Compliance guides for medical practices

Plain-language playbooks for the moments that matter — audit letters, breach windows, regulatory deadlines, specialty obligations. Every article is source-grounded against HHS, OCR, CMS, eCFR, NIST, and the state regulators we cite.

When the letter just arrived

Emergency Response

Time-bound playbooks for audit letters, breach windows, and regulator outreach. Open these when the clock is already running.

Emergency Response

Additional Documentation Request (ADR): How to Respond Inside the Window

Medicare ADR response windows are contractor-specific (45 days for MAC/SMRC/RAC, 30 days for UPIC). Miss the window and the claim auto-denies. Here is the procedure that actually works.

Emergency Response

Breach Risk Assessment: The 4-Factor Analysis Required by 45 CFR 164.402

After a possible PHI incident, the four-factor breach risk assessment at 45 CFR 164.402 determines whether you notify. Do it in writing, do it on the record.

Emergency Response

CMS Provider Enrollment Revocation (855): How to Appeal a Form CMS-855 Action

A CMS revocation under 42 CFR 424.535 carries a 60-day reconsideration window and a re-enrollment bar. Here is the appeal track that protects billing rights.

Emergency Response

DEA On-Site Inspection Response: What to Do When the DEA Arrives

A DEA diversion investigator at the front desk with a Form 82 Notice of Inspection is a controlled-event, not a normal audit. Here is what consent means, what the inspector can access, and what to do in the first 30 minutes.

Emergency Response

HHS HIPAA Breach Portal: How to File a Breach Notification

Filing through ocrportal.hhs.gov is the single most-visible compliance act a practice ever performs. Here is the form, the numbers, and the choices that drive the OCR response.

Emergency Response

HIPAA Breach Notification: The 60-Day Window Step-by-Step

From discovery you have 60 calendar days to notify individuals, HHS, and possibly media. Here is the procedure that actually protects the practice.

Emergency Response

HIPAA Subpoena Response: Court Order vs Administrative Subpoena (45 CFR § 164.512)

Court order, civil subpoena, grand-jury subpoena, DEA administrative demand — each triggers a different HIPAA response path. Identify the type before you produce a single record.

Emergency Response

The Medicare 60-Day Overpayment Rule: How to Comply (and What Triggers Worse)

The 60-day clock starts at identification. Miss it, and the overpayment becomes a False Claims Act violation. Here is the actual procedure.

Emergency Response

Medicare TPE Audit: The 45-Day Response Window

Received a Medicare TPE letter from your MAC? You have 45 days from the ADR per claim. Sequence the response, address probe errors, and avoid Round 2.

Emergency Response

OCR Investigation Letter: Your 30-Day Response Playbook

Received an OCR HIPAA investigation letter? The first 30 days set the trajectory. Confirm the docket, freeze logs, route through counsel, and produce a tabbed response.

Emergency Response

OIG Self-Disclosure Protocol: When to Use It, When to Hold Back

The OIG SDP is a powerful resolution tool but it is not the right move for every matter. Here is how the 2021-amended SDP works and when counsel uses it.

Emergency Response

Payer Pre-Payment Review: 14-Day Response Template

A commercial payer pre-payment review holds your claims and gives 14 days to respond. Pull every chart, map to payer policy, and protect appeal rights.

Emergency Response

RAC Audit Response: First 14 Days After the Letter

A Recovery Audit Contractor (RAC) letter starts a 45-day documentation clock and a 30-day discussion-request window (separate from the 120-day Redetermination appeal clock). Sequence the first 14 days correctly.

Emergency Response

Recent OCR Settlements: What HHS Actually Penalizes (2025)

Risk Analysis Initiative, ransomware, right-of-access. The deficiency patterns driving recent OCR Resolution Agreements and what they cost.

Emergency Response

SMRC Audit Response: The Supplemental Medical Review Contractor Window

An SMRC letter gives a 45-day documentation window and is shorter-fuse than RAC. Here is the response procedure and how the findings feed back to CMS and the MACs.

