Specializing in Healthcare Compliance
Compliance & Audit
Healthcare Compliance Is Not Optional—It’s Mission-Critical
If your organization delivers hospice, palliative, geriatric, skilled nursing, or specialized care for veterans, pediatrics, or individuals with disabilities, compliance is no longer a formality. It is the lifeline of your license, your funding, and your ability to operate.
Today’s post-acute care providers face unprecedented federal and payer scrutiny. If you bill Medicare, Medicaid, or commercial insurers, you are under direct oversight by CMS, HHS, OCR, and private payers—with zero tolerance for compliance lapses, delays, or documentation failures.
Failure is not hypothetical. It’s real. It’s accelerating. And it’s unforgiving.
What’s Required of You—Right Now. To protect revenue and maintain certification, providers must:
✅ Conduct documented Security Risk Analysis
✅ Achieve and maintain full HIPAA compliance
✅ Maintain audit-ready, defensible documentation
✅ Follow NIST, HITRUST, and healthcare-grade cybersecurity protocols
Why HCCP Exists
Healthcare Compliance Certification Professionals (HCCP) is the nation’s only concierge compliance firm focused solely on hospice and post-acute care. We work directly with your executive leadership, compliance officers, and MSPs to:
✅ Safeguard Medicare/Medicaid reimbursements
✅ Prepare for CMS, HHS, and third-party audits
✅ Align operations with HIPAA and Best Practices
✅ Conduct SRAs with enforceable corrective actions
✅ Protect your license and public trust
Noncompliance = Revenue Loss
This is not about checklists—it’s about survival. When compliance fails, consequences are immediate:
• Reimbursement suspensions
• Civil monetary penalties
• Involuntary Medicare/Medicaid termination
• Lawsuits, reputational damage, and operational shutdowns
Even a single outdated policy or incomplete risk assessment can trigger a full-scale audit and funding loss.
HCCP = Structure. Oversight. Results.
At HCCP, we don’t provide generic templates—we build compliance systems that stand up to real inspections.
We keep your organization:
✅ Structurally sound
✅ Audit-ready
✅ Revenue-secure
✅ Operationally resilient
HIPAA – Required
HIPAA: Two Core Rules Driving Compliance & Cybersecurity
- HIPAA Privacy Rule Governs the permissible uses and disclosures of PHI, ensuring patient rights and confidentiality.
- HIPAA Security Rule Requires Covered Entities and Business Associates to implement a comprehensive framework of safeguards for electronic PHI (ePHI):
✅ Formal risk assessments
✅ Strong controls and authentication
✅ Encryption of data in transit and at rest
✅ Defined incident response and breach
✅ Ongoing workforce training
✅ Written breach notification protocols
Your Risk Is Real. Your Response Must Be Decisive.
The failure to meet even one of these obligations can result in:
- Audit findings
- Funding suspension
- Civil monetary penalties
- Public breach notifications
- Termination from Medicare/Medicaid participation
At Healthcare Compliance Certification Professionals (HCCP), we don’t just identify gaps—we close them. We operationalize compliance, train your workforce, prepare your documentation, and ensure your organization is both audit-ready and breach-resilient.
CMS Safeguards – Required
Compliance Isn’t Optional—It’s a Federal Mandate
If your hospice organization receives reimbursement from Medicareor Medicaid, you are legally required to implement and maintain robust administrative, technical, and physical safeguards to protect Protected Health Information (PHI) and electronic PHI (ePHI).
These requirements are not advisory—they are binding conditions of participation under federal law.
CMS mandates strict compliance with:
- HIPAA Privacy, Security, and Breach Notification Rules
Regulating the use, disclosure, and safeguarding of patient health information. - The HITECH Act
Expands HIPAA by mandating breach notification, increasing federal enforcement authority, and authorizing tiered civil monetary penalties for noncompliance—up to $1.9 million per violation category, per year. - 42 CFR Part 2
Requires additional privacy protections for substance use disorder (SUD) treatment records—above and beyond standard HIPAA provisions—impacting many palliative and hospice care settings. - Periodic Security Risk Analyses (SRAs)
Required under HIPAA, the HITECH Act, and CMS's Promoting Interoperability program. These risk assessments must be current, documented, and address evolving cyber threats and system vulnerabilities.
CMS Reimbursement
What Medicare & Medicaid Require for Reimbursement:
Healthcare providers that bill Medicare or Medicaid must comply with strict federal standards established by the Centers for Medicare & Medicaid Services (CMS), the U.S. Department of Health and Human Services (HHS), and the Office for Civil Rights (OCR). These requirements are not suggestions—they are legal obligations tied directly to your eligibility for reimbursement.
