HCAC Compliance and Accreditation Relationship

The relationship between HCAC compliance and accreditation is one of structured interdependence: regulatory compliance establishes the minimum legal floor, while accreditation programs evaluate whether an entity meets standards that frequently exceed those minimums. Understanding where these two frameworks overlap, diverge, and reinforce each other is essential for healthcare organizations navigating federal and state oversight simultaneously. This page examines the definition and scope of that relationship, the mechanisms through which it operates, the scenarios in which it becomes operationally significant, and the decision boundaries that govern which framework controls.

Definition and scope

HCAC compliance refers to adherence to the regulatory requirements imposed on healthcare entities by governing bodies, statutes, and implementing regulations — a framework described in detail on the HCAC Defined page. Accreditation, by contrast, is a voluntary or conditionally required determination by a recognized external body that an organization meets a defined set of quality and safety standards.

The scope of each framework differs in a structurally important way. Regulatory compliance is mandatory and enforced by government authority — entities that fail to meet requirements face sanctions, exclusion from federal programs, or civil monetary penalties. Accreditation is granted by private, non-governmental standards organizations and carries its own operational consequences: loss of accreditation status can trigger loss of Medicare and Medicaid payment eligibility under the Centers for Medicare & Medicaid Services (CMS) Conditions of Participation (42 C.F.R. Part 482), making the distinction between voluntary and mandatory more nuanced than it appears.

The Joint Commission, DNV GL Healthcare, and the Accreditation Commission for Health Care (ACHC) are among the accreditation bodies that hold CMS "deemed status" authority — meaning a successful accreditation survey can substitute for a CMS certification survey for certain provider types (CMS Deeming Authority).

How it works

The operational relationship between compliance and accreditation functions through three distinct mechanisms:

1. Deemed status substitution. CMS grants certain accreditation organizations the authority to survey providers in lieu of state agency surveys. A hospital accredited by The Joint Commission under this arrangement is deemed to meet the Medicare Conditions of Participation without a separate federal survey, provided the accreditation standards are at least as stringent as CMS requirements.
2. Compliance as accreditation prerequisite. Accreditation bodies routinely require evidence of baseline regulatory compliance before a survey even begins. An entity that cannot demonstrate adherence to applicable federal and state law — including licensure, life safety codes under NFPA 101 (2024 edition, effective January 1, 2024), and HIPAA Privacy and Security Rules (45 C.F.R. Parts 160 and 164) — will typically fail accreditation review on that basis alone.
3. Accreditation findings as compliance triggers. When an accreditation survey identifies deficiencies, those findings can trigger regulatory investigation by state agencies or CMS. A deficiency in medication management standards, for example, may simultaneously represent a violation of state pharmacy regulations and a Conditions of Participation deviation.

The process-level interaction is documented through the HCAC Audit and Inspection Procedures framework, which identifies the points at which accreditation survey results enter the regulatory record.

Common scenarios

Three scenarios account for the majority of situations in which the compliance-accreditation relationship becomes operationally significant:

Scenario A — Hospital seeking Medicare certification via deemed status. A general acute care hospital applies for Medicare participation and elects accreditation by a CMS-approved body rather than a direct state survey. The accreditation body surveys against its own standards, which must meet or exceed the CMS Conditions of Participation. Upon accreditation, CMS deems the hospital certified. If the accreditation lapses, Medicare payment eligibility is at immediate risk.

Scenario B — Accreditation survey revealing regulatory gaps. A home health agency undergoes a scheduled accreditation resurvey and receives a finding of Standard Not Met related to patient rights documentation. That finding maps directly to 42 C.F.R. § 484.50, a federally enforceable Condition of Participation. The agency must file a corrective action plan with both the accreditation body and, potentially, the state survey agency.

Scenario C — State licensure requiring accreditation. Certain states condition facility licensure on maintaining accreditation from an approved body. In these jurisdictions, losing accreditation initiates a regulatory cascade: loss of state licensure, which then triggers loss of Medicare/Medicaid enrollment, resulting in complete operational shutdown. The interaction between HCAC Federal vs. State Requirements is particularly acute in this scenario.

Decision boundaries

Determining which framework governs a specific organizational obligation requires evaluating four boundary conditions:

1. Is the requirement statutory or accreditation-derived? Statutory requirements (federal or state) carry enforcement authority regardless of accreditation status. Accreditation standards that exceed the statutory floor are enforceable only by the accreditation body — unless state law independently mandates them.
2. Does the accreditation body hold deemed status for this provider type? Deemed status is granted by CMS on a provider-type-specific basis. A body with deemed status for hospitals does not automatically have deemed status for ambulatory surgical centers. Providers must confirm the specific scope of any deeming authority.
3. Which standard is more stringent? Where accreditation standards exceed regulatory minimums, organizations operating under deemed status must meet the higher bar. The accreditation standard controls operationally even if regulatory enforcement only reaches to the lower threshold.
4. What are the consequences of each type of failure? Regulatory non-compliance can result in civil monetary penalties, exclusion, or criminal referral. Accreditation failure can result in loss of deemed status and payment eligibility. The two consequence tracks are independent — an organization can lose accreditation without a regulatory finding, or face regulatory sanction while retaining accreditation, depending on the deficiency type.

Organizations assessing their position across both frameworks benefit from a structured HCAC Risk Assessment process that maps each internal standard to its regulatory and accreditation source simultaneously.

References

• Centers for Medicare & Medicaid Services — Deeming Authority
• 42 C.F.R. Part 482 — Conditions of Participation: Hospitals (eCFR)
• 45 C.F.R. Parts 160 and 164 — HIPAA Privacy and Security Rules (eCFR)
• NFPA 101 — Life Safety Code, 2024 Edition (National Fire Protection Association)
• The Joint Commission — Accreditation Programs
• CMS — Survey & Certification General Information
• Accreditation Commission for Health Care (ACHC)

📜 3 regulatory citations referenced  ·  ✅ Citations verified Feb 28, 2026  ·  View update log