Hospitals in the United States are overseen by a layered system of federal agencies, state governments, independent accrediting organizations, and their own internal boards of directors. No single entity is in charge. Instead, different organizations monitor different aspects of hospital operations, from patient safety and billing integrity to workplace conditions and data privacy. Here’s how each layer works.
Federal Oversight: CMS and Medicare Funding
The Centers for Medicare and Medicaid Services (CMS) is the most powerful federal regulator of hospitals. CMS sets what are called Conditions of Participation, a collection of health and safety standards that hospitals must meet to receive Medicare and Medicaid payments. Since the vast majority of hospitals depend on this funding, CMS requirements function as a near-universal baseline for hospital quality in the U.S.
These conditions cover a wide range of operations: infection control, patient rights, surgical safety, nursing standards, discharge planning, and more. Hospitals that fall out of compliance risk losing their Medicare certification, which for most facilities would be financially devastating. CMS can survey hospitals directly or delegate that responsibility to state health agencies and approved accrediting organizations.
State Health Departments
Every state has its own health department (or equivalent agency) that licenses hospitals and conducts inspections. These departments set minimum standards for facility design, construction, staffing, and ongoing operations. They grant, deny, suspend, and revoke hospital licenses. They also handle complaint investigations when patients or staff report problems.
State agencies often act as the on-the-ground enforcement arm for federal standards as well. When CMS needs a hospital inspected to verify compliance with Conditions of Participation, it frequently contracts with the state health department to carry out that survey. So a single state inspection can serve dual purposes: verifying both state licensure requirements and federal participation standards.
Accreditation Organizations
The Joint Commission is the best-known private accreditor of hospitals. It’s an independent, nonprofit organization that evaluates hospitals through on-site surveys, typically every three years. Trained surveyors assess patient care, medication management, infection control, and overall organizational performance. Hospitals that earn Joint Commission accreditation are “deemed” to meet CMS Conditions of Participation, meaning they can skip separate federal surveys.
The Joint Commission isn’t the only option. CMS has approved several other accrediting bodies, including DNV Healthcare, which received its initial CMS approval in 2008. Hospitals choose which accreditor to work with, but all approved organizations must meet CMS standards for their surveys to count. These accreditation visits are thorough and carry real consequences: hospitals that lose accreditation face a difficult path to regaining Medicare eligibility.
The Hospital’s Own Board of Directors
Internally, a hospital’s board of directors holds legal responsibility for everything that happens within the facility. Board members have a fiduciary duty to act with care and loyalty in the best interest of the organization and the community it serves. Their responsibilities include overseeing management, finances, and quality of care, as well as setting strategic direction, establishing ethical standards, and selecting the CEO.
In the area of quality, a board’s role typically includes setting organizational priorities around safety, establishing credentialing policies for physicians and staff, ensuring that quality improvement committees exist and function, and monitoring outcomes. The board also oversees utilization and risk management. Importantly, board members are expected to avoid micromanaging day-to-day administrative decisions, instead focusing on monitoring results and ensuring that management’s methods align with board policy.
Billing and Fraud Oversight
The Office of Inspector General (OIG) within the U.S. Department of Health and Human Services audits hospitals for billing fraud, waste, and mismanagement. Its Office of Audit Services conducts independent reviews of how hospitals and other HHS-funded programs use federal money. These audits examine whether hospitals are billing correctly, delivering promised services, and complying with program rules.
The OIG also enforces the Emergency Medical Treatment and Labor Act (EMTALA), which requires hospitals with emergency departments to screen and stabilize anyone who arrives, regardless of their ability to pay. Violations carry significant financial penalties. West Tennessee Healthcare, for example, paid $340,000 to settle allegations of failing to provide appropriate medical screenings and transfers. Baptist Medical Center South paid $290,000 for similar violations. Smaller hospitals have faced penalties in the $40,000 to $113,000 range. These enforcement actions are public and serve as a deterrent across the industry.
Patient Privacy Enforcement
The Office for Civil Rights (OCR), also within HHS, enforces HIPAA’s privacy and security rules at hospitals. OCR investigates complaints filed by patients or staff who believe their health information was mishandled. It can also conduct proactive compliance reviews without a specific complaint.
When OCR investigates, both the person who filed the complaint and the hospital are asked to present information about what happened. Hospitals are required by law to cooperate. If OCR finds a violation, it first tries to resolve the issue through voluntary compliance or a corrective action plan. If a hospital refuses to cooperate, OCR can impose civil money penalties. Cases that suggest criminal misuse of health data can be referred to the Department of Justice.
Workplace Safety
The Occupational Safety and Health Administration (OSHA) oversees hospitals as workplaces, protecting the staff who work inside them. Hospitals present specific hazards that OSHA regulates: exposure to bloodborne pathogens (for example, through needlestick injuries), tuberculosis, toxic substances, workplace violence, and reproductive hazards. Under the General Duty Clause of the law that created OSHA, hospitals must provide a workplace free from known hazards that could cause death or serious injury.
OSHA can inspect hospitals in response to complaints or reported injuries, or as part of targeted enforcement programs. Violations can result in fines, mandatory corrective actions, or both.
Tax-Exempt Hospital Requirements
Nonprofit hospitals, which make up the majority of U.S. hospitals, face an additional layer of oversight from the IRS. To maintain their tax-exempt status under Section 501(c)(3), hospitals must meet what’s called the community benefit standard. Simply claiming to promote health isn’t enough. A hospital must demonstrate it serves a broad enough segment of the community to justify its tax exemption.
The IRS looks at several factors: whether the hospital operates an emergency room open to everyone regardless of ability to pay, whether its board includes community members, whether it accepts Medicaid and Medicare patients, and whether it uses surplus revenue to improve facilities, patient care, and medical education rather than enriching insiders. Providing free or subsidized care to people who can’t pay is a significant indicator that a hospital is meeting this standard. Nonprofit hospitals report this information annually on IRS Form 990, which is publicly available. Operating at a financial surplus doesn’t disqualify a hospital from tax exemption, as long as those funds go toward the hospital’s charitable mission.

