Federal Agencies Regulating US Healthcare: CMS, FDA, ONC, and More

The US healthcare system doesn't answer to a single authority — it answers to a layered architecture of federal agencies, each holding a specific jurisdiction over drugs, dollars, data, or delivery. Understanding which agency does what matters enormously when a hospital faces an audit, a patient disputes a coverage decision, or a startup tries to bring a health app to market. This page maps the major federal regulators, explains how their authority intersects, and clarifies who calls the shots in common real-world situations.

Definition and scope

Federal oversight of healthcare in the United States is distributed across at least a dozen agencies operating under different statutory mandates. No single "Department of Healthcare" exists. Instead, authority is divided by function: financing, safety, access, data standards, public health, and research each fall under distinct regulatory homes.

The five agencies with the broadest day-to-day impact on how Americans experience healthcare are:

  1. Centers for Medicare & Medicaid Services (CMS) — administers Medicare, Medicaid, the Children's Health Insurance Program (CHIP), and the Health Insurance Marketplace created under the Affordable Care Act. CMS is the single largest payer in US healthcare, covering more than 160 million people according to CMS enrollment data.
  2. Food and Drug Administration (FDA) — regulates drugs, biologics, medical devices, and increasingly digital health tools. Drug approval timelines, device clearance pathways, and the 510(k) process all run through FDA's Center for Devices and Radiological Health (CDRH) or Center for Drug Evaluation and Research (CDER).
  3. Office of the National Coordinator for Health Information Technology (ONC) — sets the interoperability and health IT standards that govern how medical records and health data move between systems. ONC's authority was significantly expanded by the 21st Century Cures Act of 2016.
  4. Office for Civil Rights (OCR) within HHS — enforces HIPAA's Privacy and Security Rules. OCR can issue civil monetary penalties reaching $1.9 million per violation category per year (HHS OCR, HIPAA Enforcement).
  5. Centers for Disease Control and Prevention (CDC) — leads public health surveillance, disease reporting, and immunization policy. CDC does not directly regulate healthcare providers but shapes clinical practice through guidelines that CMS and accreditation bodies frequently adopt.

Supporting these five are the Agency for Healthcare Research and Quality (AHRQ), which funds comparative effectiveness research; the Health Resources & Services Administration (HRSA), which oversees community health centers and workforce programs; and the Substance Abuse and Mental Health Services Administration (SAMHSA), the primary federal authority over substance use disorder treatment funding and certification.

How it works

Each agency derives its authority from specific enabling legislation passed by Congress. CMS enforces conditions of participation — the baseline requirements a hospital, nursing facility, or home health agency must meet to receive Medicare and Medicaid payments. Miss those conditions, and a provider can lose access to federal reimbursement entirely, which for most hospitals represents 40–60% of total revenue.

FDA operates a pre-market review system: a product cannot be legally marketed until it clears the appropriate pathway. A new pharmaceutical drug requires a New Drug Application (NDA) reviewed under 21 CFR Part 314. A Class III medical device — a pacemaker, for instance — requires a Premarket Approval (PMA), the most rigorous review tier. Lower-risk devices may qualify for the faster 510(k) clearance by demonstrating substantial equivalence to a legally marketed predicate device.

ONC enforces information blocking rules established under 45 CFR Part 171. A healthcare provider, health IT developer, or health information exchange that restricts the flow of electronic health information without a recognized exception can face penalties up to $1 million per violation (ONC, Information Blocking).

These agencies coordinate — sometimes awkwardly — through HHS, which houses CMS, FDA, ONC, OCR, CDC, AHRQ, HRSA, and SAMHSA under one departmental roof. Coordination doesn't mean uniformity: FDA's evidentiary standards for drug approval operate entirely separately from CMS's coverage determination process, which is why a drug can be FDA-approved yet not covered by Medicare without a separate National Coverage Determination.

Common scenarios

Hospital compliance: A hospital seeking Medicare certification must satisfy CMS Conditions of Participation codified at 42 CFR Part 482. State surveyors conduct on-site inspections on CMS's behalf, reporting findings that determine certification status. Understanding hospital types and designations helps clarify which conditions apply.

Digital health products: A company building a clinical decision support tool must determine whether FDA classifies it as a medical device. FDA's 2019 Digital Health Policy Navigator and subsequent guidance distinguish between software that is clearly a device (Class II or III) and software that meets the low-risk exemptions under the 21st Century Cures Act. ONC simultaneously governs whether the same tool must support interoperability standards.

Insurance coverage disputes: A patient denied coverage for a specialty drug is navigating CMS rules (if on Medicare or Medicaid), the ACA's essential health benefits framework, and potentially OCR protections against discriminatory coverage denials. The patient rights and protections framework draws from all three sources simultaneously.

Decision boundaries

Knowing which agency to engage depends on the nature of the problem:

The critical distinction between CMS and FDA captures the broader logic of the whole system: CMS decides whether something gets paid for; FDA decides whether something is safe and effective enough to exist in the market. Those are different questions, answered by different evidentiary standards, with different administrative processes — and both answers are needed before most healthcare interventions reach a patient. The US healthcare policy overview traces how these agency mandates evolved alongside the broader legislative history of American health reform.

References