Compliance guides for medical practices
Plain-language playbooks for the moments that matter — audit letters, breach windows, regulatory deadlines, specialty obligations. Every article is source-grounded against HHS, OCR, CMS, eCFR, NIST, and the state regulators we cite.
When the letter just arrived
Emergency Response
Time-bound playbooks for audit letters, breach windows, and regulator outreach. Open these when the clock is already running.
Additional Documentation Request (ADR): How to Respond Inside the Window
Medicare ADR response windows are contractor-specific (45 days for MAC/SMRC/RAC, 30 days for UPIC). Miss the window and the claim auto-denies. Here is the procedure that actually works.
7 min readEmergency ResponseBreach Risk Assessment: The 4-Factor Analysis Required by 45 CFR 164.402
After a possible PHI incident, the four-factor breach risk assessment at 45 CFR 164.402 determines whether you notify. Do it in writing, do it on the record.
9 min readEmergency ResponseCMS Provider Enrollment Revocation (855): How to Appeal a Form CMS-855 Action
A CMS revocation under 42 CFR 424.535 carries a 60-day reconsideration window and a re-enrollment bar. Here is the appeal track that protects billing rights.
11 min readEmergency ResponseDEA On-Site Inspection Response: What to Do When the DEA Arrives
A DEA diversion investigator at the front desk with a Form 82 Notice of Inspection is a controlled-event, not a normal audit. Here is what consent means, what the inspector can access, and what to do in the first 30 minutes.
11 min readEmergency ResponseHHS HIPAA Breach Portal: How to File a Breach Notification
Filing through ocrportal.hhs.gov is the single most-visible compliance act a practice ever performs. Here is the form, the numbers, and the choices that drive the OCR response.
9 min readEmergency ResponseHIPAA Breach Notification: The 60-Day Window Step-by-Step
From discovery you have 60 calendar days to notify individuals, HHS, and possibly media. Here is the procedure that actually protects the practice.
7 min readEmergency ResponseHIPAA Subpoena Response: Court Order vs Administrative Subpoena (45 CFR § 164.512)
Court order, civil subpoena, grand-jury subpoena, DEA administrative demand — each triggers a different HIPAA response path. Identify the type before you produce a single record.
8 min readEmergency ResponseThe Medicare 60-Day Overpayment Rule: How to Comply (and What Triggers Worse)
The 60-day clock starts at identification. Miss it, and the overpayment becomes a False Claims Act violation. Here is the actual procedure.
8 min readEmergency ResponseMedicare TPE Audit: The 45-Day Response Window
Received a Medicare TPE letter from your MAC? You have 45 days from the ADR per claim. Sequence the response, address probe errors, and avoid Round 2.
8 min readEmergency ResponseOCR Investigation Letter: Your 30-Day Response Playbook
Received an OCR HIPAA investigation letter? The first 30 days set the trajectory. Confirm the docket, freeze logs, route through counsel, and produce a tabbed response.
8 min readEmergency ResponseOIG Self-Disclosure Protocol: When to Use It, When to Hold Back
The OIG SDP is a powerful resolution tool but it is not the right move for every matter. Here is how the 2021-amended SDP works and when counsel uses it.
10 min readEmergency ResponsePayer Pre-Payment Review: 14-Day Response Template
A commercial payer pre-payment review holds your claims and gives 14 days to respond. Pull every chart, map to payer policy, and protect appeal rights.
7 min readEmergency ResponseRAC Audit Response: First 14 Days After the Letter
A Recovery Audit Contractor (RAC) letter starts a 45-day documentation clock and a 30-day discussion-request window (separate from the 120-day Redetermination appeal clock). Sequence the first 14 days correctly.
8 min readEmergency ResponseRecent OCR Settlements: What HHS Actually Penalizes (2025)
Risk Analysis Initiative, ransomware, right-of-access. The deficiency patterns driving recent OCR Resolution Agreements and what they cost.
8 min readEmergency ResponseSMRC Audit Response: The Supplemental Medical Review Contractor Window
An SMRC letter gives a 45-day documentation window and is shorter-fuse than RAC. Here is the response procedure and how the findings feed back to CMS and the MACs.