What’s at Stake: Penalties, Enforcement & Funding Risk
Noncompliance is more than a paperwork issue—it is a regulatory violation with serious financial and operational consequences. Providers that fail to meet federal compliance requirements face:
- Civil Monetary Penalties (CMPs) issued by HHS OCR
- Loss of Medicare and Medicaid eligibility
- CMS or state recoupment of previously paid claims
- Mandatory breach notifications and public reporting
- Damage to organizational reputation and trust
- Corrective Action Plans (CAPs) and heightened audit oversight
Core Compliance Requirements
✅ HIPAA Compliance (Mandatory)
HIPAA is a federal condition of participation in all Medicare and Medicaid programs. To remain eligible, providers must:
- Safeguard Protected Health Information (PHI/ePHI)
- Implement administrative, physical, and technical controls
- Maintain privacy, security, and access control policies
- Conduct and document a current Security Risk Analysis (SRA)
✅ Security Risk Analysis (SRA) (Mandatory)
A properly documented SRA is a non-negotiable requirementunder both the HIPAA Security Rule and CMS Promoting Interoperabilityprograms. Every provider must:
- Identify and assess risks to patient health data
- Implement risk mitigation and remediation plans
- Show proof of annual review and continuous security improvement
Failure to complete an SRA can lead to denied incentive payments, audit findings, and sanctions.
✅ HITECH Act Compliance (Mandatory)
The Health Information Technology for Economic and Clinical Health (HITECH) Act strengthens HIPAA by requiring:
- Breach reporting for unauthorized disclosures
- Audit logs and electronic accountability measures
- Encryption and integrity controls for EHR systems
HITECH directly ties EHR adoption to compliance and ensures providers maintain transparency and accountability in their electronic systems.
Requirements & Strongly Recommended
Breach Notification Rule – Required
- Under HIPAA and HITECH, any breach involving 500+ individuals must be reported to:
- HHS within 60 days
- Affected individuals
- Sometimes the media
NIST Cybersecurity Framework (NIST CSF) – Strongly Recommended
- Referenced in HIPAA Security Rule guidance as a best practice.
- Used to:
- Identify and manage cybersecurity risks
- Improve infrastructure protection
- Prepare for audits and cyber events
CMS encourages alignment with NIST standards, especially NIST SP 800-53 and NIST SP 800-66 Rev. 1 (which maps directly to HIPAA).
What’s Not Federally Required—but Increasingly Expected
In today’s healthcare environment, many private payers, insurers, and strategic partners expect providers to adopt enhanced cybersecurity and compliance frameworks—even when they aren’t federally mandated.
- NIST 800-53 / 800-66 – Aligns with HIPAA; commonly referenced in audits and by partners
- HITRUST CSF – A widely accepted framework, often required by payers and business associates
- SOC 2 / ISO 27001 – Optional, but demonstrates a mature security posture for organizations working with sensitive data
Mandatory Rules
CMS Program Integrity Rules (Mandatory)
Providers must implement programs to detect and prevent fraud, waste, and abuse, and ensure timely, complete, and accurate documentation. CMS requires breach reporting procedures, FWA training, and strong data security practices. Noncompliance can lead to investigations, fines, or criminal charges.
Audit Readiness (Mandatory)
Providers must be ready for CMS and HHS audits—including TPE, RAC, UPIC/ZPIC, and HIPAA audits. Readiness includes maintaining compliance documentation, risk assessments, workforce training records, incident response plans, and Business Associate Agreements (BAAs).
State Medicaid Requirements (Mandatory, Varies by State)
Medicaid providers must also meet state-specific security and health IT standards, which may include additional encryption policies, data-sharing agreements, or state-level compliance programs.
OCR and CMS Audits – Required Compliance
- Both random and complaint-driven audits check for:
- Security risk analysis documentation
- Policies and procedures
- Business Associate Agreements
- Employee training logs
- Breach response and documentation
Eligible & Compliant
To remain eligible and operational, healthcare providers must meet key compliance and security requirements established by HHS, CMS, and OCR to avoid audit failures, financial penalties, and the loss of Medicare and Medicaid funding.
- Conduct Annual HIPAA Security Risk Analyses (SRAs) to identify vulnerabilities and update controls.
- Establish and Maintain Policies & Procedures for HIPAA Privacy, Security, and Breach Notification.
- Train All Staff Annually on HIPAA, cybersecurity, and incident response—before they access PHI.
- Maintain Comprehensive, Accurate Documentation for patient care, billing, and compliance activities.
- Implement Access Controls & Maintain Audit Logs to track all PHI access.
- Ensure Billing and Coding Compliance using accurate CPT/ICD codes and justifiable services.
- Perform Regular Internal Audits to proactively catch and correct compliance gaps.
- Maintain Audit Readiness with organized records available for routine, unannounced, or investigative audits.
- Secure Valid Business Associate Agreements (BAAs) with all vendors handling PHI.
