Hospitals in the United States are regulated by a layered system of federal agencies, state health departments, and private accrediting organizations. No single entity is in charge. Instead, different regulators oversee different aspects of hospital operations, from patient safety and billing practices to workplace conditions and data privacy. Understanding which body does what can help you make sense of how hospitals are held accountable.
The Federal Government: CMS and Medicare
The Centers for Medicare and Medicaid Services (CMS), part of the U.S. Department of Health and Human Services, is the most influential federal regulator of hospitals. Because the vast majority of hospitals accept Medicare and Medicaid patients, they must comply with a detailed set of federal rules called the Conditions of Participation. These rules cover nearly every major area of hospital operations: patient rights, quality improvement programs, medical staffing, nursing services, infection prevention, antibiotic stewardship, discharge planning, emergency preparedness, and governance structure. A hospital that fails to meet these conditions risks losing its Medicare and Medicaid funding, which for most facilities would be financially devastating.
CMS also enforces the hospital price transparency rule, which took effect January 1, 2021. Every hospital operating in the U.S. must publish a comprehensive machine-readable file listing the prices of all items and services it provides, along with a consumer-friendly display of common “shoppable” services so patients can compare costs before receiving care.
State Health Departments
Every state has its own licensing authority for hospitals, typically housed within the state health department. These agencies issue the license a hospital needs to operate, conduct regular inspections, and investigate complaints. In many states, the licensing agency also performs certification surveys on behalf of CMS to verify that hospitals meet federal Conditions of Participation. New Mexico’s Health Facility Licensing and Certification division, for example, oversees more than 3,500 health facilities and laboratories across three bureaus that handle acute care, long-term care, and state-licensed-only facilities.
State requirements often go beyond federal minimums. States may set their own staffing ratios, building codes, reportable disease protocols, and patient safety mandates. If a hospital violates state regulations, the state can impose fines, require corrective action plans, or in extreme cases revoke the hospital’s license entirely.
Private Accrediting Organizations
The Joint Commission is the best-known private accreditor of hospitals, but it is not the only one. CMS grants “deemed status” to hospitals accredited by approved organizations, meaning that accreditation can substitute for a direct government survey. Other CMS-approved accreditors include DNV Healthcare, the Center for Improvement in Healthcare Quality (CIHQ), and the Accreditation Commission for Health Care (ACHC), among several others.
Joint Commission standards are developed with input from clinicians, subject matter experts, consumers, and government agencies including CMS. They focus on 14 high-priority topics designed to be measurable and actionable, covering key areas of patient safety and care quality. Hospitals that pursue accreditation undergo periodic on-site surveys and must demonstrate ongoing compliance. While accreditation is technically voluntary, it carries real weight: many insurers, referral networks, and patients treat it as a baseline marker of quality.
Emergency Care: EMTALA
Any hospital with an emergency department that participates in Medicare must follow the Emergency Medical Treatment and Labor Act (EMTALA). This federal law requires hospitals to provide a medical screening exam to anyone who comes to the emergency department, regardless of their ability to pay or insurance status. If the screening reveals an emergency medical condition, the hospital must stabilize the patient before discharge or transfer.
Transfers of unstabilized patients are permitted only in narrow circumstances: the patient requests it in writing after being informed of the risks, or a physician certifies that the medical benefits of transferring outweigh the dangers. Violations of EMTALA can result in civil penalties for both the hospital and the physician involved, and repeated violations can lead to exclusion from Medicare.
Patient Privacy: HIPAA Enforcement
The Office for Civil Rights (OCR), another arm of HHS, enforces the privacy and security rules that govern how hospitals handle patient health information under HIPAA. OCR investigates complaints, conducts compliance reviews, and applies corrective measures whenever it finds a hospital or its business associates have mishandled protected data. To date, OCR has settled or imposed civil penalties in 152 cases, totaling nearly $145 million. When violations involve knowing disclosure or theft of patient information, OCR refers cases to the Department of Justice for criminal investigation. More than 2,400 such referrals have been made.
Workplace Safety: OSHA
Hospitals are workplaces, and the Occupational Safety and Health Administration (OSHA) regulates worker safety inside them. Under the General Duty Clause of the Occupational Safety and Health Act, hospitals must provide an environment free of known hazards that could cause death or serious injury. Specific standards apply to bloodborne pathogen exposure, hazardous substances, and safe patient handling. Several states have passed additional legislation around patient handling to reduce injuries among nurses and other staff who regularly lift or move patients.
Fraud Oversight: The HHS Inspector General
The Office of Inspector General (OIG) within HHS monitors hospitals for fraud, waste, and abuse in federal healthcare programs. OIG conducts audits of billing practices, investigates improper Medicare and Medicaid payments, and works with Medicaid Fraud Control Units in each state. Recent OIG investigations have flagged issues like improper use of emergency department billing codes (resulting in over $15 million in improper payments in one case) and Medicare overpayments exceeding $12 million at a single hospital. OIG also coordinates with the Medicare Fraud Strike Force, which targets large-scale billing schemes across the country.
Tax Rules for Non-Profit Hospitals
Roughly half of U.S. hospitals operate as non-profits with tax-exempt status under Section 501(c)(3) of the Internal Revenue Code. The IRS requires these hospitals to meet additional obligations beyond what for-profit facilities face. Each facility must conduct a Community Health Needs Assessment, maintain a written financial assistance policy, establish an emergency medical care policy, limit charges for patients eligible for financial assistance, and follow specific billing and collections restrictions. Non-profit hospitals report this information annually on IRS Form 990, Schedule H, which details the community benefits they provided during the tax year. Failing to meet these requirements on a facility-by-facility basis can jeopardize a hospital’s tax-exempt status.