Over the past years, the global healthcare industry has witnessed substantial regulatory pressure. In a recent survey by the Deloitte Center for Health Solutions, 45% of healthcare executives reported that regulatory uncertainty is likely to influence their strategies in 2025. With regulatory changes expected to intensify, 63% of health plan respondents revealed they are prioritizing compliance strategies this year — including federal, state, and local compliance.
Overseeing compliance strategies is part of the role of the board of directors. Directors are expected to ensure adequate resources for compliance programs are provided, and that their facilities are delivering utmost healthcare services. While obligations may differ between healthcare facilities, being informed of the recent and upcoming compliance priorities is imperative.
What is Compliance in Healthcare: Enemy or Ally?
Non-compliance in healthcare comes with varying consequences — depending on the nature of the infractions or obligations of the entity or individual. These often result in operational disruption, data breaches, and even chances of misdiagnosis or inappropriate health treatment.
That said, understanding compliance laws and regulations is more important than ever. In Convene’s 2024 webinar, “Collaborate, Innovate, Dominate: Mastering the Boardroom”, it was emphasized, “Compliance can be viewed as an enemy or an ally. The first is a fight, and the second is embracing and looking for unexpected opportunities.”
This highlights two contrasting approaches to regulatory adherence. When compliance is seen as an enemy, it tends to produce a reactive, adversarial relationship with regulations and, eventually, only minimal compliance. Treating it as an ally, by contrast, encourages a proactive attitude toward complying with laws and finding opportunities for improvement. In short, boards must adopt a forward-looking perspective on compliance.
Top 5 Healthcare Regulatory Compliance Priorities for Boards in 2025
From increasing regulatory scrutiny to changing patient expectations, healthcare boards face new compliance challenges every year. In 2025, five critical compliance priorities require more attention than others.
1. Anti-Kickback Statute and Stark Law
In November 2024, the US Department of Justice (DOJ) announced a $1.3 million settlement agreement with a Florida ophthalmology practice to resolve allegations of kickbacks and false claims for transcranial doppler (TCD) ultrasounds. Such fraudulent claims are textbook examples of violations of the Anti-Kickback Statute and the Stark Law.
The Anti-Kickback Statute is a criminal law that prohibits the exchange of anything of value in return for referrals. It applies to all medical providers in a position to make referrals for “any item or service for which payment may be made in whole or in part under a Federal health care program.”
In other words, the statute’s provisions are violated when a medical item or service is knowingly and willfully offered with the intent to induce referrals. Violations can result in felony charges with fines of up to $100,000 per kickback and exclusion from participating in Medicare, Medicaid, and other federal healthcare programs.
The Stark Law, on the other hand, is a strict liability law that prohibits physicians from making improper referrals for designated health services payable by Medicare or Medicaid. Such designated health services include prescription drugs, hospital services, lab testing, and medical equipment.
Unlike the AKS, the Stark Law does not require proof of intent to induce referrals. Violators can face fines of up to $15,000 for each provided service and $100,000 for circumvention schemes. They are also required to refund any Medicare or Medicaid funds received for services.
How to stay compliant?
Keeping watch on financial misconduct in physician referrals and service arrangements is one way to prevent violations of the Anti-Kickback Statute and Stark Law. A healthcare board should ensure all physician and vendor contracts are reviewed, preventing improper inducements. Mandating periodic audits of financial relationships is another way to ensure compliance with safe harbor provisions and Stark Law exceptions.
2. Health Insurance Portability and Accountability Act (HIPAA)
The healthcare industry was one of the top targets of cyberattacks in 2024. Some cases include ransomware attacks, phishing campaigns, and supply chain attacks. According to the HIPAA Journal, more than 600 data breaches of 500+ healthcare records were reported in the same year.
In December 2024, the HHS’ Office for Civil Rights (OCR) issued its first update to the HIPAA Security Rule since 2013 — strengthening cybersecurity protections for electronic protected health information (ePHI). This update, following the publication of a Notice of Proposed Rulemaking (NPRM), incorporates key provisions from the HIPAA Privacy Rule changes made to strengthen reproductive health care privacy.
