This is how health care organizations are addressing compliance pressures, cybersecurity threats, and the rise of artificial intelligence (AI) amid resource constraints and evolving regulations.
The health care industry is grappling with a surge in cyberattacks and data breaches, a pressing issue that underscores the urgency of robust compliance strategies. In the first half of this year alone, more than 31 million Americans were impacted by the 10 largest health care data breaches, a number poised to rise as incidents like the Change Healthcare ransomware attack unfold [1]. These breaches not only disrupt care but also highlight vulnerabilities in health care’s digital infrastructure.
Against this backdrop, the 2025 Healthcare Compliance Outlook report [2] sheds light on evolving risks and offers guidance for safeguarding patient care and organizational integrity.
“Health care compliance professionals are dealing with expanding areas of risk, even as many report resource constraints that could limit their ability to meet challenges,” John E. Kelly, partner and chair of Barnes & Thornburg’s Healthcare Department and Healthcare Industry practice, said in a statement [3]. “These pressures underscore the need for organizations to adopt a robust compliance strategy to stay ahead of the curve.”
The report draws from a survey of 120 compliance, risk, and legal leaders across diverse US health care sectors, including hospitals, physician practices, and life sciences firms [2]. Conducted in May 2024, the study captures perspectives from organizations of varying sizes, from under $1 million to over $10 billion in annual revenue. Respondents, including CEOs and chief compliance officers, shared insights on pressing issues like artificial intelligence (AI) integration, cybersecurity, and regulatory risks, providing a data-driven exploration of emerging challenges and strategies in health care compliance.
Here are the key findings:
Resource constraints represent a significant challenge for health care compliance teams, with 53% of respondents reporting limitations in budgets, staffing, and technology. These constraints hinder the ability to manage emerging risks effectively, such as regulatory compliance and cybersecurity threats. Furthermore, 56% anticipate these challenges will persist or worsen in the coming year. Notably, financial resources are the most cited limitation, followed by skilled talent and technological tools. These shortfalls leave many organizations struggling to maintain high-quality care and adequately address compliance priorities.
Nearly 75% of health care organizations are using or considering using AI for compliance-related tasks. Among these, 31% have already implemented generative AI, and 28% have integrated predictive AI. Common applications include data analysis (45%), administrative tasks (43%), and risk assessments (39%). Despite these advancements, 58% of respondents report difficulties in establishing governance frameworks to guide AI’s ethical use. Furthermore, over 60% expect AI integration to increase their budgets by more than 10% in the coming year, underscoring both its potential and its associated challenges.
The report highlighted significant cybersecurity concerns, with 56% of respondents identifying external data breaches as a top risk, followed by ransomware attacks (52%) and Health Insurance Portability and Accountability Act violations (49%). Internal data privacy issues and vulnerabilities in medical devices also rank high, cited by 48% and 31%, respectively.
Change Healthcare reported to HHS that the care breach in February affected 100 million US individuals, making it the biggest breach of health care data ever reported to US regulators [4]. With fewer than half of organizations conducting proactive audits, many remain vulnerable to escalating threats in an increasingly digitized health care environment [2].
The report revealed gaps in risk auditing, with only 48% of health care organizations conducting audits in high-risk areas. Even fewer collaborate with external experts, regulators, or industry partners, missing opportunities to enhance compliance strategies [1]. This lack of proactive auditing leaves organizations vulnerable to risks such as data breaches, fraud, and regulatory penalties. With resource constraints already limiting their ability to address compliance priorities, the absence of robust auditing frameworks exacerbates vulnerabilities in an increasingly complex landscape.
Private equity also plays an increasingly significant role in health care, with 54% of surveyed organizations either already backed by private equity (22%), actively seeking it (14%), negotiating deals (14%), or considering it as a future option (4%). This trend reflects the growing need for private capital to fund operational improvements and innovations. However, private equity involvement also brings heightened regulatory scrutiny, including compliance with the Anti-Kickback Statute and corporate practice of medicine laws. Balancing the financial benefits of private equity with these regulatory demands is critical for organizations.
Looking into the future, emerging trends in health care compliance point to mounting pressures from budgetary and staffing challenges, with many organizations expecting these issues to escalate. This has led to an increased reliance on technological tools, such as AI, to address compliance demands. Additionally, rapidly evolving federal and state regulations are reshaping compliance priorities, particularly in areas like data privacy and patient safety. Despite these changes, the report noted that many organizations are lagging in preparation, with gaps in audit readiness and oversight frameworks, highlighting the need for more proactive compliance strategies.
"I think the biggest challenge is really a combination of a few different things coming together," Kelly told The American Journal of Managed Care® (AJMC®). "One is there just continues to be some resource limitations and stresses on compliance programs. Compliance programs are not viewed as a revenue generator, although they should be viewed differently, because they certainly save companies a lot of money. And I think when you add that to the fact that the risks in the health care industry continue to increase from a compliance perspective, and those come together, you have a really challenging situation when it comes to compliance program effectiveness."
To address rising compliance risks, the report emphasized strategic recommendations across key areas. In AI governance, organizations should develop ethical guidelines, align with emerging regulations, and provide regular staff training on AI use and data privacy. Additionally, enhancing risk management involves conducting proactive audits in high-risk areas and fostering collaborations with regulators and industry experts. Furthermore, to strengthen cybersecurity, health care providers are encouraged to adopt advanced threat-detection tools and consistently update incident response and recovery plans to mitigate the impact of potential breaches effectively.
"There's no secret from the government's perspective of the importance of compliance programs," Kelly told AJMC. "Everyone knows it's incredibly important, that it's an expectation that you're going to have an effective program [and] that you're going to have a compliance culture. When you fail to do that, you radically increase the amount of risk that any organization can bear."
References
1. Southwick R. The 10 largest health data breaches of the first half of 2024. Chief Healthcare Executive®. July 2, 2024. Accessed November 19, 2024. https://www.chiefhealthcareexecutive.com/view/the-top-10-health-data-breaches-of-the-first-half-of-2024
2. 2025 healthcare compliance outlook. Barnes & Thornburg LLP. October 23, 2024. Accessed November 19, 2024. https://insight.btlaw.com/43/1706/uploads/2025-healthcare-compliance-outlook-report.pdf
3. US healthcare, life science industries face rising compliance pressures, Barnes & Thornburg’s 2025 healthcare compliance outlook report shows. Barnes & Thornburg LLP. News release. October 23, 2024. Accessed November 19, 2024. https://btlaw.com/en/insights/news/2024/us-healthcare-life-science-industries-face-rising-compliance-pressures
4. Starks T. Change Healthcare breach affected 100 million Americans, marking a new record. Cyberscoop. October 25, 2024. Accessed November 19, 2024. https://cyberscoop.com/change-healthcare-breach-affected-100-million-americans-marking-a-new-record/