10 min readEmergency ResponseUPIC Audit Response: What to Do First (and What Not to Touch)
A UPIC letter signals suspected fraud, not a routine review. Engage counsel before responding. Here is the procedure that preserves the practice.
7 min readEmergency ResponseZPIC / I-MEDIC Audit Response: What's Different from UPIC
ZPIC is the legacy FFS program-integrity contractor (now UPIC); I-MEDIC is the Part C and Part D investigations contractor. Counsel before response. Here is what to do first.
10 min readThe everyday program
Compliance Foundations and Payer Program
The baseline obligations every practice carries — HIPAA documentation, BAAs, exclusion screening, payer credentialing, and program maintenance.
Annual HIPAA Training Curriculum (What to Cover + How to Document)
A 2026 annual HIPAA training curriculum for small healthcare practices — eight required modules under 45 CFR 164.530(b) and 45 CFR 164.308(a)(5), with documentation templates.
10 min readCompliance FoundationsAnti-Kickback Statute: What Medical Practices Actually Need to Know (42 USC § 1320a-7b(b))
The federal Anti-Kickback Statute is intent-based, criminal-grade, and the most common fraud-and-abuse theory in OIG enforcement. Here is what AKS actually prohibits, how the safe harbors function, and where practices get caught.
9 min readCompliance FoundationsBusiness Associate Agreement Template (2026) + Counterparty Tracker
A 2026 HIPAA Business Associate Agreement template with every 45 CFR 164.504(e) required clause, plus the vendor tracker auditors expect alongside it.
10 min readCompliance FoundationsCommunicable Disease Reporting: CDC NNDSS + State Health Department Requirements
Federal 42 USC § 247b + CDC NNDSS + state reportable-disease lists: who reports, what conditions, timelines (immediate to weekly), and 45 CFR § 164.512(b) HIPAA permissibility.
8 min readCompliance FoundationsDomestic Violence Reporting for Healthcare Providers: When Reports Are Required
Most states do NOT mandate DV reporting by healthcare providers — but injury-by-weapon, child-witness, and elder-victim statutes do. State-by-state map + 45 CFR § 164.512(c).
8 min readCompliance FoundationsDrug-Exposed Newborn / Substance-Affected Infant Reporting (CARA + State Requirements)
Federal CAPTA + CARA (42 USC § 5106a): notification to CPS, Plan of Safe Care, state implementation in CA, TX, NY, FL, IL — plus 45 CFR § 164.512 and 42 CFR Part 2 layering.
8 min readCompliance FoundationsHealthcare Incident Response Plan — Template + Tabletop Exercise
A 2026 healthcare incident response plan template aligned to 45 CFR 164.308(a)(6) and NIST SP 800-61 Rev. 3, with a tabletop exercise script for small practices.
11 min readCompliance FoundationsAccounting of Disclosures (45 CFR § 164.528): Tracker + Procedure
A 2026 HIPAA Accounting of Disclosures procedure citing 45 CFR § 164.528 — the six-year lookback, what to log, exclusions, and a copy-ready tracker template.
12 min readCompliance FoundationsHIPAA Contingency Plan Template — 45 CFR § 164.308(a)(7)
2026 HIPAA contingency plan template — 45 CFR § 164.308(a)(7) data backup, DRP, emergency mode, testing, and applications/data criticality analysis.
10 min readCompliance FoundationsHIPAA Encryption Policy Template (45 CFR § 164.312(a)(2)(iv) + (e)(2)(ii))
2026 HIPAA encryption policy template — 45 CFR § 164.312(a)(2)(iv) at-rest, § 164.312(e)(2)(ii) in-transit, NIST SP 800-111 algorithms, key management.
9 min readCompliance FoundationsHIPAA Mobile Device & BYOD Policy Template (45 CFR § 164.310(d) + 164.308(a)(1)(ii)(B))
2026 HIPAA mobile and BYOD policy template — 45 CFR § 164.310(d), § 164.308(a)(1)(ii)(B), NIST SP 800-124r2, enrollment and offboarding workflow.
