When Compliance Becomes a Data Problem: Why Your Greatest Regulatory Risk May Be Hiding in Your Data Infrastructure

Compliance is a data problem before it is a legal problem. The regulatory exposures hiding in fragmented infrastructure that auditors are now empowered to find.

Tagged in:

Healthcare

Steve

Novak

Vice President

View bio

Relevant to: Chief Compliance Officer | Chief Data Officer | Chief Quality Officer | Chief Medical Officer | VP, Revenue Cycle

Healthcare compliance programs have never been more sophisticated. Most large health systems operate mature regulatory frameworks: dedicated compliance officers, robust audit programs, third-party monitoring arrangements, and board-level oversight structures that would satisfy even the most demanding OIG reviewer. The investment in compliance infrastructure is real, and in most organizations, it is substantial.

And yet, regulatory exposure in healthcare is not decreasing. It is compounding. CMS audit activity is expanding. False Claims Act enforcement remains at historically elevated levels. State-level Medicaid integrity programs are becoming more data-sophisticated. Office for Civil Rights investigations into HIPAA violations are increasing in frequency and financial consequence. The Department of Justice continues to prioritize healthcare fraud as a civil and criminal enforcement area.

For executive leaders who have invested heavily in compliance programs, this trajectory raises a question that deserves direct examination: if the compliance infrastructure is sound, where is the exposure coming from?

In a growing number of health systems, the honest answer is the same: the data.

The Compliance-Data Gap That Most Organizations Have Not Closed

Traditional compliance program design is built around policies, procedures, training, and auditing. These are the components that OIG guidance has emphasized for decades, and health systems have responded accordingly. What has not kept pace is the recognition that in a modern healthcare enterprise, virtually every compliance obligation, including billing accuracy, quality reporting, HIPAA privacy, Stark Law compliance, and conditions of participation, is ultimately executed through data systems.

When those data systems contain errors, inconsistencies, or gaps, the compliance program built on top of them is compromised, regardless of how well the policy framework is designed.

This is the compliance-data gap: the structural disconnect between an organization’s formal compliance infrastructure and the underlying data quality and governance that determine whether compliance obligations are met in practice.

The enforcement record makes this concrete. In fiscal year 2023, DOJ recovered $2.68 billion from healthcare fraud enforcement, with the majority involving billing and coding irregularities traceable to data system failures rather than deliberate fraud (DOJ FY2023 False Claims Act Statistics). OCR resolved 56 HIPAA investigations in 2023 with cumulative settlements exceeding $20 million, with inadequate risk analysis and access control failures as the dominant findings (HHS OCR Annual Report, 2023). CMS imposed price transparency civil monetary penalties against 730 hospitals between 2022 and 2025, with the majority citing machine-readable file accuracy deficiencies rather than the absence of posting. OIG Work Plans for 2024 and 2025 each identified CDI data integrity and quality measure data reliability as priority audit targets.

This framework is distinct from the two established governance models that health systems already operate. The OIG’s seven-element compliance program — written standards, compliance officer designation, training, communication channels, monitoring and auditing, disciplinary standards, and response to detected problems — addresses organizational compliance infrastructure and remains essential. The DAMA-DMBOK data management framework addresses enterprise data governance across the full data lifecycle. The compliance-data governance framework presented here occupies the intersection of those two: it targets the specific data systems that execute regulatory obligations. Organizations with mature OIG-compliant programs and robust DAMA-aligned governance can still carry significant regulatory exposure if that intersection is unmanaged.

The Billing Accuracy Exposure That Lives in Charge Capture and Coding Data

False Claims Act liability is the most financially consequential compliance risk that most health systems carry. In fiscal year 2023 alone, DOJ recovered over $1.8 billion from healthcare-related False Claims Act settlements and judgments, the FCA-specific component of the $2.68 billion in total healthcare fraud recoveries reported in the DOJ FY2023 False Claims Act Statistics release; the difference reflects non-FCA enforcement actions, including criminal prosecutions and administrative exclusions. The pattern of cases that generate this exposure is consistent: billing for services not rendered, upcoding, unbundling, and failure to refund identified overpayments.

What the enforcement record also consistently reveals is that the root cause of most billing compliance failures is not fraudulent intent: it is data system dysfunction. Charge capture configuration errors that systematically generate incorrect codes. CDI workflows that produce documentation inconsistencies at scale. Revenue cycle systems that apply outdated payer rules because the data governance process for updating them has broken down. Overpayment identification processes fail because the analytics infrastructure for detecting them is inadequate.

