False Claims Act recoveries and whistleblower numbers point to something deeper than individual enforcement actions. The experts CCI contributing writer Trevor Treharne spoke with say the pattern isn’t a lack of compliance programs in healthcare; it’s programs designed to survive audits rather than shape behavior. A proposed HIPAA rule would eliminate the last major workaround organizations have used to avoid implementing certain security controls, the DOJ has centralized cross-agency fraud coordination, and employees who felt ignored internally are increasingly carrying their concerns elsewhere.
Federal and state regulations require every healthcare organization in the US to maintain a compliance program. Their failures have never cost so much.
In FY 2025, the government recovered a record $6.8 billion through the False Claims Act, with $5.7 billion of that from healthcare alone. Whistleblower filings hit 1,297, a 32% increase over the previous record.
The enforcement pressure is coming from every direction: the Office for Civil Rights is citing the same risk analysis failures it has flagged for years, states are issuing six-figure mental health parity fines, and a proposed HIPAA security rule expected mid-2026 would eliminate the distinction between “addressable” and “required” controls entirely.
Organizations need to reframe the conversation, said Gerry Zack, a board member of the Health Care Compliance Association (HCCA) and the Society of Corporate Compliance and Ethics (SCCE).
“Risk awareness needs to begin at the top, and risk management needs to be an ongoing process that gets built into an organization’s culture,” Zack told CCI. “Part of this is our own fault. We’ve allowed the understanding of risk to be framed around avoidance. Risk should be viewed as a necessary element of accomplishing our goals, much like having a good steering system is essential to successfully driving a car.”
Designed for audit, not for operations
When Shannon Sumner, a healthcare compliance consultant at PYA, assesses an organization’s compliance program, she looks for one thing first: observable cultural impact.
“The clearest sign of a program that exists only on paper is whether it genuinely shapes the organization’s behaviors and culture,” she said. “A meaningful compliance program should be responsive to the rapid changes in healthcare. It’s essential to examine whether policies, procedures and training align with current practices or if they are overly complex and hard to follow, making them less effective in guiding real-world actions.”
The gap shows up in enforcement, too. Organizations invest in written policies, training modules and annual risk assessments that satisfy an auditor. But the DOJ evaluates something different: whether the program actually influences how people behave.
Debbie Troklus and Sheryl Vacca, both board members of HCCA/SCCE, have watched this pattern repeat.
“Usually, it isn’t until they get into trouble that an organization will ramp up their compliance program,” they said in a written Q&A with CCI. “When the issues go away, it can be combined for ‘efficiency’ and loses the purpose and focus of the compliance program. When repeated issues occur, eventually the compliance program loses its credibility.”
The recovery figures tell a story that goes beyond individual enforcement actions. Healthcare has held the top spot in FCA recoveries for years, and the reasons are structural.
“Healthcare submits more claims for payment than any other sector I can think of, so the potential for false and fraudulent claims is greater, healthcare is approximately 18% of the GDP, and patients’ lives are involved,” said Rachel V. Rose, a Houston-based healthcare attorney.
Why employees are going outside
The 1,297 qui tam filings in FY 2025, a 32% increase over the previous record, represent more than an enforcement statistic. Qui tam provisions allow private whistleblowers to file lawsuits on behalf of the federal government and share in any recovery.
Jane Yoon, co-chair of the data privacy and cybersecurity practice at Paul Hastings, sees a clear signal that points to internal dysfunction.
“This increasing volume confirms what many compliance officers already know: Many relators reported internally first and then turned to government channels after they felt their reports went unaddressed or were minimized, or worse, if they felt retaliation,” she said. “That pattern indicates opportunities to improve reporting, communication and internal investigation systems.”
For compliance professionals, the filing volume is a measure of how much trust employees place in internal reporting systems.
“Many employees report internally first, often more than once,” Rose said. “It is when they are ignored or retaliated against that they seek outside counsel. Most people don’t rush into becoming whistleblowers.”
Zack identified three distinct trust failures that drive employees to bypass internal channels: “A lack of trust that reporters won’t be retaliated against, a lack of trust in the investigative process, and a lack of trust that management will do anything about the problem. None of these issues are new, yet they continue to plague most internal reporting systems, perhaps even more than ever.”
