On May 21, 2026, HHS announced the launch of AERO, the Audit Enforcement and Risk Oversight initiative, a department-wide program integrity effort aimed at holding states and federal grantees accountable for chronic noncompliance with Single Audit requirements. Led by Gustav Chiarello, HHS Assistant Secretary for Financial Resources, the initiative uses AI-powered analytical tools to scan at least five years of federal audit history across all 50 states. HHS has already sent letters to all 50 state governors and treasurers putting them on notice, with a warning that states with delinquent submissions or persistent unresolved findings should expect further communication in the coming weeks.

Table of Contents

Key Details

The scale of the noncompliance AERO was designed to address is significant. Initial findings reveal states and grantees have consistently failed to remedy serious internal control issues, with some persisting for three, four, or even five or more years. Hundreds of HHS grantees have not submitted their required audits, with some late by more than two years. Prior enforcement efforts have failed to produce meaningful compliance, leaving federal dollars vulnerable to waste, fraud, and abuse. Chiarello described the problem in the May 21 announcement: years of audit reports documented serious vulnerabilities and failures in oversight, yet states and grantees faced little to no consequences. AERO is the mechanism designed to change that.

The legal framework underlying AERO is not new. Under the Single Audit Act and Uniform Guidance at 2 CFR Part 200, any non-federal entity that expends $1,000,000 or more in federal awards during its fiscal year is required to have a single audit, which consists of a financial statement audit conducted in accordance with Government Auditing Standards, plus an audit of the non-federal entity’s federal programs that examines internal compliance controls and tests compliance with applicable statutes, regulations, and award terms. What is new is HHS’s enforcement posture and the technology powering it. The Wall Street Journal reported that the AI tool driving AERO was built in part using ChatGPT, and that the initiative grew out of Chiarello’s review of child care fraud in Minnesota, with HHS now scrutinizing funding that flows through major universities to subgrantees.

The range of healthcare entities subject to single audit requirements is broader than many organizations realize. Public hospital systems, State Medicaid agencies, nonprofit behavioral health providers receiving block grant pass-through funds, FQHCs, hospitals receiving Medicaid, NIH, or HRSA funding, academic research centers, and AIDS Drug Assistance Program providers are all examples of entities that may cross the $1 million threshold and therefore fall within AERO’s reach.

Chiarello has estimated that HHS has between $100 billion and $200 billion in wasteful or fraudulent spending annually, signaling that this initiative is not a routine compliance exercise but a major enforcement priority. For entities identified through AERO’s AI analysis as having persistent noncompliance, HHS has made clear it will pursue all available remedies, including temporarily withholding payments until corrective action is taken, disallowing costs associated with the noncompliance, suspending or terminating awards in part or in full, withholding future federal funds, and initiating suspension or debarment proceedings.

What this Means for You

For healthcare organizations that receive federal grant funding, AERO fundamentally changes the risk calculus around Single Audit compliance. Prior enforcement in this area was infrequent enough that many organizations treated late submissions and unresolved audit findings as low-priority administrative matters. AERO, backed by AI-driven data analysis across five years of audit history and an explicit commitment to pursue the full range of enforcement remedies, eliminates that tolerance.

The most immediate priority is a status assessment. If your organization expends $1 million or more in federal awards annually, confirm that all required Single Audits were conducted and submitted on time for each of the past five years. If any submissions were late or missed, take immediate corrective action and document it. If your organization has open audit findings, prepare or update a corrective action plan that documents what remediation steps have been taken, what remains outstanding, and on what timeline.

Critically, do not assume that open findings from prior years have been administratively forgotten. AERO’s AI analysis is specifically designed to surface persistent unresolved findings, and HHS has signaled that multi-year noncompliance is precisely what it is targeting. Consult with your auditor to confirm which findings have been formally closed and which remain open, and prioritize any that involve internal control deficiencies, as these are the categories most likely to attract AERO scrutiny. Organizations in receipt of AERO-related correspondence from HHS should engage qualified grant compliance counsel before responding.

Frequently Asked Questions

What is a Single Audit and which organizations are required to have one?

A Single Audit is a comprehensive audit covering an organization’s financial statements and its compliance with federal program requirements, including internal controls. Under the Single Audit Act and Uniform Guidance, any non-federal entity that expends $1,000,000 or more in federal awards during its fiscal year is required to complete one. This includes nonprofit healthcare providers, public hospital systems, FQHCs, State Medicaid agencies, behavioral health providers receiving federal block grant pass-through funds, and academic medical centers, among others.

What enforcement actions can HHS take against grantees under AERO?

HHS has authority under the Single Audit Act and Uniform Guidance to pursue a range of remedies against organizations that fail to submit required audits or remediate audit findings, including temporarily withholding payments until corrective action is taken, disallowing costs associated with noncompliance, suspending or terminating awards in part or in full, withholding future federal funds, and initiating suspension or debarment proceedings. Debarment can bar an organization from receiving any federal contracts or grants for a specified period, making it one of the most consequential available remedies.

What should a healthcare organization do if it receives an AERO-related letter from HHS?

Do not ignore it and do not respond without preparation. Engage qualified grant compliance counsel, confirm the accuracy of the audit findings referenced, and document all remediation efforts undertaken to date.

Healthcare compliance regulations move fast. Check back every Wednesday for the developments that impact your healthcare business.

Have a question about how these developments affect your organization?