Post Acute Care Compliance Checklist for 2026

For years, and littered throughout this site, are pieces (and presentations) I have done on compliance. Some goodies are below.

The one major implication of solid (or not) compliance is the connection to just about every piece of organizational success from revenue maximization to risk mitigation (think litigation) to public relations and marketing, to employment and labor (highly rated, successful organizations tend to recruit and retain staff “better”).

A post acute care compliance checklist should not live in a binder that appears only when a surveyor, payer auditor, or government investigator arrives. It should function as an operating discipline – one that connects board oversight, clinical practice, reimbursement integrity, referral relationships, and workforce accountability.

For post-acute operators, the compliance environment is no longer limited to avoiding an isolated billing error or correcting a deficient chart. CMS quality programs, Medicare Advantage utilization management, managed care contracting, staffing pressure, data reporting, and federal enforcement priorities have made compliance a direct financial and strategic issue. A weak control can affect more than a single claim. It can jeopardize cash flow, referral confidence, quality ratings, transaction value, and leadership credibility.

Why post-acute compliance has become an executive issue

Skilled nursing facilities, home health agencies, hospices, inpatient rehabilitation facilities, and senior living organizations each face different rules. Yet they increasingly share the same exposure: regulators and payers are looking beyond whether an organization has a policy. They are asking whether the policy is followed, measured, documented, and escalated when it fails.

That distinction matters. A compliance plan written years ago may technically exist, but it does little to protect an operator if training records are incomplete, internal audits are sporadic, corrective actions are never closed, or senior leaders cannot explain how risk findings reach the board.

The practical question is not whether a provider is compliant in the abstract. It is whether leadership can demonstrate a credible system for identifying risk before an outside party identifies it first.

The post acute care compliance checklist

The following checklist is designed for executive teams and compliance leaders. It is not a substitute for counsel, state-specific requirements, or provider-type regulations. It is a framework for building a compliance function that can withstand routine scrutiny and respond intelligently when conditions change. For insight into the CMS compliance standards, the reference link is here: Quality, Safety & Oversight -Certification & Compliance | CMS

1. Establish real governing-body oversight

The board or governing body must receive more than a quarterly statement that says compliance is “on track.” It should review a defined compliance dashboard that includes hotline activity, substantiated allegations, audit findings, repayment issues, survey trends, quality measures, exclusion-screening results, and the status of corrective action plans.

The most useful board reporting identifies patterns. For example, a recurring documentation error across multiple branches is not simply an education issue. It may indicate poor supervision, unrealistic productivity expectations, flawed software workflow, or a compensation model that rewards speed over accuracy.

Oversight should also be documented. Minutes should reflect questions asked, risks discussed, and actions assigned. In enforcement matters, the record of governance can be as meaningful as the policy itself.

2. Keep policies tied to actual operations

A policy library becomes a liability when it promises controls the organization does not perform. Review policies annually and whenever there is a meaningful change in regulation, payment methodology, service line, ownership, electronic health record workflow, or managed care contract.

High-risk policies generally include billing and coding, documentation standards, referrals and marketing, gifts and inducements, privacy and security, infection prevention, grievance handling, mandatory reporting, quality reporting, and non-retaliation. But policy review should not become a clerical exercise. Ask frontline managers whether the process described can actually be completed during a normal shift.

If a policy requires a supervisor review within 24 hours, but staffing patterns make that impossible, the organization has a design problem. Changing the language without changing the operation merely conceals it.

3. Test billing, coding, and documentation before a payer does

Payment integrity is where compliance and operating margin meet. Post-acute providers must validate that records support the services billed, that required assessments and certifications are timely, and that coding reflects clinical reality rather than revenue expectations.

Audit priorities vary by setting. Skilled nursing operators should focus on assessment accuracy, therapy documentation, diagnosis coding, consolidated billing, and Medicare coverage decisions. Home health agencies should examine eligibility, homebound status, plan-of-care certification, visit documentation, and episode-level billing logic. Hospice providers should closely monitor eligibility narratives, face-to-face requirements, levels of care, and live discharge patterns.

Use a statistically sensible sample where possible, but do not wait for a large annual audit. Targeted monthly reviews of high-risk claims can reveal a pattern early enough to correct education, workflows, and repayment exposure. When errors are found, quantify the scope. A single flawed claim may be an isolated mistake. Repeated errors involving the same clinician, branch, diagnosis, or payer require deeper investigation.