The final rule, released on January 6, 2025, includes the publication of voluntary cybersecurity best practices and strategies for stronger cybersecurity enforcement. Compliance with HIPAA is also required for third-party vendors that handle protected health information (PHI). These may include contractors, IT specialists, accountants, lawyers, and so on.
HIPAA violations can result in civil or criminal penalties, each with tiers based on the violation’s severity. For instance, civil fines go up to $2,134,831 per violation, while the maximum criminal penalty is up to 10 years in prison. Beyond such penalties, non-compliance can have cybersecurity consequences, including data breaches and ransomware attacks that endanger patient care and disrupt operations.
How to stay compliant?
Compliance with HIPAA requires proper security of patient health information. This can be done by implementing annual penetration tests and threat detection systems to safeguard ePHI. It is also ideal to conduct regular privacy audits of access logs, data-sharing practices, and third-party vendor security measures. Role-specific HIPAA training can also keep employees aware of the importance of safeguarding patient data.
3. False Claims Act (FCA)
Introduced in 1863, the False Claims Act (FCA) was enacted “to prevent and punish frauds upon the Government of the United States”. This civil enforcement statute uses a “qui tam” provision, allowing private citizens to file lawsuits against fraudulent contractors on the government’s behalf and receive a portion of the recovered funds.
The FCA also targets contractors who neglect to return overpayments from Medicare and Medicaid. Under the False Claims Act, civil penalties per violation range from $13,946 to $27,894, and are adjusted annually for inflation.
In December 2024, New York-based health insurer Independent Health agreed to pay up to $98 million to settle allegations that it submitted false diagnoses to Medicare to inflate payments. In a press release, the US Department of Justice (DOJ) accused the insurer of creating a subsidiary — DXID LLC — to retroactively search medical records and query physicians for diagnoses. This fraudulent activity to benefit from federal programs is a clear violation of the False Claims Act.
A similar case occurred at the start of 2024, when a Florida cancer treatment and research center paid $19.5 million to resolve allegations that it improperly billed federal healthcare programs for patient care items and services.
How to stay compliant?
Appointing a compliance officer to oversee billing practices and conduct reviews to detect discrepancies is an effective way to prevent fraudulent claims. Healthcare boards must also consider having a whistleblower system to encourage employees to report suspected violations. For proper review of billing policies, hiring external legal counsel periodically can be an option.
4. OSHA Standards
In 2024, the Occupational Safety and Health Administration (OSHA) announced that they would be releasing a proposed standard on workplace violence prevention in healthcare facilities. This will apply to work performed in hospitals, medical centers, mental health centers, nursing homes, residential treatment centers, and private homes with home health aides on duty.
The proposed rule may require healthcare employers to develop a written workplace violence prevention policy, perform regular hazard assessments, and take steps to mitigate identified hazards. As OSHA defines it, workplace violence refers to “any act or threat of physical violence, harassment, intimidation, or other threatening disruptive behavior that occurs at the work site.”
Penalties for non-compliance depend on the type of violations, as classified by OSHA. These include:
- “Other-than-serious” violations — Unlikely to cause death or serious physical harm.
- “Serious” violations — There’s a probability that death or serious physical harm could result from a hazard.
- “Willful” violations — Intentional or knowing violations of OSHA standards.
- “Repeat” violations — Those similar to previous violations for which the employer has been cited previously within the last three years.
Fines will depend on the type of violation and the employer’s history of compliance. On average, fines per violation can reach up to $70,000.
How to stay compliant?
Any healthcare setting must develop a proactive safety culture that involves employee feedback mechanisms for reporting hazards and unsafe practices. To better ensure OSHA compliance, schedule regular facility inspections on PPE use, ergonomic practices, and hazard labeling. In addition, boards should establish and oversee emergency preparedness plans to address workplace violence and chemical or biological hazards.