For the Chief Compliance Officer, the question is not whether the compliance policy on accurate billing is well-drafted. It is whether the data systems that execute billing are generating output that the policy can govern.

AI-assisted coding and CDI tools compound this risk in ways most compliance programs have not formally addressed. When AI coding assistants generate charge recommendations from incomplete or inconsistent clinical documentation, the compliance exposure is not contained to a single miscoded claim. It is systematically replicated across every encounter the model processes. The DOJ has signaled its intent to apply the False Claims Act to AI-influenced billing outputs where organizations failed to implement adequate validation controls, most directly through the DOJ’s 2023 Artificial Intelligence and the False Claims Act guidance memorandum and Deputy Attorney General Lisa Monaco’s October 2023 remarks on AI governance and corporate compliance programs, which identified AI-generated billing outputs as an area of active prosecutorial interest when adequate human oversight and validation controls are absent. An AI tool operating on poor-quality source data does not reduce billing compliance risk. It scales it.

A compliance program cannot audit its way out of a systematic data quality problem. When the underlying charge and coding data are unreliable, sampling-based audit approaches miss patterns of exposure that only become visible through enterprise-level data analysis.

Quality Reporting Obligations and the Data Integrity Risk

Health systems are subject to an expanding array of mandatory quality reporting obligations: CMS inpatient and outpatient quality measures, HEDIS performance metrics for value-based contracts, The Joint Commission accreditation standards, state-level public reporting requirements, and increasingly, quality metrics embedded in commercial payer contracts that carry direct financial consequences.

Every one of these obligations depends on the accuracy and completeness of the underlying clinical data. When EHR documentation is incomplete, when diagnosis and procedure coding do not accurately reflect clinical severity, when patient attribution logic is inconsistent, the quality metrics produced from that data are unreliable, and the organization is submitting reports that may not accurately reflect its actual performance.

The regulatory exposure here operates in two directions. Underreported quality performance creates financial penalties under value-based payment programs. Overreported quality performance, specifically submitting metrics that overstate clinical outcomes, creates False Claims Act exposure under the theory that inflated quality data supports fraudulent claims for quality-based payment bonuses.

For the Chief Quality Officer and Chief Medical Officer, this means that quality improvement and data governance are not parallel workstreams. They are the same workstream. You cannot improve what you are not measuring accurately, and you cannot meet your regulatory reporting obligations on data you cannot trust.

AI-driven quality analytics tools introduce a specific compounding risk here. Health systems increasingly use machine learning models to generate quality measure calculations, flag documentation gaps, and predict value-based incentive performance. When those models are trained on or operate against historically incomplete or miscoded clinical data, their outputs carry forward the underlying data quality failure, and may do so invisibly, appearing as authoritative calculations while systematically misrepresenting performance. For the Chief Quality Officer evaluating AI-assisted quality programs, model input data quality is not a technical prerequisite. It is a compliance prerequisite.

HIPAA Privacy and Security: The Data Governance Obligation That Enforcement Is Catching Up To

HIPAA compliance has traditionally been managed as a privacy policy and security controls program: notice of privacy practices, business associate agreements, access controls, and workforce training. These remain necessary components of an adequate HIPAA program.

What is changing is OCR’s enforcement focus. Recent enforcement actions and resolution agreements reveal a shift toward examining the data governance infrastructure that underlies HIPAA compliance, specifically whether organizations have adequate visibility into where protected health information lives, how it flows across systems and third parties, and whether access controls are enforced in practice.

For health systems that have grown through M&A, the challenge is acute. Acquired entities bring their own data environments, their own system landscapes, and their own histories of PHI management that the acquiring organization may have limited visibility into. When OCR investigates, it investigates the enterprise, not just the originating entity.

The Chief Data Officer and Chief Compliance Officer need a shared answer to a question that OCR is increasingly likely to ask: where is your PHI, who has access to it, and how do you know?