Emergency Response

UPIC Audit Response: What to Do First (and What Not to Touch)

A UPIC letter signals suspected fraud, not a routine review. Engage counsel before responding. Here is the procedure that preserves the practice.

Emergency Response

ZPIC / I-MEDIC Audit Response: What's Different from UPIC

ZPIC is the legacy FFS program-integrity contractor (now UPIC); I-MEDIC is the Part C and Part D investigations contractor. Counsel before response. Here is what to do first.

The everyday program

Compliance Foundations and Payer Program

The baseline obligations every practice carries — HIPAA documentation, BAAs, exclusion screening, payer credentialing, and program maintenance.

Compliance Foundations

Annual HIPAA Training Curriculum (What to Cover + How to Document)

A 2026 annual HIPAA training curriculum for small healthcare practices — eight required modules under 45 CFR 164.530(b) and 45 CFR 164.308(a)(5), with documentation templates.

Compliance Foundations

Anti-Kickback Statute: What Medical Practices Actually Need to Know (42 USC § 1320a-7b(b))

The federal Anti-Kickback Statute is intent-based, criminal-grade, and the most common fraud-and-abuse theory in OIG enforcement. Here is what AKS actually prohibits, how the safe harbors function, and where practices get caught.

Compliance Foundations

Business Associate Agreement Template (2026) + Counterparty Tracker

A 2026 HIPAA Business Associate Agreement template with every 45 CFR 164.504(e) required clause, plus the vendor tracker auditors expect alongside it.

Compliance Foundations

Communicable Disease Reporting: CDC NNDSS + State Health Department Requirements

Federal 42 USC § 247b + CDC NNDSS + state reportable-disease lists: who reports, what conditions, timelines (immediate to weekly), and 45 CFR § 164.512(b) HIPAA permissibility.

Compliance Foundations

Domestic Violence Reporting for Healthcare Providers: When Reports Are Required

Most states do NOT mandate DV reporting by healthcare providers — but injury-by-weapon, child-witness, and elder-victim statutes do. State-by-state map + 45 CFR § 164.512(c).

Compliance Foundations

Drug-Exposed Newborn / Substance-Affected Infant Reporting (CARA + State Requirements)

Federal CAPTA + CARA (42 USC § 5106a): notification to CPS, Plan of Safe Care, state implementation in CA, TX, NY, FL, IL — plus 45 CFR § 164.512 and 42 CFR Part 2 layering.

Compliance Foundations

Healthcare Incident Response Plan — Template + Tabletop Exercise

A 2026 healthcare incident response plan template aligned to 45 CFR 164.308(a)(6) and NIST SP 800-61 Rev. 3, with a tabletop exercise script for small practices.

Compliance Foundations

Accounting of Disclosures (45 CFR § 164.528): Tracker + Procedure

A 2026 HIPAA Accounting of Disclosures procedure citing 45 CFR § 164.528 — the six-year lookback, what to log, exclusions, and a copy-ready tracker template.

Compliance Foundations

HIPAA Contingency Plan Template — 45 CFR § 164.308(a)(7)

2026 HIPAA contingency plan template — 45 CFR § 164.308(a)(7) data backup, DRP, emergency mode, testing, and applications/data criticality analysis.

Compliance Foundations

HIPAA Encryption Policy Template (45 CFR § 164.312(a)(2)(iv) + (e)(2)(ii))

2026 HIPAA encryption policy template — 45 CFR § 164.312(a)(2)(iv) at-rest, § 164.312(e)(2)(ii) in-transit, NIST SP 800-111 algorithms, key management.

Compliance Foundations

HIPAA Mobile Device & BYOD Policy Template (45 CFR § 164.310(d) + 164.308(a)(1)(ii)(B))

2026 HIPAA mobile and BYOD policy template — 45 CFR § 164.310(d), § 164.308(a)(1)(ii)(B), NIST SP 800-124r2, enrollment and offboarding workflow.