It’s worth noting that qui tam provisions themselves face an active constitutional challenge. A federal district court in Florida ruled them unconstitutional in 2024, the 11th Circuit heard oral argument on appeal in December 2025, and Eli Lilly has petitioned the Supreme Court to take up the question.
The reporting structure question
The 2023 HHS OIG general compliance program guidance recommends that compliance officers maintain a direct reporting line to the board or CEO, independent of legal counsel.
In practice, the structure remains contentious.
“I think that an unimpaired reporting line is still uncommon,” Zack said. “And by unimpaired, I mean that reporting to the board should not be complicated by legal’s control over budgeting, hiring and key aspects of operational decision-making. This undermines everything the compliance officer tries to do, including building trust in the internal reporting system.”
Sumner offered a more nuanced view.
“In many cases, compliance reports to legal for administrative purposes but maintains a direct reporting line to the board,” she said.
Common compensating controls in this structure include documented reporting processes, optional sessions with the board and CEO without management, a compliance committee charter that allows engagement with outside counsel and sufficient time for compliance presentations, Sumner said.
Still, what matters is whether the structure functions, Sumner said: “Regulators will test whether reporting relationships work in practice and not just on paper.”
The HIPAA rule that ends the workaround
The proposed HIPAA security rule updates eliminate the “addressable” versus “required” distinction that has allowed organizations to document why they chose not to implement certain controls.
“This shift carries meaningful legal and operational implications,” said Michelle Reed, co-chair of Paul Hastings’ data privacy and cybersecurity practice. “Organizations will need to revisit prior risk analyses and documented justifications for not implementing certain controls that were considered ‘addressable,’ as those justifications may no longer suffice under the proposed ‘required’ standard. From an enforcement standpoint, the change is likely to provide regulators with a more straightforward basis for assessing violations, potentially increasing exposure.”
Sumner was direct about how the sector has treated the distinction.
“‘Addressable’ does not mean ‘optional,’ though some organizations have interpreted it that way,” she said. “With the increasing frequency and complexity of cyber attacks, risk-based reasoning for not implementing fundamental security measures, such as encryption at rest or multi-factor authentication, is no longer acceptable.”
Sharona Hoffman, a professor at Case Western Reserve University School of Law who has written extensively about HIPAA enforcement, supported the change in principle but cautioned against treating it as a comprehensive fix.
“I think removal of the distinction is a good idea. It will clarify that none of the implementation specifications are optional,” she said. “However, this is not a comprehensive fix to the HIPAA compliance problem.”
What operational compliance actually looks like
The question for the sector is what the alternative looks like in practice.
Zack argued the shift starts with how organizations think about risk itself.
“Once this culture shift occurs, transitioning from the dreaded annual risk assessment to a process that is more continuous in nature and embedded in operations becomes feasible,” he said.
Yoon pointed to what regulators are now expecting. Prosecutors, she noted, have increasingly asked companies about their own data mining and analytics efforts, and “compliance officers need to be prepared to explain how issues were identified, or missed, and once found, how they responded to these internal indicators.”
The consequences of that gap are already visible. In February 2025, Health Net Federal Services and parent company Centene paid $11.2 million to settle allegations that the TRICARE contractor had ignored reports from both third-party security auditors and its own internal audit department flagging cybersecurity failures, while continuing to certify compliance to the government.
Troklus and Vacca said the accountability has to come from the top.
“Culture change requires that boards take control of oversight for the compliance program and hold management accountable,” they wrote.
Boards need to be engaged and support the compliance function through appropriate resources, including data analytics capabilities, dedicated compliance budgets and access to outside resources when needed, Sumner said, adding that genuine redesign requires investment in both security and compliance functions. Organizations should thoroughly test how systems would perform during a cyber incident, Sumner said, noting that the new HIPAA requirements will demand documented evidence that risk analysis drives remediation — not just risk identification.
The enforcement data suggests the sector is running out of time to make the shift. With the DOJ’s new National Fraud Enforcement Division centralizing cross-agency coordination, the proposed HIPAA rule eliminating the last major workaround and qui tam filings signaling that employees have lost patience with internal channels, organizations still treating compliance as a documentation exercise are building a record that regulators will eventually read — and they may not like what they see.


Trevor Treharne is a contributing writer for Corporate Compliance Insights. He has also written for StrategicRISK and the Korea JoongAng Daily. 