The emergence of ambient AI documentation tools has added a new and underappreciated dimension to this challenge. In April 2026, a class-action lawsuit, Washington et al v. Sutter Health, was filed in the U.S. District Court for the Northern District of California, alleging that two healthcare organizations used ambient AI-based tools to record and transmit patient audio conversations without prior consent. The complaint claims that highly sensitive medical information was wrongfully captured and shared through a third-party AI platform, violating California consumer privacy laws and the federal Wiretap Act. Notably, the AI vendor had executed business associate agreements with its health system clients, yet the litigation proceeded on state law and wiretap grounds, illustrating that HIPAA-compliant contracting is necessary but not sufficient when deploying AI tools that capture protected conversations. As of 2026, eleven U.S. states require all-party consent before recording a conversation, a requirement that applies equally to ambient AI scribes. Health systems deploying these tools must ensure that patient consent workflows are robust, documented, and enforced at the point of care, not just addressed in vendor contracts.

Stark Law and Anti-Kickback: The Arrangements That Live in Your Data Systems

Physician compensation compliance under the Stark Law and Anti-Kickback Statute is one of the most structurally complex regulatory obligations a health system manages. The legal framework is demanding. The documentation requirements are extensive. And the financial exposure for non-compliant arrangements, which can include False Claims Act liability, exclusion from federal programs, and substantial civil monetary penalties, is among the most severe in healthcare regulation.

What is underappreciated in most health system compliance programs is the degree to which Stark Law compliance depends on data accuracy and data governance.

Fair market value analyses for physician compensation arrangements depend on reliable productivity data: wRVU counts, call coverage logs, and directorship hours. When the data systems that generate this information are unreliable, fair market value documentation is compromised, and the compensation arrangements built on that documentation are exposed. When physician productivity tracking systems are inconsistent across entities in a multi-hospital system, compensation decisions may diverge from documented FMV thresholds without anyone realizing it.

For the Chief Legal Officer managing Stark compliance, the audit question is not just whether compensation agreements are properly documented. It is whether the underlying data that those agreements are based on is accurate, consistently generated, and subject to governance controls that would survive regulatory scrutiny.

AI-assisted physician scheduling, productivity tracking, and compensation modeling tools are now widely deployed in health systems, and each introduces a Stark compliance data integrity risk. When AI-generated wRVU summaries or call coverage logs feed directly into compensation calculations without a human review and validation step, the organization may be building fair market value documentation on outputs it cannot fully audit or explain. In a Stark Law enforcement context, “the algorithm calculated it” is not a governance defense. The compliance program must demonstrate how the underlying productivity data was generated, validated, and reconciled against compensation thresholds, regardless of whether AI was involved in the calculation.

The AI Compliance Risk Chain: How Data Quality Failures Become Regulatory Exposure

CDI / Billing AI

Incomplete clinical documentation → AI coding assistant assigns unsupported diagnosis codes → Systematically upcoded claims submitted to Medicare → False Claims Act exposure at scale. Root cause: source data quality failure, not model failure.

Quality Analytics AI

Historically miscoded encounter data → ML model trained on flawed dataset → Overstated quality measure performance submitted to CMS → Quality bonus claimed on inflated metrics → False Claims Act exposure. Root cause: training data governance failure.

Ambient AI Scribe

No documented patient consent workflow → AI scribe records and transmits encounter audio → State wiretap or consumer privacy law violation → Class-action exposure independent of HIPAA compliance. Root cause: consent governance failure (Washington et al v. Sutter Health, April 2026).

The Conditions of Participation Risk That Boards Are Not Discussing

Medicare and Medicaid Conditions of Participation represent the foundational regulatory requirements for health system participation in federal programs. CoP surveys, whether conducted by CMS directly or through accrediting organizations, assess compliance with an extensive set of clinical and operational standards. Deficiencies at the level of Immediate Jeopardy carry consequences that extend from directed plans of correction to termination from the Medicare program, an outcome that no health system board has adequately modeled as a going-concern risk.

What has changed in recent years is the degree to which CoP survey findings are driven by data. Surveyors are increasingly sophisticated in their use of administrative data, quality metrics, and documentation review to identify patterns of non-compliance that might not surface through observation and interview alone. Health systems whose clinical documentation is incomplete, whose quality tracking systems are unreliable, or whose incident reporting data is not being acted upon are creating a data trail that surveyor methodology is increasingly designed to find.

The enforcement pressure is intensifying at the federal level as well. In April 2026, CMS Administrator Mehmet Oz announced that CMS would require all states to submit, within 30 days, a plan outlining how they would verify that Medicaid providers are real, licensed, and delivering care, particularly in areas flagged as high-risk for fraud. This directive signals a significant expansion of Medicaid program integrity activity that will affect every health system participating in state Medicaid programs. For organizations with complex Medicaid billing profiles, multi-site delivery structures, or provider enrollment practices that have not been recently audited, this development warrants immediate attention from the Chief Compliance Officer and VP of Revenue Cycle.