- Encrypt Data and Secure Backups for PHI at rest and in transit, with routine restoration testing.
- Stay Updated on Regulatory Changes from HHS, CMS, and OCR and adjust practices accordingly.
- Establish a Documented Incident Response Plan with clear timelines and notification protocols.
Special Note
Recent audits by the U.S. Department of Health and Human Services (HHS) have revealed that over 80% of covered entities and business associates failed to conduct a proper Security Risk Analysis (SRA), a critical requirement under the Health Insurance Portability and Accountability Act (HIPAA).
While specific data on the percentage of healthcare providers failing Medicare audits solely due to incomplete SRAs, the high failure rate in SRAs suggests a significant compliance gap that could impact audit outcomes.
It's important to note that failing to perform or adequately document an SRA can lead to substantial consequences, including financial penalties and the loss of Medicare and Medicaid funding. For instance, organizations that did not meet the Meaningful Use or Merit-based Incentive Payment System requirements due to inadequate SRAs faced significant reimbursement penalties.
Given these findings, healthcare providers should prioritize conducting comprehensive and up-to-date SRAs to ensure compliance and safeguard their funding sources.
Is Your Hospice Ready for a Federal Audit?
The Compliance Mandate
Why Compliance Isn’t Optional
If your hospice provides care under Medicare, compliance is not a formality—it is a federal mandate. Hospice providers are now under intense scrutiny by CMS, OIG, and OCR. Certification failures, audit findings, and improper billing are triggering fines, recoupments, and even Medicare exclusion.
HCCP exists to protect providers from this exact outcome.
The Regulatory Reality
What’s Happening Now
- 40% of hospices failed to comply with Medicare billing or care delivery standards.
Source: HHS OIG Compliance Review Summaries, 2023 - $190 million in improper payments were made by Medicare between 2017–2021 due to invalid outpatient billing during hospice periods.
Source: OIG Audit A-01-21-00500, March 2024 - Over 7,000 unannounced hospice site visits were conducted by CMS in 2023. Nearly 400 providers were flagged for enforcement action.
Source: CMS Press Release, Hospice Modernization Initiative, May 2023 - $162 million recovered via audits by CMS Recovery Audit Contractors in a single year.
Source: CMS Recovery Audit Program Report to Congress, FY2019 - Civil penalties of $500 to $10,000 per instance can be issued by CMS for noncompliance with the Conditions of Participation.
Source: CMS State Operations Manual, Chapter 3
What This Means for Your Organization
Compliance failures can result in:
- Termination from the Medicare program
- Recoupment of paid claims (overpayments)
- Civil monetary penalties
- Loss of licensure or certification
- Damage to reputation and referral relationships
Common causes of failure include:
- No current Security Risk Assessment (SRA)
- Incomplete or outdated HIPAA policies
- Missing staff training documentation
- Inconsistent documentation or billing errors
How HCCP Protects You
We help hospice providers achieve and maintain full Medicare compliance through:
- HIPAA and CMS CoP alignment
- Audit readiness strategies
- Certification documentation development
- Cybersecurity and risk assessments
- Remediation and policy enforcement
We do not sell software—we deliver outcomes: certification, audit defense, and operational protection.
Our Service Packages
We offer four levels of support, from initial assessment to executive-level certification defense:
- Gold Tier – Assessment Package
A foundational review of your HIPAA posture, SRA, and CMS compliance risks. Includes baseline reporting and a certification roadmap. - Platinum Tier – Remediation Package
Corrective actions, policy updates, advanced SRAs, CoP alignment, and staff readiness training. Ensures audit-defensible documentation. - Diamond Tier – Executive Readiness Package
Full certification strategy, penetration testing, executive tabletop exercises, and real-time risk dashboards. Ideal for at-risk or multi-location providers. - Senior Advisor Package
Embedded strategic oversight. Direct support through audit events, monthly reviews, and board-level briefings.
[See Full Package Details]
Next Steps
Request Your Certification Review Today
We’ll provide a complimentary readiness conversation to determine where your organization stands—and how to fix critical gaps before CMS finds them.
[Schedule Your Strategy Call]
HCCP is your national partner for hospice compliance, certification, and audit defense.
© 2025 Healthcare Compliance Certification Professionals
Healthcare Compliance Certification Professionals (HCCP) provides national, non-clinical compliance and certification support services exclusively to hospice providers, including HIPAA compliance, Security Risk Assessments (SRA), Medicare documentation, staff training, and audit preparedness. Based in Maryland, HCCP does not provide medical care and operates independently from the Centers for Medicare & Medicaid Services (CMS), the U.S. Department of Health and Human Services (HHS), and all other regulatory agencies. Our mission is to help hospice organizations meet and maintain Medicare compliance standards with confidence, clarity, and accountability.