4. Treat referrals and marketing as a compliance risk, not just a growth strategy

Referral relationships remain a central exposure point in post-acute care. Hospital discharge planners, physicians, managed care organizations, senior living communities, and marketing representatives all influence patient flow. The commercial pressure to protect census or admissions can create precisely the conditions that attract scrutiny.

Review all financial relationships with referral sources, including medical director agreements, consulting arrangements, lease arrangements, joint ventures, transportation support, sponsored events, and employee incentive programs. Compensation should be commercially reasonable, supported by legitimate services, and not tied to the volume or value of referrals.

Marketing materials deserve the same discipline. Claims about services, quality outcomes, staffing, or coverage should be accurate and supportable. A growth team should understand that aggressive messaging can become evidence if it overstates what the organization delivers.

5. Make quality and compliance work from the same evidence

Compliance teams and quality teams often operate in parallel, even though they are reviewing many of the same underlying failures. Falls, hospital readmissions, medication errors, pressure injuries, grievances, infection-control concerns, and missed visits can create quality consequences, survey exposure, billing risk, and litigation risk at the same time.

A mature organization aligns these functions. It uses root-cause analysis to determine whether an adverse trend reflects an individual performance issue, a staffing gap, inadequate training, poor handoffs, or a flawed care model. This matters because superficial corrective actions – another in-service, another reminder email – rarely fix systemic defects.

Quality reporting also requires governance. Publicly reported measures, value-based purchasing consequences, and managed care scorecards influence market position. Data should be validated before it is submitted, not explained away after unfavorable results appear.

6. Screen people, vendors, and payments consistently

Exclusion screening is basic, but inconsistent execution remains common. Screen employees, contractors, physicians, vendors, and other covered individuals or entities against applicable federal and state exclusion lists before engagement and at a recurring interval thereafter. Retain proof that screening occurred and establish a clear escalation process for potential matches.

Vendor oversight deserves more attention than it receives. Outside therapy providers, staffing agencies, pharmacy partners, transportation firms, technology vendors, and consultants can create risk through access to patient information, billing functions, or patient-facing services. Contracts should define responsibilities, privacy obligations, audit rights, and incident reporting expectations.

The organization should also test accounts payable controls. Duplicate payments, unsupported invoices, unusual vendor arrangements, and payments approved outside normal authority levels can indicate weak financial governance or, in more serious cases, fraud risk.

7. Build privacy and cybersecurity into care delivery

Post-acute care remains a high-value target for cyber incidents because its systems contain sensitive patient data and its operations cannot easily tolerate downtime. Privacy compliance is not solely an IT responsibility. Workforce behavior drives many incidents: misdirected emails, unsecured devices, inappropriate chart access, weak passwords, and informal text messaging about patient care.

Conduct role-based training, not generic annual recitations. A nurse, intake coordinator, billing specialist, and executive assistant encounter different risks. Access should be limited to job need, reviewed regularly, and promptly removed when roles change or employment ends.

Incident response plans should be tested. Leadership needs to know who makes decisions about system shutdowns, patient communication, legal review, payer notification, law enforcement contact, and business continuity. A plan that has not been exercised is an assumption, not a control.

8. Protect reporting channels and close the loop

Employees must have a credible way to report concerns without fear of retaliation. A hotline can be useful, but it is not enough by itself. Staff must know how to raise concerns with supervisors, human resources, compliance leaders, and senior management. They must also believe that reports will be investigated fairly.

Track allegations from intake through resolution. Document the facts reviewed, findings reached, actions taken, and whether the issue requires repayment, self-disclosure, discipline, retraining, policy revision, or expanded audit work. The organization should test whether corrective actions actually worked. Closing a case administratively is not the same as reducing the risk.

What leadership should review every quarter

A quarterly compliance review should force decisions, not merely distribute information. Leaders should examine whether claim denials and recoupments are rising, whether survey findings repeat across locations, whether staffing instability is contributing to care failures, and whether managed care practices are creating new authorization or documentation burdens.

This is also the point to assess emerging exposure. A provider expanding into a new market, acquiring a facility, outsourcing a service, or changing its payer mix should not assume its existing compliance model will transfer cleanly. Growth often introduces different state rules, unfamiliar referral practices, incompatible systems, and inconsistent documentation habits.

The strongest operators treat compliance as an early-warning system. It gives leadership a clearer view of where financial pressure, clinical strain, and regulatory exposure are beginning to converge – before they become a survey crisis, a repayment demand, or a headline.

Leave a Comment