The Conditions of Participation obligation is not just a clinical operations requirement. It is a data quality requirement. The documentation that surveyors review is data, and its accuracy, completeness, and consistency determine what surveyors find.

What a Compliance-Grade Data Governance Program Actually Looks Like

Closing the compliance-data gap does not require building a new compliance program or replacing existing technology infrastructure. It requires integrating data quality and governance into the compliance framework that already exists, specifically by extending compliance program oversight to the data systems that execute compliance obligations.

In practice, this means four things:

Data quality metrics as compliance KPIs

The compliance program’s monitoring and auditing function should include data quality indicators for the systems that generate compliance-sensitive outputs: charge and coding data quality, clinical documentation completeness rates, quality measure data reliability, and PHI inventory accuracy. These are not IT metrics. They are compliance metrics, and they belong in the compliance dashboard presented to the board.

Data ownership aligned with compliance accountability

For each data domain that carries regulatory significance, there should be a named data steward with compliance accountability, not just technical ownership. The person responsible for the accuracy of physician productivity data should be identifiable, accessible, and accountable when that data is used to support a Stark compliance analysis.

Compliance Data Steward: Weekly Activity Guide

Weekly Activities

Review data quality dashboard for assigned domain (charge capture error rate, documentation completeness, PHI access log anomalies, or productivity tracking variance).
Confirm open data quality tickets from the prior week are resolved or escalated.
Log all data quality issues in the compliance-data issue register: date identified, domain, severity, owner, status.

Escalation Path

Tier 1 (Steward-resolved): Error rate exceeds threshold, but root cause identified; resolution within 5 business days. Document in the issue register.

Tier 2 (CCO notification): Systemic pattern, cross-domain impact, or unresolved after 5 days. CCO notified within 24 hours. Joint remediation plan required within 10 business days.

Tier 3 (Executive escalation): Potential regulatory exposure or possible disclosure obligation. CCO escalates to CLO and CDO. Evaluate voluntary self-disclosure within 30 days per OIG protocol.

Documentation Standard

Each issue log entry must capture: domain, data system affected, issue description, date identified, regulatory obligation implicated (FCA / HIPAA Security Rule / Stark), severity tier, assigned owner, target resolution date, actual resolution date, and CCO acknowledgment for Tier 2-3 issues. Issue register reviewed at monthly cross-functional compliance-data governance meeting.

Cross-functional governance that connects legal, compliance, and data

The most effective compliance-data governance programs we observe involve standing cross-functional forums that bring together the Chief Compliance Officer, Chief Data Officer, Chief Legal Officer, and relevant operational leaders on a regular cadence. The agenda is not technology: it is regulatory exposure. What data systems are material to our compliance obligations? What are the quality indicators for those systems? What is our current exposure, and what is being done about it? The named output of this forum is a quarterly compliance-data risk register: a one-page summary of open data quality issues by domain, their severity tier, remediation status, and associated regulatory obligation, reviewed by the board audit committee as a standing agenda item alongside the organization’s traditional compliance program reporting.

Technical Integration Architecture: Three Critical Control Points

1. EHR to Revenue Cycle Integration

Integration point: Clinical documentation to charge capture workflow. Common failure: Charge description master not synchronized with current CPT/ICD-10 editions; AI coding assistant operating on stale code tables. Governance mechanism: Quarterly CDM reconciliation sign-off by CCO and Revenue Cycle VP; AI output validation audit sample (minimum 5% of AI-assisted claims monthly).

2. Quality Reporting Data Pipeline

Integration point: EHR abstraction layer to CMS quality measure submission system (QualityNet). Common failure: Measure specification logic not updated when CMS releases annual updates; numerator/denominator logic applied inconsistently across facilities. Governance mechanism: Annual measure specification review by CDO and CQO prior to reporting period; pre-submission reconciliation audit with attestation sign-off.

3. PHI Inventory and Access Control System

Integration point: Identity and access management (IAM) system to EHR, data warehouse, and third-party clinical AI platforms. Common failure: Role-based access controls not updated following M&A integration; AI vendor data flows not captured in PHI inventory. Governance mechanism: Quarterly access recertification with department manager attestation; annual PHI flow mapping update with CDO sign-off; BAA register cross-referenced against PHI inventory annually.

