Written by: Drew Duffy, MHA, FACHE, Founder & Managing Director

The promise of AI ambient scribes in healthcare is undeniable—reduced administrative burden, improved patient interactions, and enhanced documentation accuracy. However, as healthcare organizations rush to implement these revolutionary tools, a critical question emerges: How do we balance innovation with the stringent privacy and security requirements that govern healthcare data? The intersection of AI ambient scribes and HIPAA compliance represents one of the most complex regulatory challenges facing digital health leaders today.

The HIPAA Reality Check: Why AI Scribes Are High-Risk Territory

Behind the scenes, AI scribes handle a high volume of protected health information (PHI) in real time, across multiple modalities (e.g., audio, transcripts, structured EHR data). As a result, AI scribes fall under HIPAA regulations. This seemingly simple statement carries enormous implications for healthcare organizations.

Unlike traditional medical scribes who are physically present and bound by employment agreements, AI scribes operate as third-party technologies that process sensitive conversations between physicians and patients. “Technically, it's a third party listening into the conversation,” says Aaron Maguregui, a partner with the Foley & Lardner law firm who specializes in AI and healthcare technology.

This fundamental shift in how healthcare documentation occurs creates new categories of risk that organizations must address systematically.

The Financial Stakes: Understanding HIPAA Penalty Exposure

The financial implications of HIPAA non-compliance in the age of AI are staggering. Under HIPAA, unauthorized disclosure of PHI can lead to penalties ranging from $141 to $2,134,831 per violation. When AI systems process thousands of patient encounters daily, the potential for widespread violations—and corresponding financial exposure—multiplies exponentially.

Each improperly handled patient conversation, misrouted clinical note, or unauthorized data access incident represents a potential violation. The scale at which AI scribes operate means that compliance failures can affect hundreds or thousands of patients simultaneously, creating massive penalty exposure.

Key HIPAA Compliance Risks: The Hidden Pitfalls

Healthcare leaders implementing AI ambient scribes must navigate several critical risk areas that traditional documentation methods never presented.

Data Training and Model Development Violations

One of the most significant risks involves how AI vendors train their systems. If a vendor is training its model on customer data without patient authorization—or without a defensible treatment, payment, or health care operations basis—such use may constitute a HIPAA violation.

Many organizations unknowingly enter agreements where their patient data becomes part of broader AI training datasets, potentially violating HIPAA’s minimum necessary standard and patient consent requirements. This risk extends beyond initial implementation to ongoing system improvements and updates.

Documentation Accuracy and Patient Safety Risks

The intersection of clinical accuracy and HIPAA compliance creates complex liability scenarios. If PHI is inserted into the wrong chart or disclosed to the wrong individual, it could constitute a breach under HIPAA and state data breach laws. Inaccurate documentation may also jeopardize patient safety, potentially leading to malpractice exposure.

The automated nature of AI scribes can amplify these risks if proper safeguards aren’t in place.

Unauthorized Access and Data Breach Vulnerabilities

AI systems require large datasets, which often include PHI. This creates new attack vectors for cybercriminals, including cloud storage vulnerabilities, API security weaknesses, and data transmission risks.

The real-time nature of AI scribes means breaches can expose ongoing patient conversations, resulting in immediate and ongoing privacy violations.

Risk Management Strategies: Building Compliance Into AI Implementation

Implementing Human-in-the-Loop Safeguards

Organizations should implement human-in-the-loop review for all AI-scribed notes. This safeguard ensures every AI-generated clinical note undergoes human review before becoming part of the permanent medical record.

Protocols should define review timelines, designate responsible reviewers, and outline escalation procedures for questionable content. This oversight serves as both a quality-control mechanism and a HIPAA compliance safeguard.

Technical Security Controls

To remain HIPAA-compliant, AI scribes must include multiple layers of security:

• End-to-end encryption for audio capture and storage

• Secure API connections

• Role-based access controls

• Comprehensive audit logging

Regular penetration testing and security assessments should validate the effectiveness of these controls.

Vendor Due Diligence and Business Associate Agreements

Healthcare organizations must thoroughly vet AI vendors’ security practices and compliance history. Business Associate Agreements (BAAs) should specifically address AI-related risks, including:

• Explicit prohibitions on using organizational data for model training without authorization

• Breach notification requirements

• Audit rights

• Data deletion protocols

Regulatory Trends and Future Considerations

The regulatory landscape for AI in healthcare is evolving rapidly. Expect increased scrutiny from regulators, more detailed HIPAA guidance, and penalty structures that account for the scale of AI systems.

Building a Compliance Culture

Technical controls alone are not enough. Organizations must foster a privacy-first culture, supported by:

• AI-specific staff training

• Policies governing tool use

• Accountability mechanisms for compliance monitoring

Regular compliance audits should include AI systems, reviewing access logs, note accuracy, and vendor performance.

Emergency Response and Breach Management

Organizations must have AI-specific incident response plans, including procedures for immediate system shutdown, rapid patient impact assessment, and coordinated communication with vendors, patients, and regulators.

Best Practices for Sustainable Compliance

HIPAA compliance with AI scribes should be treated as an ongoing operational requirement, not a one-time project. Best practices include:

• Continuous monitoring and alerting

• Maintaining detailed compliance documentation

• Conducting regular staff training updates

• Establishing metrics such as audit findings, security incidents, and patient complaints

Conclusion: Balancing Innovation with Responsibility

AI ambient scribes represent a transformative opportunity for healthcare, but they also introduce complex privacy and security challenges. Leaders who approach these technologies with a compliance-first mindset—treating HIPAA requirements as design constraints rather than afterthoughts—will be best positioned to realize the benefits while safeguarding their organizations and patients.

The future of healthcare documentation depends on striking this balance: leveraging AI to reduce burdens and improve care, while upholding the trust that patients place in providers to protect their most sensitive information.

-Drew

At ClearPath Compliance, we help healthcare organizations navigate this exact challenge. From vendor due diligence and Business Associate Agreement reviews to developing HIPAA-aligned policies and training programs, our team ensures that innovation does not come at the cost of compliance. We partner with clinics and health systems to build secure, sustainable frameworks for adopting AI scribes—so providers can focus on patients, not paperwork.

About the Author
Drew Duffy, MHA, CPCO, CRCMP, CHCO, CIPP/M, FACHE, is Founder & Managing Director of ClearPath Compliance. With over 20 years in healthcare operations and compliance, Drew draws on his clinical background and extensive expertise, supported by a network of experienced healthcare leaders—to deliver practical, ethical solutions for providers navigating today’s complex regulatory landscape.

By: Drew Duffy, MHA, FACHE, Founder & Managing  Director, ClearPath Compliance

The American healthcare landscape has undergone a seismic shift over the past two decades. What was once a profession dominated by independent physicians has transformed into an industry where nearly 70% of doctors now work as employees of hospitals or large health systems. This consolidation, while offering certain advantages in terms of resources and administrative support, has created an unexpected consequence: a growing movement of physicians breaking away to establish innovative independent practices that are reshaping healthcare delivery for the better.

The Consolidation Challenge: When Bigger Isn't Always Better

Healthcare consolidation has fundamentally altered the physician-patient relationship. Large health systems, driven by efficiency metrics and standardized protocols, often prioritize volume over individualized care. Physicians find themselves constrained by rigid scheduling systems, limited appointment times, and administrative burdens that distance them from their primary mission: healing.

The numbers tell a sobering story. Average patient consultation times have decreased to 15–20 minutes in many consolidated systems, leaving physicians feeling rushed and patients feeling unheard. Administrative tasks now consume up to 40% of a physician’s time, leading to widespread burnout and job dissatisfaction. Meanwhile, patients navigate complex referral systems, face longer wait times for specialists, and often feel like just another number in an increasingly impersonal healthcare machine.

The Independent Practice Renaissance: A Return to Patient-Centered Care

Against this backdrop, a new generation of physicians is choosing a different path. These healthcare entrepreneurs are establishing independent practices that blend the best of traditional medicine with innovative approaches to care delivery. This isn’t simply a return to the past—it’s a reimagining of what healthcare can be when physicians have the freedom to prioritize their patients’ needs above institutional constraints.

Personal Benefits for Independent Practitioners

Autonomy and Clinical Freedom
Independent physicians enjoy unprecedented control over their practice patterns. They can spend adequate time with each patient, pursue continuing education in areas that interest them, and implement treatment protocols based on the latest evidence rather than institutional preferences. This autonomy translates into higher job satisfaction and reduced burnout rates.

Financial Independence
While the initial investment in starting an independent practice requires capital and business acumen, successful independent practitioners often enjoy greater long-term financial rewards. They retain control over their revenue streams, can diversify their services, and aren’t subject to the salary caps common in employed positions. Many report earning 20–30% more than their employed counterparts within five years of independence.

Work-Life Integration
Independent practitioners can design their schedules around their lives rather than institutional demands. This flexibility allows for better work-life balance, opportunities for family time, and the ability to pursue personal interests and professional development.

Professional Fulfillment
Perhaps most importantly, independent physicians report higher levels of professional satisfaction. They can practice medicine the way they were trained to—focusing on healing relationships, personalized care, and clinical excellence rather than productivity metrics.

How Independent Practices Are Transforming Healthcare

Personalized, Relationship-Based Care
Independent practices are returning to the fundamental principle that healthcare is a relationship between physician and patient. With more time per appointment and continuity of care, these practitioners can address the whole person rather than just symptoms. This approach leads to better health outcomes, increased patient satisfaction, and more effective preventive care.

Innovation and Agility
Unencumbered by bureaucratic approval processes, independent practices can rapidly implement new technologies and treatment approaches. From telemedicine platforms to cutting-edge diagnostic tools, these practices often lead the adoption of innovations that improve patient care. They can also quickly adapt to changing patient needs and market conditions.

Cost-Effective Care
Independent practices typically operate with lower overhead costs than large health systems. This efficiency allows them to offer competitive pricing while maintaining quality care. Many independent practices are exploring direct-pay models, membership-based care, and other innovative payment structures that reduce costs for patients while ensuring fair compensation for physicians.

Community Health Leadership
Independent practitioners often become deeply embedded in their communities, understanding local health challenges and developing targeted solutions. They’re more likely to participate in community health initiatives, provide care to underserved populations, and build partnerships with local organizations.

The New Twist: Technology-Enabled Independent Practice

Today’s independent practices aren’t simply returning to the medicine of the past—they’re leveraging technology to create the future of healthcare delivery. Electronic health records designed for small practices, artificial intelligence diagnostic tools, and patient engagement platforms allow independent physicians to provide sophisticated care while maintaining the personal touch that large systems often lack.

Telemedicine Integration
Independent practices can quickly implement comprehensive telemedicine programs, offering patients convenient access to care while expanding the practice’s reach beyond traditional geographic boundaries.

Data-Driven Insights
Modern independent practices use advanced analytics to track patient outcomes, identify health trends, and optimize treatment protocols. This data-driven approach, combined with clinical intuition, produces superior results.

Patient Engagement Technology
From mobile apps to patient portals, independent practices can implement tools that keep patients engaged in their health while streamlining communication and administrative tasks.

The Path Forward: Supporting the Independent Practice Movement

As healthcare costs continue to rise and patient satisfaction with large health systems declines, supporting independent practices becomes a strategic imperative for improving American healthcare. This requires several key changes:

Policy Support
Healthcare policy should recognize and support the value that independent practices bring to the healthcare ecosystem. This includes fair reimbursement rates, reduced regulatory burdens for small practices, and protection from anti-competitive practices by large health systems.

Education and Resources
Medical schools and residency programs should provide business training and entrepreneurship education to prepare physicians for independent practice. Professional organizations should offer resources, mentorship, and support networks for physicians considering independence.

Patient Education
Patients need to understand the benefits of relationship-based care and the value that independent practices bring to their health outcomes. This includes recognizing that slightly higher upfront costs may result in better long-term health and lower total healthcare expenses.

Conclusion: The Future Is Independent

The healthcare consolidation of the past two decades has taught us valuable lessons about the limitations of one-size-fits-all healthcare delivery. While large health systems will continue to play important roles in complex care and medical education, the future of healthcare lies in a balanced ecosystem that includes thriving independent practices.

Independent physicians who choose to establish their own practices aren’t just pursuing personal and professional fulfillment—they’re pioneering a return to patient-centered care that benefits everyone. By combining the intimacy and personalization of traditional medicine with the technological capabilities of modern healthcare, these practices represent the best path forward for American healthcare.

