Health Care Compliance in 2026: What Compliance Leaders Need to Know
PYA and Foley & Lardner hosted the 8th Annual “Let’s Talk Compliance” conference on January 22, 2026. Panelists included Foley attorneys and PYA subject matter experts. The event was hosted by Foley partner, Jana Kolarik, and PYA consulting principal, Angie Caldwell. Below are key takeaways from session 1. The recorded session and presentation can be accessed here.
The compliance story for 2026 is not a “return to normal.” It’s an acceleration. Across civil and criminal enforcement priorities, program integrity audits, and provider compensation scrutiny, the throughline is clear: regulators are prioritizing fraud prevention, expecting stronger internal controls from providers, and deploying more coordinated and sophisticated tools to detect outliers and pursue recoveries. At this recent webinar, experts from Foley & Lardner and PYA outlined where government focus is directed and what health care organizations can do to stay ahead.
False claims enforcement will remain a key priority.
The Department of Justice (DOJ) reported that False Claims Act (FCA) settlements and judgments reached the highest single-year total in the statute’s history in 2025, with no signs of slowing in 2026. Whistleblower activity remains pervasive and government resourcing translates into higher enforcement volume, meaning that organizations should plan for sustained scrutiny.
The DOJ-HHS FCA Working Group’s focus areas are a roadmap for enforcement risk.
The DOJ-Department of Health and Human Services (HHS) FCA Working Group has called out focus areas including Medicare Advantage (MA), kickbacks, pricing issues, barriers to patient access, materially defective medical devices impacting patient safety, and manipulation of Electronic Health Records (EHR) systems to drive inappropriate utilization. Providers, payors, and life sciences companies should update their compliance risk assessments to explicitly map controls to these categories.
OIG funding signals stronger enforcement and rising program integrity pressures.
Federal enforcement priorities are backed by substantial resources, with HHS-Office of Inspector General (OIG) requesting more than $450 million for Fiscal Year 2026 and identifying $50 billion in potential savings through payment recovery and program improvements. OIG is amplifying its focus on cost savings through audits and evaluations that identify large-scale payment vulnerabilities and improvements to the program. For organizations, especially those heavily reliant on Federal health care program reimbursement (e.g., Medicare, Medicaid, MA, Medicaid managed care, Tricare), OIG work plans can foreshadow where audits and extrapolated overpayment demands may land next.
Corporate Integrity Agreements (CIAs) will continue to expand in scope and influence compliance expectations.
CIAs are becoming more structured and expansive with broader review requirements that now commonly include focused arrangements (i.e., certain types of arrangements that present high risk, such as those with referral sources), claims analyses, and health information technology (HIT) components. This scope reflects OIG’s expectations for robust auditing, monitoring, documentation, and escalation protocols. Even if organizations are not under a CIA, the “CIA standard” is likely to become the community standard for what robust compliance looks like, raising the bar for what regulators view as adequate oversight and internal controls – and a potentially mitigating factor for the provider when something goes awry.
UPIC audit activity remains high, underscoring the need for strong response plans.
Unified Program Integrity Contractor (UPIC) audits remain active, targeting areas like high-level Evaluation & Management (E/M) codes; remote monitoring services, including remote physiologic monitoring (RPM) and remote therapeutic monitoring (RTM); care management services, such as chronic care management (CCM) and principal care management (PCM); extended institutional stays that may not be medically necessary; and urine drug screens. Because UPIC actions can lead to payment suspensions and assessed overpayments, organizations must maintain strong documentation and a clear appeals strategy. Audit readiness should include technical coding accuracy, disciplined documentation, informed governance and oversight, and a playbook for escalation and appeals.
Stark Law Group Practice Standards continue to pose provider compensation compliance risks.
Physician organizations will continue to face compliance risk under the strict liability framework of the Federal Physician Self-referral Law (commonly known as the Stark Law) and its Group Practice Standards with regard to the In-Office Ancillary Services Exception (IOASE). Entities need to ensure that they are structured to comply with all nine (9) standards of the Group Practice Standards at inception and on a continuing basis. Entities may consider the Stark employment exception if compliance with Group Practice Standards/IOASE is not viable.