10 min readCompliance FoundationsHIPAA Privacy Officer: Required Duties + Job Description Template (2026)
The 2026 HIPAA Privacy Officer role: what 45 CFR 164.530(a) requires, duties auditors look for, and a copy-paste job description for small practices.
9 min readCompliance FoundationsHIPAA Right of Access Requests (45 CFR § 164.524): Respond Inside 30 Days
A 2026 HIPAA right-of-access procedure citing 45 CFR § 164.524, the 30-day window, OCR Right of Access Initiative settlements ($3,500–$240,000 through 2025), and the patient response packet.
11 min readCompliance FoundationsHIPAA Security Officer: Required Duties + Job Description Template
Required duties under 45 CFR 164.308(a)(2), a copy-ready 2026 HIPAA Security Officer job description, and what we see fail in practice.
7 min readCompliance FoundationsHIPAA Workforce Sanction Policy — Template (45 CFR 164.308(a)(1)(ii)(C))
A 2026 HIPAA workforce sanction policy template — required by 45 CFR 164.308(a)(1)(ii)(C), with a four-tier discipline matrix and documented application examples.
8 min readCompliance FoundationsHIPAA Workforce Training Log Template (2026) — Annual + New Hire
The 2026 HIPAA workforce training log auditors expect: required topics, hire-date and annual cadence, exact log columns, state extras (CA, TX, FL).
8 min readCompliance FoundationsInformation Blocking Rule (21st Century Cures Act): Compliance for Medical Practices
The ONC Information Blocking Rule reaches every healthcare provider, with the Part 171 exceptions and CMS-administered provider disincentives that hit MIPS payment. Here is what the rule actually prohibits, the exceptions that apply to practices, and how enforcement landed in 2024.
10 min readCompliance FoundationsMandatory Child Abuse Reporting for Healthcare Providers (Federal + 50-State Overview)
Federal CAPTA + state mandates: who reports, what triggers the duty, timeline, penalties, and the 45 CFR § 164.512(b)/(c) HIPAA carve-outs that permit disclosure to CPS.
9 min readCompliance FoundationsMandatory Elder & Vulnerable Adult Abuse Reporting for Medical Practices
Federal Elder Justice Act + state APS statutes: who reports, what counts as abuse or neglect, financial exploitation, timeline, and 45 CFR § 164.512(c) HIPAA permissibility.
8 min readCompliance FoundationsNotice of Privacy Practices (NPP) Template — 2026
A 2026 Notice of Privacy Practices template aligned to 45 CFR 164.520, with every required header, the post-Dobbs reproductive-health content, and CMIA/HB 300 carveouts.
9 min readCompliance FoundationsThe OIG's 7 Elements of an Effective Compliance Program (Applied to a Small Practice)
The OIG's seven elements of an effective compliance program, what each one looks like in a 1–15-clinician practice, and how to document each in 2026.
8 min readMedicare & PayerOIG LEIE Monthly Exclusion Screening: Process + Audit-Ready Logs
Monthly OIG LEIE and SAM.gov exclusion screening for every workforce member and vendor: the workflow, the log fields auditors require, and the escalation path.
8 min readCompliance FoundationsPatient HIPAA Complaint Handling: Internal Process + OCR Referral (45 CFR § 164.530(d))
Every covered entity must accept and document HIPAA complaints. The internal process is regulatory — not optional — and it is the single biggest driver of OCR referrals when missing.
9 min readMedicare & PayerPECOS Provider Enrollment Verification (2026) — Quarterly Checklist
Quarterly PECOS provider enrollment verification workflow: who to check, the exact lookup steps, the audit log columns, and the revalidation escalation path.
8 min readCompliance FoundationsSecurity Risk Analysis Template (2026): What Auditors Actually Want
A 2026 HIPAA Security Risk Analysis template auditors actually read: NIST SP 800-30 scoring, ePHI asset inventory, every required 164.308 field, threat list.
