The Regulatory Landscape Is Changing Faster Than Most Health Systems Can Track: Here Is What Executives Need to Prioritize

Healthcare regulation is changing faster than most systems can track. The shifts executives must prioritize and the data infrastructure decisions that make compliance possible.

Steve Novak, Vice President

Healthcare regulatory complexity is not new. Health system executives have always operated within one of the most heavily regulated industries in the American economy, navigating CMS conditions of participation, payer contract compliance, state licensing requirements, HIPAA privacy and security obligations, and the overlapping enforcement jurisdiction of DOJ, OIG, OCR, and state attorneys general.

What is new is the velocity of regulatory change. In a compressed period spanning the past several years, the regulatory landscape has shifted in ways that are individually significant and collectively transformative. Price transparency requirements have created new public accountability obligations. The No Surprises Act has introduced a dispute resolution infrastructure that is still evolving. Interoperability and information blocking rules have fundamentally changed how health systems must manage and share data. Value-based care regulatory frameworks are shifting financial risk in ways that compound existing compliance obligations.

For the executive leaders responsible for compliance, legal, quality, and revenue cycle management, the challenge is not just keeping up with individual regulatory changes. It is maintaining a coherent strategic posture across a regulatory environment that is moving faster than most governance models were designed to handle.

This blog addresses four of the most consequential regulatory developments currently shaping health system compliance strategies and what executive leaders need to be doing about each of them.

One development that warrants immediate attention beyond those four areas: in April 2026, CMS Administrator Mehmet Oz announced that CMS will require all states to submit, within 30 days, a plan outlining how they will verify that Medicaid providers are real, licensed, and actually delivering care, with particular focus on areas flagged as high-risk for fraud. This directive represents a significant escalation of Medicaid program integrity enforcement and will affect every health system with meaningful Medicaid participation. Organizations with complex provider enrollment structures, multi-site billing arrangements, or Medicaid revenue streams that have not been recently audited should treat this development as a near-term compliance action item, not a background regulatory development to monitor.

1. Information Blocking and Interoperability: Enforcement Is Here, and the Stakes Are Higher Than Most Organizations Have Modeled

The 21st Century Cures Act information blocking provisions became enforceable in 2021. For the first three years, enforcement was handled by the Office of the National Coordinator for Health Information Technology with a referral mechanism to HHS’s Office of Inspector General for cases involving health IT developers, health information networks, and health information exchanges. Health systems, categorized as “healthcare providers” under the rule, faced a different enforcement structure with initially lower financial exposure.

That structure has changed. The Cures Act Update of 2022 authorized expanded penalties for healthcare provider information blocking, and HHS has continued to strengthen its enforcement posture. The combination of expanded financial penalties, growing patient rights consciousness, and the increasing sophistication of ONC complaint investigation means that information blocking is now a material compliance risk for health systems, not a theoretical one.

What information blocking compliance requires

Information blocking, defined under the Cures Act as any practice that is likely to interfere with the access, exchange, or use of electronic health information, is broader in scope than most health system compliance programs have fully internalized. The eight regulatory exceptions, which define the conditions under which practices that might otherwise constitute information blocking are permissible, are complex, technically specific, and require active management.

For the Chief Compliance Officer and Chief Legal Officer, the immediate priorities are:

  • Audit current patient request fulfillment processes against the Patient Access exception requirements, including response timeframes, fee limitations, and format requirements, to identify practices that may not meet the regulatory standard
  • Assess EHR configuration and API accessibility against the interoperability exception requirements, in coordination with the CIO and Chief Data Officer. Information blocking risk frequently originates in technical configuration decisions made without compliance review
  • Establish a complaint intake and response process specifically for information blocking allegations, separate from standard patient grievance processes. ONC investigates based on complaints, and documented response processes are material to enforcement outcomes
  • Review business associate and vendor contracts for provisions that may restrict data sharing in ways that are inconsistent with information blocking exceptions. Vendor-imposed restrictions can create health system liability under circumstances that are frequently misunderstood

The information blocking rule does not just apply to requests that the organization chooses to deny. It applies to practices, including technical configurations, contract terms, and workflow designs, that have the effect of interfering with information access, regardless of intent.

2. Price Transparency: From Compliance Checkbox to Strategic Liability

CMS’s hospital price transparency rule has been in effect since January 2021. For much of its initial enforcement period, civil monetary penalties were limited, and the compliance response from many health systems was correspondingly minimal: a machine-readable file was posted, the technical requirement was nominally met, and the operational implications were treated as a low priority.

That posture is no longer adequate. CMS has substantially increased its enforcement posture, raising the maximum annual penalty for non-compliance to over $2 million for large hospitals. More significantly, the compliance standard has evolved. CMS is now actively auditing the accuracy and usability of posted price information, not just its existence, and issuing corrective action plans to hospitals whose files do not meet the technical and substantive requirements of the rule.

