The 30th Annual Compliance Institute is coming to Orlando April 27-30, 2026, with a virtual option April 28-30.
This is where healthcare compliance teams go to pressure-test what “good” looks like in practice. When enforcement risk is real, audits are relentless, privacy and security expectations keep shifting, and the business still has to move.
What is the Health Care Compliance Association (HCCA)?
HCCA is a US nonprofit that supports healthcare compliance professionals through education, resources, and peer networking.
A few quick facts worth knowing:
- Founded: 1996
- Members: 1900+
- Countries: 100+
“HCCA exists to champion ethical practice and compliance standards and to provide the necessary resources for ethics and compliance professionals and others who share these principles.”
HCCA Mission
What makes the Compliance Institute the flagship is simple: it’s not abstract. It pulls together compliance leaders, regulators, legal experts, and practitioners who are actually living the work, then forces the conversation into the practical.
As one attendee put it:
“HCCA is the Ivy League for Compliance Education!”
Why you should join us (and what you’ll get out of it)
This year’s speaker line-up and session mix are built for the real world: privacy leaders dealing with widening scope, audit teams being asked to do more with less, compliance officers navigating AI adoption, and everyone trying to keep third parties from quietly becoming the biggest risk in the room.
A few session themes we’re tracking closely because they align with the conversations we are having with our expert community:
- AI legislation and enforcement: how state AI laws are emerging, and what “good governance” looks like before the rules settle.
- Third-party vendor programs: the shift from one-time due diligence to continuous monitoring, evidence, and accountability.
- Healthcare privacy and security pressure points: the newest developments, and how to operationalize them without burying the business.
Also, for anyone building career credibility, CI is tied into certification pathways like CHC, CHPC, and CHRC, and the virtual option means teams can still access the learning even if travel is a no-go.

Why CoreStream GRC is attending the 2026 Compliance Institute
1. Conflict-of-Interest + Open Payments: the US reality we’re built around
In US healthcare, conflicts of interest are not theoretical. They’re operational, high-volume, and reputational.
In practice, conflict of interest programs tend to break for two reasons:
- Disclosure is annoying for busy people, so completion quality drops.
- Follow-up becomes manual, so issues drift into email and “we’ll get to it.”
What matters is not the form. It’s the operating model:
- Clear ownership and routing
- Fast reviews
- Consistent management plans
- Evidence you can produce without panic
That’s exactly why we built our conflict of interest approach around usability plus proof. CoreStream GRC makes disclosure simple for occasional users, then turns follow-up into workflow.
And for US organizations, our Open Payments comparison view helps teams spot mismatches early and document decisions with confidence.
This is where compliance automation stops being a buzzword and becomes the difference between control and chaos.
2. The GRC platform trusted by healthcare orgs where scrutiny is normal
HCCA is a US conference, but the compliance problems in healthcare are global. Evidence, accountability, high workload, and public trust are not unique to one system.
CoreStream GRC is trusted worldwide in healthcare environments where scrutiny is constant, including:
- UNT Health (US), with a conflict of interest program designed for daily reality, not annual check-the-box
- NHS / NHS Trust (UK), supporting high-volume information governance workflows for their data privacy programs and audit-ready reporting
The outcomes our healthcare clients care about tend to be the same:
- Time saved through fewer chases
- Better visibility into what needs action and who owns it
- Reporting that reflects reality, not last week’s spreadsheet
“If I go off to another compliance office and they don’t have anything like this in place, I will be suggesting CoreStream GRC. I think it’s a great system. It’s an easy process, for employees and for us. We can log in and very easily do what we need to do. I really do enjoy CoreStream.”
April Daniel, Director Compliance Operations, UNT Health
3. Networking with our community (and what we’re trying to learn)
Conferences are only worth it if you leave with sharper answers and more questions to research than you arrived with.
We’re showing up to compare notes with compliance leaders dealing with the same issues we see every day:
- privacy workload that never slows down
- third-party exposure that keeps expanding
- audit pressure that is becoming continuous
- conflict of interest transparency expectations that keep rising
We’re also looking for the honest conversation about AI: where it genuinely reduces friction, and where it creates new risk that compliance teams will be stuck defending later.
What the 2026 Compliance Institute agenda signals (and why it matters)
You can learn a lot about where the industry is heading by looking at what the agenda keeps circling back to. HCCA’s 2026 program spans 14 learning tracks and 100+ sessions.
Here’s what we think it’s really signaling and what our team at CoreStream GRC is eager to learn about:
Regulatory and enforcement developments
If you need one number to explain why this matters, start here: the DOJ reported $6.8B in False Claims Act settlements and judgments in FY2025, with nearly $5.7B tied to healthcare matters.
That’s the backdrop for everything else. Priorities change. Proof expectations do not. The pressure is always the same: show what you did, who owned it, what changed, and where the evidence lives. That’s why regulatory compliance management software stops being a “nice to have” the minute scrutiny shows up.
Auditing and monitoring, plus investigations
Audit readiness is now continuous, not seasonal. The best internal teams are treating audits like an always-on operating rhythm, supported by audit management software and internal audit software that can actually produce defensible records on demand.
Risk management and culture of compliance
Boards and executives are not asking for more slide decks. They want a clean answer to: what’s the risk, who owns it, what are we doing, and what’s still exposed.
This is where enterprise risk management software plus a consistent risk assessment update approach earns its keep. It turns compliance from a quarterly scramble into a steady system that leadership can actually trust.
Privacy and security moving from “policy” to “operational control”
Privacy is no longer a policy conversation. It’s an operational control problem: access, evidence of review, vendor exposure, requests, incidents, timelines.
And the economics are brutal. IBM’s 2025 report puts the global average cost of a data breach at $4.44M.
If you’re still trying to manage that without data governance software or access audit software, you feel the pain every week.
AI is no longer a side conversation
AI is showing up everywhere, whether compliance teams invited it or not. HCCA is reflecting that reality with multiple sessions on AI legislation, governance, and practical compliance use cases.
Teams are experimenting. Regulators and plaintiffs are watching. Governance has to keep up. The real issue is not “should we use AI?” It’s “how do we manage it without creating new risk we can’t explain later?”
Meet us at HCCA
Mike Vidoni, Senior GRC Client Executive & Customer Success