8 min readCompliance FoundationsStark Law (Physician Self-Referral): Compliance Basics for Designated Health Services
The Stark Law is strict-liability, civil-only, and triggers on Medicare claims for designated health services where a financial relationship exists. Here is what Stark actually prohibits, how the exceptions work, and where practices misread the in-office ancillary services exception.
9 min readCompliance FoundationsThe Tarasoff Duty to Warn: State-by-State Rules for Healthcare Providers
Tarasoff v. Regents (1976) + Cal. Civ. Code § 43.92: when mental health and medical providers must warn or protect identifiable third parties — and the states that reject the duty.
9 min readCompliance FoundationsHealthcare Vendor Risk Assessment Template + Tier Matrix (45 CFR § 164.502(e), § 164.504(e))
2026 healthcare vendor risk assessment template — tier matrix, BAA tracking, NIST SP 800-161 supply chain, keyed to 45 CFR § 164.502(e) and § 164.504(e).
12 min readRules that apply if you do this
Specialty Compliance
Specialty-specific obligations: pain management, telehealth, behavioral health, DME, clinical lab, and other regulated service lines.
Ambulatory Surgery Center Compliance: CMS + State + Infection Control
42 CFR Part 416 Conditions for Coverage, CMS State Operations Manual Appendix L, the ASC Infection Control Surveyor Worksheet, and where state ASC licensure tightens the standard.
9 min readSpecialty ComplianceBehavioral Health Compliance: 42 CFR Part 2 + HIPAA Together
How SAMHSA's 42 CFR Part 2 framework for substance use disorder records overlays HIPAA after the 2024 final rule alignment, and what behavioral health practices must document.
8 min readSpecialty ComplianceCardiology Compliance: Imaging Safety + Stress Testing Documentation
IAC/ICANL accreditation, CMS stress-test LCDs, 42 CFR 482.26 hospital imaging, and the documentation patterns that survive RAC and TPE audits in cardiology.
9 min readSpecialty ComplianceDermatology Compliance: Mohs Documentation + Pathology Coordination
CMS Mohs MUE/CCI edits, AAD Appropriate Use Criteria, the documentation patterns that distinguish 17311 from 17313, and pathology TC/PC coordination.
9 min readSpecialty ComplianceDME Documentation Requirements: Surviving a DMEPOS Audit
How CMS Pub. 100-08 Chapter 5, 42 CFR § 424.57 supplier standards, and UPIC and SMRC audit procedures govern DMEPOS documentation in 2026, with the exact records auditors request.
8 min readSpecialty ComplianceGastroenterology Compliance: ASC + Anesthesia + Pathology Coordination
How ASC Conditions for Coverage at 42 CFR Part 416, CMS Pub. 100-04 anesthesia rules, propofol monitoring documentation, USPSTF colorectal screening guidance, and TC/PC pathology splits apply to GI practices.
10 min readSpecialty ComplianceInfusion Center Compliance: USP 797/800 + Medication Handling
USP 797 and USP 800 govern sterile compounding and hazardous-drug handling. State enforcement varies. Here is the actual standard set infusion centers are measured against.
9 min readSpecialty ComplianceOB/GYN Compliance: HIPAA + State Mandatory Reporting + Specialty Codes
ACOG documentation standards, state mandatory-reporting carveouts (CA, TX, NY, FL), HRSA Title X rules, and the global obstetric billing package — what OB/GYN audits sample first.
8 min readSpecialty ComplianceOphthalmology Compliance: ASC + Imaging + MIPS Documentation
How ASC Conditions for Coverage at 42 CFR Part 416, IRIS Registry MIPS reporting, ICD-10-CM laterality requirements, and CMS modifier 25 documentation rules apply to ophthalmology practices in 2026.
8 min readSpecialty ComplianceOrthopedics Compliance: DME + ASC + Imaging Safety Stack
How DMEPOS supplier standards at 42 CFR 424.57, ASC Conditions for Coverage at 42 CFR Part 416, Stark in-office DME exceptions, and state radiation-control rules apply to orthopedic practices.