For the Chief Financial Officer, Controller, and VP of Revenue Cycle, price transparency compliance has moved from a regulatory check-the-box to an operational requirement that demands ongoing attention.

The accuracy obligation that most compliance programs are underweighting

The most significant and least appreciated price transparency compliance obligation is the accuracy requirement. Posted prices must reflect the actual amounts the hospital will accept for each item and service, including the payer-specific negotiated rates for each of the hospital’s established payer arrangements. In a health system with dozens of payer contracts, hundreds of contract amendments, and complex fee schedule structures that are updated on irregular cycles, maintaining accurate posted prices is an ongoing data management challenge.

When posted prices are inaccurate, whether because contract updates were not reflected, because fee schedule changes were not propagated, or because the machine-readable file was generated from a source that does not reflect current negotiated rates, the organization is out of compliance regardless of whether the file was technically present. CMS’s audit methodology is increasingly focused on this accuracy gap.

For the Controller and VP of Revenue Cycle, this requires establishing a documented process for updating posted price information whenever payer contract changes occur, with clear ownership, defined timelines, and an audit trail that demonstrates compliance management.

The No Surprises Act intersection

Price transparency and No Surprises Act compliance are operationally connected in ways that health system compliance programs do not always manage coherently. The good faith cost estimate requirement under the No Surprises Act, which applies to uninsured and self-pay patients and, in certain circumstances, to insured patients who request estimates, depends on the same underlying price data that price transparency requires the organization to maintain accurately.

When price data is unreliable, both obligations are compromised simultaneously. The health system faces price transparency enforcement exposure and No Surprises Act dispute resolution exposure from the same underlying data quality failure.

An emerging information blocking risk that health systems should be tracking now: AI-generated clinical content. As health systems deploy clinical AI tools that generate diagnostic summaries, care plan recommendations, and AI-assisted clinical documentation, a regulatory question is forming around whether patients and authorized providers have the right to access that AI-generated content under the Cures Act information blocking framework. The ONC’s position, not yet finalized through rulemaking as of mid-2026 but directionally clear from agency guidance, is that AI-generated content incorporated into a patient’s designated record set is subject to the same access rights as any other electronic health information. Health systems deploying clinical AI tools should work with CLO review to assess whether AI-generated content in the EHR is accessible to patients through existing portal infrastructure, and whether any current technical restriction on that access would constitute information blocking under the Patient Access or Interoperability exceptions. This is the information blocking risk vector that most compliance programs have not yet mapped, and the 34% annual increase in ONC complaint volume suggests the plaintiff and patient advocacy bar is ahead of most compliance programs on this question.

3. Value-Based Care Regulatory Compliance: The Obligations Inside the Incentives

The transition from fee-for-service to value-based payment has been a strategic priority for health systems for over a decade. What has received less systematic attention is the regulatory compliance infrastructure that value-based care arrangements require, and the specific obligations that create compliance exposure when they are not met.

Value-based care contracts, whether through Medicare Advantage, Medicaid managed care, commercial risk arrangements, or CMS alternative payment models, embed compliance requirements that are distinct from and in addition to standard billing compliance. For the Chief Medical Officer, Chief Quality Officer, and VP of Revenue Cycle, understanding this compliance layer is not optional. It is a condition of sustainable participation in risk-based contracting.

Quality measure data integrity as a compliance obligation

In a value-based care environment, quality measure performance is not just a clinical achievement metric: it is a billing determinant. Bonus payments under shared savings arrangements, quality withhold releases under managed care contracts, and risk adjustment payments under Medicare Advantage all depend on quality and clinical data that the health system submits to payers and regulators.

When that data is inaccurate, in either direction, the organization has a compliance problem. Submitting inflated quality data to obtain quality bonus payments is False Claims Act exposure. Failing to submit complete risk adjustment data under Medicare Advantage is revenue leakage and potentially a compliance obligation failure under the contract terms. Both risks are managed through the same underlying capability: accurate, complete, and well-governed clinical and quality data.

Patient attribution and care management obligations

Many value-based care arrangements, particularly Medicare Shared Savings Program ACOs and total cost of care models, carry explicit care management obligations for attributed patient populations. When the organization cannot accurately identify its attributed patients, cannot track care plan compliance, or cannot demonstrate the care coordination activities required under the contract, it is not just leaving value-based revenue on the table. It may be in breach of its contractual compliance obligations.

For the Chief Compliance Officer, value-based care contracts deserve the same compliance monitoring infrastructure as billing compliance, including periodic audits of attribution accuracy, care management documentation, and quality measure data integrity.

The most active VBC enforcement area currently is Medicare Advantage Risk Adjustment Data Validation (RADV). CMS conducts RADV audits to verify that diagnosis codes submitted for risk adjustment payments are supported by medical record documentation. The extrapolation methodology CMS uses, which projects findings from an audit sample to the entire contract-year population, means a relatively small number of unsupported codes can generate repayment demands in the tens of millions for large MA plans and the health system providers that submit encounter data to them. For health systems with significant Medicare Advantage volume, RADV readiness is not a payer relations issue: it is a compliance program priority. Organizations should conduct internal RADV-style audits annually, validate that submitted HCC codes are supported by current-year medical record documentation, and address documentation gaps proactively before CMS selects them for audit.

