2026 Compliance risk assessment

 

As you prepare to schedule your 2026 compliance risk assessment, here are several important considerations that can help you strategically prioritize and organize your work for the upcoming year. 


First, consider which risk areas your internal auditors, as applicable, may already be scheduling for 2026 as part of their internal audit process. This may have already been presented to the audit committee. Often, several compliance risk areas are already selected and incorporated into the internal audit plan. Aligning your compliance risk assessment with these existing efforts can help avoid duplication, reduce assessment fatigue across the organization, and strengthen collaboration between compliance, internal audit, and operational leaders. 


Additionally, consider sending a prequestionnaire to members of the compliance committee, senior leaders, and/or board or other directors. This allows you to gather early input on: 

  • Compliance risk areas of concern to leadership 
  • Areas perceived as emerging or increasing risks 
  • Areas believed to be well-controlled and stable 
  • Organizing themes that might influence your annual planning (e.g., strategic goals, new service lines, operational changes, major regulatory updates) 


This information helps ensure the assessment is aligned with organizational realities and leadership expectations while also encouraging engagement from key stakeholders.

 
Consider the following compliance risk areas and determine which would make the most sense to assess this year to establish if adequate controls are in place to mitigate the risks. Return to 

  1. HIPAA Privacy areas 
  2. HIPAA Security areas
  3. Billing and coding errors (Medicare/Medicaid) 
  4. False Claims Act exposure 
  5. Stark Law and Anti-Kickback Statute violations
  6. Poor clinical documentation
  7. Controlled substances and medication management 
  8. Patient safety and quality reporting errors
  9. Vendor and third-party relationships
  10. Credentialing and privileging failures
  11. Research compliance violations
  12. Patient rights and informed consent issues
  13. Emergency Medical Treatment and Labor Act
  14. Revenue cycle compliance
  15. Telehealth compliance risks
  16. Audits and survey readiness
  17. Financial conflicts of interest
  18. Medical devices and equipment compliance
  19. AI use in clinical or administrative processes
  20. Post-acute and care-continuum compliance (home health, hospice, skilled nursing facility)
  21. Marketing and communications compliance 
  22. Board and governance oversight practices 


A thorough and well-structured 2026 compliance risk assessment positions your organization to proactively identify vulnerabilities, strengthen internal controls, and ensure ongoing regulatory compliance. By coordinating with internal audit, gathering stakeholder insights early, and thoughtfully selecting risk areas based on both organizational maturity and emerging regulatory trends, you create a more efficient, focused, and value-driven assessment process. 
 

 

 

View all articles     Read the next article

Copyright © 2025 Health Care Compliance Association (HCCA). All rights reserved. All information provided through this site, including without limitation all information such as the "look and feel" of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms of Use and Privacy Statement.