The choice for physicians isn’t between the past and the future—it’s between accepting the limitations of consolidated healthcare and embracing the potential of independent, innovative practice. For those with the vision and courage to pursue independence, the rewards extend far beyond personal satisfaction to encompass the profound impact they can have on their patients’ lives and their communities’ health.

The renaissance of independent practice isn’t just coming—it’s already here. And it’s transforming healthcare one patient, one physician, and one community at a time.

-Drew

At ClearPath Compliance, we understand the unique challenges of building and sustaining an independent practice. From compliance and credentialing to risk management and operational support, our mission is simple: to help providers focus on patients, not paperwork. If you’re ready to take the next step toward independence, we’re here to guide the way.

About the Author
Drew Duffy, MD, MHA, CPCO, CRCMP, CHCO, CIPP/M, FACHE, is Founder & Managing Director of ClearPath Compliance. With over 20 years in healthcare operations and compliance, Drew draws on his clinical background and extensive expertise, supported by a network of experienced healthcare leaders—to deliver practical, ethical solutions for providers navigating today’s complex regulatory landscape.

By: Drew Duffy, MHA, FACHE, Founder & Managing Director, ClearPath Compliance

For many Minnesota families, Allina Health clinics represent more than medical facilities—they're where healing begins, where trust is built, where life's most vulnerable moments unfold. But at dawn on June 3, 2025, something unprecedented happened outside these familiar walls: more than 600 primary-care clinicians—doctors, physician assistants, and nurse practitioners—stood together beneath rain-gray skies, not as protesters, but as professionals reaching a breaking point.

This wasn't about money. This wasn't about abandoning patients. This was about preserving the very soul of medicine itself.

The Quiet Revolution: Why Healthcare Heroes Are Standing Up

The story begins in October 2023, when 325 Allina clinicians voted to unionize, creating what many consider a watershed moment in healthcare labor relations. Since February 2024, these dedicated professionals have sat through nearly 40-45 bargaining sessions—hours upon hours of trying to communicate what seems impossible to convey: that they're drowning.

The informational picket represents "a necessary step to help Allina administration understand the need for continued negotiations"—but it's so much more than that. It's a cry from the heart of modern medicine, where practitioners who entered the field to heal are instead being asked to process.

The Human Cost of "Efficiency"

What drives a doctor to stand in the rain holding a picket sign? The answer lies in the daily reality of contemporary healthcare: the relentless pressure to see more patients in less time, to document every interaction for insurance purposes, to work late into the evening completing charts—what many call "pajama time"—just to keep up with administrative demands.

Recent studies show that physicians are 82.3% more likely to experience burnout than workers in other occupations, yet the system continues to demand more. Nearly half of physicians leaving the workforce cite burnout as a major reason, creating a crisis that extends far beyond individual suffering.

Dr. Kara Larson captured the essence of this struggle perfectly: clinicians feel less like masters of their profession and more like cogs in an increasingly impersonal machine. The sacred relationship between healer and patient—the very foundation of medicine—is being sacrificed on the altar of productivity metrics.

Beyond Minnesota: A National Awakening

Minnesota's clinician uprising isn't happening in isolation. Across the region, more than 400 nurse practitioners and physician assistants have unionized at Essentia Health facilities spanning northern Minnesota and Wisconsin. Healthcare workers nationwide are recognizing that individual excellence isn't enough when the system itself is broken.

Studies suggest burnout costs the healthcare system approximately $4.6 billion annually due to physicians leaving or reducing hours, while doubling the risk for patient safety issues. The price of ignoring these voices isn't just measured in dollars—it's measured in lives, communities, and the gradual erosion of everything we once held sacred about healing.

What We Witnessed: Love in Action

The June picket lines told a story that transcended typical labor disputes. These weren't career protesters; they were healers holding handmade signs, learning protest chants between patient visits. The scene was quietly powerful—clinicians who usually comfort others finding courage to advocate for themselves.

After their morning demonstration, they went inside to see patients. Because this was never about abandoning duty—it was about preserving their ability to fulfill it with dignity and excellence.

With 90% strike authorization support, the message was clear: patience has worn thin, but hope remains. This overwhelming solidarity speaks to something deeper than workplace dissatisfaction—it reveals professionals united in their commitment to both patient care and professional integrity.

The Path You Didn't Know Existed

If this story resonates with you—if you see yourself in these tired faces, these determined voices—then you're not alone. And more importantly, you have choices.

Many healthcare professionals believe their only options are to endure the current system or leave medicine entirely. But there's a third path: creating the practice you always envisioned, one that honors both your calling and your humanity.

The Renaissance of Independent Practice

Across the country, physicians are rediscovering the joy of medicine through independent practice. Not the isolating, overwhelming version of solo practice from decades past, but a new model—supported, connected, and sustainable. These practitioners are finding that smaller, patient-centered practices can actually provide better care while restoring professional satisfaction.

The barriers that once made independent practice daunting—credentialing complexities, regulatory compliance, administrative burdens—are no longer insurmountable. Support systems exist now that understand both the clinical and business sides of healthcare, created by people who've walked this path themselves.

Community Over Corporation

What makes the difference isn't just leaving a large system—it's finding the right kind of support to build something better. When healthcare professionals band together to share resources, knowledge, and encouragement, they create something powerful: a community of practice that values both excellence and sustainability.

This isn't about quick fixes or overnight transformations. It's about recognizing that your calling as a healer doesn't have to come at the cost of your own wellbeing, your family time, or your professional autonomy.

A Message of Hope and Solidarity

The rain-soaked picket lines in Minnesota represent more than a labor dispute—they represent a moment of awakening. Healthcare professionals are saying, collectively and courageously: "We deserve better. Our patients deserve better. And we're willing to stand up for both."

While physician burnout rates have improved from their pandemic peak of 62.8% to 45.2% in 2023, nearly half of all physicians still struggle with symptoms that compromise both their wellbeing and patient care. This isn't a statistic—it's a humanitarian crisis hiding in plain sight.

You Are Not Alone

To every healthcare professional reading this and feeling that familiar knot in your stomach, that Sunday night dread, that sense of losing yourself in a system that doesn't see you: your feelings are valid. Your struggle is real. And you are not alone.

The Minnesota clinicians who stood in the rain understood something profound: sometimes the most radical act of care is caring for yourself. Sometimes the most professional thing you can do is demand professionalism from those who employ you.

Moving Forward with Purpose

Change is possible, but it requires both courage and support. Whether that means advocating within your current system, exploring independent practice, or finding new ways to practice medicine that honor your values—the key is knowing you don't have to figure it out alone.

The support exists. The community exists. The path exists.

And sometimes that community is made up of people who’ve stood exactly where you are, people who’ve felt the exhaustion, seen the system’s cracks, and decided there had to be a better way. ClearPath was built by leaders from every corner of clinical operations—doctors, nurses, administrators, legal, IT and HR—each of us shaped by the same challenges you face today. We know the system is broken because we’ve lived it, and we came together not to sell, but to serve. That’s why you won’t find links or pitches here. If you ever need our help, you know find us. This is simply what happens when healthcare experts unite to help their peers step out from under the corporate giant and into something better.

A New Chapter Begins

The Minnesota picket wasn't an ending—it was a beginning. A recognition that healthcare's future depends on respecting and supporting those who dedicate their lives to healing others.

When we take care of the caregivers, everyone wins. Patients receive better care from fulfilled, energized professionals. Healthcare workers rediscover the joy that brought them to medicine in the first place. And communities benefit from sustainable, patient-centered healthcare that actually works.

Your calling to heal is sacred. Your need for professional respect and personal sustainability is valid. And your future in medicine—whatever form it takes—can be both meaningful and sustainable.

Because when healthcare workers thrive, healing becomes possible for everyone.

About the Author
Drew Duffy, MD, MHA, CPCO, CRCMP, CHCO, CIPP/M, FACHE, is Founder & Managing Director of ClearPath Compliance. With over 20 years in healthcare operations and compliance, Drew draws on his clinical background and extensive expertise, supported by a network of experienced healthcare leaders—to deliver practical, ethical solutions for providers navigating today’s complex regulatory landscape.

By: Drew Duffy, MHA, FACHE, Founder & Managing Director, ClearPath Compliance

As of September 1, 2025, Texas will implement significant legislative changes affecting non-compete agreements for healthcare providers. Senate Bill 1318 (SB 1318) introduces comprehensive reforms that will reshape how Direct Primary Care (DPC) and membership medicine clinics structure employment and contractor agreements with physicians, advanced practice providers, and other clinical staff. These changes warrant close attention from clinic leadership and compliance professionals to ensure contractual arrangements remain enforceable and aligned with evolving legal standards.

Key Provisions of SB 1318 Affecting Healthcare Provider Agreements

Limitations on Non-Compete Duration and Geographic Scope

SB 1318 establishes a maximum duration of twelve months for non-compete agreements executed by physicians and other healthcare practitioners. This is a significant restriction compared to prior arrangements, which often included longer or indefinite terms. The statute further limits enforceable geographic restrictions to a radius of five miles from the location where the provider primarily practiced during their tenure. These constraints aim to balance protection of legitimate business interests with the provider’s ability to maintain professional mobility within reasonable bounds.

Caps on Buyout Clauses and Compensation

The legislation imposes a cap on buyout provisions associated with non-compete clauses, limiting these amounts to no more than the total annual compensation the provider received in the preceding twelve months. This measure is designed to prevent disproportionate financial penalties that might otherwise restrict provider mobility. Clinics will need to revisit existing contracts to confirm that buyout amounts adhere to this new threshold.

Enforcement and “Good Cause” Termination Protections

Importantly, SB 1318 stipulates that non-compete agreements are unenforceable if the provider’s termination was without “good cause.” While the statute does not exhaustively define “good cause,” it generally refers to justifiable reasons such as documented misconduct or failure to perform contractual obligations. This provision protects healthcare providers from punitive restrictions following termination absent legitimate cause, thereby fostering fairer employment practices.

Expanded Scope of Applicability

Unlike previous laws that primarily addressed physicians, SB 1318 extends these restrictions to include dentists, nurse practitioners (including Advanced Practice Registered Nurses), and physician assistants. This broadening of scope reflects recognition of the evolving multidisciplinary nature of healthcare delivery in membership medicine and DPC models, where such providers constitute vital components of clinical teams.

Administrative Roles Exemption

Providers who function solely in administrative, leadership, or managerial capacities are exempted from the statute’s new limitations. Non-compete agreements involving such roles remain governed by prior statutes and are subject to more flexible enforcement standards.

Practical Implications for DPC and Membership Medicine Clinics

Contract Review and Revision

Given these statutory changes, clinics must prioritize thorough review of all existing non-compete agreements, particularly those set to renew or newly executed on or after September 1, 2025. Contracts exceeding the new temporal or geographic limits, or containing buyout provisions above the statutory cap, risk unenforceability. Timely revisions will help avoid costly legal disputes and uncertainty.

Impact on Staffing and Provider Retention

The restrictions on non-compete terms may influence retention strategies. Clinics will need to develop alternative approaches to encourage provider loyalty and minimize turnover, including competitive compensation, professional development opportunities, and positive workplace culture. Non-compete clauses will no longer serve as the primary mechanism to restrict movement, especially given the unenforceability clauses tied to terminations lacking “good cause.”

Recruitment and Competitive Landscape

With reduced enforceability of expansive non-compete provisions, providers may experience greater flexibility in pursuing opportunities with competing clinics or establishing independent practices. This dynamic may increase competition among membership medicine providers and necessitate innovative recruitment and retention efforts.

Compliance and Risk Management

Non-compliance with SB 1318 can expose clinics to legal challenges and damages. Therefore, integrating statutory requirements into compliance programs and ongoing risk management frameworks is essential. Clear documentation, transparent contract language, and regular policy updates will be critical components.

Additional Considerations: Telehealth and Membership Medicine

While SB 1318 primarily addresses non-compete agreements, Texas continues to refine other areas impacting membership medicine and DPC, particularly telehealth regulations. With the expansion of telehealth services accelerated by recent public health developments, providers should remain attentive to state licensing, prescribing, and reimbursement policies. Ensuring compliance in these domains complements contractual adherence and supports sustainable clinic operations. We will dive deeper on this topic in our next blog.

Conclusion: Preparing for SB 1318 Compliance

The enactment of Senate Bill 1318 marks a significant shift in Texas healthcare employment law, with direct implications for membership medicine and DPC clinics. Leadership should undertake proactive measures to review and amend agreements, update retention policies, and reinforce compliance infrastructure. While the law imposes new constraints, it also encourages fairer practices and enhanced provider autonomy.

