I work with dental practices on their IT, and regulators are getting serious about cybersecurity and HIPAA. We've tried a lot of things, but what actually works is putting money into securing patient records and watching for ransomware. Auditors always poke around the virtual visit software and your breach plan. My advice is to check your systems often and keep your security current. Cleaning up a mess is way harder than preventing it.
1 / Telehealth services continue to undergo scrutiny by healthcare organizations using this technology to treat chronic diseases, mental health conditions, and substance abuse. Since the pandemic led to the adoption of permanent virtual care options, state boards and federal investigators regularly evaluate virtual prescription practices and potential service overuse. Our compliance reviews now require organizations to maintain detailed audit trails for remote consultations, confirm patient eligibility under CMS telehealth waivers, and document all time-based billing activities.
2 / CMS is still focused on high-use codes like 99214 and 99215, but we're also seeing a surge in audit activity related to prolonged services and time-based E/M services linked to procedures, particularly in geriatrics and cardiology. One practice we supported came under scrutiny after using add-on codes multiple times while failing to clearly show the full duration of services. The practice ultimately passed the audit because we had established structured note templates and a peer-review process for evaluating documentation before claim submission.
3 / Prescribing controlled substances continues to represent a major compliance risk, especially regarding compound medications and the use of substances for unapproved indications. We're also seeing compliance challenges arise from the No Surprises Act, which requires practices to implement strict processes for securing patient consent prior to providing out-of-network care. Meanwhile, regulations such as HIPAA and the California CPRA, along with similar state-specific mandates, are evolving quickly. Organizations now need to build patient data governance systems that align with clinical safety standards and include structured auditing procedures backed by visible top-level leadership.
In my work with small cardiology and primary care groups, the 2026 hot zone is still fraud around billing. Data-driven teams are circling telehealth, remote monitoring, labs, genetic tests, and high-level E/M when they pair with chronic pain, substance use, or behavioral health diagnoses. For practices I advise, the sleeper risk sits outside pure coding. Tougher HIPAA cybersecurity rules, No Surprises Act fights, information blocking penalties, and state pressure on workplace safety and controlled substances stack up fast. I push clients toward short internal audits and written fixes, backed by 2025 enforcement data: https://www.mintz.com/insights-center/viewpoints/2406/2025-01-28-health-care-enforcement-trends-2025-outlook
In 2026, the biggest compliance risk I see isn't a single code set or rule; it's the growing gap between what practices document and what CMS now expects them to show. Regulators are moving away from line-item audits and toward what they call "clinical coherence reviews," which look at the whole patient story in relation to the billing pattern. That's where a lot of practices will be found out. We can already see signs that CMS will step up audits of chronic diagnoses that bring in money but don't show that they are being managed properly, like hypertension with complications, COPD, and major depression. People don't care about the codes themselves; they care when the care plan, medication changes, and follow-up times don't match the severity being billed. The next round of federal fraud investigations will almost certainly look at telehealth patterns that look more mechanical than clinical. These include quick cycles of established-patient visits, notes that are all the same, and behavioral health encounters that all look the same. It's not the amount of risk; it's the lack of variety. Controlled-substance documentation is the one blind spot that practices need to fix right away. The prescribing data is already part of state PDMP systems. In 2026, regulators will start looking at prescribing patterns in the chart, not just the signature log, to see if they make sense. The main point of all of these trends is simple: Any part of the record that doesn't sound like the patient will be looked at during the 2026 audit.