10 min readSpecialty CompliancePain Management Compliance: DEA Registration + PDMP Requirements
How the DEA registration framework at 21 CFR Part 1304, state PDMP query mandates, and the DOJ's pain-practice enforcement posture apply to chronic-pain prescribers in 2026.
8 min readSpecialty CompliancePathology Lab Compliance: CLIA Certificate Tiers + Documentation
How CMS administers CLIA at 42 CFR Part 493, the five certificate tiers (Waiver, PPMP, Registration, Compliance, Accreditation), and what pathology labs must document at each complexity level.
10 min readSpecialty CompliancePhysical Therapy Medicare Compliance: Plan of Care + Documentation Rules
CMS Pub. 100-02 Chapter 15 §220 and 42 CFR 410.59 govern outpatient PT documentation, plan-of-care signatures, KX modifier thresholds, and TPE audit triggers.
8 min readSpecialty CompliancePodiatry Compliance: DME + X-ray + Medicare Routine Foot Care Rules
How the Medicare routine foot care exclusion at 42 CFR 411.15, DMEPOS supplier standards at 42 CFR 424.57 for orthotics and diabetic shoes, state radiation-control rules for in-office X-ray, and the narrow Stark in-office ancillary services exception at 42 CFR 411.355(b) apply to podiatry.
10 min readSpecialty CompliancePsychiatry Compliance: Controlled Substances + 42 CFR Part 2 + Telepsychiatry
DEA controlled-substance prescribing, 42 CFR Part 2 SUD confidentiality, the DEA/HHS fourth temporary telemedicine extension through December 31, 2026, and the documentation surveyors actually sample first.
10 min readSpecialty ComplianceRadiology Imaging Safety Program: ACR, MQSA + State Requirements
How the FDA's MQSA framework at 21 CFR Part 900, ACR accreditation standards, state radiation-control programs, and CMS imaging billing rules together govern a radiology safety program.
9 min readSpecialty ComplianceSleep Medicine Compliance: AASM Accreditation + CMS Documentation
How AASM accreditation standards, the CMS NCD for home sleep apnea testing, polysomnography documentation rules, and DME PAP-therapy supplier standards apply to sleep medicine practices in 2026.
9 min readSpecialty ComplianceTelehealth Compliance Post-PHE: Where the Rules Landed in 2026
How CMS Medicare telehealth flexibilities, DEA controlled-substance telemedicine rules, ONC standards, and state telehealth statutes interact for practices in 2026.
7 min readSpecialty ComplianceUrology Compliance: Controlled Substances + ASC + In-Office CLIA
How DEA registration for in-office Schedule II prescribing, ASC Conditions for Coverage at 42 CFR Part 416, and CLIA certification at 42 CFR Part 493 for in-office urinalysis apply to urology practices.
9 min readBeyond the federal floor
State Compliance
State-specific compliance overlays for California, Texas, New York, Massachusetts, Florida, and others where state law goes further than HIPAA.
California Healthcare Compliance: CMIA + HIPAA — Where They Diverge
California's CMIA (Civ. Code §§ 56–56.37) vs HIPAA: stricter consent, 5-working-day inspection / 15-day copy access, private right of action, up to $25k per knowing-and-willful violation + misdemeanor exposure.
9 min readState ComplianceColorado Privacy Act for Medical Practices: Where It Stacks on HIPAA
Colorado Privacy Act (C.R.S. § 6-1-1301 et seq.) vs HIPAA: narrow health-data carve-out, AG-only enforcement, $20k per-violation cap, and CRS § 6-1-716 30-day breach window.
8 min readState ComplianceConnecticut CTDPA for Medical Practices: HIPAA Overlay + Penalty Math
Connecticut CTDPA (Conn. Gen. Stat. § 42-515) vs HIPAA: entity-level HIPAA exemption, 60-day breach window, $5k/violation AG enforcement, and Section 36a-701b detail.