ClearPath Compliance is positioned to assist clinics navigating these transitions. Through comprehensive contract audits, template development aligned with SB 1318 requirements, and strategic advisory services, ClearPath supports clinics in minimizing legal risk while fostering a stable, compliant practice environment.

For clinics seeking guidance tailored to Texas’s evolving regulatory landscape, ClearPath offers expert consultation and practical solutions designed to maintain operational resilience and provider satisfaction. We offer a free initial consultation. Feel free to reach out to us at: info@clearpathcompliance.org, or give us a call at 1-888-996-8376.

About the Author
Drew Duffy, MD, MHA, CPCO, CRCMP, CHCO, CIPP/M, FACHE, is Founder & Managing Director of ClearPath Compliance. With over 20 years in healthcare operations and compliance, Drew draws on his clinical background and extensive expertise, supported by a network of experienced healthcare leaders—to deliver practical, ethical solutions for providers navigating today’s complex regulatory landscape.

By: Drew Duffy, MHA, FACHE, Founder & Managing Director, CleaarPath Compliance

The direct primary care (DPC) model continues to evolve rapidly, with significant regulatory changes on the horizon and growing market demand across the Midwest. For practices serving patients in Minnesota, Wisconsin, and Iowa, understanding the nuances of billing optimization and revenue strategy has never been more critical—especially with the upcoming 2026 HSA compatibility changes that will reshape the landscape.

The Current DPC Revenue Landscape

Direct primary care operates on a fundamentally different financial model than traditional fee-for-service medicine. Instead of the complex web of insurance billing and reimbursements, DPC practices rely on predictable monthly membership fees that typically range from $55 to $150 for individual patients. Recent industry data shows that the median individual membership price has stabilized at around $80 per month as of 2022, reflecting gradual inflation adjustments from the $75 median observed in 2018.

This subscription-based approach offers several advantages for revenue optimization:

• Predictable monthly income allows for better cash flow management and strategic planning.

• Elimination of insurance billing reduces administrative overhead significantly, with practices reporting dramatic reductions in billing-related staff costs and claim processing delays.

Minnesota's Regulatory Landscape: Opportunities and Challenges

Minnesota presents a unique regulatory environment for DPC practices. Currently, Minnesota has no specific DPC legislation, which creates both opportunities and challenges for revenue optimization. Without explicit regulatory frameworks defining DPC as distinct from insurance, practices must navigate existing Minnesota Insurance Statutes carefully when structuring their billing models.

This regulatory ambiguity requires Minnesota DPC practices to be particularly strategic about their billing approaches. Practices should consider billing in arrears to protect against potential regulatory challenges, as recommended by industry experts who note that "the laws governing DPC practices in many states remain unclear."

Interestingly, Minnesota has previously explored innovative DPC models, including proposals for DPC Medicaid pilots with membership fees capped at "a weighted average of seventy dollars per month across all eligibility categories." While these initiatives haven't yet been implemented, they signal potential future opportunities for practices to expand their patient base through government partnerships.

Strategic Membership Fee Optimization

The most critical decision affecting DPC revenue is membership fee structure. Current market data reveals several key pricing strategies:

• Tiered Membership Models: Many successful practices offer age-based pricing tiers. Adult memberships typically range from $75-$150 monthly, pediatric memberships often cost $25-$50, and family packages can reach $200-$300 monthly. This approach maximizes revenue per household while remaining competitive.

• Value-Based Pricing: The most successful DPC practices align their pricing with the comprehensive value they provide. This includes unlimited office visits, direct physician communication, extended appointment times, basic lab work, and preventive care services. Practices should calculate the cost-equivalent of these services in traditional healthcare settings to justify their membership fees.

• Geographic Considerations: For practices in Minnesota, Wisconsin, and Iowa, demographic and economic factors influence optimal pricing. Rural areas may require lower entry-point pricing, while suburban markets can often support premium pricing for enhanced services.

In addition, investing in patient retention tactics—such as personalized communication, flexible scheduling, and member engagement programs—can reduce churn and increase lifetime value per member, further strengthening revenue stability.

The 2026 HSA Game-Changer

Perhaps the most significant development for DPC revenue optimization is the upcoming HSA compatibility legislation taking effect in 2026. This bipartisan Primary Care Enhancement Act will allow patients with HSA-qualified high-deductible health plans to contribute to HSAs while maintaining DPC memberships, provided the monthly DPC fee doesn't exceed $150 for individuals or $300 for families.

This change presents enormous revenue opportunities. With 61 million Americans currently using HSA-qualified plans, the potential patient pool for DPC practices will expand dramatically. Practices should begin preparing now by:

• Ensuring membership fees fall within HSA-compatible limits

• Developing marketing strategies targeting HSA users

• Training staff on HSA regulations and patient education

• Preparing documentation systems for HSA-eligible services

Revenue Diversification Strategies

Beyond membership fees, successful DPC practices optimize revenue through complementary services:

• Laboratory Services: Negotiating direct pricing with lab vendors allows practices to offer discounted testing to members while generating additional revenue. Many practices mark up lab costs modestly while still providing significant savings compared to traditional healthcare pricing.

• Procedure Add-ons: Minor procedures, injections, and specialized services can generate additional revenue while providing convenience to patients. Practices should develop transparent pricing for these services that reflects their value proposition.

• Corporate and Employer Partnerships: Establishing relationships with local employers can provide steady revenue streams through group memberships. Employers increasingly recognize DPC as a cost-effective employee benefit, particularly in markets like Minnesota where healthcare costs are a significant concern.

• Telemedicine Integration: Incorporating telemedicine capabilities enhances member value while allowing practices to serve larger patient panels efficiently. This is particularly valuable for serving rural patients across Minnesota, Wisconsin, and Iowa.

Administrative Optimization for Maximum Efficiency

Revenue optimization in DPC isn't just about increasing fees—it's equally about reducing overhead and maximizing efficiency. Automated billing and invoicing systems reduce administrative burden while improving revenue cycle management. Modern DPC-specific practice management software can streamline membership management, automate renewals, and provide detailed financial analytics.

Examples of tools that support these goals include:

• Practice management platforms designed specifically for DPC workflows

• Automated membership billing and renewal systems

• Financial dashboards tracking key performance indicators (KPIs)

Practices should monitor metrics such as:

• Monthly recurring revenue (MRR) growth

• Patient acquisition cost

• Lifetime value per member

• Churn rates and retention analytics

• Average revenue per user (ARPU)

Marketing Investment for Sustainable Growth

Successful revenue optimization requires consistent patient acquisition. Digital marketing strategies specifically tailored to DPC practices have shown strong returns on investment. Search engine optimization, social media marketing, and content marketing help educate potential patients about DPC benefits while establishing practice credibility through patient testimonials and online reviews.

For practices in the Midwest market, local community engagement and physician referral relationships remain crucial for sustainable growth. Many successful practices report that word-of-mouth referrals from satisfied patients generate the highest-quality new members.

Looking Ahead: Positioning for Growth

As the DPC model continues to mature, practices that optimize their revenue strategies today will be best positioned for future growth. The combination of HSA compatibility, growing consumer awareness of DPC benefits, and increasing dissatisfaction with traditional insurance-based care creates unprecedented opportunities.

For Minnesota, Wisconsin, and Iowa practices, the key to successful revenue optimization lies in balancing competitive pricing with comprehensive value delivery, maintaining regulatory compliance in evolving legal environments, and building sustainable systems that can scale with growth.

The practices that thrive in this environment will be those that view billing and revenue optimization not as one-time decisions, but as ongoing strategic processes that adapt to changing market conditions while consistently delivering exceptional patient value.

By implementing these strategies while staying attuned to regulatory developments and market trends, DPC practices can build financially sustainable models that serve both their business objectives and their commitment to providing accessible, high-quality primary care.

How ClearPath Compliance Can Help Your DPC Practice Thrive

Navigating the evolving DPC revenue landscape and complex regulatory environment can be challenging. That’s where ClearPath Compliance steps in as your trusted partner. We specialize in helping Midwest direct primary care practices optimize billing and pricing strategies, ensuring compliance with current and upcoming regulations—including the critical 2026 HSA changes. Our tailored consulting services, practice management guidance, and compliance toolkits empower your clinic to streamline operations, maximize revenue, and deliver exceptional patient value. With ClearPath Compliance, you gain more than just expert advice—you gain a committed ally focused on helping your practice grow sustainably and confidently in today’s competitive healthcare market. Reach out to us today to learn how we can support your direct primary care journey. Reach us at info@clearpathcompliance.org or give us a call at 1-888—996-8376.

About the Author
Drew Duffy, MD, MHA, CPCO, CRCMP, CHCO, CIPP/M, FACHE, is Founder & Managing Director of ClearPath Compliance. With over 20 years in healthcare operations and compliance, Drew draws on his clinical background and extensive expertise, supported by a network of experienced healthcare leaders—to deliver practical, ethical solutions for providers navigating today’s complex regulatory landscape.

By: Drew Duffy, MHA, FACHE, Founder & Managing Director, CleaarPath Compliance

Direct Care Practices (DCP), also known as membership medicine or concierge medicine, continue to grow as an alternative healthcare model offering personalized, patient-centered care. However, as this model expands, so do regulatory and cybersecurity demands — especially in Minnesota, where recent 2025 healthcare compliance updates introduce new requirements affecting DCP providers.

This blog unpacks the latest Minnesota guidelines impacting membership medicine, with a focus on Multi-Factor Authentication (MFA) mandates and cybersecurity best practices that providers must understand to remain compliant, protect patient data, and sustain trust in this rapidly evolving sector.

Understanding Membership Medicine and Its Regulatory Landscape

Membership medicine practices operate on a model where patients pay a retainer or membership fee for enhanced access to their providers, often bypassing traditional insurance billing. This model fosters closer patient-provider relationships but also introduces unique compliance challenges:

• Patient Data Sensitivity: Many DCPs use modern technology platforms and electronic health records (EHR) tailored to small patient panels, increasing the cybersecurity risk profile.

• Regulatory Applicability: While some DCPs operate as cash-only or outside typical insurance frameworks, they are not exempt from federal HIPAA rules or state laws, especially when patient health information (PHI) is electronically stored or transmitted.

• Minnesota-Specific Requirements: The state has strengthened its healthcare privacy and security regulations, demanding more rigorous safeguards.

What’s New in Minnesota’s 2025 Healthcare Compliance?

Minnesota’s 2025 updates emphasize cybersecurity and patient data protection. Here are the key points relevant to DCP:

1. Mandatory Multi-Factor Authentication (MFA) for Healthcare Providers

• What is MFA? MFA requires users to verify their identity through two or more factors before gaining access to electronic systems containing PHI. These factors may include a password (something you know), a physical device or token (something you have), or biometric data (something you are).

• Minnesota’s MFA Mandate: Effective 2025, all healthcare providers accessing patient records electronically, including DCPs, must implement MFA on systems that handle PHI.

• Why MFA? It dramatically reduces the risk of unauthorized access due to compromised credentials, a common entry point for cyberattacks such as ransomware.

2. Expanded Data Breach Reporting Requirements

• Minnesota now requires faster notification timelines and more detailed reporting when breaches involving PHI occur.

• DCPs must have documented incident response plans aligning with these timelines.

3. Increased Oversight of Third-Party Vendors

• Contracts with EHR vendors, billing services, and other technology providers must include stringent cybersecurity and compliance obligations.

• DCPs should conduct due diligence on vendors’ MFA and security practices.

Why MFA Matters Deeply for Membership Medicine Providers

DCPs often rely on digital tools — from telehealth platforms to patient portals — making them prime targets for cybercriminals. Unlike larger health systems, smaller practices may lack dedicated IT security teams, increasing vulnerability.

Implementing MFA is not just a regulatory checkbox; it is a foundational security layer to:

• Prevent Unauthorized Access: Stolen or weak passwords alone no longer suffice to protect sensitive patient data.

• Build Patient Trust: Membership patients expect heightened privacy; security lapses could damage reputations irreparably.

• Avoid Financial and Legal Fallout: Data breaches risk costly penalties, lawsuits, and regulatory scrutiny.

Best Practices for DCP Compliance with Minnesota 2025 Guidelines

If you operate or manage a membership medicine practice in Minnesota, consider these steps:

1. Implement MFA Across All Systems with PHI Access

• Apply MFA not only to EHR logins but also email, administrative portals, and any remote access tools.

• Opt for hardware tokens or authenticator apps over SMS codes when possible, as they are more secure.