5. Emergency Medical Treatment and Labor Act (EMTALA)
Under the Emergency Medical Treatment and Labor Act (EMTALA), everyone has the right to access emergency services, regardless of their ability to pay. This means patients must receive a proper medical screening exam and stabilizing treatment, or a hospital transfer if needed.
EMTALA exists to prevent hospitals that receive Medicare funding from refusing treatment to patients with emergency medical conditions. Improper transfer before stabilization and inducing patients to leave the hospital are also prohibited.
Enforcement of the act was reinforced last year when the HHS and the Centers for Medicare & Medicaid Services (CMS) published public resources on EMTALA requirements. CMS also revealed that it is partnering with hospital and provider associations to share training materials and best practices, helping hospitals meet their EMTALA obligations.
On January 10, 2025, the Catholic Medical Association, represented by Alliance Defending Freedom lawyers, filed a lawsuit against the Biden administration. The lawsuit challenges the administration’s interpretation of EMTALA, arguing it compels doctors to perform abortions, even when state laws prohibit them.
According to Biden’s administration, the EMTALA grants them authority to override state pro-life laws. The ADF, however, contends that EMTALA does not mandate abortions as they are not considered life-saving treatments in all cases.
This case illustrates the ongoing uncertainty facing healthcare providers as they navigate the intersection of state laws, federal directives, and ethical obligations, and underscores the need for clear guidelines and balanced policies in 2025 and beyond.
How to stay compliant?
To promote EMTALA compliance, boards may require quarterly reviews of Emergency Department (ED) practices to ensure proper screening, stabilization, and transfer procedures. Boards should also require post-incident reviews to investigate patient grievances or disputes related to ED services, so that corrective actions can be taken to avoid repeat violations.
Building a Culture of Healthcare Compliance: How Convene Empowers Boards
Healthcare compliance is more than adhering to regulations; it’s about creating a foundation of trust that drives organizational success. As highlighted in the Convene webinar, “Compliance is a matter of trust at the end of the day. It ultimately ends up being an internal trust matter, and an external trust matter with regulatory agencies and others that have a say and a stake in how we organize and run our businesses.”
This dual role of compliance — forging trust internally and externally — is key to building a culture of integrity, transparency, and accountability that benefits both employees and the communities they serve.
As healthcare settings evolve, compliance must remain at the forefront of organizational priorities. However, achieving compliance in a fast-changing regulatory landscape requires more than good intentions — it demands effective communication, informed decision-making, and robust, modern tools.
Effective communication, for one, helps foster a shared understanding of compliance obligations across all levels. On the other hand, informed decision-making enables leadership to proactively address risks and maintain a resilient compliance framework. Lastly, modern tools (e.g. compliance or board management software) can streamline monitoring, reporting, and training processes. This allows organizations to stay ahead of regulatory changes.
The Future of Compliance Starts with Convene
Besides being a regulatory obligation, compliance acts as a cornerstone of trust and ethical governance. Convene, a leading board portal, is designed to help boards turn compliance from a challenge into an opportunity.
Built on industry-leading security standards, Convene offers no-fail board confidentiality and regulatory compliance. Address threats across all attack surfaces with Convene’s security features — role-based access control, multi-factor authentication, document multi-level encryption, advanced password policies, and more.
Beyond security, Convene also provides boards with the tools to collaborate on organization policies and decision-making. With its pre- to post-meeting capability, boards get access to real-time document editing and sharing, secure video conferencing, and hassle-free signing workflow. Voting and approvals are made easier with users being able to record, track, and archive resolutions for better board transparency. Learn more about Convene’s other features here.
Ready to transform how your healthcare board manages compliance? Book a demo with our team now!
Jielynne is a Content Marketing Writer at Convene. With over six years of professional writing experience, she has worked with several SEO and digital marketing agencies, both local and international. She strives to craft clear marketing copy and creative content for Convene’s various platforms, such as the website and social media. Jielynne displays a decided lack of knowledge about football and calculus, but proudly aces literary arts and corporate governance.