Preparing for the Fallout: How the 2025 Medicaid Cuts Will Impact Healthcare Providers

As sweeping Medicaid cuts loom in 2025, clinics across the country are bracing for financial strain, staffing challenges, and service disruptions. This article breaks down the key policy changes, who stands to lose the most, and how providers can adapt—before the impact becomes irreversible.

By: Drew Duffy, MHA, FACHE

Introduction

The upcoming 2025 Medicaid budget reductions are poised to create deep and lasting impacts across the U.S. healthcare system—particularly for small practices, rural clinics, and providers who serve low-income populations. With over 90 million Americans enrolled in Medicaid at some point in the past two years, these cuts are not merely fiscal; they carry substantial implications for access, continuity, and equity in care.

This article presents a comprehensive overview of the proposed changes, examines the vulnerable segments within the provider landscape, and outlines key strategies that healthcare organizations can adopt to navigate the impending challenges.

I. Context and Drivers of the 2025 Medicaid Cuts

The 2025 federal budget proposal includes significant Medicaid reductions aimed at curbing long-term healthcare expenditures. Several macroeconomic and political factors have catalyzed these proposed changes:

  • Post-Public Health Emergency (PHE) Redetermination: Following the expiration of the PHE, states have resumed annual eligibility verifications, resulting in widespread disenrollments.

  • Transition to Block Grants and Waivers: Some states are exploring capped funding models through Section 1115 waivers, shifting financial risk to providers.

  • Cost-Containment of Optional Benefits: States are reassessing the provision of services such as dental, vision, and behavioral health under the "optional benefits" category.

  • Increased Federal Scrutiny: CMS is tightening enforcement around medical necessity, improper payments, and state Medicaid program audits.

The combined effect is projected to reduce federal Medicaid contributions by over $200 billion across the next decade.

II. High-Risk Provider Segments

The ramifications of these budgetary contractions will not be evenly distributed. Certain provider categories are particularly vulnerable:

  • Small and Independent Practices: Often reliant on Medicaid as a primary payer, these clinics may face immediate revenue shortfalls.

  • Behavioral Health and SUD Treatment Providers: These providers, already underfunded, may see reduced support for vital services.

  • Rural Health Clinics (RHCs) and Federally Qualified Health Centers (FQHCs): Operating in underserved areas, these entities are more susceptible to reimbursement delays and care disruptions.

  • Maternal, Pediatric, and Geriatric Specialists: Serving demographics heavily dependent on Medicaid, these providers could experience higher denial rates and administrative burdens.

  • Clinics Serving Marginalized Communities: LGBTQ+, BIPOC, and immigrant-focused practices may struggle to retain care continuity as patient eligibility is terminated.

III. Compliance, Reimbursement, and Operational Risks

As Medicaid funding contracts, enforcement activity often intensifies. Providers should anticipate the following compliance and operational challenges:

  • Increased Prepayment Review and Denials: Expect elevated scrutiny of prior authorizations and coding accuracy.

  • Documentation and Audit Vulnerabilities: Poor documentation can lead to recoupments, civil penalties, and exclusion.

  • Eligibility Verification Complexities: Redetermination errors could lead to retroactive denials if staff are not trained appropriately.

  • Revenue Cycle Volatility: Clinics may face cash flow interruptions due to longer processing times and reduced state funding matches.

IV. Strategic Recommendations for Providers

Proactivity is key to mitigating the risks associated with the Medicaid cuts. Providers should consider the following actions:

  1. Conduct a Payer Mix Analysis: Determine your clinic's Medicaid dependency and assess revenue diversification opportunities.

  2. Update Eligibility and Billing Workflows: Train staff to manage redetermination, prior authorizations, and appeal processes efficiently.

  3. Strengthen Compliance Infrastructure: Implement robust internal audit programs and regular documentation reviews.

  4. Engage with Community Partners: Collaborate with local organizations to support patients during eligibility transitions.

  5. Seek Federal and State Grant Support: Explore HRSA, ARPA, and state innovation funds for supplemental operational support.

  6. Implement Scalable Telehealth Solutions: Use technology to reduce overhead while maintaining access and quality.

  7. Consult with Reimbursement and Compliance Experts: External advisory can help avoid costly missteps and guide regulatory adaptation.

Conclusion

The 2025 Medicaid cuts will be more than a fiscal correction; they will redefine the delivery landscape for providers who care for America’s most vulnerable. Clinics that respond strategically—by improving compliance, training staff, and streamlining operations—will be better positioned to sustain their mission.

At ClearPath Compliance, we support clinics through transitions like these, offering regulatory guidance, audit preparation, and strategic risk management tailored to Medicaid-participating providers. With over two decades of experience in healthcare compliance and operational resiliency, we help ensure your practice doesn’t just survive—it thrives.

-Drew


No More Gray Areas: Preparing for Mandatory MFA, Encryption, and Access Controls Under HIPAA 2025

As HIPAA enters a new era of enforcement in 2025, healthcare providers can no longer rely on the outdated notion of “addressable” safeguards. Multi-factor authentication (MFA), encryption of electronic protected health information (ePHI), and strict access controls are now considered baseline requirements — not optional enhancements.

This article examines the critical regulatory shift, explains what’s changing in practical terms, and outlines exactly what providers must do to comply. Whether you're a hospital system or a five-provider clinic, the expectations are the same — and the consequences of noncompliance have never been more severe.

At ClearPath Compliance, we break down these changes into actionable solutions. With more than 20 years of healthcare compliance expertise, we help our clients implement MFA, secure their data with modern encryption protocols, and lock down access to sensitive records. And if you’re a small clinic serving underserved or Medicare/Medicaid populations, we offer our services at a significantly reduced rate — because privacy and security should never be out of reach.

by: Drew Duffy, MHA, FACHE

Why the Time for Full Compliance Is Now

As of 2025, healthcare organizations can no longer afford to treat cybersecurity requirements under HIPAA as optional or open to interpretation. The long-standing distinction between “required” and “addressable” security standards is being redefined — and in some cases, eliminated altogether. Whether you’re a hospital system or a five-provider family clinic, the expectation is the same: implement the full spectrum of technical safeguards — including multi-factor authentication (MFA), encryption of ePHI, and access control measures — or face the legal, financial, and reputational consequences.

This is not a recommendation. It’s a structural shift. And it demands serious attention.

Mandatory MFA, Encryption, and Access Controls: The End of “Addressable”

For years, HIPAA’s Security Rule allowed some flexibility around the implementation of specific safeguards. Under 45 CFR § 164.312, certain standards were labeled as “addressable,” meaning a covered entity could implement an alternative solution or document why a standard wasn’t reasonable or appropriate.

But in the 2025 proposed update to the HIPAA Security Rule (NPRM), that flexibility is being narrowed dramatically. In particular, MFA and encryption are no longer optional — they are now expected to be fully implemented across all systems handling electronic protected health information (ePHI), regardless of size, budget, or organizational complexity.

Let’s break this down:

Multi-Factor Authentication (MFA) — A New Standard, Not a Suggestion

What’s Changing:

  • All users accessing ePHI must authenticate using two or more factors: something they know (password), something they have (authenticator app or hardware token), or something they are (biometric).

  • SMS and voice codes are being discouraged due to known vulnerabilities.

  • Google Prompt and similar push-notification systems are acceptable only when paired with a secure device enrollment process.

Why It Matters:

MFA is now considered a non-negotiable layer of protection. The days of relying on username + password alone — especially for cloud-based services like EHR platforms or email systems — are over. Credential theft and phishing have driven a surge in healthcare-related ransomware attacks, and the federal government is making it clear: organizations that skip MFA are in violation of their duty to protect patient data.

What You Must Do:

  • Enforce MFA across all accounts that access ePHI — this includes physicians, nurses, billing staff, and administrative users.

  • Disable access to non-compliant devices or accounts that bypass MFA.

  • Require use of time-based one-time passcodes (TOTP) via apps like Google Authenticator or Authy.

Encryption in Transit and at Rest — Now Presumed Required

What’s Changing:

  • Encryption of all ePHI during transmission (TLS/HTTPS for emails, secure FTP, VPN tunnels) and while stored (full disk encryption, encrypted databases, etc.) is now considered mandatory unless a demonstrable technical impossibility exists.

  • The standard applies to cloud storage, mobile devices, external drives, and internal systems.

Why It Matters:

Any unencrypted ePHI is a liability — and under the new rules, failure to encrypt is presumed noncompliance unless rigorously justified and documented. This significantly raises the bar for what regulators will accept in a breach investigation.

What You Must Do:

  • Implement full-disk encryption (e.g., BitLocker, FileVault) on all workstations and portable devices.

  • Require TLS 1.2 or higher for all external communications containing PHI.

  • Encrypt server storage, backups, and removable media.

Role-Based Access Controls — Lock Down What Doesn’t Need to Be Open

What’s Changing:

  • Organizations must apply the principle of least privilege to all systems containing ePHI.

  • Access logs, automatic timeouts, and re-authentication mechanisms are now considered essential.

Why It Matters:

If every staff member can access every record, your system is not compliant — it is wide open to internal threat, human error, and external exploitation.

What You Must Do:

  • Create user roles that define the minimum access necessary based on job duties.

  • Implement audit logs that monitor and retain records of access attempts.

  • Use automatic logouts and session expiration controls.
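The three controls above (minimum-necessary roles, an audit trail of every access attempt, and session expiry) are easiest to reason about when they live in one enforcement point that every record access passes through. The example below is added to illustrate that pattern; it is not ClearPath's code and not from the original article. The role names and permissions are a constructed model of a small clinic, and the 15-minute idle timeout and the 5-minute re-authentication age for sensitive actions are illustrative assumptions, since the Security Rule requires automatic logoff but does not fix a number.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed least-privilege role model for a small clinic (an assumption, not a
# regulatory list): each role carries only the actions its job function needs.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "physician":  {"chart:read", "chart:write", "rx:write"},
    "nurse":      {"chart:read", "chart:write"},
    "billing":    {"claim:read", "claim:write"},
    "front_desk": {"schedule:read", "schedule:write"},
}

IDLE_TIMEOUT_S = 15 * 60    # automatic logout after 15 minutes without activity (assumed value)
REAUTH_MAX_AGE_S = 5 * 60   # sensitive actions need an authentication newer than 5 minutes (assumed)
SENSITIVE_ACTIONS = {"rx:write", "chart:export"}


@dataclass
class AuditEvent:
    ts: int
    user: str
    action: str
    record: str
    outcome: str  # allowed | denied | session_expired | reauth_required | no_session


@dataclass
class Session:
    user: str
    roles: Set[str]
    authenticated_at: int
    last_activity: int


class AccessController:
    """Single enforcement point: every access attempt is authorized here and logged,
    whether it succeeds or not, so the audit trail shows denials as well as reads."""

    def __init__(self, idle_timeout: int = IDLE_TIMEOUT_S, reauth_max_age: int = REAUTH_MAX_AGE_S):
        self.idle_timeout = idle_timeout
        self.reauth_max_age = reauth_max_age
        self.sessions: Dict[str, Session] = {}
        self.audit: List[AuditEvent] = []

    def login(self, session_id: str, user: str, roles: Set[str], now: int) -> None:
        unknown = set(roles) - set(ROLE_PERMISSIONS)
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        self.sessions[session_id] = Session(user, set(roles), now, now)

    def reauthenticate(self, session_id: str, now: int) -> None:
        """Called after the user re-enters credentials (and MFA) for a sensitive action."""
        s = self.sessions[session_id]
        s.authenticated_at = now
        s.last_activity = now

    def _log(self, now: int, user: str, action: str, record: str, outcome: str) -> bool:
        self.audit.append(AuditEvent(now, user, action, record, outcome))
        return outcome == "allowed"

    def authorize(self, session_id: str, action: str, record: str, now: int) -> bool:
        s = self.sessions.get(session_id)
        if s is None:
            return self._log(now, "<none>", action, record, "no_session")
        if now - s.last_activity > self.idle_timeout:
            del self.sessions[session_id]           # automatic logoff
            return self._log(now, s.user, action, record, "session_expired")
        s.last_activity = now
        permitted = set().union(*(ROLE_PERMISSIONS[r] for r in s.roles))
        if action not in permitted:
            return self._log(now, s.user, action, record, "denied")
        if action in SENSITIVE_ACTIONS and now - s.authenticated_at > self.reauth_max_age:
            return self._log(now, s.user, action, record, "reauth_required")
        return self._log(now, s.user, action, record, "allowed")


if __name__ == "__main__":
    ac = AccessController()
    ac.login("s1", "nurse01", {"nurse"}, now=1000)
    print(ac.authorize("s1", "chart:read", "pt-0001", now=1010))   # True
    print(ac.authorize("s1", "rx:write", "pt-0001", now=1020))     # False: not in the nurse role
    for e in ac.audit:
        print(e)
```

Two points worth noting in the design: denials and expired sessions are logged with the same fields as successful reads, which is what makes the log useful for spotting a user probing records outside their role; and permissions are derived from roles at decision time rather than copied onto the user, so removing a role takes effect on the next request rather than at the next login.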

How ClearPath Compliance Can Help

We understand that most clinics and practices are not IT firms — but they are expected to act like one when it comes to compliance. That’s where we come in.

We offer:

  • Secure MFA Deployment — We configure and enforce app-based MFA (e.g., Google Authenticator) across all platforms, including EHR, cloud email, and file storage.

  • Encryption Strategy & Rollout — From mobile devices to email to network drives, we ensure all PHI is encrypted in motion and at rest — in full alignment with 2025 guidance.

  • Access Policy Engineering — We design and implement customized access control policies tailored to your workflows, staffing structure, and risk profile.

Our team brings over 20 years of healthcare compliance experience to each engagement, and we’ve helped providers of every size modernize without disruption.

❤️ A Note About Equity: Supporting Those Who Serve the Underserved

If you are a small clinic, community-based provider, or organization that primarily serves marginalized populations, or has a high volume of Medicare/Medicaid patients, we believe you deserve the same level of data security as any large system. As part of our founder’s commitment to equitable care access, we offer significantly reduced rates for qualifying practices.

Everyone deserves to be protected. We make sure you can be.

📣 Final Thoughts

HIPAA is no longer tolerating excuses. Whether you're still using outdated systems, relying on password-only logins, or haven't encrypted your devices — you are on borrowed time.

But you don’t have to navigate this alone.

At ClearPath Compliance, we help providers meet today’s standards — and prepare for tomorrow’s. Let us bring you into full alignment with the 2025 HIPAA framework, without disruption, confusion, or guesswork.

If you find our blogs and insights helpful, we invite you to visit our Contact Us page. Simply enter your name and email, and let us know you'd like to receive updates. You’ll be among the first to know when we publish new articles, resources, or important compliance news.

-Drew


CMS Emergency Preparedness Rule Updates: What Clinical and Critical Access Hospitals Need to Know Post-COVID

By Drew Duffy

Founder, ClearPath Compliance

The COVID-19 pandemic permanently altered the healthcare regulatory landscape, and no area has seen more substantial post-pandemic scrutiny than emergency preparedness. As hospital systems navigate the new normal, the Centers for Medicare & Medicaid Services (CMS) has updated and re-emphasized the Emergency Preparedness Rule, signaling a more aggressive enforcement posture and higher expectations for clinical and critical access hospitals.

Below, we break down the key updates, enforcement trends, and practical compliance strategies for providers.

1. The Regulatory Backdrop: CMS's Renewed Emphasis on Emergency Preparedness

Originally finalized in 2016, the CMS Emergency Preparedness Rule (42 CFR § 482.15 for hospitals) requires participating providers and suppliers to establish and maintain comprehensive emergency preparedness programs. These programs must address all hazards, ensure continuity of care, and be reviewed and updated at least annually.

Post-COVID, CMS has made clear that emergency plans must go beyond theoretical exercises and reflect real-world events, such as pandemics, cybersecurity attacks, and climate-related disasters.

2. What’s Changed Since COVID-19?

While the Emergency Preparedness Rule’s core framework remains intact, CMS’s guidance and surveyor training post-COVID have led to practical changes in how compliance is evaluated:

A. Increased Focus on Infectious Disease Planning

CMS now expects emergency plans to explicitly address infectious disease outbreaks — not generically, but with reference to real lessons learned during COVID-19. Hospitals are expected to show:

  • Infection control integration with emergency planning

  • Surge capacity protocols

  • Staffing contingency strategies

  • PPE acquisition and burn-rate forecasting

B. Surveyor Guidance Emphasizes Operationalization

Surveyors are being trained to evaluate not just whether a hospital has a plan, but whether the plan is actively integrated into operations. Expect increased scrutiny of:

  • Real-world drill outcomes

  • After-action reports

  • Policy updates reflecting those learnings

C. Updated Risk Assessments Must Reflect All-Hazards – Including Cybersecurity

The “all-hazards” approach now formally includes cybersecurity threats, ransomware events, and digital infrastructure failures. Hospitals must demonstrate that their risk assessments and response frameworks cover these domains.

D. Training & Testing: No Longer Just a Checkbox

Annual testing and staff training requirements have shifted in tone from a documentation exercise to a functional expectation. CMS expects that hospitals:

  • Conduct two emergency preparedness exercises annually (one full-scale, one table-top or equivalent)

  • Use actual events as part of their drill documentation when applicable

  • Can demonstrate staff awareness and involvement at multiple levels

3. Compliance Risks and Deficiency Trends

Increased surveyor training and focus have led to a rise in condition-level deficiencies tied to emergency preparedness — especially in critical access hospitals. Common pitfalls include:

  • Outdated risk assessments

  • Failure to conduct or document required exercises

  • Insufficient integration of infection control policies

  • Inadequate communication plans with local and regional emergency management systems

For clinical and critical access hospitals already operating under resource constraints, these deficiencies can quickly escalate to citation risk, potential loss of deemed status, and even payment suspensions.

4. Strategic Compliance Recommendations

Given the renewed enforcement landscape, we recommend hospitals take the following actions:

✅ Conduct a Gap Analysis Immediately

Evaluate your current Emergency Preparedness Plan against:

  • Updated CMS guidance (QSO-20-41 and beyond)

  • Lessons learned from COVID-19 response

  • Cybersecurity readiness

✅ Integrate Emergency Planning with Infection Control and Supply Chain Teams

Your Infection Preventionist, Supply Chain Officer, and Compliance Officer should be active contributors to emergency plan development and review.

✅ Document Real-World Events as Testing Equivalents

CMS allows real emergencies to substitute for required testing. Ensure that all such events are formally documented with:

  • A timeline of actions

  • Stakeholder roles

  • Outcomes and after-action findings

✅ Re-train and Re-test Staff Annually

Develop role-specific emergency scenarios. For example, train ICU nurses on surge capacity protocols, or HIM staff on continuity of operations during a cyberattack.

✅ Engage Legal and Compliance Early

Emergency preparedness intersects with HIPAA, EMTALA, and accreditation standards. Legal and compliance leaders should proactively review policies for alignment.

Conclusion: A Moment of Recalibration

The post-COVID era is not about rewriting the Emergency Preparedness Rule, but about enforcing it with new urgency. Clinical and critical access hospitals must pivot from theoretical compliance to operational readiness. With CMS surveyors applying more rigorous standards and accrediting bodies following suit, the time to act is now.

Our team at ClearPath Compliance has deep experience helping hospitals navigate emergency preparedness audits, build resilient response plans, and meet CMS expectations. Contact us to schedule a compliance risk assessment or drill facilitation session.

Stay Compliant. Stay Prepared. Stay Operational.


Why Compliance Isn’t Optional in 2025

In 2025, compliance isn’t a suggestion — it’s an operational necessity. With increased scrutiny from federal regulators, payers, and credentialing bodies, healthcare providers of all sizes are expected to maintain structured, documented compliance programs. This article outlines what’s changed, what’s expected, and how ClearPath Compliance helps clinics, hospitals, and behavioral health providers stay ahead of the curve without overcomplicating the process.

As healthcare continues to evolve, compliance is no longer a back-office obligation — it's a core operational pillar. In 2025, maintaining compliance is not just about avoiding fines. It’s about building resilient systems, protecting your revenue, and demonstrating the integrity of your organization to regulators, payers, and the communities you serve.

🔎 The Federal Compliance Environment in 2025

Following the Office of Inspector General (OIG)’s updated General and Industry-Specific Compliance Program Guidance (GCPG and ICPGs) released in late 2024, regulators have made it clear: every healthcare entity — regardless of size — is expected to have a formal, documented compliance program.

These updates emphasize:

  • Tailored compliance plans: Generic policies are no longer sufficient.

  • Active oversight: Compliance is expected to be embedded in day-to-day operations.

  • Documentation of training, audits, and follow-up: If it’s not written down, it didn’t happen.

This isn’t a new requirement — but in 2025, it is a renewed priority.

What’s Changed for Clinics and Rural Providers

In prior years, smaller practices and rural providers may have been overlooked in major enforcement actions. That’s no longer the case.

Changes in 2025 include:

  • Insurance networks (including Medicaid MCOs) are auditing credentialing and compliance materials more thoroughly.

  • CMS and OIG have shifted focus to ensure smaller facilities meet the same standards as larger systems.

  • Funding and grant eligibility often require proof of current compliance structures.

This shift isn’t punitive — it reflects the reality that all healthcare providers play a role in preventing fraud, waste, abuse, and patient harm.

Compliance as an Operational Asset

The most successful clinics and hospitals today aren’t treating compliance as a burden — they’re using it to:

  • Support clean claims and avoid billing delays

  • Ensure provider credentialing is accurate and up-to-date

  • Build trust with patients and referring partners

  • Navigate audits and payer requests without disruption

In short, compliance supports operational stability.

It minimizes risk while helping you standardize policies, reduce confusion, and respond quickly when issues arise.

What Does an Effective Compliance Program Include?

An effective program is not about complexity — it’s about consistency and clarity. At a minimum, healthcare organizations should have:

1. Written Policies and Procedures

Tailored to your size and specialty, including HIPAA, billing, documentation, and patient rights.

2. Training and Education

All staff, including part-time and contract workers, should receive compliance training annually — with logs maintained for reference.

3. Risk Assessment and Monitoring

Basic internal reviews, even if informal, should occur regularly — such as chart audits, billing spot checks, or documentation reviews.

4. Clear Reporting Pathways

Staff need to know how to raise concerns — and feel confident those concerns will be taken seriously and handled professionally.

5. Responsive Action Plans

When an issue arises (e.g., a billing error or privacy breach), your response should be documented and prompt.

Regulatory Expectations Are Now the Baseline

What regulators are asking for in 2025 isn’t extravagant — it’s foundational. They want to see that healthcare organizations are:

  • Aware of their obligations

  • Making good-faith efforts to train staff and monitor operations

  • Taking appropriate steps when issues surface

This means even small clinics and sole providers can meet expectations with the right tools, guidance, and systems in place.

Support Is Available — You Don’t Have to Do This Alone

At ClearPath Compliance, we specialize in helping providers implement practical, scalable compliance systems — without overwhelming your staff or disrupting care delivery.

We work with:

  • Rural health clinics

  • Mental health and MAT providers

  • Critical access hospitals

  • Emerging cannabis and integrative health practices

Whether you need a full compliance framework, help with credentialing prep, or a refresher for your current plan, we offer custom solutions built for the realities of small- to mid-size providers.

📞 Let’s Talk

If you’re unsure whether your current compliance setup meets 2025 expectations, let’s talk — no cost, no pressure.

📅 Book a Free Compliance Review
📧 info@clearpathcompliance.com
📞 1-888-996-8376

Let ClearPath help you align your operations with today’s standards — and get ahead of tomorrow’s.

© 2025 ClearPath Compliance. All rights reserved.
This article is intended for informational purposes only and does not constitute legal advice.


Bridging the Healthcare Access Divide: The Ongoing Struggle of Americans

Healthcare in America is broken—but not beyond repair. Every day, patients face impossible decisions between care and cost, especially in rural communities and underserved populations. At ClearPath Compliance, we believe every clinic and critical access hospital deserves a clear path forward. This article explores the real barriers to access—and what compliance leaders can do to change the system from the inside out.

Access to quality healthcare is a strategic imperative—and yet, for far too many Americans, it remains an elusive ideal. From the earliest community clinics founded on philanthropy to the complex multi‑payer systems of today, barriers persist that thwart timely, affordable care. In this blog post, we dissect the core dimensions of this struggle and explore practical, data‑driven approaches clinics and Critical Access Hospitals can implement immediately to alleviate access gaps.

Historical Context: A Legacy of Uneven Access

Since the establishment of the Hill–Burton Act in 1946, the U.S. has recognized the importance of distributing healthcare infrastructure equitably. Yet, despite decades of policy initiatives—from Medicare and Medicaid in the 1960s to the ACA in 2010—structural impediments endure:

  • Geographic Maldistribution: Rural communities have historically depended on local hospitals and traveling physicians. Today, nearly half of rural hospitals operate at a financial loss, and hundreds face closure.

  • Insurance Coverage Fluctuations: Public and private programs have expanded coverage, but dips in enrollment and coverage gaps still leave millions uninsured each year.

  • Administrative Overhead: From paper‑based intake to siloed reporting systems, the cost and complexity of compliance continue to erode clinical bandwidth.

This legacy informs our present reality: systemic friction that undermines patient engagement and compromises health outcomes.

Four Dimensions of the Access Struggle

1. Coverage Gaps and Cost Barriers

  • Uninsured and Underinsured Populations: Approximately 25 million Americans lack coverage at some point annually, and high‑deductible plans shift more financial risk onto patients.

  • Deferred Care Consequences: Cost‑related nonadherence leads to delayed diagnoses, emergency department overuse, and escalated long‑term expenditures.

2. Rural and Underserved Community Challenges

  • Infrastructure Vulnerability: With 432 rural hospitals deemed at risk of closure, residents often face 30–60 minute commutes for essential services.

  • Provider Shortages: Fewer specialists and primary care providers exacerbate wait times and force reliance on telehealth, which itself is hampered by regulatory nuances.

3. Administrative Complexity

  • Manual Processes: Patients juggle multiple forms, authorizations, and referrals—each administrative touchpoint introduces potential drop‑offs.

  • Provider Burnout: Clinician time diverted to compliance and documentation diminishes capacity for direct patient interaction.

4. Socioeconomic and Cultural Factors

  • Social Determinants of Health: Transportation insecurity, linguistic barriers, and digital divide issues disproportionately affect low‑income and minority populations.

  • Trust and Engagement: Historical inequities and cultural mistrust can discourage routine care utilization, further widening health disparities.

Turning Friction into Forward Motion: Actionable Strategies

  1. Digital Intake Transformation

    • Deploy patient‑centric online forms that pre‑populate known data, reducing check‑in time and data‑entry errors.

  2. Automated Compliance Workflows

    • Leverage templated, rule‑based document generation for consent, incident reporting, and licensure renewals—minimizing manual handoffs.

  3. Holistic Revenue Cycle Optimization

    • Align billing and coding processes with payer requirements to reduce denials, surprise bills, and patient financial distress.

  4. Targeted Staff Enablement

    • Implement modular, plain‑language training programs that reinforce compliance “must‑dos” while illustrating operational efficiencies.

By integrating these measures, providers can reclaim clinical capacity, accelerate patient throughput, and bolster community trust—delivering care where and when it’s needed most.

ClearPath Compliance specializes in empowering clinics and Critical Access Hospitals to operationalize these strategies. Through tailored digital workflows, automated reporting, and staff enablement, we drive administrative excellence that directly translates into expanded access and improved patient experience.

Next Steps: Contact ClearPath Compliance at 1‑888‑996‑8376 or visit www.clearpathcompliance.com



Telehealth in 2025: Navigating the New Regulatory Landscape

As telehealth becomes a permanent part of healthcare in 2025, new federal and state regulations are reshaping how providers deliver virtual care. From reinstated geographic restrictions to expanded audio-only coverage, understanding the evolving rules is essential to stay compliant and avoid costly penalties. ClearPath Compliance breaks down what every practice must know to navigate this complex landscape confidently.

By Drew Duffy, ClearPath Compliance

Introduction

Telehealth has evolved from a temporary solution during the COVID-19 pandemic to a permanent fixture in modern healthcare delivery. As we move further into 2025, healthcare providers must adapt to a rapidly changing regulatory environment to ensure compliance and continue delivering quality care.

1. Reinstatement of Pre-Pandemic Restrictions

The Centers for Medicare & Medicaid Services (CMS) has begun reinstating certain telehealth policies that were relaxed during the public health emergency. These changes include:

  • Geographic Restrictions: Telehealth services are now limited to rural areas and specific healthcare settings.

  • Eligible Providers: Only certain healthcare professionals are authorized to offer telehealth services.

  • In-Person Visit Requirements: Some services now require an in-person visit within a specified timeframe.

These reinstatements aim to balance the convenience of telehealth with the need for in-person evaluations in certain situations.

2. Expansion of Telehealth Services

Despite the reinstatement of some restrictions, there have been notable expansions in telehealth services:

  • Coverage for Additional Services: Medicare now covers a broader range of telehealth services, including physical therapy and occupational therapy.

  • Audio-Only Telehealth: CMS has permanently expanded the definition of "interactive telecommunications system" to include two-way, real-time audio-only communication, allowing providers to offer services to patients who may not have access to video technology.

These expansions aim to increase access to care, particularly for patients in underserved areas.

3. Interstate Licensure Compacts

To address the challenges of providing telehealth across state lines, several licensure compacts have been established:

  • Interstate Medical Licensure Compact (IMLC): Allows physicians to practice in multiple states with a single license.

  • Nurse Licensure Compact (NLC): Permits nurses to practice in member states without obtaining additional licenses.

These compacts facilitate the delivery of telehealth services across state lines, improving access to care for patients in various regions.

4. Enhanced HIPAA Compliance Requirements

The U.S. Department of Health and Human Services (HHS) has proposed new regulations to enhance cybersecurity protections for electronic protected health information (ePHI) under HIPAA. Key proposed changes include:

  • Mandatory Annual Technical Inventories: Healthcare providers must conduct annual inventories of their technical systems.

  • Enhanced Vendor Oversight: Business associates must notify the covered entities they serve within 24 hours of activating a contingency plan.

  • Mandatory Multi-Factor Authentication (MFA): Providers must implement MFA for accessing ePHI.

  • Encryption Standards: All ePHI must be encrypted both at rest and in transit.

These proposed changes aim to strengthen security controls and reduce breach risks, ensuring greater protection of ePHI.

5. State-Specific Regulations

In addition to federal regulations, healthcare providers must navigate state-specific laws that govern telehealth practices. These laws can vary significantly and may include:

  • Consent Requirements: Some states require explicit patient consent for telehealth services.

  • Prescribing Regulations: Certain states have specific rules regarding the prescription of medications via telehealth.

  • Record-Keeping Mandates: States may impose additional documentation requirements for telehealth encounters.

It's essential for providers to familiarize themselves with the telehealth regulations in each state where they practice to ensure compliance.

Conclusion

The telehealth landscape in 2025 presents both opportunities and challenges for healthcare providers. By staying informed about the latest regulatory changes and implementing robust compliance strategies, providers can continue to offer high-quality care while mitigating legal and financial risks.

At ClearPath Compliance, we specialize in helping healthcare organizations navigate the complexities of telehealth regulations. Contact us today to learn how we can support your compliance efforts.


The Hidden Threat in 2025: Why Third-Party Vendor Risk Could Be Your Practice’s Compliance Time Bomb

As healthcare regulations tighten in 2025, one of the biggest compliance threats isn’t coming from inside your practice — it’s coming from your vendors. From billing firms to IT providers, third-party partners can quietly expose your organization to HIPAA violations, financial penalties, or worse. In this essential guide, ClearPath Compliance breaks down the rising federal scrutiny on business associates, the most overlooked risks in small practices, and what every provider must do to stay protected.

By Drew Duffy | ClearPath Compliance Founder/CEO

The Quiet Compliance Killer

In the complex world of healthcare regulation, the most dangerous threats often come from the least obvious places. While most practices focus heavily on HIPAA training, audit prep, and coding accuracy, many overlook a crucial blind spot: third-party vendor risk.

From your billing company to your IT provider to the cloud service that stores patient documents — these “behind-the-scenes” vendors could be exposing your practice to regulatory violations, data breaches, or even federal penalties.

And in 2025, the stakes have never been higher.

A Regulatory Crackdown on Vendor Oversight

Over the past 18 months, regulators at the Office for Civil Rights (OCR), Centers for Medicare & Medicaid Services (CMS), and even the Federal Trade Commission (FTC) have sharpened their focus on third-party vendors in healthcare. This is largely in response to several high-profile data breaches — including Change Healthcare’s February 2024 ransomware attack, which exposed sensitive health information tied to nearly 1 in 3 Americans [1].

In a 2024 statement, OCR Director Melanie Fontes Rainer said:

"Covered entities cannot outsource accountability. Business associates must be monitored, audited, and held to the same privacy and security standards as internal staff." [2]

Translation: You’re responsible for your vendors. And in 2025, regulators are coming to verify that you know it.

Real-World Risks for Small Practices

Let’s break this down with examples that directly impact smaller providers and clinics:

Vendor Type            | Compliance Risk
IT & Cloud Storage     | Poorly secured servers can lead to HIPAA breaches or data loss
Billing & RCM Firms    | Improper coding, unverified licenses, or kickback exposure under the Stark and Anti-Kickback laws
Telehealth Platforms   | Unvetted APIs or third-party data analytics without BAAs
Marketing Vendors      | Sharing patient data for testimonials or ad targeting = HIPAA violation
Credentialing Services | Falsified documents or inconsistent monitoring can expose you to liability

The No Surprises Act Connection

The No Surprises Act also makes vendors a potential source of legal exposure — especially in how they manage cost estimates, out-of-network data, or coordination with insurance carriers. If your outsourced vendors don’t comply with federal guidelines for transparency, your name ends up on the penalty notice.

What You Should Be Doing Right Now

Here's what ClearPath Compliance recommends all healthcare providers implement immediately:

1. Review All Business Associate Agreements (BAAs)

  • Ensure each is current, signed, and explicitly defines security expectations.

  • Include a right to audit clause whenever possible.

2. Vet Vendors Like You’d Vet an Employee

  • Check licensing, insurance, references, and data protection practices.

  • Use a standardized vendor risk checklist — we can provide one.

3. Audit Your Critical Vendors Annually

  • Especially for billing, IT, and cloud storage partners.

  • Document everything — OCR considers written records essential.

4. Limit Data Access

  • Follow the “minimum necessary” rule with vendors just as you would internally.

  • Use role-based access and data encryption wherever possible.

5. Train Your Staff

  • Staff should know how to spot a suspicious vendor request or data access pattern.

  • Ensure everyone understands the importance of vendor security awareness.

Closing Thought

You may trust your vendors — but that won’t protect you if something goes wrong.

In 2025, federal agencies are making it crystal clear: outsourced does not mean off the hook. The healthcare organizations that stay ahead are the ones who treat vendor risk with the same urgency as HIPAA compliance or audit readiness.

At ClearPath Compliance, we help clinics like yours identify hidden risks, tighten policies, and build a defensible posture against government scrutiny. Don’t let a trusted partner become your weakest link.

📚 Sources:

  1. HHS Statement on Change Healthcare Cyberattack

  2. OCR Director Remarks on Business Associate Oversight

  3. FTC Health Breach Notification Rule Update

© ClearPath Compliance 2025
Need help reviewing your vendor risk? Call us at 1-888-996-8376 or Contact Us for a free consultation.


Under the Microscope: Looming Medicare & Medicaid Overhauls That Could Shake Your Practice to Its Core

As April 2025 ushers in sweeping Medicare fee‑schedule rewrites and controversial Medicaid data‐sharing pacts, independent practices face a looming ‘winners and losers’ divide—where delayed action could mean lost revenue, compliance nightmares, and patient trust on the line. Ready to turn regulatory upheaval into your competitive edge? Discover how ClearPath Compliance’s Integrated Response Framework keeps your practice protected, profitable, and poised for growth.

July 17, 2025

In April 2025, Washington unveiled a flurry of Medicare and Medicaid policy shifts that—while touted as cost‑containment and quality‑of‑care measures—carry the potential to undercut patient access and saddle providers with new layers of risk. From radical payment‑model rewrites to unprecedented data‑sharing pacts, these changes demand immediate attention. Without a proactive strategy, healthcare organizations could find themselves scrambling to stay compliant—or worse, fighting for their financial survival.

1. Medicare’s Double‑Edged Payment Proposals

On July 15, 2025, CMS floated a rule that would boost physician fees by up to 3.8% in 2026—but only for those in certain alternative payment models. Others would see a smaller 3.3% increase, effectively rewarding large, value‑based systems over small or independent practices. More ominously, on July 16, 2025, CMS proposed an $8.1 billion increase in hospital outpatient payments—yet simultaneously slashing reimbursement for high‑cost services like chemotherapy, in a push toward “site‑neutral payments” that pay the same whether care is delivered in a hospital or a private office.

These shifts are far from benign:

  • Winners & Losers: Practices unable to join advanced payment models risk seeing their Medicare revenue fall further behind peers.

  • Operational Overhaul: Changing reimbursement indices and billing codes will strain EHR and billing teams, raising denials and compliance flags.

  • Patient Impact: Site‑neutral cuts may force hospitals to shift oncology and other specialty services back to outpatient clinics ill‑equipped to handle complex cases.

2. Medicaid on the Chopping Block—and Under ICE Surveillance

While providers grapple with Medicare’s mixed bag, Medicaid now faces two parallel storms: massive federal spending cuts and a controversial data‑sharing deal. In April 2025, the U.S. House budget resolution set the stage for $880 billion in Medicaid cuts over the next decade, a move that experts warn could strip coverage from millions and destabilize safety‑net hospitals.

At the same time, this July, CMS quietly agreed to grant ICE access to 79 million Medicaid records, including names, Social Security numbers, and addresses—ostensibly to detect fraud, but decried by advocates as a “privacy betrayal” that could deter vulnerable populations from seeking care.

The combined effect is terrifying:

  • Coverage Cliff: State agencies, facing leaner federal dollars, may tighten eligibility, increase premiums, or slash optional benefits like dental and vision.

  • Trust Erosion: Families who fear deportation could avoid necessary treatments, fueling public‑health crises and uncompensated‑care burdens.

  • Compliance Minefield: Healthcare entities must navigate conflicting obligations—protect patient privacy under HIPAA while honoring a federal subpoena to hand over data.

3. Why You Can’t Afford to Wait

These policy changes aren’t distant threats—they’re unfolding now. Practices that delay will face:

  • Revenue Shock: Misaligned billing workflows and missed opportunities to qualify for advanced payment models.

  • Legal Exposure: Privacy lapses or flawed consent processes could trigger hefty civil penalties.

  • Operational Chaos: Untrained staff and outdated policies will struggle under shifting audit criteria and enforcement priorities.

4. ClearPath Compliance: Your Strategic Shield

At ClearPath Compliance, we’ve distilled our decades of healthcare regulatory expertise into an Integrated Response Framework designed to neutralize these threats and bolster your competitive edge:

  1. Advanced Revenue Optimization

    • Analyze your current Medicare billing mix and identify high‑yield alternative payment models you qualify for.

    • Remap EHR coding workflows to preempt denials under new site‑neutral and fee‑schedule rules.

  2. Medicaid Program Resilience

    • Conduct state‑by‑state impact assessments to forecast coverage changes and adapt enrollment strategies.

    • Develop patient‑centric consent protocols and vendor agreements that safeguard privacy—even when federal data‑requests arrive.

  3. Regulatory & Audit Readiness

    • Revise privacy policies and train staff on handling ICE subpoenas without violating HIPAA.

    • Perform mock audits for both Medicare and Medicaid regulations, ensuring your documentation survives heightened scrutiny.

  4. Advocacy & Stakeholder Engagement

    • Craft white‑papers and testimony to influence state budget committees on Medicaid funding decisions.

    • Facilitate community outreach programs that reassure patients and preserve trust in your practice.

Don’t get blindsided by the next wave of policy mandates. Call ClearPath Compliance at 1‑888‑996‑8376 or visit clearpathcompliance.com to schedule your free 30‑minute strategic consultation. Together, we’ll transform regulatory upheaval into an opportunity for growth and reinforce your status as a trusted healthcare leader.

Drew Duffy, MHA, FACHE


Stark Law Changes in 2025: What Every Healthcare Provider Needs to Know

Under the 2024 Stark Law updates, CMS has rewritten the playbook on self‑referrals—expanding value‑based exceptions, redefining ‘commercial reasonableness,’ and tightening the rules around indirect compensation. Solo practitioners, multi‑specialty groups, and concierge clinics alike must act now or risk steep penalties. Discover what these pivotal changes mean for your practice and how to safeguard compliance with ClearPath Compliance’s expert roadmap.

By A. Calder Nash, contributing policy and compliance analyst at ClearPath Compliance

What Is the Stark Law?

The Stark Law, also known as the Physician Self-Referral Law, prohibits physicians from referring Medicare patients to entities they have a financial relationship with—unless an exception applies. Its core goal is to prevent conflicts of interest that could drive up healthcare costs or compromise care.

What Changed in 2024?

In April 2024, the Centers for Medicare & Medicaid Services (CMS) implemented key updates to the Stark Law under the CY2024 Medicare Physician Fee Schedule Final Rule. These changes reflect CMS’s continuing efforts to modernize healthcare regulation under value-based care models.

1. Expanded Flexibility for Value-Based Arrangements

CMS has broadened exceptions for:

  • Shared savings programs

  • Coordinated care models

  • Health tech-enabled partnerships

Implication:
Physician practices and clinics entering into care coordination or quality improvement programs now have more legal protection when financial relationships are involved — as long as they’re structured properly.

Tip: If you're participating in an ACO or using digital tools for shared care, this rule may now protect you more than it did in 2023.

2. Clarification on "Commercial Reasonableness"

CMS clarified what counts as commercially reasonable — a core requirement for many Stark Law exceptions. The 2024 definition now explicitly allows arrangements that result in losses, as long as they still make sense from a business and care perspective.

Implication:
Medical groups no longer need to worry that unprofitable arrangements automatically violate Stark Law — as long as they have a logical, documented purpose (e.g., expanding access in rural areas).

Tip: Keep a clear justification in writing for any agreements that don’t look profitable on paper.

3. Tighter Language Around Indirect Compensation

New guidance narrows down the criteria for what qualifies as indirect compensation—meaning more arrangements may now fall under the Stark Law than before.

Implication:
Organizations that work with management companies, staffing agencies, or other third-party vendors must re-evaluate their indirect relationships. Many arrangements that flew under the radar now require a formal review.

Tip: If you contract out billing, staffing, or tech services, revisit those agreements now.

Why This Matters to Small Clinics and Independent Providers

You might think Stark Law is only for hospitals or large systems — but it absolutely affects:

  • Solo practitioners

  • Multi-specialty groups

  • Concierge practices

  • Clinics participating in Medicare

Failure to comply can mean:

  • Civil penalties up to $15,000 per service

  • Exclusion from federal programs

  • Reputational harm

How to Stay Compliant in 2024

  • Review your contracts (especially tech, staffing, or shared-revenue agreements)

  • Document your commercial reasoning

  • Know your value-based care exceptions

  • Consult a compliance specialist (like ClearPath Compliance) if you’re unsure

🧠 Final Thought

Regulations are evolving. So should your compliance strategy.
If you're unsure how these changes impact your practice, ClearPath Compliance is here to help.

Written by A. Calder Nash, contributing policy and compliance analyst at ClearPath Compliance.
