What compliance program management actually is
Compliance program management in healthcare is the continuous operating system that turns regulator expectations into daily workflows, evidence, and corrective action. It connects the OIG’s Seven Elements, CMS Conditions of Participation under 42 CFR 482, HIPAA Privacy and Security obligations enforced by HHS OCR, EMTALA, the False Claims Act, the Anti-Kickback Statute, and accreditor standards from The Joint Commission, DNV Healthcare, AAAHC, CARF, and HFAP into one survey-ready record. Done well, operators stop hunting binders the week before a site visit.
HHS-OIG refreshed its expectations in the General Compliance Program Guidance on November 6, 2023. It was the first new general guidance from OIG in 15 years, and it added recommendations to conduct annual internal risk assessments, to consider quality of care as a component of the compliance program, and to emphasize the importance of a board’s and executive leadership’s oversight of compliance.
The numbers explain the urgency. The Department of Justice reported that over $5.7 billion of the more than $6.8 billion in False Claims Act settlements and judgments in FY 2025 involved the health care industry. That figure was a sharp jump from $1.8 billion in healthcare-related recoveries the year before, and healthcare made up 83% of all FCA recoveries in FY 2025. Compliance officers in Texas, Florida, and California are not running a paperwork drill. They are running the system that keeps the doors open.
The Seven Elements, mapped to evidence operators can actually pull
The OIG’s Seven Fundamental Elements read like a checklist, but operators have to translate each one into evidence a surveyor or investigator can hold:
- Written policies, procedures, and standards of conduct. Version history, owners, last review date, attestation logs.
- A compliance officer and committee. Charter, meeting minutes, board reports, escalation paths. The GCPG says the compliance officer should report either to the CEO with direct access to the board or directly to the board, should have stature equal to other senior leaders, and should advise the CEO, the board and senior leaders on compliance risk. OIG also cautions against placing the compliance officer under general counsel or the CFO, since the function must be able to challenge both.
- Training and education. Role-based curricula, completion rates, attestations tied to HR.
- Effective lines of communication. Hotline intake records, non-retaliation policy, grievance logs.
- Internal monitoring and auditing. Chart audits, EOC rounds, mock surveys, exclusion screening run monthly.
- Enforcement through publicized disciplinary guidelines. Documented actions tied to policy and code of conduct.
- Prompt response and corrective action. CAPAs with owners, root cause analysis, effectiveness checks.
The GCPG also pushes leaders in a direction most compliance officers already saw coming. OIG specifies that quality of care considerations should be included in a compliance program to mitigate patient harm and False Claims Act liability. Boards and executive teams are expected to demonstrate active oversight, and quality of care now sits inside compliance rather than next to it.
At AccrediCulture we help operators map each element to a live evidence stream. Policy versioning sits next to training attestations. Incidents and grievances flow into the same record as EOC rounds and CAPAs. Credentialing files with primary source verification live where the auditor expects them. One source of truth, not seven inboxes.
What recent enforcement is telling operators to fix
Three regulator signals deserve a place on every compliance committee agenda this quarter.
First, DOJ continues to lean on whistleblowers. The 1,297 qui tam suits filed in fiscal year 2025 broke the prior record set in 2024 of 980 such cases. If your staff in New York or Ohio cannot get a concern to compliance through a clean, non-retaliatory path, they will use the government’s path. As Deputy Attorney General Todd Blanche put it when DOJ released the FY 2025 numbers, “Stopping rampant fraud is a top priority, and this record-breaking year proves the False Claims Act remains one of the government’s most powerful weapons against fraud.”
Second, cyber risk is operational risk. The IBM Cost of a Data Breach Report 2024 put the average healthcare breach at $9.77 million, and healthcare held its place as the costliest industry for data breaches for the 14th year in a row. HIPAA Security Rule safeguards, the NIST SP 800-66 Rev. 2 implementation guidance for that rule, and incident response readiness now belong in the middle of the compliance program, not on the edge.
Third, accreditors keep cycling through the most-cited standards. Joint Commission has long flagged medication management, infection control, environment of care, and life safety as the perennial trouble spots. Under Accreditation 360, which takes effect January 1, 2026 for hospitals and critical access hospitals, the Environment of Care and Life Safety chapters consolidate into a new Physical Environment chapter, moving from 40+ standards and 450+ elements of performance down to 12 standards and 67 EPs, roughly a 75% reduction. Infection Prevention and Control was the most frequently cited clinical chapter in the 2023-2024 cycle, cited at 77% of surveyed hospitals. Operators still running last cycle's checklist will be caught flat-footed.
The operator translation is simpler than the regulator language. Document what you do, do what you document, and fix what breaks before someone else has to.
How operators run one without it owning their week
A working compliance program management approach has five moving parts that all reference each other:
- A single source of truth. Policies, attestations, incidents, grievances, EOC rounds, credentialing files, chart audits, and CAPAs in one place, mapped to specific CMS CoPs and accreditor chapters.
- A real-time risk picture. Annual risk assessment as the floor, not the ceiling. Monthly exclusion screening against the OIG List of Excluded Individuals/Entities, quarterly chart audit samples, ongoing incident and grievance trending feeding the next mock survey.
- Mock surveys you trust. A tracer that follows a real patient from intake to discharge across credentialing, medication management, EOC, infection control, and documentation. Findings flow straight to CAPA with owners and effectiveness checks.
- Credentialing and PSV on a clock. Primary source verification with expirables tracked, re-credentialing on schedule, sanction screening tied to HRIS so the same file does not live in three systems.
- Board-grade reporting. A compliance dashboard the CEO and board actually read, with metrics tied to the Seven Elements and live evidence behind every line.
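The monthly exclusion screening and HRIS-linked sanction screening above are the one part of this list that is a concrete data-matching job, so here is a worked illustration of how it runs. This is an added example, not AccrediCulture's code. It reads the OIG LEIE in its public CSV column layout (only the columns used are kept in the constructed excerpt) and a constructed HRIS roster export, matches first on NPI (the LEIE uses 0000000000 when no NPI is on file), falls back to a normalized last name, first name and date of birth match that an auditor must verify by hand, and writes an evidence record carrying the SHA-256 of the LEIE file that was screened. Treating a record with a REINDATE set as no longer an active exclusion is an assumption made for this example.

```python
"""Monthly exclusion screening of a staff roster against the OIG LEIE.

Added illustration, not AccrediCulture's code. Column names follow the
public LEIE CSV download; the rows themselves and the roster layout are
constructed for this example.
"""
import csv
import hashlib
import io
import re
import unicodedata
from dataclasses import dataclass

# Constructed excerpt in LEIE CSV layout, trimmed to the columns used here.
LEIE_CSV = """LASTNAME,FIRSTNAME,MIDNAME,BUSNAME,NPI,DOB,EXCLTYPE,EXCLDATE,REINDATE
SMITH,JOHN,A,,1234567893,19700115,1128b4,20220301,00000000
GARCIA,MARIA,,,0000000000,19810620,1128a1,20191105,00000000
,,,ACME HOME HEALTH LLC,1987654321,00000000,1128b7,20230410,00000000
LEE,ANNA,,,0000000000,19900101,1128a2,20150601,20200101
"""

# Constructed HRIS export; a real roster would carry the same fields.
ROSTER_CSV = """employee_id,last_name,first_name,dob,npi
E100,Smith,John,1970-01-15,1234567893
E101,García,Maria,1981-06-20,
E102,Lee,Anna,1990-01-01,
E103,Jones,Robert,1985-03-03,
"""


def norm_name(s: str) -> str:
    """Strip accents, case and punctuation so García and GARCIA compare equal."""
    s = unicodedata.normalize("NFKD", s)
    s = "".join(c for c in s if not unicodedata.combining(c))
    return re.sub(r"[^A-Z]", "", s.upper())


def norm_dob(s: str) -> str:
    """Reduce any date spelling to YYYYMMDD; LEIE uses 00000000 for unknown."""
    d = re.sub(r"\D", "", s)
    return d if len(d) == 8 and d != "00000000" else ""


@dataclass
class Finding:
    employee_id: str
    basis: str        # "NPI" (confirmed) or "NAME+DOB" (needs manual verification)
    excltype: str
    excldate: str


def load_leie(text: str):
    """Index active LEIE records by NPI and by (last, first, DOB)."""
    by_npi, by_name_dob = {}, {}
    for r in csv.DictReader(io.StringIO(text)):
        if r["REINDATE"] != "00000000":
            continue  # assumption: a reinstatement date means no active exclusion
        if r["NPI"] and r["NPI"] != "0000000000":
            by_npi[r["NPI"]] = r
        key = (norm_name(r["LASTNAME"]), norm_name(r["FIRSTNAME"]), norm_dob(r["DOB"]))
        if key[0] and key[2]:  # business-only rows lack a person name and DOB
            by_name_dob.setdefault(key, []).append(r)
    return by_npi, by_name_dob


def screen(roster_text: str, leie_text: str) -> list[Finding]:
    """Return one Finding per roster member matched to an active exclusion."""
    by_npi, by_name_dob = load_leie(leie_text)
    findings = []
    for emp in csv.DictReader(io.StringIO(roster_text)):
        npi = emp["npi"].strip()
        if npi and npi in by_npi:
            r = by_npi[npi]
            findings.append(Finding(emp["employee_id"], "NPI", r["EXCLTYPE"], r["EXCLDATE"]))
            continue
        key = (norm_name(emp["last_name"]), norm_name(emp["first_name"]), norm_dob(emp["dob"]))
        for r in by_name_dob.get(key, []):
            findings.append(Finding(emp["employee_id"], "NAME+DOB", r["EXCLTYPE"], r["EXCLDATE"]))
    return findings


def evidence_record(leie_text: str, roster_text: str, findings: list[Finding]) -> dict:
    """What goes in the compliance record: which file was screened, against how many staff, with what result."""
    return {
        "source_sha256": hashlib.sha256(leie_text.encode("utf-8")).hexdigest(),
        "staff_screened": sum(1 for _ in csv.DictReader(io.StringIO(roster_text))),
        "confirmed": [f.employee_id for f in findings if f.basis == "NPI"],
        "needs_verification": [f.employee_id for f in findings if f.basis == "NAME+DOB"],
    }


if __name__ == "__main__":
    found = screen(ROSTER_CSV, LEIE_CSV)
    print(evidence_record(LEIE_CSV, ROSTER_CSV, found))
```

On the constructed data, E100 is a confirmed hit on NPI, E101 is a name and date of birth hit that a person must verify before any action, and E102 is not reported because the LEIE row carries a reinstatement date. Keeping the file hash and the headcount screened in the record is what lets a surveyor confirm the monthly run actually happened against a specific LEIE release.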
The reader test is simple. When a TJC surveyor in Pennsylvania asks for the last three EOC rounds, the most recent grievance closed, the policy that governs medication reconciliation with its version history, and the CAPA from the last incident, an operator should answer in minutes, not days. That is what continuous readiness looks like in practice.
One more reason the work compounds: Joint Commission has described the new Continuous Engagement model as a shift away from the traditional episodic “survey-every-three-years” approach toward a continuous partnership for quality improvement. Operators who already run with live evidence will recognize the model. Operators still building binders in the final 90 days will not.
Frequently asked questions
What are the seven elements of an effective healthcare compliance program per the OIG?
OIG lists them as written policies and standards of conduct, a designated compliance officer and committee, effective training and education, effective lines of communication, internal monitoring and auditing, enforcement through publicized disciplinary guidelines, and prompt response with corrective action. The November 2023 GCPG kept all seven and added recommendations for annual internal risk assessments, quality of care as a component of the compliance program, and emphasis on board and executive leadership oversight.
Who owns compliance program management, the compliance officer, COO, or quality leader?
The compliance officer owns the program, with a charter and direct access to the board. OIG specifies the compliance officer should report either to the CEO with direct access to the board or directly to the board, have equal stature to other senior leaders, and serve as advisor to the CEO, the board and senior leaders. The COO owns the operations the program governs. The chief quality officer or clinical director owns quality of care evidence that now sits inside compliance under the GCPG. The right answer is shared accountability with one named owner per element, not a turf war.
How is healthcare compliance program management different from general GRC?
General GRC treats compliance as document control and controls mapping. Healthcare adds live clinical evidence: medication reconciliation records, EOC rounds, infection control logs, primary source verification, incident reporting, patient grievances, and CMS-specific Conditions of Participation. A general framework will not survive a TJC tracer, a CMS validation survey, and an OCR breach investigation in the same quarter. A healthcare-grade program will.
What evidence do CMS and Joint Commission surveyors actually ask to see?
Policies with version history and review dates, training attestations tied to roles, completed EOC and life safety rounds, infection control practices and competencies, medication management records, credentialing files with PSV, incident and grievance logs with closure documentation, mock survey results, and CAPAs with effectiveness checks. They look for daily operation, not a binder built last week.
How often should we test our compliance program, and what does a mock survey cover?
Annual risk assessment is the OIG floor. A meaningful mock survey runs at least once per accreditation cycle, with focused tracers in between. A real mock survey follows a patient through admission, assessment, treatment, medication, environment of care, infection control, documentation, and discharge, and ends with written findings, owners, deadlines, and effectiveness checks. Anything less is theater.
How big is False Claims Act exposure for healthcare right now?
DOJ reported that FCA settlements and judgments exceeded $6.8 billion in FY 2025, with more than $5.7 billion tied to the healthcare industry. Whistleblowers filed a record 1,297 qui tam suits, up from 980 the prior year, which means internal reporting channels and non-retaliation policies are no longer optional.
What changes January 1, 2026 under Joint Commission’s Accreditation 360?
Accreditation 360 launches first for hospitals and critical access hospitals. The Environment of Care and Life Safety chapters consolidate into a new Physical Environment chapter (roughly a 75% reduction in standards and EPs for that area), 14 National Performance Goals replace the prior NPSGs and other requirements, and the optional Continuous Engagement model adds voluntary touchpoints between triennial surveys. Core expectations do not change; the labeling, structure, and emphasis on outcomes do.
What is the average cost of a healthcare data breach, and why does it belong in the compliance program?
IBM’s 2024 Cost of a Data Breach Report put the healthcare average at $9.77 million, the costliest of any industry for the 14th year in a row. That puts HIPAA Security Rule safeguards, NIST SP 800-66 Rev. 2 implementation, and incident response squarely inside the compliance program rather than treated as a separate IT problem.
References
- HHS-OIG, General Compliance Program Guidance (November 2023)
- U.S. Department of Justice, False Claims Act Settlements and Judgments Exceed $6.8B in Fiscal Year 2025
- IBM, Cost of a Data Breach Report 2024
- The Joint Commission, Accreditation 360: The New Standard FAQs
- ASHE, Joint Commission Standards Receive Significant Updates (Accreditation 360, effective Jan 1, 2026)
- McDermott, Joint Commission Announces Key Accreditation Updates for 2026 (Continuous Engagement model)