Compliance Foundations

HIPAA Privacy Officer: Required Duties + Job Description Template (2026)

The 2026 HIPAA Privacy Officer role: what 45 CFR 164.530(a) requires, duties auditors look for, and a copy-paste job description for small practices.

Compliance Foundations

HIPAA Right of Access Requests (45 CFR § 164.524): Respond Inside 30 Days

A 2026 HIPAA right-of-access procedure citing 45 CFR § 164.524, the 30-day window, OCR Right of Access Initiative settlements ($3,500–$240,000 through 2025), and the patient response packet.

Compliance Foundations

HIPAA Security Officer: Required Duties + Job Description Template

Required duties under 45 CFR 164.308(a)(2), a copy-ready 2026 HIPAA Security Officer job description, and what we see fail in practice.

Compliance Foundations

HIPAA Workforce Sanction Policy — Template (45 CFR 164.308(a)(1)(ii)(C))

A 2026 HIPAA workforce sanction policy template — required by 45 CFR 164.308(a)(1)(ii)(C), with a four-tier discipline matrix and documented application examples.

Compliance Foundations

HIPAA Workforce Training Log Template (2026) — Annual + New Hire

The 2026 HIPAA workforce training log auditors expect: required topics, hire-date and annual cadence, exact log columns, state extras (CA, TX, FL).

Compliance Foundations

Information Blocking Rule (21st Century Cures Act): Compliance for Medical Practices

The ONC Information Blocking Rule reaches every healthcare provider, with the Part 171 exceptions and CMS-administered provider disincentives that hit MIPS payment. Here is what the rule actually prohibits, the exceptions that apply to practices, and how enforcement landed in 2024.

Compliance Foundations

Mandatory Child Abuse Reporting for Healthcare Providers (Federal + 50-State Overview)

Federal CAPTA + state mandates: who reports, what triggers the duty, timeline, penalties, and the 45 CFR § 164.512(b)/(c) HIPAA carve-outs that permit disclosure to CPS.

Compliance Foundations

Mandatory Elder & Vulnerable Adult Abuse Reporting for Medical Practices

Federal Elder Justice Act + state APS statutes: who reports, what counts as abuse or neglect, financial exploitation, timeline, and 45 CFR § 164.512(c) HIPAA permissibility.

Compliance Foundations

Notice of Privacy Practices (NPP) Template — 2026

A 2026 Notice of Privacy Practices template aligned to 45 CFR 164.520, with every required header, the post-Dobbs reproductive-health content, and CMIA/HB 300 carveouts.

Compliance Foundations

The OIG's 7 Elements of an Effective Compliance Program (Applied to a Small Practice)

The OIG's seven elements of an effective compliance program, what each one looks like in a 1–15-clinician practice, and how to document each in 2026.

Medicare & Payer

OIG LEIE Monthly Exclusion Screening: Process + Audit-Ready Logs

Monthly OIG LEIE and SAM.gov exclusion screening for every workforce member and vendor: the workflow, the log fields auditors require, and the escalation path.

Compliance Foundations

Patient HIPAA Complaint Handling: Internal Process + OCR Referral (45 CFR § 164.530(d))

Every covered entity must accept and document HIPAA complaints. The internal process is regulatory — not optional — and it is the single biggest driver of OCR referrals when missing.

Medicare & Payer

PECOS Provider Enrollment Verification (2026) — Quarterly Checklist

Quarterly PECOS provider enrollment verification workflow: who to check, the exact lookup steps, the audit log columns, and the revalidation escalation path.

Compliance Foundations

Security Risk Analysis Template (2026): What Auditors Actually Want

A 2026 HIPAA Security Risk Analysis template auditors actually read: NIST SP 800-30 scoring, ePHI asset inventory, every required 164.308 field, threat list.