Compensation oversight will be critical to mitigate Stark Law and AKS risk.
Strong compensation oversight requires consistent annual reviews, clear thresholds tied to organizational risk tolerance, and transparent processes that reinforce Stark Law and Federal Anti-Kickback Statute (AKS) compliance. When thresholds signal potential issues, organizations need a structured response plan that accounts for investigations, communication, and potential disclosure, as well as contract terms that allow fair market value (FMV) corrections. Without disciplined oversight, even small operational gaps, such as miscalculated wRVUs, unclear contracts, or misaligned pay structures, can escalate into significant regulatory and financial risk exposure.
In an environment where enforcement activity continues to accelerate, the most effective compliance strategy remains straightforward: prevention. A well-structured compliance program, scaled appropriately, supported by routine risk assessments, adequately staffed, and reinforced through ongoing auditing, monitoring, and governance, continues to be the strongest defense against financial, operational, and reputational risk. By investing in strong foundations now, providers can reduce exposure, respond more confidently when issues arise, and build the resilience needed to navigate the regulatory pressures ahead.
FAQ
What are the biggest health care compliance trends to watch in 2026?
Regulators are accelerating enforcement across the FCA, program integrity audits, and provider compensation arrangements. Agencies are prioritizing fraud prevention, demonstrating an expectation for stronger internal controls, and relying upon data-driven tools that allow the enforcers to identify outliers more efficiently.
Why is FCA enforcement expected to remain strong?
The DOJ reported record FCA settlements and judgments in 2025, and staffing and resources remain high going into 2026. With ongoing whistleblower activity and expanded government capabilities, providers should expect continued scrutiny and sustained enforcement volume.
What is the DOJ-HHS FCA Working Group focusing on in 2026?
Key focus areas include Medicare Advantage, kickbacks, pricing practices, patient access barriers, defective medical devices, and manipulation of EHR systems. Organizations should align internal controls and risk assessments to these priorities.
How does OIG’s increased funding impact compliance risk?
HHS-OIG’s requested budget for FY 2026 exceeds $450 million, paired with a publicly stated goal of driving $50 billion in savings through recovery and program improvements. This means more audits, more data analysis, and greater likelihood of extrapolated overpayment demands.
How are CIAs changing?
CIAs now include broader review requirements, such as focused arrangements reviews for high-risk arrangements (such as those with referral relationships), claims analyses, and HIT-related oversight. Even for organizations not under a CIA, these standards increasingly define what regulators view as a robust compliance program.
What areas are UPIC audits targeting in 2026?
UPICs continue to focus on high-level E/M coding, RPM/RTM, CCM/PCM, extended hospital stays, and urine drug screens. Because UPIC findings can lead to payment suspensions and overpayments, strong documentation and a clear appeals strategy are essential.
Why do the Stark Law’s Group Practice Standards continue to present compliance risk?
Stark Law’s strict liability structure and the complexity of the Group Practice Standards (in connection with the In-Office Ancillary Services Exception) make compliance challenging. Organizations may need to evaluate alternative Stark Law exceptions (e.g., the employment exception) if consistent adherence is not feasible.
What are best practices for compensation governance in 2026?
Effective governance includes (at least) annual compensation reviews for physician and other referral source arrangements, clearly defined thresholds, transparent processes, and contract terms that permit FMV adjustments. Proactive oversight helps prevent issues tied to miscalculated wRVUs, unclear contract terms, or misaligned pay structures.
How can organizations strengthen their overall compliance posture?
A strong compliance foundation remains the most effective risk-mitigation and avoidance tool. Key elements include routine risk assessments, adequate staffing, disciplined auditing and monitoring, timely investigations, and governance structures that show compliance is fully integrated into operations.
What should compliance leaders prioritize to stay ahead of enforcement trends?
Compliance leaders should focus on prevention: validating compensation practices, preparing for audits, mapping controls to DOJ-HHS focus areas, and monitoring OIG work plans for early indicators of enforcement direction.