With federal enforcement intensifying and new compliance expectations on the horizon, physicians may face higher legal and financial exposure in 2026, according to a report from
The post highlighted five risk areas that could trigger audits, penalties or liability for practices in the year ahead:
1. Not implementing new HIPAA security and privacy overhauls
HIPAA is no longer just a checklist, but a “living security framework,” according to the post. Upcoming rule updates are expected to mandate stronger baseline security controls, meaning a reactive approach, particularly one that relies solely on an IT vendor, could become a major liability.
Several changes are expected to be more strictly enforced, including:
- Mandatory multi-factor authentication for systems accessing electronic protected health information
- Encryption of ePHI, both:
  - At rest (stored data)
  - In transit (sent or transferred data)
- Updated notices of privacy practices, with an expected compliance deadline of February 2026, reflecting expanded patient rights related to sensitive health information
2. Routine foot care remains a major Medicare audit risk, especially for podiatry
Medicare generally does not cover routine foot care unless medical necessity is clearly established. Because routine services such as nail trimming or callus removal are heavily scrutinized by CMS and oversight bodies, they are a frequent trigger for audits and payment recoupments.
Key compliance requirements include:
- Using the correct Q modifiers (Q7, Q8, Q9) when the patient has a qualifying systemic condition
- Ensuring documentation explicitly links the service to:
  - A qualifying systemic disease (such as diabetes or peripheral vascular disease)
  - Required clinical findings (such as loss of protective sensation, infection, pulse findings or history of complications)
3. Stark law creates strict liability risk
Under the Stark law, practices can violate the statute even without intent to break the law. Stark prohibits referrals for certain Designated Health Services to entities in which the physician — or an immediate family member — has a financial relationship, unless an exception applies.
Common risk areas include:
- Leases: Rent must be at fair market value and cannot be tied to the volume or value of referrals
- Management services agreements:
  - Compensation must align with fair market value
  - Agreements should be written, clearly defined and established in advance
If a physician refers patients to a DHS entity where they have an ownership stake, the arrangement must fit a specific exception, or every resulting claim may be considered tainted.
4. Repeated billing mistakes can become fraud under the False Claims Act
The False Claims Act is often used to pursue systemic billing errors, especially those interpreted as reckless disregard. Even if errors begin as accidental, repeated patterns can be treated as fraud. Penalties can include triple damages and per-claim fines, meaning small recurring errors can quickly become financially devastating.
High-risk billing behaviors include:
- Upcoding
- Unbundling
- Billing non-covered services without informing the patient or obtaining a properly completed advance beneficiary notice
5. Business associate agreements can determine liability during a breach
Vendors that handle patient information, including billing companies, IT providers and cloud services, are considered business associates and should be governed by up-to-date business associate agreements.
If a BAA is outdated or generic, practices may lose key protections and could carry liability even when the vendor caused the breach, according to the report.
