i-GENTIC AI, Inc

The Three Compliance Leaks That Will Cost Hospitals Twice: First in Fines, Then in Disincentives

The Compliance Crisis in an AI World

Hospitals across the country are entering a new phase of compliance scrutiny. Regulators are demanding not just documented policies, but verifiable evidence that those policies are followed in practice. With new Medicare and Medicaid disincentives taking effect, noncompliance now carries a double cost: penalties on one side, and reimbursement reductions on the other. These combined pressures are exposing long-standing gaps in how hospitals monitor, document, and prove compliance across their systems. The three most critical pressure points are HIPAA security, information blocking, and EMTALA documentation. Together, they form the foundation of a compliance model that can no longer rely on periodic audits or after-the-fact reporting.

Leak #1: The Data Blind Spot (HIPAA Security and Ransomware)

Recent HIPAA enforcement actions highlight a growing pattern. Hospitals often have strong security intentions, but lack the real-time evidence to show when, how, and by whom patient data was accessed.

“What keeps us up at night is what we don’t know. We don’t know what data is being shared, what risks are being introduced to the company. That’s the biggest worry for security practitioners: what the hell is going on?” — Michael Myint, Strategic Advisor and CISO

That uncertainty, what Myint calls “the unknown”, has become the defining risk in hospital compliance. The problem is not simply the presence of bad actors; it is the absence of visibility.

“All things that go beep are owned by the CIO, so my job is to protect all things that go beep.” — Steven Ramirez, CISO, Renown Health (YouTube)

Ramirez’s remark captures the impossible breadth of what hospital systems now encompass: every device, every data flow, every connected service. When everything generates data, the question becomes how much of that data can actually be monitored or verified.

“Healthcare CISOs are more willing than ever to share lessons learned. The human factor is a significant vulnerability. You must prioritize phishing training, continuous monitoring, and real-time response.” — Steven Ramirez, Risk Never Sleeps Podcast

“He emphasizes the importance of clearly articulating risk to drive strategic investments, ensuring those investments deliver value.” — Becker’s Hospital Review, interview with Steven Ramirez

These comments reflect a shift in mindset among hospital CISOs. Security is no longer just about defense—it’s about communicating measurable risk to boards, clinicians, and finance leaders. That conversation increasingly depends on data, not reassurance.

Leak #2: The Flow Bottleneck (Information Blocking and Disincentives)

Hospitals are also under pressure to comply with the 21st Century Cures Act and its rules around electronic health information (EHI). Under new HHS guidelines, delays or denials of data access can now reduce Medicare reimbursement.

The issue is not always intentional obstruction. In many cases, hospitals cannot show how exceptions were applied or when requests were processed.

“We’re letting technology go and do whatever it’s going to do, but we don’t always know what it’s doing in the weeds. We need that awareness and visibility across all the little AI footprints inside the organization.” — Michael Myint, Strategic Advisor and CISO, Chicago

That lack of awareness mirrors what investigators are finding: systems that move information without a clear audit trail. In those situations, hospitals may comply in practice but fail to prove it.

“The safety of data in healthcare must extend beyond perimeter defenses. It is about ensuring every expected data handoff is visible, traceable, and auditable.” — Vernon O’Donnell, Interview in Action @ HIMSS ’24 (Health Podcast Network)

O’Donnell’s comment captures the growing expectation that data accountability must match clinical accountability. Hospitals need to show not only that patient information is secure, but that its movement through the system is fully traceable.

When a complaint arises, that traceability is what determines whether the organization faces a penalty or an inquiry. The margin for error is shrinking quickly as CMS and OIG tighten enforcement around information blocking.

Leak #3: The Operational Gap (EMTALA and Documentation Risk)

OIG continues to levy penalties under EMTALA for screening, stabilization, and transfer violations. The root cause in many cases is incomplete documentation rather than clinical error.

“If we had an engineer working with an AI model and they left the company, that model could still be out there, running around, doing something, and nobody knows. It could have a life of its own.” — Zahra Timsah (PhD, MBA, MSc), CEO, i-GENTIC AI, Inc

Timsah’s description of ungoverned digital systems parallels what often happens in emergency departments. Processes become automated or fragmented, but oversight does not follow. The result is an operational blind spot that turns routine procedures into compliance risks.

“Every dollar must stretch between innovation, cybersecurity, and keeping the lights on.” — Bridgett Ojeda, PMP, CIO, Bryan Health (This Week Health)

Ojeda’s line speaks to the balance most hospital CIOs face: protecting compliance resources while maintaining daily operations.

“Physicians declaring that ambient listening technology has become a ‘career extender’… but still, fax machines dominate patient care coordination in 2025.” — Bridgett Ojeda, This Week Health

Her point highlights the uneven modernization within many health systems. While some functions adopt advanced digital tools, others remain trapped in manual or paper-based workflows. That inconsistency drives many EMTALA documentation lapses, where data capture stops short of the audit trail.

Closing the Loop (Compliance as Continuous Proof)

The emerging pattern across HIPAA, information blocking, and EMTALA is the same: compliance now depends on evidence that can be produced quickly and verified independently.

“It would be amazing to say we can prove compliance automatically, but hard to believe until you show it. You need a very good visual that explains how the system actually manages HIPAA or Sarbanes-Oxley compliance.” — Michael Myint

That skepticism is healthy. Regulators and hospital boards alike are looking for clarity, not promises. As hospitals adopt increasingly complex digital systems, the challenge will be to maintain verifiable oversight—proof that policies are not only written, but followed at every level of operation.

The organizations that succeed will treat compliance as an ongoing operational discipline rather than an annual report. Those that do not will keep paying for the same failures, twice.