Healthcare compliance challenges are constantly evolving, but two issues are always of concern: healthcare fraud and data privacy. Both need constant attention and a substantial amount of compliance resources.

Fraud allegations in billing are more common than ever before, says C. Timothy Gary, JD, an attorney with the Dickinson Wright law firm in Nashville, TN.

With the advent of the Affordable Care Act and the enhanced remedies for fraud, it seems like every billing dispute raised by governmental auditors or commercial payers begins with the words “credible allegations of fraud” to enhance the leverage on the payer side, Gary says.

HIPAA’s Move to the Information Age

“Healthcare providers need to be more proactive than ever in putting compliance protections in place. They should regularly conduct penetration testing on their electronic data and operations systems,” Gary says.

“Also, they need to pay special attention to billing issues. They can have outside firms conduct billing audits utilizing the same protocols employed by CMS/OIG and their auditors. Best practices would dictate having these tests conducted at the direction of legal counsel by outside consulting companies so that the results remain privileged if problems are discovered.”

For HIPAA, the healthcare world has moved into the information age, with vast amounts of protected health information (PHI) being stored electronically and the constant battle between information security systems and hackers who either want to steal data or hold it for ransom, he notes. As more PHI is stored electronically, risk managers must devote more resources to protecting it, he says.

Balancing Compliance With Existing Laws

That task becomes even more important as data privacy is becoming increasingly regulated, explains Kirk J. Nahra, JD, partner with the law firm of Wiley Rein in Washington, DC.

“In the United States, we are seeing new challenges from a California state law, which is creating both substantial compliance challenges and is motivating entities at other levels, including other states and the federal government, to evaluate whether additional privacy laws are appropriate,” Nahra says. “Healthcare companies also have to balance compliance with a wide range of existing laws, which often create overlapping and sometimes inconsistent obligations.”

These challenges are particularly difficult for some kinds of new technologies where the application of today’s regulations is entirely unclear, Nahra says. There also are new compliance challenges when concepts of health broaden to include social determinants of health.

The healthcare industry also is seeing ongoing compliance challenges for companies in connection with data security and cybersecurity. There is a widespread view among regulators, consumers, and others that the healthcare industry is not strong enough on security protections, he says.

“Whether you agree or not, it is clear that there are tremendous challenges to stay at or ahead of the curve, as technology changes and hackers and others become more sophisticated. We also are seeing related challenges because of increasing technological and operational entanglements in the healthcare industry between different entities,” Nahra says.

“All of these entanglements create security risks, and the industry is trying to change how healthcare is provided while keeping these security risks to a manageable level.”


• C. Timothy Gary, JD, Dickinson Wright, Nashville, TN. Phone: (615) 780-1105. Email:

• Kirk J. Nahra, JD, Partner, Wiley Rein, Washington, DC. Phone: (202) 719-7335. Email: