Healthcare providers are facing mounting financial and compliance pressures with declining federal funding under the One Big Beautiful Bill Act (OBBBA) and increasingly complex oversight given potential shifts in payment models, the 340B program, and intensified fraud, waste, and abuse (FWA) enforcement. Many have responded by adding more staff to manage the burden, but talent is scarce and costs are rising. This manual approach is no longer sustainable. The time is now to rethink compliance by adopting new operating models and accelerating the use of automation to reduce reliance on limited human resources and improve accuracy and efficiency. By doing so, health systems can transform compliance from a costly, reactive function into a strategic advantage that strengthens trust and resilience.
Mounting oversight and financial strain: The OBBBA signed in July 2025 reduces federal healthcare funding by almost $1T through 2034, which will drive up uncompensated care by an estimated $204B.[1, 2] Academic medical centers are receiving less government funding for research. Between January and June, $2B in research grants to medical schools and hospitals were terminated.[3] Even as funding shrinks, oversight grows. For example, the Trump administration’s efforts to root out FWA and reform the 340B Drug Pricing Program place greater compliance demands and further financial strain on providers.[4, 5] Handed fewer resources to take on mounting requirements, most providers are struggling to keep up, with 76% citing regulatory complexity and evolving requirements as their top compliance challenge.[6]
Persistent challenges in compliance: Provider compliance functions are often fragmented, labor-intensive, and focused on short-term goals, making them ineffective. Many organizations maintain both a central compliance function and multiple function- or hospital-specific teams, resulting in duplicative processes and inconsistent standards. Furthermore, because most compliance activities are still done manually, labor costs have ballooned. Poor staffing models and limited cross-training strain compliance budgets, making compliance functions slow to adapt to regulatory changes and new technologies. Meanwhile, the broader labor market lacks the necessary skill sets to fill these gaps. In the face of resource constraints, many providers prioritize day-to-day demands over building sustainable, efficient processes that enable the core mission: providing high-quality patient care. Much of the high labor cost of compliance stems from outdated systems and a continued reliance on manual tools, as compliance technology has struggled to keep pace. Some organizations face challenges with long-tenured employees who have not yet fully adapted to new technologies or efficiency-focused skill sets. Combined, these factors may create disruption: a compliance environment that is inefficient and ill-equipped to evolve with the rapidly changing regulatory landscape and the evolving needs of health system operations.
These challenges often lead health systems to spend a median of ~$5 million on compliance every year, with labor, particularly among senior staff whose responsibilities are increasingly supported by technology, representing a significant share of that cost.[6] As the regulatory environment becomes more complex with changes in financing and increased attestation for coverage in certain public insurance programs, compliance costs are only growing.[7, 8] 38% of providers report increased compliance spending in the past three years, and 85% anticipate increased spending in the next three years. Even with such high spend, just 34% of providers felt that their compliance functions were extremely effective.[5]
Description: A survey chart illustrates provider perceptions of key compliance challenges. According to the results, 76% of providers identified the complexity of the regulatory environment as a major barrier to compliance, while 61% cited maintaining agility in a rapidly changing environment as a significant challenge.
Source: PwC's 2025 US Risk Assessment in Healthcare Services
Description: A survey chart displays the tasks where providers plan to use AI for compliance. 75% of respondents indicated they intend to use AI for training and education, while 45% reported plans to apply AI for monitoring and auditing activities.
Source: PwC's 2025 US Risk Assessment in Healthcare Services
The operating model of the future includes clear structures and governance models, standardized operations, industrialized tools, and automation to support workflow and performance monitoring. This model evolves through three core phases: fix the model, embed automation, and monitor effectiveness. Simplifying compliance functions and building in accountability enables teams to enhance people and technology. Only when built upon a solid foundation can technology simplify rather than fragment operations. With strong governance and streamlined operations in place, health systems can integrate continuous intelligence to shift compliance from a reactive requirement to a proactive business advantage. Agentic AI acts as a force multiplier: automating processes, interpreting complex data, and driving real-time action across the compliance spectrum. Risk-sensing dashboards then connect compliance health directly to performance, providing both defense and foresight. Together, these phases form a self-reinforcing, AI-enabled compliance ecosystem. The following sections illustrate how each phase builds upon the last to establish a continuously improving, AI-enabled compliance ecosystem.
Fix the model first: Before embedding AI, health systems should redesign the compliance operating model to confirm that technology can reinforce efficiency rather than replicate fragmentation. Organizations should start by overhauling their governance structures, for only with strong governance in place will compliance functions likely see the full benefit from streamlining operations. To fix the model, organizations should clarify accountability structures, understand current vs. needed talent capabilities, and standardize processes. This requires health systems to understand the necessary body of work to be accomplished now and in the future and to establish scalable skills and capabilities. As leaders build a standardized and skill-aligned foundation, automation can serve as an accelerator.
