ClearPath Compliance

Understaffed, Overburdened: How Upcoming Workforce Rule Changes Could Impact Your Clinic

By: Drew Duffy, MHA, FACHE, Founder & Managing Director

Healthcare providers across the country are already grappling with burnout, turnover, and talent shortages. Unfortunately, 2026 isn’t offering much relief—just new expectations.

Recent CMS and HRSA guidance hint at increasing scrutiny on staffing patterns, particularly in outpatient settings that rely heavily on allied health professionals and contractors. States like Minnesota are already piloting reforms tied to staffing minimums and credential transparency, and the ripple effect is likely to reach even the smallest practices.

So what’s changing—and how can your clinic prepare?

The Road Ahead: Key Workforce Compliance Shifts Coming in 2026

  1. Credentialing Verification Timelines Will Tighten
    Payers and regulators are pushing for faster, more reliable credentialing. Delays in verification can result in claims holds, audit flags, or even suspension of reimbursement.

  2. Documentation Standards for Roles and Responsibilities
    Expect clearer expectations on role definitions, scope-of-practice documentation, and task delegation—especially for medical assistants, LPNs, and contract staff.

  3. Increased Oversight of Third-Party Staffing Arrangements
    Clinics using locums or staffing firms may be required to demonstrate that those entities meet the same onboarding, HIPAA, and background standards as in-house hires.

  4. Workforce Reporting Requirements
    HRSA-funded clinics and Medicaid providers may be required to submit annual staffing reports—including data on vacancies, turnover, and workforce composition.

5 Steps Clinics Can Take Now

1. Conduct a Role Audit
Review every position in your clinic—from front desk to clinical support—to ensure each has a defined scope, supervision plan, and documentation trail.

2. Tighten Your Credentialing Process
Don't wait until a payer demands it. Make sure credentials are verified at hire, tracked, and re-verified on a regular cycle.

3. Review Employment and Contractor Agreements
Ensure language addresses compliance obligations, supervision, data access, and termination protocols. (Yes, this includes locums and per diems.)

4. Start Tracking Turnover and Vacancy Rates
Even small clinics benefit from basic HR metrics. Knowing where you’re losing staff—and why—can help you fix problems before regulators take notice.

5. Standardize Your Onboarding Protocols
From OSHA training to HIPAA attestations, every new team member should go through a consistent, documented onboarding process.

Future-Proofing Doesn’t Have to Be Overwhelming

The coming changes aren’t about punishing clinics—they’re about protecting patients and improving care quality. But navigating new rules, especially while short-staffed, can feel daunting.

At ClearPath Compliance, we help clinics like yours stay ahead of the curve—without burning out your team. Whether you need help refining credentialing workflows, reviewing HR policies, or just a second set of eyes on your staffing documentation, we’re here to help.

📌 Final Thought:

Healthcare’s greatest asset is its people. The more we invest in protecting and supporting our workforce, the more resilient our clinics—and our compliance programs—become.

-Drew

About the Author
Drew Duffy, MD (not practicing), MHA, CPCO, CRCMP, CHCO, CIPP/M, FACHE, is Founder & Managing Director of ClearPath Compliance. With over 20 years in healthcare operations and compliance, Drew draws on his clinical background and extensive expertise, supported by a network of experienced healthcare leaders, to deliver practical, ethical solutions for providers navigating today’s complex regulatory landscape.

Healthcare IT, HIPAA ClearPath Compliance

The Cybersecurity Crisis in Healthcare: Why Your Practice Can’t Afford to Wait

By: Drew Duffy, MHA, FACHE, Founder & Managing Director, ClearPath Compliance

The healthcare industry is under siege. While medical professionals remain focused on patient care, cybercriminals are increasingly targeting the very systems that support life-saving treatments. The statistics are sobering: healthcare data breaches now average $9.7 million per incident—more than double the cross-industry average—and attacks are only accelerating.

The Perfect Storm: Why Healthcare Is a Prime Target

Healthcare organizations store what hackers want most: full identity profiles, financial details, and sensitive medical records—each of which can sell for hundreds of dollars on the dark web. Unlike credit card data, medical records contain immutable personal details, retaining value indefinitely.

Many clinics are vulnerable due to:

  • Outdated or unsupported systems

  • Limited cybersecurity funding

  • Overworked staff with minimal training on security protocols

By 2025, more than 68% of healthcare IoT devices are expected to remain unpatched—leaving critical holes for attackers to exploit.

Beyond the Balance Sheet: The Real-World Impact

A ransomware attack doesn’t just cause financial strain. It disrupts appointments, delays diagnoses, and in urgent cases, endangers lives. In 2024 alone, over $133.5 million was paid out to ransomware groups—but that doesn’t account for regulatory fines, legal costs, or long-term reputation damage.

When systems go down:

  • Providers must revert to paper documentation

  • Patient care is delayed

  • Emergency departments may divert patients

These aren’t just IT issues—they’re patient safety concerns.

2025 Threats Keeping Security Experts Awake

The threat landscape is evolving fast, and the risks are real:

  • Third-Party Vendor Breaches – Your clinic is only as secure as your software and billing partners.

  • IoT Device Weaknesses – Many network-connected medical devices lack basic security.

  • AI Manipulation – As AI tools become integrated, they become new attack surfaces.

  • Sophisticated Phishing – Social engineering attacks now convincingly mimic coworkers, vendors, and even regulators.

New Regulations Are Coming—Is Your Practice Ready?

Regulators are responding. In 2024, the FDA finalized new cybersecurity guidance for medical device manufacturers. Now in 2025, the proposed Healthcare Cybersecurity Improvement Act could make baseline cybersecurity a Medicare Condition of Participation and allocate $100 million to help smaller facilities catch up.

This marks a shift toward mandatory compliance—meaning failure to act could lead to exclusion from federal programs.

Building Your Clinic’s Cybersecurity Foundation

Every clinic—regardless of size—should take the following steps:

  • Risk Assessments: Evaluate vulnerabilities across systems, devices, and staff training.

  • Multi-Factor Authentication (MFA): A simple but powerful barrier to unauthorized access.

  • Incident Response Plan: Be prepared to act quickly and contain damage.

  • Ongoing Staff Training: Human error is the #1 security risk.

  • Vendor Oversight: Require proof of cybersecurity compliance from all partners.

  • Secure Backups: Ensure quick recovery from system failures or attacks.

The Cost of Inaction

Cybersecurity is often seen as a cost center—but in truth, it’s a safeguard. Comprehensive protection for a small or midsize practice may run $10,000–$50,000 annually. Compare that to the $9.7 million average cost of a breach, and the ROI becomes clear.

The Bottom Line

Cyber threats are no longer an “if”—they’re a “when.” Clinics that take proactive steps today will be far better equipped to survive the challenges of tomorrow.

This is about more than just data. It’s about protecting your patients, your team, your license, and your future.

Need support evaluating or improving your cybersecurity readiness?
ClearPath Compliance offers risk assessments, vendor management strategies, and ongoing compliance support tailored for small and mid-sized clinics.
