Three significant developments are shaping the healthcare compliance landscape this week: OCR is broadening its HIPAA enforcement focus to include risk management, the DOJ has resolved one of the largest ACA enrollment fraud cases in recent memory, and CMS has finalized sweeping changes to Medicare Advantage and Part D for 2027. Here’s what compliance officers need to know (and do) right now.
OCR Expands HIPAA Risk Analysis Initiative to Include Risk Management
The Office for Civil Rights (OCR) has expanded its Risk Analysis Initiative, first announced in October 2024, to encompass risk management as well. On April 8, 2026, OCR released a new video providing tips and strategies for implementing effective risk management measures under the HIPAA Security Rule. The expansion signals that OCR intends to scrutinize not just whether organizations have conducted a risk analysis, but whether they have acted on it.
Key Details
OCR launched the Risk Analysis Initiative against a backdrop of a 264% increase in large healthcare data breaches involving ransomware since 2018. The stakes have only grown: from early 2024 to mid-2025, settlements related to risk analysis failures totaled approximately $6 million, and OCR issued over $15 million in fines and settlements across 2024 and 2025 combined.
The initiative has been prolific. Within just six months of launch, the Security Risk Analysis Initiative alone led to seven enforcement actions, all tied to ransomware attacks. By the third quarter of 2025, the pace had intensified: 17 of 19 enforcement actions (89%) in the nine months ending September 30, 2025, were related to ransomware or other cyber incidents, compared to just 9 out of 15 total enforcement actions in all of 2024.
The pattern is consistent: inadequate risk analysis has been involved in 90% of OCR’s HIPAA Security Rule enforcement actions. Under the expanded initiative, OCR now expects regulated entities to prove not only that they identified risks, but that they acted on them with documented remediation efforts and ongoing risk management—a significant shift from past enforcement focus.
Penalties have ranged widely. Settlements under the initiative have run from $10,000 for a small surgical group to $3 million for a national medical supplier, and virtually every case has included a corrective action plan (CAP) requiring ongoing monitoring by OCR.
What this Means for You
A deficient risk analysis is bad. A deficient risk analysis paired with inadequate follow-through on risk management is now squarely in OCR’s crosshairs. Organizations that cannot demonstrate both a sound analysis and documented, ongoing mitigation efforts face civil monetary penalties, resolution agreements, and CAPs that can impose years of federal oversight.
Review OCR’s new Risk Management video alongside its earlier Risk Analysis video and assess whether your program addresses both obligations — not as a one-time exercise, but as a continuous process. Templated policies, self-assessments, and documented staff training are practical starting points. Given that OCR’s prior Right of Access Initiative spurred nearly 50 enforcement actions over five years and is still ongoing, organizations should treat the Risk Analysis Initiative as a long-term enforcement priority, not a short-term compliance sprint.
Frequently Asked Questions
What is OCR’s Risk Analysis Initiative?
OCR’s Risk Analysis Initiative is a HIPAA enforcement program launched in October 2024 focused on ensuring covered entities and business associates conduct accurate, thorough security risk analyses and act on the findings through documented risk management. It has already resulted in more than a dozen enforcement actions and millions of dollars in settlements.
What is the difference between risk analysis and risk management under HIPAA?
A risk analysis is the required process of identifying threats and vulnerabilities to electronic protected health information (ePHI). Risk management is the required follow-through — implementing security measures to reduce those identified risks to a reasonable and appropriate level. OCR’s 2026 expansion targets entities that complete an analysis but fail to act on it.
DOJ Resolves $135M+ ACA Enrollment Fraud Scheme — A Warning for All Healthcare Organizations
On April 8, 2026, the Department of Justice announced that AP of South Florida, LLC (APSF), a Florida-based insurance brokerage, agreed to plead guilty to one count of major fraud against the United States for fraudulently enrolling thousands of vulnerable consumers into fully subsidized ACA plans they did not qualify for. In a parallel civil resolution, APSF’s former parent company, AssuredPartners, Inc., agreed to pay $107 million to resolve False Claims Act allegations — bringing the total resolution to over $135 million.
Key Details
APSF, through its highest-ranking executives, preyed on thousands of vulnerable consumers to fraudulently enroll them into fully subsidized ACA plans, for which the federal government awarded $141.5 million in unwarranted subsidies.
The mechanics of the scheme were brazen. APSF contracted with “street marketers” who targeted homeless shelters, bus stops, and drug treatment clinics, offering cash or gift cards to individuals to enroll in subsidized ACA plans or provide their personal information. APSF employees then submitted applications falsely representing that consumers would earn a minimum income just over the federal poverty line in order to cause the government to pay the highest possible subsidy amount. The company also deliberately submitted a high volume of Medicaid applications in a way designed to guarantee denial, then enrolled those same individuals in fully subsidized ACA plans.
The human cost was real. Some consumers who were fraudulently enrolled into ACA plans lost access to free benefits through Medicaid or local assistance programs, facing increased costs in accessing HIV medication, medication to treat opioid dependence, and medication to treat mental health disorders.
