Healthcare governance, risk, and compliance: an operator’s playbook for CMS, OCR, OIG, and Joint Commission readiness
May 29, 2026
What healthcare GRC actually is, in one paragraph
Healthcare governance, risk, and compliance (GRC) is the integrated discipline of board-level oversight, enterprise risk identification, and adherence to the regulators who actually show up: CMS through its Conditions of Participation and the state survey agencies that enforce them, the HHS Office for Civil Rights (OCR) on the HIPAA Privacy, Security, and Breach Notification Rules, the HHS Office of Inspector General (OIG) on the Seven Elements of an Effective Compliance Program, the Department of Justice on False Claims Act enforcement, the DEA on controlled substances and the FDA on drugs and devices, and accreditors such as The Joint Commission, DNV Healthcare, and HFAP. Operationalizing it means CCOs, COOs, and chief quality officers run policy management, incident and grievance tracking, credentialing and primary source verification, chart audits, environment of care rounding, emergency management drills, and corrective action plans out of one auditable command center. Five disconnected spreadsheets are not a GRC program; they are a slow-motion finding waiting for a surveyor to write it up.
The enforcement numbers operators should keep on the wall
The dollars tell you where regulators are spending their time. DOJ reported that False Claims Act settlements and judgments exceeded $2.9 billion in fiscal year 2024, and healthcare-related fraud accounted for roughly $1.68 billion of that total, the lion’s share. Anti-Kickback Statute (42 U.S.C. § 1320a-7b) and Stark Law (42 U.S.C. § 1395nn) cases continue to drive the biggest single settlements, including a $345 million Stark settlement tied to physician compensation above fair market value.
On the privacy side, OCR was busy. OCR received 30,256 new complaints in calendar year 2024 and resolved 785 breach investigations, issuing 22 financial penalties totaling roughly $9.9 million. The agency also opened its Risk Analysis Initiative in late 2024, an enforcement program aimed squarely at the Security Rule's risk analysis requirement, citing a 264% increase in large breaches involving ransomware since 2018. And the cost of getting it wrong has not gotten any easier on the budget: IBM's 2024 Cost of a Data Breach Report put the average healthcare breach at $9.77 million, the highest of any industry for the 14th consecutive year.
What the OIG and Joint Commission expect, in plain language
The OIG put out its first major update in 15 years on November 6, 2023. The General Compliance Program Guidance reframes the Seven Elements and adds something operators should not skim past: the compliance committee should conduct an annual risk assessment, and the board should actively oversee the program. As Crowell & Moring summarized, the OIG calls for compliance officers to report directly to the CEO with access to the board, with quality of care folded into the compliance program rather than parked in a separate silo.
The accreditors point at the same problem set from a different angle. The Joint Commission published the top five most frequently non-compliant requirements in the higher SAFER Matrix categories from 2023 surveys, led by IC.02.02.01, EP 2: infection prevention and control activities, including intermediate and high-level disinfection of medical equipment. Environment of care, life safety, and suicide risk policies fill out the list. None of those are mysteries. They are documentation, rounding, and follow-through problems that show up because the evidence lives in too many places and the CAP never closed.
How operators actually run GRC as one program
An operator-grade GRC program treats the board’s risk register and the surveyor’s tracer methodology as two views of the same data. Here is how the surface area maps to what compliance officers, COOs, and chief quality officers own every day:
- Policy management. One library, version controlled, attested by the workforce, mapped to TJC, CARF, AAAHC, COA, and CMS Conditions of Participation.
- Incident and grievance tracking. Every patient grievance and every incident report routes to root cause analysis and, where needed, a CAP with an owner and a close date.
- Credentialing and primary source verification. PSV completed before privileges are granted, re-credentialing on cycle, and the OIG List of Excluded Individuals/Entities (LEIE) checked at hire and monthly thereafter, because OIG refreshes the list monthly. Screen on NPI where one exists; a name-only hit on a common name is a lead to verify against DOB or SSN before anyone is removed from the schedule, not a conclusion.
- Chart audits. Sample by service line, score against the standard, feed the findings back into education and the CAP queue.