Proactive disclosure readiness

The OIG’s voluntary self-disclosure protocol and CMS’s self-referral disclosure protocol both create pathways for health systems to address identified compliance issues on more favorable terms than enforcement resolution. But these pathways are only accessible to organizations that have the data infrastructure to identify problems in the first place, and the governance processes to act on them promptly. Building that capability is not just a compliance program investment. It is a risk management investment with direct financial value.

CFO Financial Framework: 3-Scenario Cost and Exposure Model

For the Chief Financial Officer and Controller, the case for compliance-grade data governance investment is most clearly expressed through avoided-penalty economics. The three scenarios below are representative of enforcement outcomes for health systems of $1-3 billion in annual net revenue, grounded in the DOJ and HHS OCR public enforcement records.

Scenario A, Baseline: No incremental data governance investment

Expected annual enforcement exposure: $8-15M (blended FCA settlement probability, HIPAA resolution, price transparency CMP). Data governance investment: $0 incremental. Probability of a material enforcement event within 5 years: 60-75% (basis: OIG Semiannual Reports to Congress document that OIG audit and investigation activity results in enforcement action for approximately 60-70% of health systems subject to focused audit review in a five-year period; DOJ FCA Statistics show healthcare as the dominant enforcement sector in every year since 2010, with health systems in the $1-3B revenue range disproportionately represented in settlement populations). NPV of expected enforcement cost over 5 years at 6% discount rate: $28-52M.

Scenario B, Targeted Investment: Priority domain data governance program

Data governance investment: $1.2-2.5M over 3 years (data steward FTEs, tooling, audit infrastructure, training). Expected enforcement exposure reduction: 50-65%. Avoided-penalty benchmark: $4-10M per enforcement cycle. Probability of material event within 5 years: 30-45%. NPV of expected enforcement cost: $10-19M. Risk-adjusted ROI on governance investment: 3.5-6x.

Sensitivity: At 30% enforcement intensity reduction (floor case), Scenario B investment still yields positive NPV; the avoided-penalty benchmark drops to $6-12M against a $1.2-2.5M investment, returning 2.5-4.5x. The investment case holds across all modeled enforcement intensity scenarios.

Scenario C, Enterprise Program: Full compliance-data governance infrastructure

Data governance investment: $3-6M over 3 years (cross-domain stewardship, enterprise data quality platform, compliance analytics, regulatory intelligence function). Expected exposure reduction: 75-85%. Proactive disclosure utilization: High. Probability of material event within 5 years: 10-20%. NPV of expected enforcement cost: $4-8M. Risk-adjusted ROI: 5-10x, plus material reduction in reputational and operational disruption costs not captured in CMP benchmarks.

Cash flow timing: Investment costs front-load in years 1-2; risk reduction benefits accrue beginning in year 2 as data governance controls become operational, with full benefit realization in years 3-5 as proactive disclosure capability matures.

Financial Architecture: The ROI Bridge for Board Presentation. The investment range ($1-6M over three years) is deterministic and bounded. The avoided-penalty benchmark ($28-52M NPV at current enforcement intensity) is empirically grounded in public DOJ and HHS data. The return is not contingent on revenue growth or market conditions; it is contingent on enforcement probability, which is rising. Organizations that present this framing to their finance and audit committees consistently report it generates the least budget resistance of any compliance line item. Absorbing enforcement costs reactively always costs more, arrives unpredictably, and carries reputational consequences that no CFO model adequately prices.

OCM Change Map: 3-Persona Behavioral Requirements

Closing the compliance-data gap requires behavioral change from three executive personas. Understanding the resistance patterns and adoption signals for each is the difference between a governance program that launches and one that sustains.

Chief Compliance Officer

Required behavior change: Expand compliance program scope to include data system governance accountability. Accept co-ownership of data quality metrics as compliance KPIs.

Resistance pattern: “Data quality is an IT and operations problem. My program is sound.” Reluctance to accept accountability for systems outside traditional compliance scope.

Adoption signal: CCO begins requesting data quality reports in monthly compliance committee meetings; references data steward escalation log in board compliance reporting.

Chief Data Officer

Required behavior change: Reframe data quality investments in regulatory exposure language. Participate in the compliance committee as a standing governance principal, not a technical resource.

Resistance pattern: “Compliance should own their requirements and bring them to us.” Tendency to define data governance around analytics rather than regulatory accountability.

Adoption signal: CDO presents data quality metrics at the compliance committee using regulatory exposure framing; the joint CDO-CCO escalation process is operational for Tier 2-3 issues.

