Healthcare Compliance Teams Stretched Thin Due to Complex Regulations and New Risks
New compliance requirements are on the horizon as the HHS’ Office for Civil Rights (OCR) expects to publish a notice of proposed rulemaking later this year to update the HIPAA Security Rule with new cybersecurity requirements, but healthcare compliance professionals are already struggling to comply with existing regulations, according to a recent report from the Indianapolis, IN-based business law firm Barnes & Thornburg.
For its 2025 Healthcare Compliance Outlook Report, the law firm surveyed 120 compliance, risk, and legal leaders at U.S.-based healthcare and life sciences organizations, including health systems, pharma firms, biotech companies, and medical device manufacturers. The survey revealed a majority of the respondents felt stretched thin due to the current complex regulatory landscape and expanding areas of risk, including increasingly sophisticated cyberattacks, the rapid adoption of artificial intelligence (AI) solutions, and increased scrutiny of mergers and acquisitions. Only 31% of surveyed compliance, risk, and legal professionals felt they were very prepared to meet future compliance and risk challenges, and only 42% of respondents said they were very confident that they would be able to maintain a high quality of care as a result of compliance and risk issues. Just 4% of respondents said current compliance and risk issues were not a concern.
Currently, more than half of respondents (53%) said they are facing constraints on resources, with insufficient budgets, staffing shortfalls, or a lack of technology reported as the main problem areas, and 56% believe the problem is going to get worse in the next 12 months. To improve efficiency and get more out of the resources they have, three-fourths of respondents said they have turned to AI solutions, which are most commonly being used for internal legal compliance functions, risk assessments, data analysis, and administrative tasks. While AI has the potential to make significant improvements, respondents expect the cost of implementation and development will add over 10% to their budget in the next year, and 6 out of 10 respondents said developing a governance structure for AI compliance is proving difficult.
There is a pressing need to improve cybersecurity given the rate at which healthcare organizations are being attacked, and soon that will be a regulatory requirement. It is therefore understandable that 56% of respondents said cybersecurity was one of the most pressing concerns in the next year, along with data management and privacy risks. The biggest concerns were the threat of ransomware attacks (52%), patient data and HIPAA breaches (49%), internal cybersecurity, data management, and privacy risks (48%), and the expected regulatory changes (47%).
In light of these concerns, it is no surprise that security and privacy were the biggest current priorities, selected by 66% of respondents. The other main priorities were auditing high-risk compliance areas (48%), staying up to date with state and federal regulations (45%), enhancing and updating compliance documents and frameworks (39%), addressing resource limitations (32%), addressing staffing challenges (32%), and enhancing knowledge and expertise (32%). In the next 12 months, the biggest limitations will be financial resources (50%), skilled talent (44%), technological resources (38%), quality assurance resources (28%), and regulatory intelligence (28%).
Barnes & Thornburg suggests that one of the ways that leaders with limited resources can offset the constraints is by teaming up with external groups to help with their compliance efforts. While one in four healthcare organizations collaborates with industry associations or legal experts, only 35% are hiring compliance consultants. “The industry could be missing out on a vital source of support by failing to embrace cross-functional teamwork and external collaborations,” suggests Barnes & Thornburg in the report.

