
CMS Enforcement Acceleration: What the 2025 Penalty Wave Means for Hospitals

An analysis of CMS enforcement patterns in 2025, including the expansion of audit scope, penalty acceleration for repeat violations, and what hospitals should do immediately to reduce their exposure.

SumHealth Editorial Team, October 14, 2025

The Enforcement Landscape Has Shifted

CMS’s enforcement posture on hospital price transparency has changed materially in 2025. What began as primarily complaint-driven reviews has evolved into a proactive, data-driven audit program — with penalties now assessed at scale.

Key 2025 Enforcement Developments

Expanded Random Audit Sample

CMS announced in February 2025 that it would double its quarterly random audit sample of hospital machine-readable files (MRFs) from 5% to 10% of all licensed hospital facilities. For the first time, smaller critical access hospitals are included in the audit pool.

Accelerated Penalty Schedule for Repeat Violations

Hospitals cited for the same deficiency in consecutive quarters now face an accelerated penalty schedule:

  • First violation: corrective action plan required, no immediate penalty
  • Second violation (same deficiency): $500/day assessed from the date of the first warning letter
  • Third violation: full statutory maximum of $2M/year

Expanded Deficiency Categories

CMS added three new categories of citable deficiencies in its March 2025 technical guidance:

  1. Failure to publish the MRF under the required naming convention at the root domain level
  2. Rate records that fail to distinguish between negotiated and billed rates
  3. MRFs that have not been updated within 12 months of the prior publication

Immediate Steps for Hospital Compliance Teams

  1. Verify your MRF URL is accessible from the hospital’s root domain (not a subdomain), with the required file naming convention
  2. Check your last publication date — files more than 11 months old are at elevated audit risk
  3. Validate your schema version — CMS schema v2.0.0 is required; older versions are now citable deficiencies
  4. Audit your NPI and EIN identifiers for accuracy against current NPPES records

SumHealth’s Compliance Monitor performs all of these checks continuously, with real-time alerts when any monitored facility’s MRF falls out of compliance.
