3) and 42 CFR 438.608(a)(7), respectively.
Fortunately, health care organizations are equally capable of leveraging advanced technologies to proactively self-identify potential misconduct and often already have access to internal data that may reveal problematic billing and referral patterns. Health care organizations can leverage data analytics and, in some cases, AI tools to proactively review internal records, flag improper patterns before they prompt enforcement, and satisfy self-reporting obligations, turning internal scrutiny into a tool for both revenue integrity and regulatory goodwill.
Recommendations
-
- Ensure that any fraud, waste, and abuse program addresses the full lifecycle of a potential matter, from detection and investigation through government engagement.
- Create a formalized, continuously updated risk assessment process that supports real-time claims monitoring, pre-payment review, and trend detection, ensuring that internal analytics keep pace with the organization’s evolving business profile and areas of exposure.
- Establish clear, institutionalized pathways for surfacing and reporting potential misconduct, both internally through compliance and partner or vendor relations functions and externally through defined referral channels to relevant state and federal authorities (e.g., HHS-OIG, state insurance departments, attorneys general, DOJ, etc.).
- Treat compliance programs as living systems subject to regular testing, audit, root cause analysis, and metric-driven performance review.
Potential Risk: Transactions and Contracting
In recent years, the health care ecosystem has become more competitive, consolidated, and cost-sensitive. Buffeted by economic pressures and intensifying patient needs, payors and providers alike are increasingly motivated to engage in strategic transactions and creative payment structures to facilitate growth, secure necessary resources or partnerships to remain afloat, enable efficiencies, drive constructive innovation, or otherwise advance their business objectives. However, health care transactions are subject to increasingly high levels of scrutiny and state and federal regulatory review that can be time-consuming — and incredibly burdensome — if not navigated properly. As the health care sector becomes increasingly consolidated, regulators have expressed greater interest in overseeing and validating health care transactions prior to finalization to ensure that any final deal will not constitute self-dealing or have a negative impact on the affected patient base’s ability to seek and receive care.
Organizations on both sides of a deal must consider whether the transaction will trigger notice and/or approval requirements from state and federal licensing agencies, whether state certificate of need laws will be implicated, and whether the transaction will require the submission of a new license application. Certain states require submissions and approvals to occur months prior to closing, which can potentially delay a deal. Many states have also implemented separate review and approval processes through the attorney general or other reviewing entity for health care transactions, particularly those involving nonprofits or private equity. Breadth of approval authority varies across states; some require a review of how the transaction will impact access and affordability of care, while others consider antitrust or other broader competition implications.
With heightened state and federal scrutiny of health care organizations as well as increasingly complex and creative corporate structures comes the risk that transactions will raise concerns of noncompliance with fraud and abuse (e.g., the FCA, AKS, and Stark Law) and antitrust laws. In a worst-case scenario, transacting parties might spend months, if not years, carefully crafting the terms of a deal or novel business model, only to have their final proposition fail to pass muster — or worse, raise fraud concerns that trigger an investigation — during a regulatory pre-closing review. The health care market, particularly with providers, has also seen an uptick in creative internal and external payment arrangements, new marketing approaches, and other programs in efforts to retain talent and improve the efficient and effective delivery of care to patients. These efforts can further raise fraud and abuse concerns and highlight the importance of early and thorough due diligence when considering a transaction.
However, organizations should not avoid pursuing novel business opportunities due to anxiety over the complex regulatory requirements. By proactively engaging with state and federal (e.g., CMS, OIG) regulators before a proposed transaction is finalized for official review, transacting parties can adapt flexibly to regulatory concerns and sidestep potential fraud concerns prior to any official rejection or enforcement.
-
- Before pursuing any novel payment arrangement, transaction, or business model, conduct a thorough multijurisdictional regulatory analysis to identify applicable state and federal requirements, including pre-transaction notification and approval obligations, that may affect deal structure or timeline.
- Rather than waiting for formal regulatory review to surface compliance concerns, seek proactive guidance from relevant federal regulators, including CMS and the OIG, on novel arrangements that could implicate the FCA, AKS, or Stark Law before those arrangements are finalized.
- When evaluating unconventional transactions or business models, engage experienced health care counsel at the earliest stages of deal development to assess potential fraud exposure and identify opportunities to seek advisory guidance before committing to a particular structure.
Looking Ahead: Preparing for a New Era of Enforcement
Across each of the three areas examined above, a consistent principle emerges: identifying, addressing, and communicating with regulators about potential issues prior to formal enforcement is more effective than responding to scrutiny after the fact. The regulatory landscape governing privacy, artificial intelligence, billing integrity, and strategic transactions continues to evolve rapidly, and the obligations it imposes on payors, providers, and other health care entities show no signs of becoming less demanding or less consequential.
To rise to the challenge, health care organizations will need to develop a compliance infrastructure grounded in two complementary commitments: a thorough, ongoing understanding of applicable regulatory obligations and a candid internal assessment of potential points of exposure. Entities that engage in constructive self-assessment will naturally be better positioned to curtail fraud, mitigate regulatory exposure, and cultivate more constructive relationships with the agencies that oversee them.
Contacts
Insights
Client Alert | 3 min read | 06.24.26
Two significant recent developments illustrate the Trump administration’s increasing focus on policing of hospital contracting practices that limit health plan network design flexibility. On June 16, 2026, the U.S. Department of Justice (DOJ) Antitrust Division and Ohio attorney general filed a proposed consent decree resolving their civil antitrust suit against OhioHealth. (Prior Alert) Two days later, the White House Council of Economic Advisers (CEA) released a memorandum quantifying the potential economic effects of a broader ban on the types of contracting restrictions at issue in the OhioHealth case and the DOJ's parallel suit against NewYork-Presbyterian. This alert updates our prior coverage of the OhioHealth complaint and summarizes both developments.
Client Alert | 6 min read | 06.16.26
What United States v. Bankman-Fried Means for Health Care Fraud Defense
Client Alert | 7 min read | 06.26.26
Federal Roundup: Updates for PBMs and Medicare Advantage Organizations
Client Alert | 5 min read | 05.12.26
NYDFS Ramps Up Health Care Cybersecurity Enforcement With $2.25 Million Settlement