2. Update Policies and Staff Training

• Revise your cybersecurity policies to reflect MFA requirements.

• Train all team members on recognizing phishing attempts and the importance of strong authentication.

3. Conduct Regular Vendor Risk Assessments

• Confirm your technology partners comply with Minnesota’s 2025 standards, including their use of MFA.

• Require vendors to provide security attestations and audit reports.

4. Prepare for Incident Response

• Develop or update a breach response plan that meets Minnesota’s accelerated notification timelines.

• Test your plan with periodic drills to ensure readiness.

5. Document Everything

• Maintain detailed records of MFA implementation, staff training, vendor compliance, and incident management for audits.

Looking Ahead: The Future of DCP Compliance in Minnesota

With cyber threats growing more sophisticated, Minnesota’s 2025 healthcare rules represent just the beginning of a more robust regulatory environment. Membership medicine providers who proactively embrace MFA and comprehensive cybersecurity measures will be best positioned to safeguard their patients, their practice, and their professional reputation.

Staying informed and agile in your compliance approach will be critical as new technologies and regulations emerge.

How ClearPath Compliance Can Help

At ClearPath Compliance, we specialize in supporting innovative healthcare models like Direct Care Practices to navigate complex compliance landscapes. From HIPAA and Minnesota-specific regulations to cybersecurity frameworks and MFA implementation guidance, our expert team partners with providers to build secure, sustainable, and patient-focused practices.

This blog is the first in a series dedicated to helping DCP and membership medicine providers stay ahead of the complex and ever-changing regulatory and operational environment. Our next post will focus on how telehealth and virtual visits impact your membership practice, including compliance considerations and best practices.

Whether you’re just starting your membership medicine journey or looking to sharpen your compliance strategy for 2025 and beyond, we’re here to help you focus on what matters most — your patients.

If you want a tailored consultation or help setting up MFA and security policies aligned with Minnesota’s new healthcare mandates, reach out to us at info@clearpathcompliance.org or call 1-888-996-8376.

About the Author
Drew Duffy, MD, MHA, CPCO, CRCMP, CHCO, CIPP/M, FACHE, is Founder & Managing Director of ClearPath Compliance. With over 20 years in healthcare operations and compliance, Drew draws on his clinical background and extensive expertise, supported by a network of experienced healthcare leaders—to deliver practical, ethical solutions for providers navigating today’s complex regulatory landscape.

By: Drew Duffy, MHA, FACHE, Founder & Managing Director

Healthcare providers across the country are already grappling with burnout, turnover, and talent shortages. Unfortunately, 2026 isn’t offering much relief—just new expectations.

Recent CMS and HRSA guidance hint at increasing scrutiny on staffing patterns, particularly in outpatient settings that rely heavily on allied health professionals and contractors. States like Minnesota are already piloting reforms tied to staffing minimums and credential transparency, and the ripple effect is likely to reach even the smallest practices.

So what’s changing—and how can your clinic prepare?

The Road Ahead: Key Workforce Compliance Shifts Coming in 2026

1. Credentialing Verification Timelines Will Tighten
   Payers and regulators are pushing for faster, more reliable credentialing. Delays in verification can result in claims holds, audit flags, or even suspension of reimbursement.

2. Documentation Standards for Roles and Responsibilities
   Expect clearer expectations on role definitions, scope-of-practice documentation, and task delegation—especially for medical assistants, LPNs, and contract staff.

3. Increased Oversight of Third-Party Staffing Arrangements
   Clinics using locums or staffing firms may be required to demonstrate that those entities meet the same onboarding, HIPAA, and background standards as in-house hires.

4. Workforce Reporting Requirements
   HRSA-funded clinics and Medicaid providers may be required to submit annual staffing reports—including data on vacancies, turnover, and workforce composition.

5 Steps Clinics Can Take Now

1. Conduct a Role Audit
Review every position in your clinic—from front desk to clinical support—to ensure each has a defined scope, supervision plan, and documentation trail.

2. Tighten Your Credentialing Process
Don't wait until a payer demands it. Make sure credentials are verified at hire, tracked, and re-verified on a regular cycle.

3. Review Employment and Contractor Agreements
Ensure language addresses compliance obligations, supervision, data access, and termination protocols. (Yes, this includes locums and per diems.)

4. Start Tracking Turnover and Vacancy Rates
Even small clinics benefit from basic HR metrics. Knowing where you’re losing staff—and why—can help you fix problems before regulators take notice.

5. Standardize Your Onboarding Protocols
From OSHA training to HIPAA attestations, every new team member should go through a consistent, documented onboarding process.

Future-Proofing Doesn’t Have to Be Overwhelming

The coming changes aren’t about punishing clinics—they’re about protecting patients and improving care quality. But navigating new rules, especially while short-staffed, can feel daunting.

At ClearPath Compliance, we help clinics like yours stay ahead of the curve—without burning out your team. Whether you need help refining credentialing workflows, reviewing HR policies, or just a second set of eyes on your staffing documentation, we’re here to help.

📌 Final Thought:

Healthcare’s greatest asset is its people. The more we invest in protecting and supporting our workforce, the more resilient our clinics—and our compliance programs—become.

-Drew

About the Author
Drew Duffy, MD (not practicing), MHA, CPCO, CRCMP, CHCO, CIPP/M, FACHE, is Founder & Managing Director of ClearPath Compliance. With over 20 years in healthcare operations and compliance, Drew draws on his clinical background and extensive expertise, supported by a network of experienced healthcare leaders—to deliver practical, ethical solutions for providers navigating today’s complex regulatory landscape

By: Drew Duffy, MHA, FACHE, Founder & Managing Director, ClearPath Compliance

On July 31, 2025, a new federal tax and spending bill was enacted that permits patients with high-deductible health plans (HDHPs) to use Health Savings Accounts (HSAs) to pay for Direct Primary Care (DPC) and concierge membership fees. This is a pivotal policy change: until now, IRS interpretations effectively prohibited using HSA funds for retainer-based care models.

Key implications for your clinic:

• Lower financial barrier for patients: Membership fees can now be funded pre‑tax, making your practice more affordable and attractive to cost-conscious patients and employers.

• Greater employer adoption expected: Employers can now subsidize memberships as part of their benefit packages, leveraging HSA compatibility to reduce taxable income.

• Strategic growth window: Clinics offering membership-based care models are likely to see increased demand, as patients seek more personalized, accessible care—without giving up HSA benefits.

⚖️ State-Level Regulation: The Minnesota Example

While the federal HSA shift is promising, membership medicine remains governed at the state level, and not all states treat Direct Primary Care the same. Understanding your state’s stance is essential for legal compliance.

📍 In Minnesota:

Minnesota does not yet have a specific law that formally exempts DPC practices from insurance regulation. However, the state has historically taken a cautious but permissive stance when DPC contracts are:

• Clearly labeled as non-insurance agreements

• Paid for in flat monthly or annual fees

• Not tied to third-party insurance billing

Minnesota law defines insurance broadly, and if a membership clinic includes services that are traditionally billed per unit or appear risk-bearing (e.g., unlimited services for a flat rate), the state could classify it as engaging in insurance activity—especially if the clinic markets to employer groups.

Key Risks for Minnesota Practices:

• Marketing language matters: Avoid phrases like “unlimited care” or “covered benefits.” Instead, describe services as “access to care” or “ongoing primary care engagement.”

• No current safe harbor statute: Unlike states like Washington or Idaho, Minnesota does not have a codified legal “safe zone” for DPC. This means that legal compliance hinges on the interpretation of existing insurance laws.

• Employer arrangements require caution: Offering DPC memberships to employee groups without formal review could trigger scrutiny under the state’s insurance licensing rules.

Action Steps for Minnesota Clinics:

• Work with legal counsel to review your membership agreement annually.

• Ensure services provided match the contract exactly—no unlisted or implied care benefits.

• Keep documentation that shows your clinic does not assume risk in the same way as an insurer.

• Use patient disclosures that clearly explain this is not health insurance.

📲 Telehealth Caution: Multistate Limitations Still Apply

Even if your practice is based in Minnesota, many membership clinics offer virtual care across state lines. However, the post-pandemic relaxation of interstate telemedicine rules is fading, and licensure now matters again.

If your patients live or move out of state:

• You must be licensed in the patient’s location at the time of the virtual visit.

• You may need to adjust documentation and consent practices for each state’s standards.

• You should ensure HIPAA-compliant technology is being used, especially as the Department of Health and Human Services (HHS) rolls out updated 2025 telehealth guidance.

🔍 Summary of Key Compliance Issues for Membership Clinics in 2025

Here are the three most critical compliance areas your practice should monitor:

1. HSA Rule Changes:
Patients with high-deductible health plans can now use Health Savings Accounts (HSAs) to pay for direct primary care and concierge membership fees. This creates a significant opportunity for clinics to expand access and market their services as HSA-compatible. If your clinic hasn’t yet updated patient-facing materials or employer outreach strategies to reflect this change, now is the time.

2. Minnesota State Law on DPC:
Minnesota has not enacted a specific law exempting direct primary care practices from insurance regulation. That means your contracts must be written carefully to avoid being classified as an unlicensed insurance product. Avoid promising “unlimited” care or listing benefits that resemble insurance coverage. Instead, emphasize access to care and transparency. Work with legal counsel to ensure your agreements reflect Minnesota’s current interpretation of insurance statutes.

3. Telehealth Across State Lines:
As federal pandemic-era flexibilities expire, telehealth is once again governed by traditional state licensure rules. If you see patients virtually outside Minnesota, you must be licensed in their state at the time of service. Review where your patients live or travel and adjust your policies accordingly. Failure to do so could lead to disciplinary actions or liability.

🔍 Final Thoughts

Membership medicine is gaining momentum. With expanded HSA eligibility and rising patient demand for personalized care, clinics like yours are uniquely positioned for growth. But that growth must be legally sustainable.

At ClearPath Compliance, we monitor these changes daily—so you don’t have to. We help Minnesota clinics:

• Ensure legal alignment for membership agreements,

• Stay current with state-level regulations,

• Navigate telehealth compliance, and

• Structure employer offerings that won’t invite regulatory action.

Need help reviewing your membership contract or marketing language? Let’s make sure your practice is compliant, competitive, and ready for the next chapter in direct care.

By: Drew Duffy, MHA, FACHE, Founder & Managing Director, ClearPath Compliance

The healthcare industry is under siege. While medical professionals remain focused on patient care, cybercriminals are increasingly targeting the very systems that support life-saving treatments. The statistics are sobering healthcare data breaches now average $9.7 million per incident—more than double the cross-industry average—and attacks are only accelerating.

The Perfect Storm: Why Healthcare Is a Prime Target

Healthcare organizations store what hackers want most: full identity profiles, financial details, and sensitive medical records—each of which can sell for hundreds of dollars on the dark web. Unlike credit card data, medical records contain immutable personal details, retaining value indefinitely.

Many clinics are vulnerable due to:

• Outdated or unsupported systems

• Limited cybersecurity funding

• Overworked staff with minimal training on security protocols

By 2025, more than 68% of healthcare IoT devices are expected to remain unpatched—leaving critical holes for attackers to exploit.

Beyond the Balance Sheet: The Real-World Impact

A ransomware attack doesn’t just cause financial strain. It disrupts appointments, delays diagnoses, and in urgent cases, endangers lives. In 2024 alone, over $133.5 million was paid out to ransomware groups—but that doesn’t account for regulatory fines, legal costs, or long-term reputation damage.

When systems go down:

• Providers must revert to paper documentation

• Patient care is delayed

• Emergency departments may divert patients

These aren’t just IT issues—they’re patient safety concerns.

2025 Threats Keeping Security Experts Awake

The threat landscape is evolving fast, and the risks are real:

• Third-Party Vendor Breaches – Your clinic is only as secure as your software and billing partners.

• IoT Device Weaknesses – Many network-connected medical devices lack basic security.

• AI Manipulation – As AI tools become integrated, they become new attack surfaces.

• Sophisticated Phishing – Social engineering attacks now convincingly mimic coworkers, vendors, and even regulators.

New Regulations Are Coming—Is Your Practice Ready?

Regulators are responding. In 2024, the FDA finalized new cybersecurity guidance for medical device manufacturers. Now in 2025, the proposed Healthcare Cybersecurity Improvement Act could make baseline cybersecurity a Medicare Condition of Participation and allocate $100 million to help smaller facilities catch up.

This marks a shift toward mandatory compliance—meaning failure to act could lead to exclusion from federal programs.

