Federal Agencies Regulating US Healthcare: CMS, FDA, ONC, and More
Federal oversight of the US healthcare system is distributed across more than a dozen agencies, each operating under distinct statutory authority and enforcing separate bodies of regulation. The Centers for Medicare & Medicaid Services (CMS), the Food and Drug Administration (FDA), and the Office of the National Coordinator for Health Information Technology (ONC) represent the three highest-visibility regulators, but agencies such as the Office for Civil Rights (OCR), the Agency for Healthcare Research and Quality (AHRQ), and the Health Resources & Services Administration (HRSA) hold substantial rulemaking and enforcement power in their respective domains. Understanding which agency governs which activity is essential for hospitals, health plans, manufacturers, and provider organizations operating under federal law. This page maps the primary agencies, their statutory bases, and the operational boundaries between them.
Definition and scope
Federal healthcare regulation in the United States is not administered by a single authority. Jurisdiction is divided functionally: financing and program integrity fall to CMS, drug and device safety to the FDA, health data interoperability to ONC, civil rights compliance to OCR, and workforce and access programs to HRSA. Each agency derives authority from specific legislation — CMS from Titles XVIII and XIX of the Social Security Act, the FDA from the Federal Food, Drug, and Cosmetic Act (FD&C Act), ONC from the Health Information Technology for Economic and Clinical Health (HITECH) Act and the 21st Century Cures Act, and OCR from the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and Section 1557 of the Affordable Care Act.
The scope of federal healthcare regulation spans at least four distinct domains:
- Program financing and claims integrity — CMS administers Medicare (covering approximately 65 million beneficiaries as of 2023, per CMS Fast Facts) and Medicaid in partnership with all 50 states and the District of Columbia.
- Product safety and market authorization — FDA regulates pharmaceuticals, biologics, medical devices, and in vitro diagnostics under the FD&C Act and the Public Health Service Act.
- Health information and interoperability — ONC sets the certification criteria for electronic health record (EHR) technology under the ONC Health IT Certification Program (45 CFR Part 170) and defines the information-blocking prohibition and its exceptions in 45 CFR Part 171; enforcement of information blocking sits with the HHS Office of Inspector General (OIG), not ONC.
- Civil rights and privacy enforcement — OCR enforces HIPAA's Privacy and Security Rules as well as anti-discrimination provisions applicable to entities receiving federal financial assistance.
The boundary between state and federal authority is a recurring classification challenge. States license individual providers and facilities, while federal agencies set conditions of participation for entities accepting Medicare or Medicaid funding — a distinction explored in depth on the healthcare-accreditation-and-licensing reference page.
How it works
Each agency operates through a notice-and-comment rulemaking process governed by the Administrative Procedure Act (APA), 5 U.S.C. § 553. Proposed rules are published in the Federal Register, a public comment period (usually 30 to 60 days, set by the agency in the proposed rule) is opened, and final rules are issued with agency responses to substantive comments. Enforcement mechanisms differ by agency and statutory authority.
CMS enforcement pathway:
- CMS issues Conditions of Participation (CoPs) or Conditions for Coverage (CfCs) that hospitals, skilled nursing facilities, and other providers must meet to receive Medicare or Medicaid reimbursement (42 CFR Parts 482–485).
- State survey agencies conduct on-site inspections on CMS's behalf.
- Deficiencies trigger a citation, a plan of correction, and — in serious cases — termination from the Medicare program or Civil Money Penalties (CMPs).
FDA enforcement pathway:
- Pre-market review: pharmaceutical manufacturers submit New Drug Applications (NDAs) or Biologics License Applications (BLAs); device manufacturers submit 510(k) notifications or Premarket Approval (PMA) applications.
- Post-market surveillance: the FDA's MedWatch system collects adverse event reports, and the agency issues warning letters, recalls, and injunctions under the FD&C Act.
- Criminal referrals to the Department of Justice for fraud or egregious safety violations.
ONC enforcement:
ONC itself does not carry traditional enforcement power over providers. Instead, developers of certified health IT must meet the certification criteria and Conditions of Certification of the ONC Health IT Certification Program (45 CFR Part 170), and ONC can suspend or terminate a product's certification for non-conformity. Information-blocking complaints against health IT developers, health information networks and exchanges, and healthcare providers are investigated by the HHS Office of Inspector General (OIG) under 42 U.S.C. § 300jj-52 (Cures Act § 4004). Developers of certified health IT and health information networks or exchanges face civil money penalties of up to $1 million per violation; healthcare providers are instead subject to "appropriate disincentives" established by HHS in its programs, such as Medicare payment-program penalties, rather than the $1 million CMP.