9 min readState ComplianceFlorida Healthcare Compliance: FIPA Breach Notification + State Specifics
Florida Information Protection Act (F.S. § 501.171) vs HIPAA: 30-day breach window, AG notice at 500 residents, $500k penalty cap, F.S. § 456.057 records rules.
10 min readState ComplianceGeorgia Healthcare Compliance: Breach Notification + State Medical Records Rules
Georgia O.C.G.A. § 10-1-911 breach notification and § 31-33-2 medical records access vs HIPAA: no fixed breach window, 30-day record access, fee-cap exposure, and UDTPA private right of action.
8 min readState ComplianceIllinois Healthcare Compliance: BIPA, GIPA + State Medical Records Rules
Illinois BIPA (740 ILCS 14/) and GIPA (410 ILCS 513/) vs HIPAA for medical practices: where the state statutes bite harder, private right of action, and penalty math.
8 min readState ComplianceMassachusetts 201 CMR 17.00 for Healthcare: The Written Information Security Program
Massachusetts 201 CMR 17.00 vs HIPAA for medical practices: mandatory WISP, encryption requirements, M.G.L. c. 93H breach notice, 93A private right of action.
9 min readState ComplianceMichigan Healthcare Compliance: Identity Theft Protection Act + Patient Records
Michigan ITPA (MCL 445.61) and Medical Records Access Act (MCL 333.26261) vs HIPAA: $250-$750 per violation, HIPAA-compliance safe harbor at MCL 445.72(10), 30-day records access under MCL 333.26265(2).
10 min readState ComplianceNevada SB 538 (Consumer Health Data): What It Means for Medical Practices
Nevada SB 538 (NRS 603A.400–550) vs HIPAA: broad consumer health data definition, geofence prohibition at NRS 603A.540, AG-only enforcement, entity-level HIPAA carve-out.
8 min readState ComplianceNew Jersey Healthcare Compliance: NJ Identity Theft Prevention Act + State Specifics
NJ Identity Theft Prevention Act (N.J.S.A. 56:8-161) vs HIPAA for medical practices: encryption safe harbor, breach reporting to State Police, and N.J.A.C. 13:35-6.5 records rules.
8 min readState ComplianceNew York SHIELD Act for Medical Practices: The Reasonable Safeguards Standard
NY SHIELD Act (Gen. Bus. Law § 899-bb) vs HIPAA for medical practices: reasonable safeguards, expanded breach scope under § 899-aa, 30-day notice outer bound, $250k AG penalty exposure.
9 min readState ComplianceOhio Healthcare Compliance: Data Protection Act + State Specifics
Ohio Data Protection Act (Ohio Rev. Code § 1354) vs HIPAA: the affirmative defense framework, named cybersecurity frameworks, and what Ohio breach notification adds.
8 min readState CompliancePennsylvania Healthcare Compliance: Breach Notification + Practice Operations
Pennsylvania Breach of Personal Information Notification Act (73 Pa. C.S. § 2301) vs HIPAA: the concurrent AG notice rule, medical record retention, and where state law bites a PA practice.
11 min readState ComplianceTexas HB 300 for Medical Practices: Training, Audits, and What Differs from HIPAA
Texas HB 300 (Health & Safety Chapter 181) vs HIPAA: broader covered entities, mandatory 90-day training, 15-day EHR access, $1.5M/year AG penalty cap.
8 min readState ComplianceVirginia CDPA for Medical Practices: Where It Stacks on HIPAA
Virginia Consumer Data Protection Act (Va. Code § 59.1-575) vs HIPAA: the HIPAA carve-out, what intake forms and marketing lists still trigger CDPA, and AG penalty math.
8 min readState ComplianceWashington's My Health My Data Act: Healthcare Practice Implications
Washington My Health My Data Act (RCW 19.373) vs HIPAA: broad consumer health data scope, geofence ban, private right of action, and where it reaches non-HIPAA data.
8 min readThe Security Risk Analysis is the product underneath these guides
The guides explain what the rules say. The SRA is where you actually assemble the documentation a practice needs when the audit letter arrives — into one review-ready binder. It is an administrative documentation aid — not legal advice, not a compliance certification, not a guarantee.