Building Your Clinic’s Cybersecurity Foundation

Every clinic—regardless of size—should take the following steps:

• Risk Assessments: Evaluate vulnerabilities across systems, devices, and staff training.

• Multi-Factor Authentication (MFA): A simple but powerful barrier to unauthorized access.

• Incident Response Plan: Be prepared to act quickly and contain damage.

• Ongoing Staff Training: Human error is the #1 security risk.

• Vendor Oversight: Require proof of cybersecurity compliance from all partners.

• Secure Backups: Ensure quick recovery from system failures or attacks.

The Cost of Inaction

Cybersecurity is often seen as a cost center—but in truth, it’s a safeguard. Comprehensive protection for a small or midsize practice may run $10,000–$50,000 annually. Compared to the $9.7 million average cost of a breach—and the ROI becomes clear.

The Bottom Line

Cyber threats are no longer an “if”—they’re a “when.” Clinics that take proactive steps today will be far better equipped to survive the challenges of tomorrow.

This is about more than just data. It’s about protecting your patients, your team, your license, and your future.

Need support evaluating or improving your cybersecurity readiness?
ClearPath Compliance offers risk assessments, vendor management strategies, and ongoing compliance support tailored for small and mid-sized clinics.

By: Drew Duffy, MHA, FACHE, Founder & Managing Director, ClearPath Compliance

A Quiet Shake-Up in Healthcare Compliance

While most of the headlines in 2025 have focused on AI, staffing shortages, and hospital closures, another critical shift is happening under the radar: a proposed revamp of the HIPAA Security Rule.

These changes represent the most significant overhaul to HIPAA’s technical requirements in more than a decade. And for clinics just getting off the ground, the implications are real—especially if you’re planning to accept Medicare, Medicaid, or insurance of any kind.

But this isn’t a sky-is-falling moment. It’s a reality check. If you’re preparing to launch or grow a clinical practice, understanding what’s coming (and how to prepare for it) can save you from future penalties, patient trust issues, or worst-case scenario: a breach you weren’t equipped to prevent.

What’s Actually Changing?

The proposed updates to the HIPAA Security Rule aren’t about adding red tape for the sake of it. They’re a response to real threats: ransomware attacks, third-party vendor breaches, and outdated tech in healthcare settings.

Here are a few of the biggest proposed changes that providers—especially those starting fresh—should have on their radar:

🔐 Multi-Factor Authentication (MFA)
Any system that stores or transmits ePHI (electronic protected health information) would be required to use MFA. That means no more logging into your EHR or billing platform with just a password.

📁 Data Encryption at Rest and In Transit
If your patient data isn’t encrypted—both when it’s stored and when it’s sent—it may soon be considered a compliance failure. Encryption used to be labeled an “addressable” standard under HIPAA, but these changes would make it mandatory.

🧩 Asset Inventories and Technical Safeguards
Clinics will need to maintain a formal inventory of their hardware, software, and network configurations that impact ePHI. It’s not just about knowing what tools you use—it’s about knowing what risks they carry.

🔄 Incident Response and Recovery
You’ll need to have an actual, documented plan for what happens if your data is compromised. That includes how staff report the issue, who’s responsible for containment, and how you notify patients and regulators. Tabletop exercises (mock breaches) may become standard best practice.

🤝 Third-Party Vendor Risk Oversight
If your billing, EHR, or scheduling system is run by an outside vendor—and it probably is—you’ll be expected to vet their safeguards and ensure they notify you of any incident within a tight timeframe. Blaming the vendor won’t be a valid excuse.

What This Means for Clinics in the Startup Phase

If you're a new or soon-to-be clinic owner, these updates can feel overwhelming. But in many ways, you’re in a better position than established practices to build smart systems from the start. Here's why:

• You don’t have to untangle legacy tech. You can choose HIPAA-compliant platforms with MFA, encryption, and access controls baked in from day one.

• You’re building processes fresh. It’s much easier to adopt incident response planning and routine audits when you’re not reversing bad habits.

• Your vendor choices matter. Selecting trustworthy partners and understanding their breach response policies now prevents painful problems later.

The key is this: compliance isn’t a one-time box to check—it’s a system of small, strategic decisions made over time. Those decisions become your safety net when something (inevitably) goes wrong.

So… What Should a Startup Clinic Do Now?

Here are a few smart, doable steps to get aligned with the proposed rule—whether or not it’s finalized exactly as written:

• Choose software with built-in security (MFA, encryption, access logging).

• Create a written incident response plan. Even a one-pager is better than nothing.

• Vet your vendors. Ask about their security posture and breach protocols.

• Get signed Business Associate Agreements (BAAs) from every vendor who handles or accesses protected health information.
  Under the new rule, BAAs are not optional. They help legally define responsibility, ensure safeguards are in place, and protect your clinic in the event of a breach or data handling issue.

• Run a basic risk assessment. Even if you’re small, you need to document what systems you use and how they’re protected.

• Start training your team. A culture of compliance beats a binder on a shelf every time.

-Drew

Where ClearPath Compliance Comes In

At ClearPath, we help new clinics set up with all of this in mind. From credentialing and compliance policies to HR templates and system selection, we build the foundation that lets providers focus on care—not constant paperwork.

We don’t just hand you a HIPAA binder. We design your clinic’s compliance ecosystem around the Seven Elements of an Effective Compliance Program, as outlined by HHS, with tailored tools, training, and support to help you stay ready—without getting overwhelmed.

If you’re planning to launch or expand a clinical practice in 2025, now’s the time to get this right. Let’s make sure your systems are future-proofed—before future penalties arrive.

💬 Ready to get started?
We offer flexible consulting options, tiered setup packages, and fee reductions for providers serving low-income or underserved patients. Let’s talk about what your clinic needs—no pressure, no fluff, just real support. For more information please visit our about us tab, or the contact us form. You can also just give us a call at 1-888-996-8376.

About the Author
Drew Duffy, MD (not practicing), MHA, CPCO, CRCMP, CHCO, CIPP/M, FACHE, is Founder & Managing Director of ClearPath Compliance. With over 20 years in healthcare operations and compliance, Drew draws on his clinical background and extensive expertise, supported by a network of experienced healthcare leaders—to deliver practical, ethical solutions for providers navigating today’s complex regulatory landscape

By: Drew Duffy, MHA, FACHE

From dental offices to IV lounges, OSHA’s compliance spotlight is expanding. Here’s what your clinic needs to know.

The Occupational Safety and Health Administration (OSHA) is no longer focused solely on large hospitals and inpatient facilities. As of 2025, outpatient clinics — including primary care, specialty practices, mobile health units, and even IV therapy centers — are firmly in OSHA’s crosshairs.

Many small healthcare providers mistakenly believe they are too small to trigger attention. But in reality, OSHA has expanded its enforcement in precisely your direction, with several key changes in inspection priorities and compliance expectations.

Let’s break down what’s happening, why it matters to your practice, and what you can do about it — before a complaint, injury, or audit lands you on OSHA’s radar.

🚨 Why OSHA Is Paying More Attention to Clinics in 2025

1. Increased Enforcement of National Emphasis Programs (NEPs)
   OSHA continues to prioritize certain workplace hazards via NEPs — focused campaigns that direct inspectors to industries with known risks.
   Healthcare is now a high-priority industry under multiple NEPs, including:
   • Respiratory protection (post-COVID focus)
   • Workplace violence prevention
   • Bloodborne pathogens and sharps injuries
   • Heat illness prevention (especially for mobile or outdoor services)
   Even clinics without a history of incidents may be subject to random inspections or follow-up if OSHA is investigating other nearby healthcare employers.

2. Post-COVID Fallout: Compliance Gaps in Small Clinics
   The pandemic exposed serious gaps in how small providers protect staff — especially around PPE, exposure control, and hazard communication. In 2024–2025, OSHA began following up with outpatient clinics that previously self-reported deficiencies or received citations under the Emergency Temporary Standards.

3. State-Level Enforcement in Minnesota Is Stepping Up
   Minnesota operates its own OSHA plan (MNOSHA), which tends to be more proactive than federal OSHA. Clinics in Minnesota face a higher likelihood of inspection, especially if:
   • You offer procedures involving sharps, anesthesia, or blood products
   • You’ve had staff injuries or filed workers’ comp claims
   • A patient, vendor, or employee files a complaint

🧯 5 Core OSHA Risks in Outpatient Clinics

Even if your clinic looks clean and professional, it may be out of compliance on paper — and that’s all OSHA needs to issue fines or require mandatory correction.

1. No Written OSHA Program
   Does your clinic have a written Exposure Control Plan, Hazard Communication Plan, or Emergency Action Plan?
   If not, you’re already out of compliance. These documents are required for any workplace where staff could be exposed to blood, chemicals, or emergency scenarios — including medical clinics, dental offices, mobile IV lounges, and wellness spas.

2. Missing or Incomplete Bloodborne Pathogen Training
   Are your employees trained annually on bloodborne pathogen safety and sharps handling?
   OSHA requires annual, documented training. Staff who handle even a single lancet, needle, or blood specimen fall under this rule.

3. Lack of Respiratory Protection Program
   If you require or allow N95 or KN95 use in your clinic, do you have a written Respiratory Protection Program (RPP)?
   Without an RPP — including fit testing and medical clearance where required — your clinic may be violating both federal and MN OSHA standards.

4. Failure to Post Required Notices or Report Injuries
   Is your OSHA 300 log up to date? Do you know which injuries must be reported within 24 hours?
   Many clinics fail to file injury logs, especially if they’re small. But if a staff member is hospitalized, loses an eye, or suffers amputation — even if they’re treated and return to work — you must report within 24 hours.

5. Workplace Violence Prevention: A New Requirement
   Do you have a plan to prevent, report, and respond to workplace violence or threats?
   This is especially relevant for behavioral health clinics, urgent care, and clinics serving high-risk populations. OSHA now considers workplace violence a foreseeable hazard in healthcare — meaning you must actively plan for it.

🧠 OSHA and Mental Health Clinics: A Growing Focus Area

Mental health clinics, counseling centers, and behavioral health providers face unique OSHA compliance challenges that are often overlooked.

While many think OSHA only applies to settings with obvious physical hazards, behavioral health settings have distinct risks that OSHA is increasingly scrutinizing, including:

• Workplace violence and staff safety: Behavioral health clinics report higher incidents of patient aggression, verbal threats, and physical assaults. OSHA now classifies workplace violence as a foreseeable hazard in healthcare, requiring clinics to have formal prevention and response plans.

• Staff burnout and ergonomic concerns: Long hours, high emotional stress, and inadequate breaks can lead to musculoskeletal injuries and mental fatigue — all OSHA-relevant workplace health issues.

• Confidentiality and workspace design: Maintaining patient privacy while ensuring staff safety requires thoughtful clinic layout and policies that comply with OSHA’s standards for environmental safety.

Minnesota’s MNOSHA has been particularly active in visiting behavioral health providers to verify workplace violence prevention policies and evaluate staff training.

If you run a mental health clinic, don’t assume OSHA won’t come knocking. Preparing a solid workplace violence prevention plan and training your team is now a best practice — and increasingly, a legal requirement.

💥 Real-World Penalties for Non-Compliance

Even a basic OSHA violation — like failure to maintain training records — can trigger fines starting at $1,500 to $15,000 per item. In 2025, the penalty cap for serious violations rose to over $16,000 per citation — with additional daily fines for uncorrected issues.

In recent outpatient clinic citations, OSHA issued penalties for:
• No Exposure Control Plan for sharps/needles
• No annual BBP training
• Using expired disinfectants or unlabeled chemical containers
• Missing eyewash stations in treatment rooms where chemicals were stored

✅ What You Can Do Today to Prepare

You don’t need a 300-page binder — but you do need written plans, training documentation, and safety protocols that match your clinic’s scope.

Start with these 5 steps:

1. Create or update your Exposure Control Plan and Hazard Communication Plan.

2. Conduct and document annual staff training on bloodborne pathogens, workplace safety, and emergency procedures.

3. Review your PPE policies, including respiratory protection, gloves, and gowns.

4. Audit your injury logs and incident reporting practices.

5. Establish a basic Workplace Violence Prevention Policy.

If you have mobile units or unique procedures (like IV therapy or regenerative medicine), you may need additional hazard assessments to stay compliant.

-Drew

🛡️ ClearPath Can Help You Get OSHA-Ready — Without the Overwhelm

We help clinics across Minnesota and the Midwest navigate OSHA compliance with practical, affordable solutions that don’t disrupt patient care.