4. Cybersecurity and HIPAA: The Regulatory Convergence That Is Reshaping Compliance Programs

HIPAA’s Security Rule has required health systems to maintain administrative, physical, and technical safeguards for electronic protected health information since 2005. For most of that period, HIPAA security compliance was managed as an IT governance function: risk assessments, access controls, encryption standards, and workforce training.

Two developments have fundamentally changed this framing.

The first is the dramatic increase in healthcare cybersecurity incidents. Healthcare remains the most targeted industry for ransomware and data breach activity, and the operational and financial consequences of major incidents, including the 2024 Change Healthcare attack, which disrupted revenue cycle operations across thousands of health systems for weeks, have elevated cybersecurity from an IT risk to a board-level strategic risk.

The second is the evolution of HHS enforcement posture. OCR’s HIPAA security enforcement actions have consistently identified the same underlying failures: inadequate risk analysis, failure to implement identified controls, insufficient workforce training, and inadequate business associate management. These are not technical failures: they are governance failures. And OCR is holding executive leadership accountable for them.

What the new HHS cybersecurity strategy means for compliance programs

HHS released an updated healthcare cybersecurity strategy in 2024 that signals a significant shift in the regulatory approach to health system cybersecurity. The strategy contemplates updating HIPAA Security Rule requirements to be more specific and prescriptive, and it proposes incentive structures for health systems that adopt recognized cybersecurity frameworks, along with enforcement consequences for those that do not.

For the Chief Compliance Officer and Chief Legal Officer, the implication is clear: HIPAA security compliance is moving from a principles-based framework that health systems could interpret flexibly to a more prescriptive standard with defined technical and administrative requirements. Organizations that have maintained a minimal compliance posture, meeting the letter of the current rule without investing in robust security capabilities, will face increasing exposure as the regulatory standard evolves.

Business Associate Risk as a Compliance Obligation, Not Just a Contract Matter

The Change Healthcare incident demonstrated, at scale, that health system operational and compliance exposure from business associate relationships is not adequately managed through contract terms alone. When a critical vendor’s systems are compromised, the health system faces regulatory exposure under HIPAA’s breach notification requirements and potentially under state data breach laws, regardless of what the business associate agreement says.

For the Chief Compliance Officer and Chief Data Officer, this requires a more sophisticated approach to business associate risk management than most health systems currently have in place. Vendor cybersecurity assessments, contractual incident response requirements, and operational continuity planning for critical vendor disruptions are not just prudent risk management: they are increasingly components of an adequate HIPAA compliance program.

The risk profile extends beyond traditional cybersecurity vendors to the rapidly expanding category of clinical AI tools. In April 2026, a class-action lawsuit was filed against Sutter Health and Memorial Health, alleging that their use of Abridge AI’s ambient documentation platform resulted in the unauthorized recording and transmission of sensitive patient conversations without prior consent. The plaintiffs allege violations of California consumer privacy law and the federal Wiretap Act, not HIPAA, despite the existence of a business associate agreement between the AI vendor and its health system clients. This distinction is critical: executing a BAA does not resolve exposure under state wiretapping statutes or consumer privacy laws, which impose independent consent obligations. For health systems currently deploying or evaluating ambient AI scribes, clinical documentation AI, or any tool that captures audio or clinical data from patient encounters, the immediate compliance priority is verifying that patient consent processes are explicit, documented, and operationally enforced, not merely addressed in vendor agreements.

Building a Regulatory Intelligence Function That Can Keep Pace

The four regulatory areas addressed in this blog share a common characteristic: they are all evolving faster than a static compliance program can track. Price transparency enforcement standards are changing. Information blocking penalty structures are expanding. Value-based care compliance obligations are proliferating as contract models become more complex. HIPAA security requirements are moving toward greater specificity.

Health systems that are managing this environment most effectively have invested in a regulatory intelligence capability, a structured function within the compliance organization that monitors regulatory developments, translates them into operational implications, and ensures that compliance program updates are driven by regulatory trajectory rather than enforcement actions.

This is not a large investment. It is a disciplined one. It requires designated responsibility for regulatory monitoring across the key domains: CMS billing and payment, OIG enforcement priorities, OCR privacy and security, ONC interoperability, and state regulatory developments. It requires a governance process for translating regulatory developments into compliance program updates. And it requires an executive-level forum (at a minimum, the Chief Compliance Officer, Chief Legal Officer, and Chief Data Officer) where regulatory intelligence is reviewed and compliance strategy is adjusted.

The alternative, responding to regulatory changes after they become enforcement actions, is a posture that no health system can afford to maintain.
