Compliance Risk Management Program: A Healthcare Operator’s Build Guide
June 16, 2026
What a healthcare compliance risk management program actually is
A healthcare compliance risk management program is a documented, board-accountable system that identifies, scores, mitigates, and monitors regulatory and patient-safety risks across the seven OIG compliance program elements, and holds up under real scrutiny from CMS, The Joint Commission, OCR, and state licensing boards. The strongest versions live in one operational source of truth, not seventeen spreadsheets and a shared drive nobody updates.
The reference document for the field is the HHS-OIG General Compliance Program Guidance (GCPG), released November 2023. The GCPG provides updated descriptions of the seven elements of an effective compliance program that health care entities have long relied upon, and it includes recommendations to conduct annual internal risk assessments, to consider quality of care as a component of the compliance program, and to emphasize the importance of a board’s and executive leadership’s oversight of compliance. That last clause matters. Compliance officers who report up to a board that actually reads the risk register get further than compliance officers who report into a vacuum.
A serviceable program touches all of this at once: CMS Conditions of Participation and Conditions for Coverage, TJC Leadership and Performance Improvement standards, DNV Healthcare NIAHO or CIHQ frameworks if those are your accreditor, the HIPAA Privacy, Security, and Breach Notification Rules, the False Claims Act, the Anti-Kickback Statute, the Stark Law, EMTALA, the DOJ Evaluation of Corporate Compliance Programs, the U.S. Sentencing Guidelines Chapter 8, and the cybersecurity expectations laid out in the NIST Cybersecurity Framework and HHS 405(d) HICP. State Medicaid Fraud Control Units and CMS UPIC contractors sit on top of all of it.
Why this matters right now: the enforcement picture in plain numbers
The DOJ’s annual scorecard is the cleanest read on where federal enforcement actually lands. Recoveries for FY 2024 exceeded $2.9 billion, approximately $1.7 billion of which involved the health care industry, and the U.S. government has now collected over $78 billion in recoveries under the FCA since the statute was amended in 1986. The 979 qui tam lawsuits filed in FY 2024 marked the highest number in a single year. Whistleblowers are the engine. Build assuming the person who files the next qui tam already works for you.
HHS-OIG’s own ledger sits alongside that. The Fall 2024 Semiannual Report to Congress reported over $7 billion in expected recoveries and receivables, 1,548 enforcement actions, and the exclusion of 3,234 individuals and entities from federal health care programs during the second half of FY 2024. As HHS Inspector General Christi A. Grimm put it in the spring report, “To hold wrongdoers accountable, OIG doggedly pursues criminals whose schemes put federal funds at risk and endanger the public.”
On the privacy side, OCR’s calendar-year 2024 reports to Congress are sobering. OCR documented 663 large data breaches that occurred in 2024 and reported exposure or impermissible disclosure of PHI affecting 242,908,056 individuals across those incidents. Hacking and IT incidents accounted for 81% of all data breaches and 99.45% of affected individuals. And the dollar consequence: the average cost for a breach in healthcare was $9.8 million, a decline from 2023 when the price tag reached $10.9 million, and expenses from healthcare data breaches far outstrip other sectors, with finance, the second costliest industry for data breaches, reporting an average cost of $6.1 million.
On the accreditation side, The Joint Commission tightened the kit in 2024. TJC revised its accreditation standards effective July 1, 2024, eliminating more than 200 Elements of Performance. The stated goal was fewer but more meaningful standards as healthcare organizations face inflationary pressures and labor shortages, with the cuts focused on EPs that go beyond CMS Conditions of Participation or OSHA workplace safety standards. Fewer EPs is not less work. It concentrates the surveyor’s attention on the ones that remain.
How to actually build the program: the seven OIG elements, translated into operator language
The GCPG keeps the same seven elements operators already know, with a sharper edge. OIG’s key new recommendation is that the compliance committee should conduct annual risk assessments to identify and address risk areas, including through policies and procedures; the common risk areas it names are billing, coding, sales, marketing, quality of care, patient incentives, and arrangements with physicians. Here is what each element looks like when you stop writing policy and start running it:
- Written policies, procedures, and a code of conduct. One library. Version-controlled. Mapped to the standards they satisfy (CMS CoP tag, TJC EP, HIPAA rule). If a surveyor asks for your policy on patient grievances and your team opens three different SharePoint folders, you have a finding waiting to happen.
- Compliance officer and compliance committee. OIG reiterates that every entity should designate a compliance officer with the authority, stature, access, and resources necessary to lead an effective compliance program, and that officer should report directly to the CEO with access to the board and must have sufficient funding.
- Effective training and education. Track who took what, when, and on which version of the policy. The training matrix has to survive a DOJ subpoena, not just an HR audit.
- Effective lines of communication. Anonymous reporting. A grievance pathway patients can actually find. An incident reporting workflow clinicians will actually use because it takes 90 seconds, not nine minutes.
- Enforcement of standards through disciplinary guidelines. Consistent, documented, and applied the same to the medical director as to the front desk.
- Internal monitoring and auditing. Chart audits, EOC rounds, EM drills, PSV reviews, exclusion checks against the OIG LEIE and state Medicaid exclusion lists, and a risk register that gets re-scored on a real cadence.
- Response to detected offenses and corrective action. Root cause analysis, CAPA, follow-through, and a closure step that proves the fix held. This is where most programs fall down. The CAP gets written, signed, filed, and never re-verified.
The thread connecting all seven is evidence. OIG emphasizes the governing body’s responsibility to oversee the compliance program; the United States Sentencing Commission’s Guidelines require that an organization’s governing body be knowledgeable about the content and operation of the compliance and ethics program and exercise reasonable oversight of its implementation and effectiveness; and an effective compliance program can reduce a fine by up to 90% when violations occur. Ninety percent. That is the math case for doing this well.
The command-center view: what survey-defensible evidence actually looks like
Here is where most programs drift. The policy lives in one system. The chart audit findings live in another. Incident reports sit in a third. Credentialing files are in the medical staff office. The risk register is a spreadsheet on the compliance officer’s laptop. When a CMS validation survey or a TJC triennial lands, nobody can connect a risk to the policy that addresses it, the audit that tested it, the incident that proved the gap, and the corrective action plan that closed it.
That disconnect is the gap we help operators close at AccrediCulture. One operational source of truth where the risk register entry links to the controlling policy, the chart audits and EOC rounds that test it, the incidents and grievances that flag it, and the CAP that resolves it. Real-time visibility for the COO. Survey-ready packets for the compliance officer. Board-level reporting that does not require a week of formatting.
A few specific places this approach pays for itself:
- Risk analysis under HIPAA. OCR explained in its 2024 report that there is a continued need for HIPAA-regulated entities to improve compliance, that noncompliance with the HIPAA Rules is often identified, that many data breaches could have been prevented through proactive compliance rather than addressing security issues after exploitation, and that some of the most common areas of noncompliance were the risk analysis, risk management, information system activity review, audit controls, and person or entity authentication standards. An enterprise-wide risk analysis tied to remediation tickets is the single highest-yield piece of evidence you can have on hand.
- Credentialing and exclusion screening. Primary source verification at hire, ongoing OIG LEIE and state Medicaid exclusion checks, and re-credentialing on cycle. One missed exclusion screen on a billing provider is an FCA case in waiting.
- Environment of care and emergency management. EOC rounds, EM drills, life safety logs, and ventilation/temperature monitoring data ready on demand. TJC surveyors routinely pull these on day one.
- Incident and grievance management. Each event scored, trended, and connected back to the risk register. Trends drive the next chart audit, not the other way around.
- Policy management. Effective dates, attestations, and version history that match what training records say staff received.
The DOJ’s Evaluation of Corporate Compliance Programs asks one core question of any program under investigation: is it well designed, adequately resourced and empowered, and does it work in practice? A command-center view answers that question on demand instead of after a 60-day document request.
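The linked risk register described above, and the closure-verification step from the seventh OIG element, can be expressed as a small data model with a readiness check over it. The following is an added example for illustration; it is not code from the article or from any vendor product. Record types, field names, the 1-5 likelihood and impact scale, the 90-day re-score and 365-day audit cadences, and every record in the sample register are constructed assumptions; the two regulatory citations are used only as examples of what a policy can be mapped to.

```python
"""Survey-readiness check over a linked compliance risk register.

Added example (not from the original article or any product). Each risk
links to its controlling policy, the audits that test it, and the CAPs
that resolve it; readiness_gaps() reports what a surveyor or investigator
would flag. All records, scales and cadences below are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Policy:
    policy_id: str
    title: str
    effective: date
    version: str
    standards: list[str]        # CMS CoP tag, TJC EP or HIPAA citation it satisfies


@dataclass
class Audit:
    audit_id: str
    risk_id: str                # the risk register entry this audit tested
    performed: date
    findings: int               # deficiencies found (0 means the control held)


@dataclass
class CAP:
    cap_id: str
    risk_id: str
    opened: date
    closed: Optional[date] = None
    verified: Optional[date] = None   # date the fix was re-verified after closure


@dataclass
class Risk:
    risk_id: str
    title: str
    likelihood: int             # 1-5, assumed scale
    impact: int                 # 1-5, assumed scale
    last_scored: date
    policy_id: Optional[str] = None   # controlling policy, if one is linked

    def score(self) -> int:
        return self.likelihood * self.impact


def ranked(risks: list[Risk]) -> list[Risk]:
    """Highest inherent score first, so the board sees the worst exposure at the top."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)


def readiness_gaps(risks, policies, audits, caps, today, rescore_days=90, audit_days=365):
    """Return (risk_id, gap) tuples. An empty list means every risk has its evidence chain."""
    gaps = []
    policy_ids = {p.policy_id for p in policies}
    for r in risks:
        if r.policy_id is None or r.policy_id not in policy_ids:
            gaps.append((r.risk_id, "no controlling policy linked"))
        recent = [a for a in audits
                  if a.risk_id == r.risk_id and (today - a.performed).days <= audit_days]
        if not recent:
            gaps.append((r.risk_id, f"no audit within {audit_days} days"))
        if (today - r.last_scored).days > rescore_days:
            gaps.append((r.risk_id, f"score older than {rescore_days} days"))
        risk_caps = [c for c in caps if c.risk_id == r.risk_id]
        if sum(a.findings for a in recent) and not risk_caps:
            gaps.append((r.risk_id, "audit findings with no CAP"))
        for c in risk_caps:
            # A signed, filed CAP is not closed until the fix is re-verified.
            if c.closed is not None and c.verified is None:
                gaps.append((r.risk_id, f"{c.cap_id} closed but closure not re-verified"))
    return gaps


# Constructed sample register (not real data).
TODAY = date(2025, 3, 1)
SAMPLE_POLICIES = [
    Policy("POL-SEC-001", "Security risk analysis", date(2024, 4, 1), "v4",
           ["45 CFR 164.308(a)(1)(ii)(A)"]),
    Policy("POL-GRV-001", "Patient grievances", date(2024, 6, 1), "v3",
           ["42 CFR 482.13(a)(2)"]),
]
SAMPLE_RISKS = [
    Risk("RSK-001", "Enterprise risk analysis out of date", 4, 5, date(2025, 1, 15), "POL-SEC-001"),
    Risk("RSK-002", "Grievance response timeliness", 3, 3, date(2024, 9, 1), "POL-GRV-001"),
    Risk("RSK-003", "Exclusion screening of billing providers", 2, 5, date(2025, 2, 20), None),
]
SAMPLE_AUDITS = [
    Audit("AUD-101", "RSK-001", date(2024, 11, 1), findings=2),
    Audit("AUD-102", "RSK-002", date(2025, 2, 10), findings=0),
]
SAMPLE_CAPS = [
    CAP("CAP-55", "RSK-001", opened=date(2024, 11, 10), closed=date(2025, 1, 20)),
]


def demo_gaps() -> list[tuple[str, str]]:
    return readiness_gaps(SAMPLE_RISKS, SAMPLE_POLICIES, SAMPLE_AUDITS, SAMPLE_CAPS, TODAY)


if __name__ == "__main__":
    for r in ranked(SAMPLE_RISKS):
        print(f"{r.risk_id} score={r.score():2d}  {r.title}")
    for risk_id, gap in demo_gaps():
        print(f"GAP {risk_id}: {gap}")
```

Run against the sample register, the check surfaces four gaps: a CAP that was closed but never re-verified, a risk whose score is stale, and a risk with no linked policy and no audit on record. Each gap names a single record to fix, which is the difference between a register that produces a survey packet on demand and one that produces a week of reconciliation.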
Frequently asked questions
What are the seven elements of an effective healthcare compliance program under OIG guidance?
Written policies and procedures; a designated compliance officer and compliance committee; effective training and education; effective lines of communication including anonymous reporting; well-publicized disciplinary guidelines; internal monitoring and auditing with risk assessment; and response to detected offenses with corrective action. The OIG seven elements represent the minimum necessary requirements that healthcare organizations must have in place to address compliance standards. The 2023 GCPG adds an explicit expectation of annual risk assessments and board-level oversight.
How is a compliance risk management program different from enterprise risk management (ERM)?
ERM is the wider view: financial, strategic, operational, reputational, clinical, regulatory. A compliance risk management program is the regulatory and patient-safety subset of that, mapped to specific laws, accreditation standards, and survey expectations. ERM tells the board the strategy is at risk. The compliance risk program tells the COO which CMS tag, TJC EP, or HIPAA Security Rule standard is exposed and what the CAP looks like.
How often should a healthcare compliance risk assessment be refreshed?
OIG expects an annual refresh at minimum, with event-driven updates whenever something material changes: a new service line, a multi-site acquisition, a new EHR, a regulatory change, a serious incident, or a sentinel event. Multi-site operators typically run a rolling cadence so risk areas are touched on a quarterly basis instead of one giant lift each year.
Who owns the compliance risk management program: the Compliance Officer, the Board, or the Quality Committee?
The compliance officer runs it day to day. The board owns oversight. The quality committee owns the patient-safety risks that intersect with compliance. OIG is explicit that the compliance officer should report directly to the CEO with access to the board and must have sufficient funding to properly run a compliance program. If your compliance officer reports up through finance or billing, that is itself a finding.
What documentation will CMS, TJC, or DOJ actually ask to see during a survey or investigation?
The current risk register with scoring methodology; minutes of the compliance committee and board meetings where the risk register was reviewed; the most recent HIPAA Security Rule risk analysis and risk management plan; policies and procedures with effective dates and version history; training records keyed to those policies; chart audit findings and corrective actions; EOC and EM drill documentation; credentialing files with PSV evidence; OIG LEIE exclusion check logs; incident and grievance logs with trending; and every CAP with closure verification. If you can pull all of that from one system in under a day, you are continuously ready. If not, you have your first project.
References
- HHS-OIG, General Compliance Program Guidance (November 2023)
- HHS-OIG, Fall 2024 Semiannual Report to Congress press release
- DOJ FY 2024 False Claims Act Recoveries (Epstein Becker Green analysis)
- HHS OCR 2024 Reports to Congress on HIPAA Compliance and Breaches
- IBM and Ponemon Institute, Cost of a Data Breach Report 2024 (healthcare segment)
- The Joint Commission, Top Cited Standards (Joint Commission Online, April 2024)
- The Joint Commission, July 2024 standards changes overview
- HHS Office for Civil Rights Breach Portal