Mike brings 15+ years in GRC, with deep expertise in conflicts of interest, Open Payments, policy management, incident management, third-party risk, and gifts and entertainment. He’ll be focused on practical COI and Open Payments conversations, plus workshops and peer chats.
Lucy Montague, Head of Marketing and Women in GRC advocate
Lucy will be there as a Women in GRC advocate and a lead organizer of CoreStream GRC community events. If you want to find out about events where you can talk about real community trends (what teams are struggling with and what’s working), find her.


Frequently asked questions
HCCA (Health Care Compliance Association) is a US nonprofit that supports healthcare compliance professionals through education, resources, and peer networking.
The 30th Annual Compliance Institute is in Orlando April 27–30, 2026, with a virtual option April 28–30, 2026.
Because it’s one of the few places where the conversation stays grounded in operational reality: enforcement pressure, audit readiness, privacy and security controls, and third-party risk that keeps expanding. It’s not theory, it’s how teams actually survive scrutiny.
Four themes show up everywhere right now:
- Regulatory and enforcement pressure and the expectation of defensible proof
- Audit readiness moving from seasonal to continuous
- Privacy and security shifting from policy to operational controls
- AI governance becoming a real compliance problem, not a side project
Because regulators, auditors, and boards don’t grade intentions. They ask the same questions every time: who owned it, what changed, who approved it, and where’s the evidence. If you can’t answer fast, you’re already behind.
Not “dashboards.” It means workflows that make it hard to drop the ball:
- assigned ownership (no orphan tasks)
- routed reviews (so issues do not sit in inboxes)
- documented decisions and management plans
- audit-ready evidence captured as work happens
That’s compliance automation that holds up under pressure.
COI management is how healthcare orgs collect disclosures, review them, apply management plans, and prove accountability over time. It breaks when:
- the disclosure experience is painful, so completion quality drops
- follow-up is manual, so issues drift into email and “we’ll get to it”
This is exactly where compliance management software should reduce friction and still produce proof.
CoreStream GRC is built to make disclosure simple for occasional users, then turn follow-up into workflow:
- clear ownership and routing
- faster reviews
- consistent management plans
- defensible audit trails without “audit-week archaeology”
Open Payments is a US transparency program tied to reporting of certain transfers of value. In practice, teams care because mismatches, timing gaps, and documentation gaps become reputational and enforcement risk fast. CoreStream GRC supports workflows that help teams spot issues early and document decisions cleanly.