Compliance Foundations

Stark Law (Physician Self-Referral): Compliance Basics for Designated Health Services

The Stark Law is strict-liability, civil-only, and triggers on Medicare claims for designated health services where a financial relationship exists. Here is what Stark actually prohibits, how the exceptions work, and where practices misread the in-office ancillary services exception.

Compliance Foundations

The Tarasoff Duty to Warn: State-by-State Rules for Healthcare Providers

Tarasoff v. Regents (1976) + Cal. Civ. Code § 43.92: when mental health and medical providers must warn or protect identifiable third parties — and the states that reject the duty.

Compliance Foundations

Healthcare Vendor Risk Assessment Template + Tier Matrix (45 CFR § 164.502(e), § 164.504(e))

2026 healthcare vendor risk assessment template — tier matrix, BAA tracking, NIST SP 800-161 supply chain, keyed to 45 CFR § 164.502(e) and § 164.504(e).

Rules that apply if you do this

Specialty Compliance

Specialty-specific obligations: pain management, telehealth, behavioral health, DME, clinical lab, and other regulated service lines.

Specialty Compliance

Ambulatory Surgery Center Compliance: CMS + State + Infection Control

42 CFR Part 416 Conditions for Coverage, CMS State Operations Manual Appendix L, the ASC Infection Control Surveyor Worksheet, and where state ASC licensure tightens the standard.

Specialty Compliance

Behavioral Health Compliance: 42 CFR Part 2 + HIPAA Together

How SAMHSA's 42 CFR Part 2 framework for substance use disorder records overlays HIPAA after the 2024 final rule alignment, and what behavioral health practices must document.

Specialty Compliance

Cardiology Compliance: Imaging Safety + Stress Testing Documentation

IAC/ICANL accreditation, CMS stress-test LCDs, 42 CFR 482.26 hospital imaging, and the documentation patterns that survive RAC and TPE audits in cardiology.

Specialty Compliance

Dermatology Compliance: Mohs Documentation + Pathology Coordination

CMS Mohs MUE/CCI edits, AAD Appropriate Use Criteria, the documentation patterns that distinguish 17311 from 17313, and pathology TC/PC coordination.

Specialty Compliance

DME Documentation Requirements: Surviving a DMEPOS Audit

How CMS Pub. 100-08 Chapter 5, 42 CFR § 424.57 supplier standards, and UPIC and SMRC audit procedures govern DMEPOS documentation in 2026, with the exact records auditors request.

Specialty Compliance

Gastroenterology Compliance: ASC + Anesthesia + Pathology Coordination

How ASC Conditions for Coverage at 42 CFR Part 416, CMS Pub. 100-04 anesthesia rules, propofol monitoring documentation, USPSTF colorectal screening guidance, and TC/PC pathology splits apply to GI practices.

Specialty Compliance

Infusion Center Compliance: USP 797/800 + Medication Handling

USP 797 and USP 800 govern sterile compounding and hazardous-drug handling. State enforcement varies. Here is the actual standard set infusion centers are measured against.

Specialty Compliance

OB/GYN Compliance: HIPAA + State Mandatory Reporting + Specialty Codes

ACOG documentation standards, state mandatory-reporting carveouts (CA, TX, NY, FL), HRSA Title X rules, and the global obstetric billing package — what OB/GYN audits sample first.

Specialty Compliance

Ophthalmology Compliance: ASC + Imaging + MIPS Documentation

How ASC Conditions for Coverage at 42 CFR Part 416, IRIS Registry MIPS reporting, ICD-10-CM laterality requirements, and CMS modifier 25 documentation rules apply to ophthalmology practices in 2026.

Specialty Compliance

Orthopedics Compliance: DME + ASC + Imaging Safety Stack

How DMEPOS supplier standards at 42 CFR 424.57, ASC Conditions for Coverage at 42 CFR Part 416, Stark in-office DME exceptions, and state radiation-control rules apply to orthopedic practices.