OCR enforcement:
OCR investigates HIPAA complaints, conducts compliance reviews, and can impose civil money penalties up to $1,919,173 per violation category per calendar year (adjusted for inflation under the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015, per HHS OCR HIPAA Enforcement Data). Willful neglect cases that are not corrected are subject to mandatory penalties. For a detailed breakdown of HIPAA's privacy requirements, see the hipaa-and-medical-privacy reference page.
Common scenarios
Federal agency jurisdiction becomes most operationally relevant when a healthcare organization must determine which regulatory body applies to a specific activity. The following structured breakdown identifies representative scenarios and the primary regulating authority:
| Scenario | Primary Agency | Statutory Basis |
|---|---|---|
| A hospital fails a fire safety inspection during a CMS survey | CMS / State Survey Agency | 42 CFR § 482.41 (Physical Environment, incorporating the Life Safety Code) |
| A drug manufacturer promotes a drug for an unapproved (off-label) indication | FDA | FD&C Act § 301 (prohibited acts; misbranding) |
| A health system's EHR vendor blocks data sharing requests | OIG (via ONC complaint pathway) | 21st Century Cures Act § 4004 |
| A provider denies a wheelchair-accessible exam room request | OCR (for entities receiving federal financial assistance); DOJ for ADA Title III | Rehabilitation Act § 504; ACA § 1557; ADA Title III |
| A Federally Qualified Health Center fails to meet grant requirements | HRSA | 42 U.S.C. § 254b |
| A Medicare Advantage plan denies a medically necessary claim | CMS | 42 CFR Part 422 |
The FDA–CMS boundary is a particularly common point of confusion for medical device manufacturers. The FDA authorizes a device for market; CMS separately determines whether the device qualifies for Medicare reimbursement — a determination governed by National Coverage Determinations (NCDs) and Local Coverage Determinations (LCDs). These are independent processes, and FDA clearance does not guarantee Medicare coverage.
Similarly, the relationship between CMS conditions of participation and state licensure creates a dual-compliance layer for facilities. A hospital can be state-licensed but not CMS-certified (and thus ineligible for Medicare and Medicaid payments), or it can lose CMS certification while retaining its state license. The us-healthcare-system-overview page provides broader structural context for this federal-state division.
Mental health and substance use disorder services introduce a third regulatory layer: the Substance Abuse and Mental Health Services Administration (SAMHSA) administers block grants to states under the Community Mental Health Services Block Grant program and the Substance Abuse Prevention and Treatment Block Grant, while parity requirements under the Mental Health Parity and Addiction Equity Act (MHPAEA) of 2008 are enforced by CMS for non-federal governmental plans and for issuers in states that do not enforce them, and by the Department of Labor (with Treasury) for private employer-sponsored plans. The mental-health-services page details those access frameworks.
Decision boundaries
Identifying which agency has jurisdiction — or whether jurisdiction overlaps — requires evaluating the activity type, the regulated entity class, and the funding relationship with the federal government.
CMS vs. FDA:
CMS jurisdiction applies when the primary question concerns reimbursement eligibility, conditions of participation, or program integrity (payment suspensions, overpayment recovery, and referrals); fraud cases under the False Claims Act are litigated by the Department of Justice, with HHS OIG handling exclusions and related civil money penalties. FDA jurisdiction applies when the question concerns product safety, labeling, manufacturing quality, or market authorization. A single product (such as a combination drug-device) can fall under both agencies simultaneously: FDA assigns the lead review center based on the product's primary mode of action under FD&C Act § 503(g), and CMS separately decides whether and how the product is covered and paid.
OCR vs. FTC:
The Federal Trade Commission (FTC) holds concurrent authority over health data privacy for entities not covered by HIPAA — particularly consumer health applications and wearable device manufacturers that are not HIPAA-covered entities or business associates. The FTC enforces Section 5 of the FTC Act against unfair or deceptive practices and has applied the Health Breach Notification Rule (16 CFR Part 318) to non-HIPAA health app developers.
ONC vs. CMS on interoperability:
Both ONC and CMS issued parallel final rules on May 1, 2020 implementing Section 4004 of the 21st Century Cures Act. ONC's rule governs EHR certification criteria and the information-blocking definitions and exceptions (85 FR 25642). CMS's companion Interoperability and Patient Access rule (85 FR 25510) requires Medicare Advantage organizations, Medicaid and CHIP programs, and qualified health plan issuers on the Federally-facilitated Exchanges to expose Patient Access and Provider Directory APIs and to support payer-to-payer data exchange, and it added electronic admission, discharge, and transfer notifications to the hospital Conditions of Participation. These are complementary but independently enforceable.
Accreditation bodies as deemed authorities:
The Joint Commission, DNV GL Healthcare, and the Center for Improvement in Healthcare Quality (CIHQ) hold CMS "deemed status," meaning their accreditation surveys are accepted in lieu of direct CMS state agency surveys for hospital certification. Deemed status is granted by CMS under 42 CFR