Happy New Year from the Rxperts team. Before we dive into 2026, let us take a moment to look back at the compliance landscape of 2025 - what changed, what caught pharmacies off guard, and what lessons we should carry forward. Then we will look ahead at the regulatory changes and trends that will define pharmacy compliance in the year ahead.
2025 in Review: The Compliance Stories That Mattered Most
Looking back at 2025, several compliance themes dominated the pharmacy landscape.
PBM reform gained real momentum. The FTC continued its investigation into PBM practices, several states passed meaningful transparency and reform legislation, and CMS implemented new oversight requirements for Part D plan sponsors. While pharmacies are still fighting uphill, the regulatory environment is shifting in a direction that favors greater transparency and accountability from PBMs.
DEA enforcement remained aggressive. The agency continued to prioritize corresponding responsibility enforcement, and we saw several pharmacies face significant penalties for failing to identify and act on red flags in controlled substance prescriptions. The lesson from 2025 is clear: documentation of your clinical decision-making process is not optional.
HIPAA enforcement set new records. OCR resolved more Right of Access cases in 2025 than in any previous year, and the penalties continued to climb. The pattern is unmistakable: when patients ask for their records, you must deliver them promptly and in the requested format.
OIG exclusion screening became a compliance flashpoint. Several high-profile enforcement actions involving excluded individuals highlighted the financial risk of missed screenings, and CMS guidance made it clear that monthly screening of all workforce members is the expected standard.
Regulatory Preview: What Is Coming in 2026
Here is what we are watching for the year ahead.
Medicare Part D continues to evolve under the Inflation Reduction Act. The next round of drug price negotiations will affect a broader set of medications, and pharmacies should expect continued adjustments to plan formularies and reimbursement structures. Stay engaged with your PSAO and state pharmacy association to track these changes.
DEA electronic prescribing for controlled substances may see updated regulations. The Modernizing Opioid Treatment Access Act and related legislative efforts could expand access to electronic prescribing while also increasing the technology requirements for pharmacies. If you have not migrated to a fully electronic controlled substance prescribing workflow, 2026 is the year to complete that transition.
State-level pharmacy regulation continues to diversify. We are seeing states take increasingly different approaches to pharmacy practice, from expanding technician scope of practice to implementing new compounding regulations. If you operate in multiple states, keeping track of these differences is a full-time job - and getting it wrong can cost you your license.
USP General Chapter revisions continue to affect compounding pharmacies. USP 795, 797, and 800 updates will bring new requirements for facilities, training, and documentation. If you compound, stay connected with the USP revision process and start planning for any facility or equipment changes you may need.
Cybersecurity in healthcare is getting regulatory attention. Following several high-profile data breaches in 2024 and 2025, HHS has signaled plans for updated HIPAA Security Rule requirements. Pharmacies should begin assessing their cybersecurity posture now, including network security, access controls, encryption, and incident response plans.
HIPAA Focus for 2026: Security Rule Modernization
HHS has proposed updates to the HIPAA Security Rule that would, among other things, require covered entities to conduct a written risk analysis, implement multi-factor authentication for access to systems containing ePHI, encrypt all ePHI at rest and in transit, and maintain detailed technology asset inventories.
While the final rule may differ from the proposal, the direction is clear: the government expects healthcare entities, including pharmacies, to take information security more seriously than ever. If your pharmacy still relies on shared passwords, unencrypted email for PHI, or has not conducted a formal security risk assessment, these changes will require significant investment.
Start with a risk assessment. You cannot protect what you do not understand, and a formal risk assessment is already required under the current Security Rule - most pharmacies just have not done one. Identify your systems that contain ePHI, the threats and vulnerabilities affecting each one, and the safeguards you have in place. This assessment becomes your roadmap for the security improvements you need to make in 2026.
Your 2026 Compliance Action Plan
Here is a month-by-month framework to keep your compliance program on track for the new year.
January: Conduct your annual compliance program review. Update your P&P manual, refresh your compliance plan, and schedule all required training for the year.
February: Complete your annual HIPAA security risk assessment. Identify gaps and create a remediation timeline.
March: File your annual HHS breach report for any small breaches discovered in 2025. Verify Medicare enrollment revalidation status.
April through June: Conduct your first-half internal audits - PBM documentation, controlled substance accountability, and OIG screening compliance.
July: Mid-year training check. Ensure all staff are current on HIPAA, FWA, and controlled substance training. Catch up on any new hire training that slipped.
August through September: Begin preparation for Q4 PBM audits. Review documentation practices and run a mock audit on a sample of claims.
October: Conduct a self-inspection using your state board checklist. Review all required postings, licenses, and registrations for expiration dates.
November through December: Year-end compliance wrap-up. Review contracts, update vendor lists and BAAs, and document your annual compliance program activities.
Tape this to your wall, put it in your calendar, or track it in Rxperts. However you manage it, having a plan beats reacting to problems after they happen.
Here is to a compliant and successful 2026.
Quick Hits
- Complete your annual compliance program review and update your P&P manual
- Schedule all required training sessions for 2026 now
- Conduct a HIPAA security risk assessment in Q1
- Review and update all vendor BAAs for the new year
- Set up monthly OIG screening reminders if you have not already
- Bookmark the 2026 compliance calendar and assign responsibility for each milestone
Stay compliant. Stay ahead. - The Rxperts Team