Embed automation: With the foundation in place, organizations can incorporate automation, such as agentic AI, in high-value areas to replace manual, routine tasks and reallocate human labor. This shift transforms compliance from a manual, reactive function into an intelligent, proactive system that strengthens oversight capabilities, accelerates monitoring and investigations, and enhances defensibility across workflows such as conflict-of-interest (COI) management, privacy breach response, and case documentation. Once adopted, these solutions are scalable, allowing for a centralized compliance function and helping reduce the cost of future expansion, even in the face of increased regulatory complexity. And though automation remains a tremendous opportunity for health systems to enhance efficiency and accuracy, it also carries inherent risks. Health systems can apply the principles in the Joint Commission’s Responsible Use of AI framework, which establishes safeguards across a range of potential issues, from ongoing quality monitoring and voluntary blinded reporting of AI-related safety events to the mitigation of bias.[9]
Monitor effectiveness: Harnessing data to enable real-time risk sensing and monitoring dashboards delivers the dual value of defense and foresight. Defensively, they provide audit readiness and a single transparent view of compliance activity across operations. Strategically, they enable leaders to anticipate exposure and act in advance, tying compliance health directly to performance and reputation. Dashboards can be designed to reflect meaningful performance metrics like aging investigation cases, tracking denials by reason, or 340B prescribing trends for compliance and performance. Dashboards can also surface emerging trends in conflict-of-interest filings or spikes in privacy incidents, prompting automated remediation workflows and precise interventions. Agentic AI can autonomously monitor key risk indicators (KRIs) in these dashboards and, when a threshold falls below an acceptable level, investigate anomalies, leverage organizational knowledge sources to conduct preliminary research, and provide the compliance team with insights for decision support.
This image depicts the evolution toward an automation-enabled compliance operating model. The framework is structured as a three-phase continuum: Fix the model, Embed automation, and Monitor effectiveness, illustrating how each stage builds upon the previous to create a continuously improving, intelligent compliance ecosystem.
Problem: Across several multi-hospital integrated care networks, PwC observed recurring challenges plugging compliance gaps after they had already surfaced and often only once they were revealed externally through regulatory enforcement or public reporting. For many, their compliance models were distributed and, while a corporate oversight model existed, enterprise standards were not in place and there was little transparency. These health systems struggled to handle the volume of events, making false choices on where to direct resources between highly critical areas like privacy and clinical quality and safety. They recognized that addressing this required more than increasing staffing; it was about shifting the organization’s approach to compliance readiness as a business imperative.
Solution: To achieve this shift, these health systems demonstrated commitment to addressing issues at their root rather than treating symptoms. Compliance teams collaborated with business operations to integrate regulatory expectations into workflows, decision points, and performance measures across billing and coding, 340B, privacy, safety & quality, and research program compliance. PwC helped them by developing customized risk performance reporting to provide user visibility, while cross-functional collaboration established compliance as a shared responsibility rather than a siloed obligation. The data and tooling also provided foresight into areas of exposure, allowing for more preventive measures, reducing the backlog of fire-fighting, and putting compliance and operations in collaboration to help patients and support growth. For example, now they could monitor patient safety and quality events across the entire footprint of the hospital network, anticipate potential areas of vulnerability, apply more effective network-wide interventions, and drive greater accountability across clinical and operational teams. In line with Centers for Medicare & Medicaid Services (CMS)’ expectations of Compliance and Quality, this approach transforms compliance into a proactive operating model in which issues are flagged in real time.
Outcome: The results were both measurable and transformative. These care networks advanced from a reactive compliance posture to become industry leaders in these areas. The impact they made in high-priority areas established the case for scalable change in how Compliance operates.
| Impact Area | Outcome |
| --- | --- |
| Audit readiness | Enhanced regulatory audit preparedness significantly reduced the likelihood of penalties, corrective actions, and reputational risk. |
| Operational efficiency | Real-time monitoring capabilities shortened issue detection timelines from weeks or months to minutes, improving response and resolution speed. |
| Testing | Transitioned from manual, sample-based testing to automated transaction-level testing, increasing monitoring coverage and accuracy. |
| Patient Experience | Fewer errors and faster resolutions strengthened patient trust and improved overall satisfaction scores across the network. |
PwC conducted a study and captured cost drivers and metrics associated with risk and compliance maintenance across 206 healthcare organizations, which included some of the largest Fortune 500 healthcare organizations. Fieldwork was conducted March–April 2025 through interviews with executives, with a total of 206 completions. Respondents included C-level executives and other upper management, targeting at least one stakeholder per company across pharmaceutical manufacturers, medical device manufacturers, medical insurance payers, and providers. Topics included cost areas applied to risk and compliance, how organizations structure monitoring and management of risk issues, and comparison between stronger and weaker performers on compliance efficiency.