Specialty Compliance

Pain Management Compliance: DEA Registration + PDMP Requirements

How the DEA registration framework at 21 CFR Part 1304, state PDMP query mandates, and the DOJ's pain-practice enforcement posture apply to chronic-pain prescribers in 2026.

Specialty Compliance

Pathology Lab Compliance: CLIA Certificate Tiers + Documentation

How CMS administers CLIA at 42 CFR Part 493, the five certificate tiers (Waiver, PPMP, Registration, Compliance, Accreditation), and what pathology labs must document at each complexity level.

Specialty Compliance

Physical Therapy Medicare Compliance: Plan of Care + Documentation Rules

CMS Pub. 100-02 Chapter 15 §220 and 42 CFR 410.59 govern outpatient PT documentation, plan-of-care signatures, KX modifier thresholds, and TPE audit triggers.

Specialty Compliance

Podiatry Compliance: DME + X-ray + Medicare Routine Foot Care Rules

How the Medicare routine foot care exclusion at 42 CFR 411.15, DMEPOS supplier standards at 42 CFR 424.57 for orthotics and diabetic shoes, state radiation-control rules for in-office X-ray, and the narrow Stark in-office ancillary services exception at 42 CFR 411.355(b) apply to podiatry.

Specialty Compliance

Psychiatry Compliance: Controlled Substances + 42 CFR Part 2 + Telepsychiatry

DEA controlled-substance prescribing, 42 CFR Part 2 SUD confidentiality, the DEA/HHS fourth temporary telemedicine extension through December 31, 2026, and the documentation surveyors actually sample first.

Specialty Compliance

Radiology Imaging Safety Program: ACR, MQSA + State Requirements

How the FDA's MQSA framework at 21 CFR Part 900, ACR accreditation standards, state radiation-control programs, and CMS imaging billing rules together govern a radiology safety program.

Specialty Compliance

Sleep Medicine Compliance: AASM Accreditation + CMS Documentation

How AASM accreditation standards, the CMS NCD for home sleep apnea testing, polysomnography documentation rules, and DME PAP-therapy supplier standards apply to sleep medicine practices in 2026.

Specialty Compliance

Telehealth Compliance Post-PHE: Where the Rules Landed in 2026

How CMS Medicare telehealth flexibilities, DEA controlled-substance telemedicine rules, ONC standards, and state telehealth statutes interact for practices in 2026.

Specialty Compliance

Urology Compliance: Controlled Substances + ASC + In-Office CLIA

How DEA registration for in-office Schedule II prescribing, ASC Conditions for Coverage at 42 CFR Part 416, and CLIA certification at 42 CFR Part 493 for in-office urinalysis apply to urology practices.

Beyond the federal floor

State Compliance

State-specific compliance overlays for California, Texas, New York, Massachusetts, Florida, and others where state law goes further than HIPAA.

State Compliance

California Healthcare Compliance: CMIA + HIPAA — Where They Diverge

California's CMIA (Civ. Code §§ 56–56.37) vs HIPAA: stricter consent, 5-working-day inspection / 15-day copy access, private right of action, up to $25k per knowing-and-willful violation + misdemeanor exposure.

State Compliance

Colorado Privacy Act for Medical Practices: Where It Stacks on HIPAA

Colorado Privacy Act (C.R.S. § 6-1-1301 et seq.) vs HIPAA: narrow health-data carve-out, AG-only enforcement, $20k per-violation cap, and CRS § 6-1-716 30-day breach window.

State Compliance

Connecticut CTDPA for Medical Practices: HIPAA Overlay + Penalty Math

Connecticut CTDPA (Conn. Gen. Stat. § 42-515) vs HIPAA: entity-level HIPAA exemption, 60-day breach window, $5k/violation AG enforcement, and Section 36a-701b detail.

