As a healthcare business owner, year-end is a critical opportunity to ensure your compliance strategies and risk management practices are current. Performing a proactive checkup annually is an important way to safeguard your business and ensure a smooth year ahead.
With enforcement on the rise post-COVID and penalties higher than ever, these steps can save time, money and stress later.
Daniel Hirsch, PT, owner of Risk & Compliance Analytics, offers a checklist tailored to healthcare providers, which includes actionable steps to maintain compliance and safeguard your business in 2025.
Why year-end compliance matters
Federal and payer audits are currently high, driven by increased funding and a renewed focus on enforcement from agencies like the Centers for Medicare & Medicaid Services (CMS). “Post-COVID, these agencies are fully funded and are just trying to collect. They’ve been waiting years to get back to auditing for fraud, waste and abuse,” says Hirsch.
The good news is that meeting industry compliance standards doesn’t just help you avoid penalties or fines –– it’s good business practice. Staying compliant protects your business and license, as well as your patients and employees.
Whether you run a small clinic or a large healthcare practice, the rules apply equally. A proactive compliance checkup helps you identify and address vulnerabilities before they become costly.
Know what’s new in compliance for 2025
Keeping your healthcare business compliant in the new year means staying updated about industry changes. If you don’t have a chief compliance officer on your team, your insurance broker or an external compliance resource, like Risk & Compliance Analytics, can help determine if any changes apply to your industry.
You can also research compliance for your industry on the Department of Health and Human Services and enforcement trends from the Office of the Inspector General (OIG) website.
Following are some Medicare changes for 2025:
Supervision for physical and occupational therapists:
The required level of supervision in outpatient care is changing from direct to general supervision. This means licensed therapists are no longer required to be on-site while supervising a physical therapy assistant. This offers clinics more flexibility with staffing.
Some states, like New Jersey, may have more specific requirements such as having a PT be onsite every sixth visit or every 14 days, so check local requirements to know what applies to your location.
Telehealth changes:
Without action from Congress, telehealth coverage will expire for physical and occupational therapists in 2025.
Physician referrals: Historically, an initial physical or occupational therapy plan of care required physician approval until direct access. In 2025, patients will again need a referral instead of a signed care plan if an initial signed plan of care is unavailable. “This was intended to help satisfy the initial signed plan of care requirement, but it simply reverts back to the prior standard of receiving a prescription from the doctor with the type of service listed, a signature and date. Proof is also required to show that you attempted to obtain a signed plan of care. This feels like history is repeating itself with the physician serving as a gatekeeper to therapy services,” says Hirsch.
Key areas of compliance focus for 2025
Besides identifying any changes for your industry or location, the end of the year is a great opportunity to perform some compliance housekeeping.
Vendor agreements
Take stock of your Business Associate Agreements (BAAs), which are HIPAA-compliant agreements with vendors who handle protected health information (PHI). Ensure each agreement is signed and updated.
It’s not unusual for vendors and healthcare business owners to operate without them, which is problematic. A simple review safeguards your practice against data mishandling by third parties.
Cyber risk assessment
Cybersecurity threats have escalated, and breaches can be devastating. At HealthIT.gov, you can download a free IT risk assessment to evaluate your systems and processes. This step costs nothing but is invaluable in identifying vulnerabilities in your practice’s technology infrastructure.
Identify and prevent employee exposures
If you’re a covered entity, you must verify that employees and contractors aren’t putting patients at risk. Consider connecting operational compliance to employees’ performance reviews. A facility that maintains weekly compliance tasks (OSHA, ADA, etc.). Those who perform well on documentation audits as demonstrated by accurate billing, coding and medically necessary documentation should receive a better objective review.
“This should be something owners consider when doing their end-of-year planning for bonuses or incentive initiatives,” says Hirsch.
Incident response plan
Evaluating and improving workplace safety measures can help you reduce risks. When an incident does happen, having an incident response plan specific to your practice’s needs ensures you can react quickly and thoroughly. A trusted compliance or insurance advisor can help you customize a plan for your business.
“You need an updated and formalized process that staff are knowledgeable about in order to track and document incidents, plus take effective and timely corrective action. You can’t just wing it,” says Hirsch.
Role-based training
Ensuring your employees receive HIPAA and compliance training is an annual requirement for all covered entities, including therapy practices. “Don’t forget about role-based training, which can be done during onboarding and is considered the gold standard for education,” says Hirsch.
Compliance companies now offer industry and role-specific training in pre-recorded webinars for just a few dollars per employee. Practical training keeps your staff informed, reduces the training burden on managers and helps ensure quality control across your company.
“Owners don’t realize you can get great very affordable and industry-specific training with a compliance company,” says Hirsch.
Ensure your online presence is compliant
Many healthcare websites are missing key compliance components, such as good faith estimates and privacy policies. “This doesn’t take a lot of effort, but you may need a third party to help you identify these operational gaps with a simple and quick audit,” says Hirsch.
Update company manuals
Update your manuals online and dispose of any historical documents. “People love saving documents in the healthcare industry, but it’s not good to save old policies, procedures, manuals and guidebooks because you will be referencing outdated standards. This needs to be updated annually,” says Hirsch.
Exclusion checks
If you’re a covered entity, you must verify that your employees and contractors aren’t excluded from federal healthcare program participation. This process takes only seconds — just type their name into the exclusion database — but skipping a monthly review can result in significant penalties.
Offer open lines of communication
The OIG requires all covered entities of any size to provide employees with open lines of communication. You should have an anonymous reporting line, even if your company is small. “It’s not a matter of size. If someone feels intimidated or worried about retaliation from a superior, that’s enough to place an entire company at risk when lines of communication are shut,” says Hirsch.
Many options are available for this type of service, so shop around and determine what makes sense for your company.
Year-end compliance checklist
Here’s a quick checklist to simplify your proactive annual checkup:
- Review and update all Business Associate Agreements
- Conduct an IT risk assessment
- Review facility safety protocols and incident reporting systems
- Ensure an incident response plan is in place and up to date
- Provide role-based compliance training for all employees
- Verify and update your healthcare business insurance policies, such as malpractice insurance and cyber insurance
- Dispose of out-of-date manuals
- Provide employees with an anonymous hotline
- Complete monthly checks for employee exclusions
Get help with compliance for 2025
Compliance doesn’t have to be overwhelming or expensive. Outsourcing compliance department tasks or leveraging on-demand resources can make the process simple and affordable.
By following this checklist, you’ll meet regulatory requirements and create a safer, more secure environment for your patients, staff and business in 2025. “We have a responsibility to do the right thing as licensed professionals, but compliance doesn’t have to be cost-prohibitive or complicated,” says Hirsch.
