Ntracts Blog

Sustainable Compliance: Using Data & Oversight to Drive Better Outcomes

Written by Ntracts | May 1, 2026 8:25:11 PM

Why compliance programs fall short in practice and how to build one that stands up to scrutiny.


TLDR

Most healthcare compliance programs are well designed but difficult to execute consistently. Physician arrangement risk remains fragmented across contracts, payments and teams, limiting visibility and control.

Regulators now expect risk-based oversight, ongoing monitoring and clear evidence that compliance is working in practice. Sustainable compliance depends on centralized data, consistent processes and embedded monitoring that can scale.

In this session, we break down where programs fall short, what regulators are actually looking for and how leading organizations are operationalizing compliance. Explore the full slide deck below for a deeper look at the frameworks and examples discussed.


At HCCA, we had the opportunity to speak with compliance leaders about a challenge that continues to surface across organizations of every size. The question is no longer whether a compliance program exists. It’s whether that program can stand up to scrutiny.

That shift is subtle, but it has real implications for how compliance teams operate day to day.

Our session, Sustainable Compliance: Using Data and Oversight to Drive Better Outcomes, focused on where programs tend to break down in practice and what it takes to close the gap between policy and execution.

 

The visibility gap at the center of compliance.

In most organizations, physician arrangement data does not live in one place. It spans contracts, compensation structures, billing activity and multiple internal systems, each owned by different teams.

Legal, compliance, finance and operations may all play a role, but ownership is rarely unified. As a result, no single group has a complete view of risk.

That fragmentation creates a visibility gap that’s difficult to overcome. Teams are often making decisions based on partial information, and monitoring becomes inconsistent or reactive. In many cases, issues are not identified until after payments have already been made. This is where even well-designed compliance programs start to show strain.

 

 

Why physician arrangements carry outsized risk.

Physician arrangements sit at the intersection of regulatory scrutiny, financial exposure and provider relationships. Each of these factors introduces its own level of risk, but together they create a level of complexity that’s difficult to manage without strong oversight.

From a regulatory standpoint, Stark Law and Anti-Kickback exposure remains a constant concern. Enforcement actions can result in significant financial penalties, but the impact does not stop there.

Reputation is also on the line. Public scrutiny can affect how organizations are perceived within their communities.

At the same time, these arrangements directly influence physician relationships. Misalignment or lack of oversight can create friction in partnerships that are critical to long-term success.

Layer in the variability of different arrangement types and compensation models, and the likelihood of error increases.

 

Where expectation and reality diverge.

On paper, most compliance programs appear structured and well defined. Policies are in place, processes are documented and there is a clear intent to monitor risk.

In practice, execution often tells a different story.

Data remains fragmented across systems. Ownership is not always clearly defined. Monitoring may happen, but not consistently or with the depth required to surface meaningful risk.

Teams often believe they are aligned, but processes and decisions can vary across departments.

Regulators are increasingly focused on this gap. They are not evaluating whether a program exists. They are evaluating whether it’s working.

 

What regulators expect now.

Guidance from the DOJ and OIG has made expectations more explicit. Compliance programs are expected to be risk-based, meaning organizations must demonstrate that they understand where their highest risk areas are and are prioritizing accordingly.

Monitoring is expected to be ongoing. A one-time review is not sufficient.

Documentation plays a central role. Organizations need to show how decisions are made, how risk is assessed and how issues are addressed over time.

Consistency also matters. Regulators are looking for alignment across teams, processes and controls.

Taken together, these expectations point to a broader shift. Compliance must be operationalized and embedded into how work gets done.

This is the shift many organizations underestimate. Regulators are not asking whether controls exist. They are asking whether those controls are actively working and consistently applied.

“While legal counsel may be involved in the initial structuring and drafting of these agreements, ongoing monitoring of compliance with the terms and conditions set forth in the agreements remains equally important from a fraud and abuse perspective.” – HHS-OIG General Compliance Program Guidance Document


Why progress stalls for many organizations.

If expectations are clear, the challenge lies in execution.

Responsibility is often distributed across teams, which makes accountability harder to enforce. There can also be hesitation to apply rigorous oversight to physician relationships due to their sensitivity.

At the same time, short-term operational priorities tend to take precedence over long-term risk management. In some environments, there is also an assumption that if issues are not immediately visible, they are not present.

These factors create friction that makes it difficult to move from reactive compliance to a more proactive, scalable approach.

 

From fragmented data to focused action.

Organizations that are making progress are not reviewing more for the sake of it. They are becoming more targeted in how they approach risk.

The first step is centralizing data across contracts, payments and related activities. This creates the visibility needed to identify patterns, inconsistencies and outliers.

From there, teams can apply a risk-based lens. Not every arrangement requires the same level of scrutiny. By prioritizing based on complexity, variability and financial exposure, organizations can focus their efforts where they will have the greatest impact.

Data does not replace human judgment. It strengthens it by providing a clearer foundation for decision-making.

 

 

What operationalized compliance actually looks like.

Sustainable compliance is not a separate initiative. It’s built into everyday workflows. This ensures that oversight happens consistently and at the right points in time.

Processes are standardized across the organization, which reduces variability and improves alignment between teams.

Ownership is clearly defined, so accountability does not fall through the cracks.

Equally important, these processes are designed to scale. They are structured and repeatable, rather than dependent on manual effort that becomes harder to sustain over time.

 

 

Defensibility is the new benchmark.

A sustainable compliance program is not defined by the absence of issues. It’s defined by how effectively an organization can identify, manage and respond to risk.

That requires more than activity. It requires evidence.

Organizations need to demonstrate what they are monitoring, what they are finding and what actions they are taking as a result. They need to show consistency in how decisions are made and applied across the organization.

Ultimately, they need to be able to tell a clear, data-backed story about the effectiveness of their compliance program.

This is what builds defensibility in the eyes of regulators.

 

Explore the full session.

This recap highlights the key themes from our HCCA session. The full presentation goes deeper into regulatory guidance, real-world examples and practical frameworks you can apply within your organization. To explore them, see the full slide deck below.