State Compliance

Florida Healthcare Compliance: FIPA Breach Notification + State Specifics

Florida Information Protection Act (F.S. § 501.171) vs HIPAA: 30-day breach window, AG notice at 500 residents, $500k penalty cap, F.S. § 456.057 records rules.

State Compliance

Georgia Healthcare Compliance: Breach Notification + State Medical Records Rules

Georgia O.C.G.A. § 10-1-911 breach notification and § 31-33-2 medical records access vs HIPAA: no fixed breach window, 30-day record access, fee-cap exposure, and UDTPA private right of action.

State Compliance

Illinois Healthcare Compliance: BIPA, GIPA + State Medical Records Rules

Illinois BIPA (740 ILCS 14/) and GIPA (410 ILCS 513/) vs HIPAA for medical practices: where the state statutes bite harder, private right of action, and penalty math.

State Compliance

Massachusetts 201 CMR 17.00 for Healthcare: The Written Information Security Program

Massachusetts 201 CMR 17.00 vs HIPAA for medical practices: mandatory WISP, encryption requirements, M.G.L. c. 93H breach notice, 93A private right of action.

State Compliance

Michigan Healthcare Compliance: Identity Theft Protection Act + Patient Records

Michigan ITPA (MCL 445.61) and Medical Records Access Act (MCL 333.26261) vs HIPAA: $250-$750 per violation, HIPAA-compliance safe harbor at MCL 445.72(10), 30-day records access under MCL 333.26265(2).

State Compliance

Nevada SB 538 (Consumer Health Data): What It Means for Medical Practices

Nevada SB 538 (NRS 603A.400–550) vs HIPAA: broad consumer health data definition, geofence prohibition at NRS 603A.540, AG-only enforcement, entity-level HIPAA carve-out.

State Compliance

New Jersey Healthcare Compliance: NJ Identity Theft Prevention Act + State Specifics

NJ Identity Theft Prevention Act (N.J.S.A. 56:8-161) vs HIPAA for medical practices: encryption safe harbor, breach reporting to State Police, and N.J.A.C. 13:35-6.5 records rules.

State Compliance

New York SHIELD Act for Medical Practices: The Reasonable Safeguards Standard

NY SHIELD Act (Gen. Bus. Law § 899-bb) vs HIPAA for medical practices: reasonable safeguards, expanded breach scope under § 899-aa, 30-day notice outer bound, $250k AG penalty exposure.

State Compliance

Ohio Healthcare Compliance: Data Protection Act + State Specifics

Ohio Data Protection Act (Ohio Rev. Code § 1354) vs HIPAA: the affirmative defense framework, named cybersecurity frameworks, and what Ohio breach notification adds.

State Compliance

Pennsylvania Healthcare Compliance: Breach Notification + Practice Operations

Pennsylvania Breach of Personal Information Notification Act (73 Pa. C.S. § 2301) vs HIPAA: the concurrent AG notice rule, medical record retention, and where state law bites a PA practice.

State Compliance

Texas HB 300 for Medical Practices: Training, Audits, and What Differs from HIPAA

Texas HB 300 (Health & Safety Chapter 181) vs HIPAA: broader covered entities, mandatory 90-day training, 15-day EHR access, $1.5M/year AG penalty cap.

State Compliance

Virginia CDPA for Medical Practices: Where It Stacks on HIPAA

Virginia Consumer Data Protection Act (Va. Code § 59.1-575) vs HIPAA: the HIPAA carve-out, what intake forms and marketing lists still trigger CDPA, and AG penalty math.

State Compliance

Washington's My Health My Data Act: Healthcare Practice Implications

Washington My Health My Data Act (RCW 19.373) vs HIPAA: broad consumer health data scope, geofence ban, private right of action, and where it reaches non-HIPAA data.

The Security Risk Analysis is the product underneath these guides

The guides explain what the rules say. The SRA is where you actually assemble the documentation a practice needs when the audit letter arrives — into one review-ready binder. It is an administrative documentation aid — not legal advice, not a compliance certification, not a guarantee.