The legal consequences were severe. APSF’s former president, Cory Lloyd, was convicted at trial in November 2025 and sentenced to twenty years’ imprisonment for his role in orchestrating the scheme. APSF will pay $27.6 million in restitution, and the whistleblower who brought the case under the False Claims Act’s qui tam provisions will receive $24.3 million. The DOJ announced the resolution as part of President Trump’s Task Force to Eliminate Fraud — a signal that anti-fraud enforcement in federal health programs is a cross-administration priority. This case is one piece of a much larger picture: False Claims Act settlements and judgments exceeded $6.8 billion in fiscal year 2025, with healthcare fraud remaining a leading source.
What this Means for You
This case is a reminder that False Claims Act exposure is not limited to large hospital systems. Any organization that touches federal healthcare dollars — including insurance brokers, downstream vendors, and enrollment platforms — is a potential enforcement target. The whistleblower payout of $24.3 million underscores that employees are both legally empowered and financially incentivized to report suspected fraud, making internal reporting culture a critical compliance priority.
At minimum, your compliance program should include written False Claims Act policies and procedures, mandatory FCA training for all relevant staff, and a clearly communicated, retaliation-free reporting mechanism. Organizations that lack these fundamentals are operating without a basic layer of legal protection in an enforcement environment that spans administrations and agencies.
Frequently Asked Questions
What is the False Claims Act and how does it apply to healthcare organizations?
The False Claims Act imposes civil liability — including treble damages and penalties — on any organization that knowingly submits false or fraudulent claims for federal funds, including Medicare and Medicaid reimbursements or ACA subsidies. Healthcare organizations, including brokers and vendors that support enrollment or billing, can face FCA liability if they submit or cause the submission of false claims.
What is a qui tam lawsuit?
A qui tam lawsuit allows a private individual (a “relator,” often a current or former employee) to file a lawsuit on behalf of the federal government and share in any resulting recovery. The whistleblower in the APSF case will receive $24.3 million — roughly 17% of the total recovery.
CMS Finalizes 2027 Medicare Advantage and Part D Rule: What Plans Need to Do Now
On April 2, 2026, CMS issued the Contract Year 2027 Medicare Advantage and Part D Final Rule, revising regulations across the MA, Part D, and Medicare cost plan programs. The rule is effective June 1, 2026, with most provisions applicable to coverage beginning January 1, 2027 — and critically, marketing and communications changes take effect even earlier, on October 1, 2026.
Key Details
The rule is broad in scope. Some of the most operationally significant changes include:
Payment: CMS estimates Medicare will pay MA plans approximately 2.48% more in 2027 than in 2026 — translating to roughly $13 billion in additional payments to plans, a dramatic improvement over the 0.09% increase estimated in the advance notice.
Part D benefit redesign: The rule codifies Inflation Reduction Act provisions eliminating the Medicare Part D coverage gap (the “donut hole”), establishing a reduced annual out-of-pocket threshold. The annual out-of-pocket cap is set at $2,100 for 2026 and indexed annually going forward.
Star Ratings: CMS is removing 11 measures focused on administrative processes and areas showing little variation between plans, and adding a new Depression Screening and Follow-Up measure starting with the 2027 measurement year and 2029 Star Ratings. CMS estimates the net impact of the Star Ratings changes on the Medicare Trust Fund at $18.56 billion from 2027 through 2036. The agency’s analysis found that 63% of contracts would see no change in their overall rating.
Marketing and communications: The rule finalizes a comprehensive rollback of existing marketing and communications safeguards. Most changes are effective October 1, 2026 and will require plans to update their marketing and agent oversight workflows well in advance of the annual enrollment period. The 48-hour waiting period between Scope of Appointment (SOA) completion and personal marketing appointments is eliminated.
The rule generated substantial industry engagement: CMS received approximately 42,632 timely pieces of correspondence in response to the proposed rule.
What this Means for You
The gap between the June 1 effective date and January 1 enforcement start is shorter than it appears once you account for the October 1 marketing changes and the complexity of operational updates across formulary design, bid processes, enrollment workflows, Star Ratings strategies, and agent oversight programs. The clearest takeaway for Medicare Advantage organizations, providers, and intermediary partners is that CMS is continuing to raise expectations around eligibility determination and consumer-facing operations while streamlining quality measurement.
MA plans, Part D sponsors, and their downstream partners should begin a gap assessment immediately to identify which policies, procedures, and workflows require updates ahead of both October 1, 2026 (marketing changes) and January 1, 2027 (full rule applicability). Do not wait for enforcement to begin to understand the scope of what needs to change.
Frequently Asked Questions
When do the 2027 Medicare Advantage rule changes take effect?
The final rule is effective June 1, 2026. Marketing and communications changes are applicable beginning October 1, 2026, for all CY 2027 marketing. All other provisions are applicable to coverage beginning January 1, 2027.
What is the Medicare Part D donut hole and has it been eliminated?
The coverage gap — commonly called the “donut hole” — was a phase of the Medicare Part D benefit where enrollees were responsible for a larger share of their drug costs before catastrophic coverage kicked in. The CY 2027 final rule codifies IRA provisions that eliminate this phase, providing enrollees with more consistent cost-sharing throughout the benefit year.
Healthcare compliance regulations move fast. Check back every Wednesday for the developments that impact your healthcare business.