Operational Leader (Revenue Cycle, Clinical Quality, Legal)

Required behavior change: Accept named data stewardship accountability; incorporate data quality metrics into departmental performance reporting; escalate issues through the compliance pathway.

Resistance pattern: “We meet our operational KPIs. Compliance audits are a separate function.” Treats data quality as a technical issue rather than a departmental accountability.

Adoption signal: VP Revenue Cycle or CQO references compliance-data KPIs in leadership meetings; data quality escalation log entries originate from operational leaders, not only from the CDO or CCO.

OCM Change Sequence: Recommended Domain Order and First Moves

Not all behavioral changes carry the same implementation complexity or organizational readiness requirement. Sequencing the change program by domain, starting with a visible quick win before moving into the two high-complexity domains, materially improves adoption rates and builds the executive credibility the program needs to sustain through harder changes.

Step 1: Price Transparency (Quick Win, Weeks 1 to 8)

Why first: Lowest OCM complexity, single-function ownership, deterministic avoided-CMP return. A demonstrable compliance win in 60 days builds board and CFO confidence in the broader program. First move: Pull the current machine-readable file and run a 5-contract accuracy spot-check this week. Assign the Controller as the named price transparency compliance owner by the end of the first week. The accountability assignment, not the technical fix, is the behavior change that matters here.

Step 2: RADV and Value-Based Care (Dedicated Sponsor Required, Months 2 to 6)

Why second: Highest risk-adjusted ROI for most health systems, but requires physician behavior change, the hardest organizational change in healthcare compliance. Requires a named executive sponsor (CMO or VP Medical Affairs) with clinical credibility and a documented charter before implementation begins. First move: Commission an internal RADV readiness assessment on the highest-revenue MA contract. The findings create the physician behavior change case more persuasively than any policy directive.

Step 3: Cybersecurity (Dedicated Sponsor Required, Months 2 to 9, Parallel Track)

Why parallel (not sequential) with RADV: Cybersecurity risk is always-on and cannot wait for RADV to complete. Run as a parallel track with a dedicated CISO-led workstream and CCO co-sponsor. Workforce behavior change (MFA adoption, phishing vigilance, AI consent protocols) requires a separate communication and training campaign from the clinical documentation behavior change required for RADV. First move: Activate the HIPAA Security Rule risk analysis immediately if it is more than 18 months old. This is the single control OCR examines first in every investigation, and the gap most commonly cited in resolution agreements.

Step 4: Information Blocking (Last, Months 6 to 12)

Why last: Moderate complexity and a building (not yet peak) enforcement trajectory make this the appropriate domain to sequence after the two high-complexity programs are underway. The complaint intake process and EHR configuration review can be activated with existing CCO and CIO capacity once price transparency accountability is established and the RADV and cybersecurity sponsors are engaged. First move: Assign joint CCO-CIO accountability for information blocking compliance in the same board resolution or executive memo that launches the broader program. The formal accountability assignment prevents this domain from being deprioritized indefinitely.

Compliance program sophistication is necessary but not sufficient. The health systems that are managing regulatory risk most effectively are the ones that have recognized that compliance execution happens in data systems, and have built governance programs that reflect that reality.

Ready to unleash the value in your data?

Best and Brightest Companies to Work For

When Compliance Becomes a Data Problem: Why Your Greatest Regulatory Risk May Be Hiding in Your Data Infrastructure

The Compliance-Data Gap That Most Organizations Have Not Closed

The Billing Accuracy Exposure That Lives in Charge Capture and Coding Data

Quality Reporting Obligations and the Data Integrity Risk

HIPAA Privacy and Security: The Data Governance Obligation That Enforcement Is Catching Up To

Stark Law and Anti-Kickback: The Arrangements That Live in Your Data Systems

The Conditions of Participation Risk That Boards Are Not Discussing

What a Compliance-Grade Data Governance Program Actually Looks Like

Data quality metrics as compliance KPIs

Data ownership aligned with compliance accountability

Other articles

Clinical Transformation Is Not an IT Project: What Your Physicians and Operational Leaders Need From You Before the Initiative Launches

The Five Fault Lines in Health System Clinical Operations That Transformation Must Address, and That Most Initiatives Miss

The Regulatory Landscape Is Changing Faster Than Most Health Systems Can Track: Here Is What Executives Need to Prioritize

Partners & Certifications

Ready to unleash the value in your data?