- Environment of care and emergency management. EOC rounding logs, OSHA Bloodborne Pathogens Standard (29 CFR 1910.1030) compliance, and EM drills under the CMS Emergency Preparedness Rule at 42 CFR § 482.15.
- HIPAA Security Rule risk analysis. Required by 45 CFR § 164.308(a)(1)(ii)(A); run it at least annually and after any material change to systems or workflows, document it, and tie risk management actions under § 164.308(a)(1)(ii)(B) to each finding, following NIST SP 800-66 Rev. 2. A risk analysis with no linked remediation record is the gap OCR's Risk Analysis Initiative is built to find.
- Corrective action plans. A live CAP register with owners, due dates, and evidence of closure. Open CAPs are the single best leading indicator of survey risk.
The Joint Commission’s own guidance frames it well. Joint Commission Standard LD.03.01.01, EP 4 states, “Leaders develop a code of conduct that defines acceptable behavior and behaviors that undermine a culture of safety.” Boards and senior leaders own the tone. The platform makes the evidence findable on survey day.
This is what we mean by a command center. The CCO sees CAP closure rates. The COO sees EOC rounding completion. The chief quality officer sees chart audit pass rates by service line. The board sees one risk dashboard that ties HIPAA, fraud and abuse, accreditation, and patient safety together. One source of truth, continuously ready.
Frequently asked questions
What are the OIG’s seven elements of an effective compliance program?
Written policies and procedures including a code of conduct; a designated compliance officer and compliance committee; effective training and education; effective lines of communication including a confidential reporting mechanism; enforcement of standards through well-publicized disciplinary guidelines; internal monitoring and auditing; and prompt response to detected offenses with corrective action. The 2023 General Compliance Program Guidance adds annual risk assessments and explicit board oversight expectations.
How is GRC different from traditional healthcare compliance?
Traditional compliance often lives inside the compliance office as a separate function. GRC pulls governance (the board), risk (enterprise risk register, including clinical, financial, cyber, and accreditation), and compliance (regulator and accreditor adherence) into one program with shared evidence. The OIG explicitly integrated quality of care into compliance in 2023, which closes the historical gap between the CCO and the chief quality officer.
Who owns GRC in a healthcare organization, the board, the CCO, or the COO?
The board owns oversight. The CEO owns the program. The CCO runs it day to day and reports directly to the CEO with access to the board. The COO owns operational execution: environment of care, emergency management, incident and grievance workflows, credentialing turnaround. The chief quality officer owns clinical chart audit results and patient safety outcomes. The platform is what keeps all four roles looking at the same evidence.
What are the most common Joint Commission findings tied to weak governance?
Infection prevention and control (IC.02.02.01, EP 2), environment of care and life safety standards, medication management, and suicide risk policies (NPSG.15.01.01) consistently land in the higher SAFER categories. The pattern is usually the same: the policy exists, the evidence of consistent execution does not.
How do you measure GRC program maturity for board reporting?
Five operator metrics work well: CAP open vs. closed counts with average days to close, percentage of policies attested by the workforce within the current cycle, credentialing and PSV turnaround time, EOC rounding completion rate, and HIPAA Security Rule risk analysis status with documented remediation. Trend each one quarterly. Boards understand trend lines.
References
- U.S. Department of Justice. False Claims Act Settlements and Judgments Exceed $2.9 Billion in Fiscal Year 2024.
- HHS Office of Inspector General. General Compliance Program Guidance (November 2023).
- HHS Office for Civil Rights. Resolution Agreements and Civil Money Penalties.
- HHS Office for Civil Rights. Reports to Congress on HIPAA Compliance and Data Breaches, 2024.
- The Joint Commission. Top Five Most Frequently Non-Compliant Requirements, 2023.
- IBM and Ponemon Institute. Cost of a Data Breach Report 2024, healthcare findings.
- HHS Office for Civil Rights. Risk Analysis Initiative, enforcement actions summary.
- Federal Register. CMS Emergency Preparedness Rule, 42 CFR § 482.15.