Whether you’re new to healthcare compliance or are reviewing requirements for 2026, now is the time to ensure your physical therapy practice or other small business is fully compliant.
Healthcare compliance updates this year are less about brand-new rules and more about changes to how the government is approaching enforcement. “They’re fully enforcing standards that have been on the books for a long time,” says compliance expert Daniel Hirsch, PT, DPT.
Agencies are also embracing technology like AI, strengthening their ability to identify noncompliance.
In most cases, enforcement efforts focus on higher-impact fraud, waste and abuse. However, smaller practices and solo providers are facing growing expectations to proactively identify and mitigate risk — particularly around privacy and cybersecurity. “Claiming a lack of awareness is no longer a defensible position. If compliance standards aren’t being actively applied, practices are exposing themselves to significant liability and financial penalties,” says Hirsch.
If you’re running a practice or healthcare business, the reality of compliance in 2026 is you can’t afford to wing it anymore. Hirsch offers the following tips for ensuring your practice is fully compliant.
HIPAA Privacy Policy Updates Practices Must Complete by 2026
Just around the corner, on February 16, 2026, is the deadline to update your HIPAA Notice of Privacy Practices (NPP).
If you’re a HIPAA-covered entity that creates, receives or maintains substance use disorder (SUD) records subject to 42 CFR Part 2, then you must update your Notice of Privacy Practices (NPP). The updated form must be posted on your website and available for patients onsite.
Your specific obligations and implementation details may vary depending on your location, your area of specialty and how your practice handles protected information. Regardless, now’s the time to review your specific requirements with qualified counsel or a compliance advisor.
Cybersecurity and HIPAA Security Risks Facing Small Healthcare Practices
When it comes to cyber threats, eliminating all risk is a Sisyphean task, but that doesn’t mean you shouldn’t take meaningful steps to protect your practice. Because cyberattacks can compromise protected health information (PHI), healthcare organizations must actively adhere to applicable privacy and security standards to reduce exposure and limit harm.
“Cyber threats are like a faucet that never fully turns off. The goal isn’t to stop the flow entirely, but to continually plug the leaks through routine system updates, ongoing staff education and trusted expertise that helps you focus on the areas of greatest risk. You can’t eliminate every threat but you can minimize how you educate staff, secure your practice and have a plan,” says Hirsch.
To protect your practice and your patients’ information, Hirsch recommends the following:
- Annual IT risk assessments
- Meaningful and ongoing staff training
- Strong technology controls (such as role-based access) and acceptable use policies for all staff
- HIPAA-compliant technology configurations, such as secure email encryption and multi-factor authentication settings
- Thorough vetting of vendors and anyone with access to PHI
Finally, when it comes to cyber insurance, Hirsch says, “At this point in 2026, an individual cyber policy is something you just have to have to stay in business.”
HHS OIG Exclusion List Screening Requirements for Small Healthcare Practices
Few small practices are aware that there is an official list of individuals and entities they can be fined for hiring or contracting with. One of the most overlooked (and easiest to address) compliance gaps among smaller healthcare businesses is failing to screen staff and vendors against the HHS OIG exclusion list.
The exclusion list bars individuals and entities from participating in federal healthcare programs, such as Medicare and Medicaid. Even if you’re a cash-only business, it’s still a best practice to know if you’re working with someone on the exclusion list. Malpractice insurers, lenders, compliance programs and investment partners may expect screening.
Hirsch recommends taking a few minutes each month to check the list, which is updated monthly. The financial consequences can stack up fast. Civil monetary penalties can be up to $10,000 for each item or service furnished by an excluded individual and billed to a federal program, plus additional assessments.
Physical Therapy Compliance Updates and CMS Changes for 2026
Some compliance requirements for physical therapists are now more flexible in 2026, including remote therapeutic monitoring (RTM). The Centers for Medicare & Medicaid Services (CMS) finalized changes that make RTM more practical.
Remote Therapeutic Monitoring Billing Changes for Physical Therapists
You no longer need more than 16 days of monitoring data to get reimbursed. Previously, one of the biggest pain points with RTM was the days of data requirement. If a patient only used the device for 15 days, you were paid nothing.
Now, CMS has added a therapy-designated RTM device code that allows you to bill at the same payment rate even for a device used for 2–15 days within a 30-day period.
RTM revenue is a more predictable and viable way to support your patients in 2026.
2026 Medicare Therapy Thresholds for Physical Therapy Services
For calendar year 2026, the Centers for Medicare & Medicaid Services (CMS) set the therapy threshold at:
- $2,480 combined for physical therapy (PT) and speech-language pathology
- $2,480 separately for occupational therapy
The threshold isn’t a cap, so Medicare doesn’t necessarily stop paying once a patient reaches $2,480. Instead, it means there’s additional scrutiny once a patient reaches the amount.
The threshold resets every calendar year, and typically increases each year.
A Practical Healthcare Compliance Checklist for Small Practices
Finally, Hirsch recommends a compliance to-do list cadence that’s realistic for most practices:
- Annual internal audits for documentation, coding and billing
- Annual cyber risk assessment
- Annual HIPAA compliance training for all staff
- Yearly review of HIPAA business associate agreements (BAAs)
- Ensure manuals, policies and procedures are up to date and accurate
“The beauty of compliance is that it’s supposed to be meaningful and effective for you. It’s not hard to stay within the compliance boundaries, it’s not time-consuming, it shouldn’t be expensive either,” says Hirsch.
For those who want to outsource compliance, companies like Risk & Compliance Analytics can manage your compliance needs for you.
Explore CM&F Group’s professional liability coverage options to help protect your practice as regulations and enforcement evolve.
Frequently Asked Questions
- What healthcare compliance changes should small practices prepare for in 2026?
In 2026, healthcare compliance changes focus less on new regulations and more on stricter enforcement of existing rules. Small practices are expected to proactively manage risk related to HIPAA privacy, cybersecurity, documentation, and vendor oversight. Claiming lack of awareness is no longer considered a valid defense during audits or investigations.
- Do physical therapy practices need to update their HIPAA Notice of Privacy Practices in 2026?
Yes. HIPAA covered entities that create, receive, or maintain substance use disorder records subject to 42 CFR Part 2 must update their Notice of Privacy Practices by February 16, 2026. The updated notice must be posted on the practice’s website and made available to patients onsite, with requirements varying based on how protected health information is handled.
- Why is cybersecurity compliance critical for PTs and small healthcare practices?
Cybersecurity compliance is critical because cyberattacks can expose protected health information and trigger regulatory penalties, lawsuits, and reputational damage. Best practices include annual IT risk assessments, ongoing staff training, secure technology configurations, vendor vetting, and maintaining a standalone cyber liability insurance policy.
Disclaimer: The information in this update is not legal or consulting advice, but for educational purposes to enhance compliance.