• Custom OSHA plans and templates
• Staff training (virtual or in-person)
• Emergency preparedness and documentation audits
• Mock inspections and compliance coaching

Whether you're building a clinic from scratch or responding to a recent incident, ClearPath makes compliance clear, manageable, and clinic-friendly.

📞 1-888-996-8376
📧 info@clearpathcompliance.org
🌐 www.clearpathcompliance.org

Discounted services available for clinics serving underserved or publicly insured populations.

By: Drew Duffy, MHA, FACHE

The landscape for mental health care is changing — fast.

Telehealth expansion, workforce shortages, billing scrutiny, and tightening federal and state oversight are creating a complex environment for behavioral health providers. While many changes won’t be fully implemented until 2026, 2025 is the critical year to prepare.

If you're a psychologist, therapist, psychiatrist, licensed social worker, or clinic owner, this guide breaks down what’s changing, what’s at risk, and what you need to do now to stay secure.

1. Increased Scrutiny on Telehealth and Virtual Mental Health

What's happening:

The telehealth flexibility that exploded during COVID is slowly tightening. The DEA, CMS, and state boards are issuing stricter rules about:

• Prescribing controlled substances via telehealth (especially ADHD meds, benzos, and stimulants)

• Out-of-state licensure and practice

• HIPAA-compliant platforms (end of “good faith” waivers)

2026 preview:

• The DEA’s final rule on tele-prescribing is expected to require in-person exams for controlled substances unless providers join an approved telemedicine referral registry.

• Interstate licensing compacts (like PSYPACT) will become a requirement, not a convenience.

What to do now:

• Audit your telehealth policies and vendor contracts — is your video platform HIPAA-compliant under the full rule?

• Stop prescribing controlled substances virtually unless you’ve documented medical necessity and state law allows it.

• Consider PSYPACT membership or cross-state licensure if you treat out-of-state clients.

2. HIPAA and 42 CFR Part 2 Alignment (and Enforcement)

What's happening:

The long-awaited alignment between HIPAA and 42 CFR Part 2 (federal rules governing substance use treatment records) was finalized in 2024, but enforcement ramps up in 2025–2026.

Key updates:

• You can now use a single, HIPAA-style consent to disclose SUD records for treatment, payment, and operations (TPO) — but you must clearly inform patients of this during intake.

• Breaches involving Part 2 records must follow HIPAA breach notification rules.

• Redisclosure limitations remain strict — downstream providers can’t reuse SUD info unless permitted.

Why this matters:

• Mental health clinics offering integrated therapy + SUD treatment are now held to stricter data-sharing standards.

• Improperly sharing records — even between staff — can trigger federal fines or licensing complaints.

What to do now:

• Review and update your Notice of Privacy Practices (NPP) to reflect 42 CFR changes.

• Train all staff on new redisclosure and consent rules.

• Use separate flags or access levels for SUD-related documentation in your EHR.

3. Credentialing, Billing & Audit Pressures Rising — Especially in Medicaid

What's happening:

Many mental health clinics rely on Medicaid or managed care for most of their income. These programs are becoming stricter, especially in:

• Credentialing delays and tighter enrollment checks

• Service documentation audits (especially for teletherapy and group sessions)

• Recoupment of payments for improper supervision, scope violations, or missing notes

Minnesota-specific updates:

• DHS has started post-payment reviews of outpatient therapy sessions, especially under fee-for-service.

• Board supervision requirements are being spot-checked — e.g., LPCCs billing independently without valid supervisor registration.

2026 preview:

• CMS is pushing new provider ID and NPI matching systems to catch “ghost billing” and billing by uncredentialed providers.

• Cross-checking billing with licensure databases will become automated — increasing the risk of clawbacks.

What to do now:

• Ensure all providers are credentialed under correct taxonomy codes, with updated licenses and NPI match.

• Regularly audit documentation — especially for:

  • Group therapy

  • Supervised clinicians (pre-licensure)

  • Crisis codes or extended sessions

• Use modifiers appropriately and maintain records for time-based billing.

4. Mental Health Clinics Are Now High-Risk for OSHA, HIPAA, and Labor Law Claims

Why:

• Staff burnout, patient aggression, and solo site management all increase risk.

• Behavioral health clinics often neglect OSHA or HIPAA because “we’re just talk therapy.”

• Mobile or home-based services complicate safety, supervision, and privacy obligations.

Real risks in 2025:

• OSHA is now citing clinics that lack workplace violence prevention plans — a major issue in behavioral health settings.

• HIPAA complaints are rising for unencrypted therapy notes, remote session recordings, and insecure email exchanges.

• Wage/hour audits are targeting clinical staff classified as contractors without valid independent licensure.

What to do now:

• Draft or update your OSHA-required Emergency Action and Workplace Violence Prevention Plans.

• Secure your telehealth, notes, and communications — including texting, voicemail, and client portal use.

• Confirm that supervised clinicians are W-2 employees, not 1099s (unless truly independent by IRS and board standards).

What’s Coming in 2026 — and Why 2025 Is Critical

Major reforms are coming down the pipeline:

• National mental health parity enforcement will increase, impacting how insurers must reimburse behavioral health.

• Interstate licensure frameworks will become essential for teletherapy models.

• Expanded data reporting rules will require even small clinics to participate in outcome tracking and CMS registries.

• DEA and SAMHSA modernization rules will permanently reshape controlled substance and SUD treatment compliance.

Clinics that wait until 2026 to get compliant will be too late. The infrastructure needs to be in place now.

What ClearPath Compliance Offers to Mental Health Clinics

Whether you’re a solo LGSW or running a 50-provider therapy group, we offer real compliance solutions tailored to mental health:

• HIPAA + 42 CFR Part 2 updates and documentation

• Credentialing, revalidation, and billing risk reviews

• OSHA plans and workplace violence programs

• Telehealth policy development

• Licensure supervision tracking tools

• Employment classification audits

• EHR documentation templates that match payer and board requirements

-Drew

📞 1-888-996-8376
📧 info@clearpathcompliance.org
🌐 www.clearpathcompliance.org

Discounted support for clinics serving publicly insured, rural, or underserved patients.

By Drew Duffy, MHA, FACHE
Published by ClearPath Compliance

The Invisible Risk Layer Growing Inside Clinics

AI isn’t coming to healthcare—it’s already here. In fact, most clinics are already using artificial intelligence in some form: auto-scribing, triage bots, predictive scheduling, claims scrubbing, or AI-driven patient outreach. But what’s changed in the last 12 months is the emergence of agentic AI—tools that act independently, interact with patients, and evolve their behavior without direct human prompts.

This is more than automation. It’s autonomy. And that comes with significant, unregulated compliance risk.

Clinics are integrating these systems rapidly—often unknowingly—without updating policies, risk assessments, or BAAs. In many cases, they don’t even realize the tools they’re using now qualify as “intelligent agents” with unsupervised access to protected health information (PHI).

What Is Agentic AI?

Agentic AI refers to artificial intelligence systems that can perceive their environment, make decisions, and take action independently—often across multiple steps and systems. These tools may learn over time, use probabilistic reasoning, or trigger new workflows without explicit commands.

Examples include:

• Smart voice assistants embedded in the EHR, recording and summarizing patient visits

• AI chatbots conducting intake, collecting sensitive disclosures

• Predictive care platforms that flag high-risk patients based on behavior or biometrics

• Documentation generators that “decide” what parts of the encounter are clinically relevant

These systems operate at scale—and sometimes without clearly defined decision logs, access trails, or human-in-the-loop safeguards.

Why This Is a Compliance Time Bomb

Agentic AI often falls into a regulatory blind spot. Many tools are labeled as “productivity enhancers,” and bypass traditional HIPAA scrutiny because they’re marketed as non-clinical. But if the tool generates, accesses, stores, or shares PHI? It’s subject to HIPAA—even if it wasn’t built for healthcare.

Here’s where the real danger lies:

1. Undefined Legal Responsibility

Who’s liable if an AI agent makes an inappropriate clinical suggestion—or overlooks a suicide risk disclosure in a chatbot intake? The vendor? The clinic? The medical director?

2. Poor Auditability

Most agentic systems don’t offer transparent logging. Clinics can’t always prove who accessed what data or why.

3. Missing BAAs

Many AI vendors refuse to sign Business Associate Agreements (BAAs), especially startups using open-source models. That alone makes their use in healthcare legally problematic.

4. Staff Misuse or Overreliance

Clinicians may trust AI tools too much—or copy/paste outputs into clinical notes without validation. That can introduce errors, propagate false data, or reduce patient safety.

HIPAA’s Current Position on AI (Spoiler: It's Outdated)

HIPAA, enacted in 1996, was never built to address agentic software. The Security Rule references risk analyses and access controls—but is silent on machine-driven decisions, model drift, or prompt injections.

Yet the Office for Civil Rights (OCR) has made it clear: any system interacting with PHI is subject to the same standards, regardless of whether it's operated by a human or an algorithm.

So while there is no AI-specific HIPAA rule, clinics must interpret existing rules through a modern lens. That means ensuring:

• Minimum necessary disclosures

• Role-based access to AI tools

• Signed BAAs for any vendor handling PHI

• Technical safeguards (encryption, timeouts, IP restrictions)

• Internal policies governing AI use

• Risk analyses that include AI-specific threats

Practical Compliance Steps Clinics Can Take Today

Agentic AI isn’t inherently noncompliant—but clinics must proactively adapt. Here's a practical framework:

✅ 1. Audit Your Tools

Create a full inventory of any system touching PHI—especially voice recorders, AI note generators, chatbots, or scheduling tools.

✅ 2. Update Risk Assessments

Revise your security risk analysis to account for AI-specific threats: model behavior, prompt injection, decision opacity, and access creep.

✅ 3. Lock Down Permissions

Ensure AI tools only operate in contexts where they are needed—disable always-on listening features, and limit who can deploy or view outputs.

✅ 4. Draft AI Governance Policies

Document when AI can be used, how outputs are validated, and what human oversight is required.

✅ 5. Train Your Staff

Include AI use and limitations in your annual HIPAA training. Teach clinicians and front-desk staff when to rely on AI—and when to override it.

How ClearPath Compliance Helps Clinics Navigate AI Safely

ClearPath Compliance is one of the few firms actively integrating AI governance into our healthcare compliance programs. For clinics using or considering agentic tools, we offer:

🔍 AI Risk & Privacy Audits

We assess your full technology stack for HIPAA exposure—including "invisible AI" built into scheduling, billing, or communication platforms.

📝 Custom AI Use Policies

From chatbot guardrails to note validation workflows, we provide documentation to protect your practice legally and operationally.

🤝 BAA & Vendor Review

We evaluate whether your AI vendors meet HIPAA standards—and help you negotiate compliant terms (or find better vendors).

🧑‍🏫 Staff Training Modules

We deliver engaging, role-specific training on proper AI usage in clinical, billing, and admin settings.

📆 Retainer-Based Support

All full clinic setup packages include a one-year compliance retainer with up to 5 monthly support hours, ensuring your program evolves with your tools.

The Bottom Line: Be Bold, but Be Ready

AI has the power to revolutionize care—but only if it’s implemented with compliance in mind. Clinics that proactively manage their agentic AI risk will be seen as leaders—not just in innovation, but in trust.

Let ClearPath Compliance help you stay one step ahead.

📞 1-888-996-8376
📧 info@clearpathcompliance.org
🌐 clearpathcompliance.org

By Drew Duffy, MHA, FACHE

The Centers for Medicare & Medicaid Services (CMS) has released its proposed rule for the Calendar Year (CY) 2026 Medicare Physician Fee Schedule (PFS), and with it, a clear message: change is coming—and fast. From payment redistribution and telehealth evolution to new quality reporting requirements and bundled SUD services, every private practice needs to take proactive steps now to remain financially viable, compliant, and positioned for success.

Here’s what every private medical, behavioral health, and allied health practice should be doing right now to get ready for 2026.

1. Analyze Your Current Medicare Revenue Exposure

Start by understanding exactly how much of your practice’s revenue is tied to Medicare Part B. Then model the projected impact of:

• The updated conversion factor

  • Proposed: $33.59 for APM participants; $33.42 for all others

  • This reflects a ~3–4% increase, but not all services will benefit equally.

• RVU changes and redistribution

  • CMS is shifting value away from high-volume, procedural services and toward primary care, behavioral health, and chronic care management.

  • Specialty practices may see flat or even negative payment adjustments.

▶ Action Step: Have your billing team or consultant run a CPT-level analysis comparing CY 2025 vs. proposed CY 2026 payment rates.

2. Upgrade Your Telehealth Program

Telehealth is no longer a pandemic workaround—it’s a core part of CMS’s care delivery strategy. Key 2026 updates include:

• Permanent removal of frequency limits for inpatient and SNF telehealth

• Permanent adoption of “virtual direct supervision” for most services

• Expanded billing rights for telehealth in FQHCs/RHCs through 2026

• In-person visit requirements returning for SUD and mental health services

▶ Action Step: Ensure your telehealth documentation, coding, supervision protocols, and platform capabilities are updated to meet 2026 rules. If you bill under incident-to or supervise NPs/PAs remotely, confirm your workflows support real-time audio-video compliance.

3. Prepare for SUD & Behavioral Health Expansion

CMS is continuing its investment in behavioral health and substance use disorder (SUD) services. That means more opportunity—but also more scrutiny.

• Codes G2086–G2088 remain central for monthly SUD treatment

• New bundled models for integrated behavioral health are being prioritized

• Audio-only visits remain billable (in specific contexts), but with documentation and risk assessment requirements

▶ Action Step: Train clinicians and front office teams to identify eligible patients, document appropriately, and bill these codes correctly. Build in-person exceptions into your EHR if you rely on audio-only care.

4. Assess Alternative Payment Model (APM) Readiness

If you’re not already in an APM, CY 2026 may be the year to transition. Why?

• Higher conversion factor for qualifying APM participants

• More favorable MIPS exemptions

• Better access to value-based contracts through networks or ACOs

▶ Action Step: Evaluate whether your practice could qualify through a Medicare Shared Savings Program ACO or PCMH arrangement—or partner with an IPA or management service organization (MSO) that offers access to APMs.

5. Clean Up Coding and Documentation

Quality and risk-adjustment payment will rely more heavily on coding accuracy than ever before.

• HCC coding is central for value-based arrangements

• Under-coded chronic conditions could reduce reimbursements

• Improper documentation of time-based or incident-to services will be red flags under post-PHE audit protocols

▶ Action Step: Conduct an internal audit now—or partner with ClearPath—for a compliance and coding review focused on high-volume Medicare services.

6. Update Compliance & Training Policies

Regulatory and payer scrutiny is increasing. CMS’s proposed rule indicates more transparency and accountability measures in:

• Virtual care supervision

• Behavioral health integration

• Use of non-physician providers

• Quality reporting and cost efficiency metrics

▶ Action Step: Update staff training modules and compliance manuals to reflect CY 2026 expectations. Make sure providers know the latest on telehealth, supervision, and time-based documentation.

7. Prepare a Comment or Advocacy Plan

CMS is accepting public comment on the proposed CY 2026 rule through September 12, 2025. If there’s a change that could negatively affect your practice—or an area where clarification is needed—now is the time to speak up.

▶ Action Step: Coordinate with your specialty society or submit a comment directly through Regulations.gov.

How ClearPath Compliance Can Support Your Transition

Our team works with independent and small group practices to navigate complex CMS changes, providing:

• CPT & RVU payment modeling

• Telehealth and SUD compliance planning

• APM evaluation and alignment

• Credentialing and enrollment for expanded Medicare services

• Staff training and documentation toolkits

📩 Contact us at info@clearpathcompliance.org or call 1-888-996-8376 to schedule your CY 2026 readiness assessment.

Let us help you focus on what matters most—your patients. We’ll handle the paperwork.

-Drew

By: Drew Duffy, MHA, FACHE

Introduction The upcoming 2025 Medicaid budget reductions are poised to create deep and lasting impacts across the U.S. healthcare system—particularly for small practices, rural clinics, and providers who serve low-income populations. With over 90 million Americans enrolled in Medicaid at some point in the past two years, these cuts are not merely fiscal; they carry substantial implications for access, continuity, and equity in care.

This article presents a comprehensive overview of the proposed changes, examines the vulnerable segments within the provider landscape, and outlines key strategies that healthcare organizations can adopt to navigate the impending challenges.

I. Context and Drivers of the 2025 Medicaid Cuts The 2025 federal budget proposal includes significant Medicaid reductions aimed at curbing long-term healthcare expenditures. Several macroeconomic and political factors have catalyzed these proposed changes:

• Post-Public Health Emergency (PHE) Redetermination: Following the expiration of the PHE, states have resumed annual eligibility verifications, resulting in widespread disenrollments.

• Transition to Block Grants and Waivers: Some states are exploring capped funding models through Section 1115 waivers, shifting financial risk to providers.

• Cost-Containment of Optional Benefits: States are reassessing the provision of services such as dental, vision, and behavioral health under the "optional benefits" category.

• Increased Federal Scrutiny: CMS is tightening enforcement around medical necessity, improper payments, and state Medicaid program audits.

The combined effect is projected to reduce federal Medicaid contributions by over $200 billion across the next decade.

II. High-Risk Provider Segments The ramifications of these budgetary contractions will not be evenly distributed. Certain provider categories are particularly vulnerable:

• Small and Independent Practices: Often reliant on Medicaid as a primary payer, these clinics may face immediate revenue shortfalls.

• Behavioral Health and SUD Treatment Providers: These providers, already underfunded, may see reduced support for vital services.

• Rural Health Clinics (RHCs) and Federally Qualified Health Centers (FQHCs): Operating in underserved areas, these entities are more susceptible to reimbursement delays and care disruptions.

• Maternal, Pediatric, and Geriatric Specialists: Serving demographics heavily dependent on Medicaid, these providers could experience higher denial rates and administrative burdens.

• Clinics Serving Marginalized Communities: LGBTQ+, BIPOC, and immigrant-focused practices may struggle to retain care continuity as patient eligibility is terminated.

III. Compliance, Reimbursement, and Operational Risks As Medicaid funding contracts, enforcement activity often intensifies. Providers should anticipate the following compliance and operational challenges:

• Increased Prepayment Review and Denials: Expect elevated scrutiny of prior authorizations and coding accuracy.

• Documentation and Audit Vulnerabilities: Poor documentation can lead to recoupments, civil penalties, and exclusion.

• Eligibility Verification Complexities: Redetermination errors could lead to retroactive denials if staff are not trained appropriately.

• Revenue Cycle Volatility: Clinics may face cash flow interruptions due to longer processing times and reduced state funding matches.

IV. Strategic Recommendations for Providers Proactivity is key to mitigating the risks associated with the Medicaid cuts. Providers should consider the following actions:

1. Conduct a Payer Mix Analysis: Determine your clinic's Medicaid dependency and assess revenue diversification opportunities.

2. Update Eligibility and Billing Workflows: Train staff to manage redetermination, prior authorizations, and appeal processes efficiently.

3. Strengthen Compliance Infrastructure: Implement robust internal audit programs and regular documentation reviews.

4. Engage with Community Partners: Collaborate with local organizations to support patients during eligibility transitions.

5. Seek Federal and State Grant Support: Explore HRSA, ARPA, and state innovation funds for supplemental operational support.

6. Implement Scalable Telehealth Solutions: Use technology to reduce overhead while maintaining access and quality.

7. Consult with Reimbursement and Compliance Experts: External advisory can help avoid costly missteps and guide regulatory adaptation.

Conclusion The 2025 Medicaid cuts will be more than a fiscal correction; they will redefine the delivery landscape for providers who care for America’s most vulnerable. Clinics that respond strategically—by improving compliance, training staff, and streamlining operations—will be better positioned to sustain their mission.

At ClearPath Compliance, we support clinics through transitions like these, offering regulatory guidance, audit preparation, and strategic risk management tailored to Medicaid-participating providers. With over two decades of experience in healthcare compliance and operational resiliency, we help ensure your practice doesn’t just survive—it thrives.

-Drew

by: Drew Duffy, MHA, FACHE

Why the Time for Full Compliance Is Now

As of 2025, healthcare organizations can no longer afford to treat cybersecurity requirements under HIPAA as optional or open to interpretation. The long-standing distinction between “required” and “addressable” security standards is being redefined — and in some cases, eliminated altogether. Whether you’re a hospital system or a five-provider family clinic, the expectation is the same: implement the full spectrum of technical safeguards — including multi-factor authentication (MFA), encryption of ePHI, and access control measures — or face the legal, financial, and reputational consequences.

This is not a recommendation. It’s a structural shift. And it demands serious attention.

Mandatory MFA, Encryption, and Access Controls: The End of “Addressable”

For years, HIPAA’s Security Rule allowed some flexibility around the implementation of specific safeguards. Under 45 CFR § 164.312, certain standards were labeled as “addressable,” meaning a covered entity could implement an alternative solution or document why a standard wasn’t reasonable or appropriate.

But in the 2025 proposed update to the HIPAA Security Rule (NPRM), that flexibility is being narrowed dramatically. In particular, MFA and encryption are no longer optional — they are now expected to be fully implemented across all systems handling electronic protected health information (ePHI), regardless of size, budget, or organizational complexity.

Let’s break this down:

Multi-Factor Authentication (MFA) — A New Standard, Not a Suggestion

What’s Changing:

• All users accessing ePHI must authenticate using two or more factors: something they know (password), something they have (authenticator app or hardware token), or something they are (biometric).

• SMS and voice codes are being discouraged due to known vulnerabilities.

• Google Prompt and similar push-notification systems are acceptable only when paired with a secure device enrollment process.

Why It Matters:

MFA is now considered a non-negotiable layer of protection. The days of relying on username + password alone — especially for cloud-based services like EHR platforms or email systems — are over. Credential theft and phishing have driven a surge in healthcare-related ransomware attacks, and the federal government is making it clear: organizations that skip MFA are in violation of their duty to protect patient data.

What You Must Do:

• Enforce MFA across all accounts that access ePHI — this includes physicians, nurses, billing staff, and administrative users.

• Disable access to non-compliant devices or accounts that bypass MFA.

• Require use of time-based one-time passcodes (TOTP) via apps like Google Authenticator or Authy.

Encryption in Transit and at Rest — Now Presumed Required

What’s Changing:

• Encryption of all ePHI during transmission (TLS/HTTPS for emails, secure FTP, VPN tunnels) and while stored (full disk encryption, encrypted databases, etc.) is now considered mandatory unless a demonstrable technical impossibility exists.

• The standard applies to cloud storage, mobile devices, external drives, and internal systems.

Why It Matters:

Any unencrypted ePHI is a liability — and under the new rules, failure to encrypt is presumed noncompliance unless rigorously justified and documented. This significantly raises the bar for what regulators will accept in a breach investigation.

What You Must Do:

• Implement full-disk encryption (e.g., BitLocker, FileVault) on all workstations and portable devices.

• Require TLS 1.2 or higher for all external communications containing PHI.

• Encrypt server storage, backups, and removable media.

Role-Based Access Controls — Lock Down What Doesn’t Need to Be Open

What’s Changing:

• Organizations must apply the principle of least privilege to all systems containing ePHI.

• Access logs, automatic timeouts, and re-authentication mechanisms are now considered essential.

Why It Matters:

If every staff member can access every record, your system is not compliant — it is wide open to internal threat, human error, and external exploitation.

What You Must Do:

• Create user roles that define the minimum access necessary based on job duties.

• Implement audit logs that monitor and retain records of access attempts.

• Use automatic logouts and session expiration controls.

How ClearPath Compliance Can Help

We understand that most clinics and practices are not IT firms — but they are expected to act like one when it comes to compliance. That’s where we come in.

We offer:

• Secure MFA Deployment — We configure and enforce app-based MFA (e.g., Google Authenticator) across all platforms, including EHR, cloud email, and file storage.

• Encryption Strategy & Rollout — From mobile devices to email to network drives, we ensure all PHI is encrypted in motion and at rest — in full alignment with 2025 guidance.

• Access Policy Engineering — We design and implement customized access control policies tailored to your workflows, staffing structure, and risk profile.

Our team brings over 20 years of healthcare compliance experience to each engagement, and we’ve helped providers of every size modernize without disruption.

❤️ A Note About Equity: Supporting Those Who Serve the Underserved

If you are a small clinic, community-based provider, or organization that primarily serves marginalized populations, or has a high volume of Medicare/Medicaid patients, we believe you deserve the same level of data security as any large system. As part of our founder’s commitment to equitable care access, we offer significantly reduced rates for qualifying practices.

Everyone deserves to be protected. We make sure you can be.

📣 Final Thoughts

HIPAA is no longer tolerating excuses. Whether you're still using outdated systems, relying on password-only logins, or haven't encrypted your devices — you are on borrowed time.

But you don’t have to navigate this alone.

At ClearPath Compliance, we help providers meet today’s standards — and prepare for tomorrow’s. Let us bring you into full alignment with the 2025 HIPAA framework, without disruption, confusion, or guesswork.

If you find our blogs and insights helpful, we invite you to visit our Contact Us page. Simply enter your name and email, and let us know you'd like to receive updates. You’ll be among the first to know when we publish new articles, resources, or important compliance news.

-Drew

By Drew Duffy

Founder, ClearPath Compliance

The COVID-19 pandemic permanently altered the healthcare regulatory landscape, and no area has seen more substantial post-pandemic scrutiny than emergency preparedness. As hospital systems navigate the new normal, the Centers for Medicare & Medicaid Services (CMS) has updated and re-emphasized the Emergency Preparedness Rule, signaling a more aggressive enforcement posture and higher expectations for clinical and critical access hospitals.

Below, we break down the key updates, enforcement trends, and practical compliance strategies for providers.

1. The Regulatory Backdrop: CMS's Renewed Emphasis on Emergency Preparedness

Originally finalized in 2016, the CMS Emergency Preparedness Rule (42 CFR § 482.15 for hospitals) requires participating providers and suppliers to establish and maintain comprehensive emergency preparedness programs. These programs must address all hazards, ensure continuity of care, and be reviewed and updated at least annually.

Post-COVID, CMS has made clear that emergency plans must go beyond theoretical exercises and reflect real-world events, such as pandemics, cybersecurity attacks, and climate-related disasters.

2. What’s Changed Since COVID-19?

While the Emergency Preparedness Rule’s core framework remains intact, CMS’s guidance and surveyor training post-COVID have led to practical changes in how compliance is evaluated:

A. Increased Focus on Infectious Disease Planning

CMS now expects emergency plans to explicitly address infectious disease outbreaks — not generically, but with reference to real lessons learned during COVID-19. Hospitals are expected to show:

• Infection control integration with emergency planning

• Surge capacity protocols

• Staffing contingency strategies

• PPE acquisition and burn-rate forecasting

B. Surveyor Guidance Emphasizes Operationalization

Surveyors are being trained to evaluate not just whether a hospital has a plan, but whether the plan is actively integrated into operations. Expect increased scrutiny of:

• Real-world drill outcomes

• After-action reports

• Policy updates reflecting those learnings

C. Updated Risk Assessments Must Reflect All-Hazards – Including Cybersecurity

The “all-hazards” approach now formally includes cybersecurity threats, ransomware events, and digital infrastructure failures. Hospitals must demonstrate that their risk assessments and response frameworks cover these domains.

D. Training & Testing: No Longer Just a Checkbox

Annual testing and staff training requirements have shifted in tone from a documentation exercise to a functional expectation. CMS expects that hospitals:

• Conduct two emergency preparedness exercises annually (one full-scale, one table-top or equivalent)

• Use actual events as part of their drill documentation when applicable

• Can demonstrate staff awareness and involvement at multiple levels

3. Compliance Risks and Deficiency Trends

Increased surveyor training and focus have led to a rise in condition-level deficiencies tied to emergency preparedness — especially in critical access hospitals. Common pitfalls include:

• Outdated risk assessments

• Failure to conduct or document required exercises

• Insufficient integration of infection control policies

• Inadequate communication plans with local and regional emergency management systems

For clinical and critical access hospitals already operating under resource constraints, these deficiencies can quickly escalate to citation risk, potential loss of deemed status, and even payment suspensions.

4. Strategic Compliance Recommendations

Given the renewed enforcement landscape, we recommend hospitals take the following actions:

✅ Conduct a Gap Analysis Immediately

Evaluate your current Emergency Preparedness Plan against:

• Updated CMS guidance (QSO-20-41 and beyond)

• Lessons learned from COVID-19 response

• Cybersecurity readiness

✅ Integrate Emergency Planning with Infection Control and Supply Chain Teams

Your Infection Preventionist, Supply Chain Officer, and Compliance Officer should be active contributors to emergency plan development and review.

✅ Document Real-World Events as Testing Equivalents

CMS allows real emergencies to substitute for required testing. Ensure that all such events are formally documented with:

• A timeline of actions

• Stakeholder roles

• Outcomes and after-action findings

✅ Re-train and Re-test Staff Annually

Develop role-specific emergency scenarios. For example, train ICU nurses on surge capacity protocols, or HIM staff on continuity of operations during a cyberattack.

✅ Engage Legal and Compliance Early

Emergency preparedness intersects with HIPAA, EMTALA, and accreditation standards. Legal and compliance leaders should proactively review policies for alignment.

Conclusion: A Moment of Recalibration

The post-COVID era is not about rewriting the Emergency Preparedness Rule, but about enforcing it with new urgency. Clinical and critical access hospitals must pivot from theoretical compliance to operational readiness. With CMS surveyors applying more rigorous standards and accrediting bodies following suit, the time to act is now.

Our team at ClearPath Compliance has deep experience helping hospitals navigate emergency preparedness audits, build resilient response plans, and meet CMS expectations. Contact us to schedule a compliance risk assessment or drill facilitation session.

Stay Compliant. Stay Prepared. Stay Operational.

As healthcare continues to evolve, compliance is no longer a back-office obligation — it's a core operational pillar. In 2025, maintaining compliance is not just about avoiding fines. It’s about building resilient systems, protecting your revenue, and demonstrating the integrity of your organization to regulators, payers, and the communities you serve.

🔎 The Federal Compliance Environment in 2025

Following the Office of Inspector General (OIG)’s updated General and Industry-Specific Compliance Program Guidance (GCPG and ICPGs) released in late 2024, regulators have made it clear: every healthcare entity — regardless of size — is expected to have a formal, documented compliance program.

These updates emphasize:

• Tailored compliance plans: Generic policies are no longer sufficient.

• Active oversight: Compliance is expected to be embedded in day-to-day operations.

• Documentation of training, audits, and follow-up: If it’s not written down, it didn’t happen.

This isn’t a new requirement — but in 2025, it is a renewed priority.

What’s Changed for Clinics and Rural Providers

In prior years, smaller practices and rural providers may have been overlooked in major enforcement actions. That’s no longer the case.

Changes in 2025 include:

• Insurance networks (including Medicaid MCOs) are auditing credentialing and compliance materials more thoroughly.

• CMS and OIG have shifted focus to ensure smaller facilities meet the same standards as larger systems.

• Funding and grant eligibility often require proof of current compliance structures.

This shift isn’t punitive — it reflects the reality that all healthcare providers play a role in preventing fraud, waste, abuse, and patient harm.

Compliance as an Operational Asset

The most successful clinics and hospitals today aren’t treating compliance as a burden — they’re using it to:

• Support clean claims and avoid billing delays

• Ensure provider credentialing is accurate and up-to-date

• Build trust with patients and referring partners

• Navigate audits and payer requests without disruption

In short, compliance supports operational stability.

It minimizes risk while helping you standardize policies, reduce confusion, and respond quickly when issues arise.

What Does an Effective Compliance Program Include?

An effective program is not about complexity — it’s about consistency and clarity. At a minimum, healthcare organizations should have:

1. Written Policies and Procedures

Tailored to your size and specialty, including HIPAA, billing, documentation, and patient rights.

2. Training and Education

All staff, including part-time and contract workers, should receive compliance training annually — with logs maintained for reference.

3. Risk Assessment and Monitoring

Basic internal reviews, even if informal, should occur regularly — such as chart audits, billing spot checks, or documentation reviews.

4. Clear Reporting Pathways

Staff need to know how to raise concerns — and feel confident those concerns will be taken seriously and handled professionally.

5. Responsive Action Plans

When an issue arises (e.g., a billing error or privacy breach), your response should be documented and prompt.

Regulatory Expectations Are Now the Baseline

What regulators are asking for in 2025 isn’t extravagant — it’s foundational. They want to see that healthcare organizations are:

• Aware of their obligations

• Making good-faith efforts to train staff and monitor operations

• Taking appropriate steps when issues surface

This means even small clinics and sole providers can meet expectations with the right tools, guidance, and systems in place.

Support Is Available — You Don’t Have to Do This Alone

At ClearPath Compliance, we specialize in helping providers implement practical, scalable compliance systems — without overwhelming your staff or disrupting care delivery.

We work with:

• Rural health clinics

• Mental health and MAT providers

• Critical access hospitals

• Emerging cannabis and integrative health practices

Whether you need a full compliance framework, help with credentialing prep, or a refresher for your current plan, we offer custom solutions built for the realities of small- to mid-size providers.

📞 Let’s Talk

If you’re unsure whether your current compliance setup meets 2025 expectations, let’s talk — no cost, no pressure.

📅 Book a Free Compliance Review
📧 info@clearpathcompliance.com
📞 1-888-996-8376

Let ClearPath help you align your operations with today’s standards — and get ahead of tomorrow’s.

© 2025 ClearPath Compliance. All rights reserved.
This article is intended for informational purposes only and does not constitute legal advice.

Access to quality healthcare is a strategic imperative—and yet, for far too many Americans, it remains an elusive ideal. From the earliest community clinics founded on philanthropy to the complex multi‑payer systems of today, barriers persist that thwart timely, affordable care. In this blog post, we dissect the core dimensions of this struggle and explore practical, data‑driven approaches clinics and Critical Access Hospitals can implement immediately to alleviate access gaps.

Historical Context: A Legacy of Uneven Access

Since the establishment of the Hill–Burton Act in 1946, the U.S. has recognized the importance of distributing healthcare infrastructure equitably. Yet, despite decades of policy initiatives—from Medicare and Medicaid in the 1960s to the ACA in 2010—structural impediments endure:

• Geographic Maldistribution: Rural communities have historically depended on local hospitals and traveling physicians. Today, nearly half of rural hospitals operate at a financial loss, and hundreds face closure.

• Insurance Coverage Fluctuations: Public and private programs have expanded coverage, but dips in enrollment and coverage gaps still leave millions uninsured each year.

• Administrative Overhead: From paper‑based intake to siloed reporting systems, the cost and complexity of compliance continue to erode clinical bandwidth.

This legacy informs our present reality: systemic friction that undermines patient engagement and compromises health outcomes.

Four Dimensions of the Access Struggle

1. Coverage Gaps and Cost Barriers

• Uninsured and Underinsured Populations: Approximately 25 million Americans lack coverage at some point annually, and high‑deductible plans shift more financial risk onto patients.

• Deferred Care Consequences: Cost‑related nonadherence leads to delayed diagnoses, emergency department overuse, and escalated long‑term expenditures.

2. Rural and Underserved Community Challenges

• Infrastructure Vulnerability: With 432 rural hospitals deemed at risk of closure, residents often face 30–60 minute commutes for essential services.

• Provider Shortages: Fewer specialists and primary care providers exacerbate wait times and force reliance on telehealth, which itself is hampered by regulatory nuances.

3. Administrative Complexity

• Manual Processes: Patients juggle multiple forms, authorizations, and referrals—each administrative touchpoint introduces potential drop‑offs.

• Provider Burnout: Clinician time diverted to compliance and documentation diminishes capacity for direct patient interaction.

4. Socioeconomic and Cultural Factors

• Social Determinants of Health: Transportation insecurity, linguistic barriers, and digital divide issues disproportionately affect low‑income and minority populations.

• Trust and Engagement: Historical inequities and cultural mistrust can discourage routine care utilization, further widening health disparities.

Turning Friction into Forward Motion: Actionable Strategies

1. Digital Intake Transformation

   • Deploy patient‑centric online forms that pre‑populate known data, reducing check‑in time and data‑entry errors.

2. Automated Compliance Workflows

   • Leverage templated, rule‑based document generation for consent, incident reporting, and licensure renewals—minimizing manual handoffs.

3. Holistic Revenue Cycle Optimization

   • Align billing and coding processes with payer requirements to reduce denials, surprise bills, and patient financial distress.

4. Targeted Staff Enablement

   • Implement modular, plain‑language training programs that reinforce compliance “must‑dos” while illustrating operational efficiencies.

By integrating these measures, providers can reclaim clinical capacity, accelerate patient throughput, and bolster community trust—delivering care where and when it’s needed most.

ClearPath Compliance specializes in empowering clinics and Critical Access Hospitals to operationalize these strategies. Through tailored digital workflows, automated reporting, and staff enablement, we drive administrative excellence that directly translates into expanded access and improved patient experience.

Next Steps: Contact ClearPath Compliance at 1‑888‑996‑8376 or visit www.clearpathcompliance.com

© 2025 ClearPath Compliance. All rights reserved.