In this episode of Compliance Deconstructed, Jessica Zeff and Elvan Baker sit down with Denise Lord to explore the realities of managing healthcare compliance in a critical access hospital. Denise shares firsthand insights into balancing multiple responsibilities, building effective compliance programs with limited resources, and creating sustainable processes that support both regulatory requirements and patient care.

This in-depth conversation examines the unique structure of critical access hospitals, where compliance leaders often oversee quality, risk management, infection prevention, patient experience, and privacy responsibilities simultaneously. Denise explains how this broad oversight can provide valuable visibility into organizational operations, helping healthcare leaders identify trends, address risks proactively, and strengthen collaboration across departments.

Jessica, Elvan, and Denise also discuss the importance of fostering a culture of shared ownership for compliance. They highlight the role of executive leadership, compliance committees, department managers, and frontline staff in creating an environment where ethical decision-making, regulatory adherence, and patient safety become part of everyday operations rather than isolated compliance activities.

Key Takeaways:

• Critical access hospital compliance leaders often oversee multiple functions, creating opportunities to identify risks and trends across the organization.

• Strong compliance programs depend on collaboration between leadership, clinical teams, operations, legal counsel, information technology, and frontline staff.

• Compliance committees become more effective when members actively participate in discussions and help identify organizational priorities.

• A just culture approach helps organizations address incidents fairly while encouraging staff to report concerns and potential compliance issues.

• Privacy and HIPAA training become more meaningful when employees understand how compliance directly impacts patients, families, and their local communities.

• Successful compliance management requires flexibility, strategic prioritization, strong communication with leadership, and a willingness to adapt when unexpected challenges arise.

Learn more about Healthcare Compliance and discover how Simply Compliance can help your company at simplycomplianceconsulting.com.

Information security plays a critical role in healthcare compliance, risk management, and organizational resilience. In this episode of Compliance Deconstructed, Jessica Zeff, Lorie Davis, and special guest Joe Wynn, Founder & CEO of Seiso, break down the foundational elements of an effective information security program and explain why protecting sensitive data requires a structured approach that extends beyond technology solutions.

This in-depth conversation explores the importance of conducting comprehensive risk assessments to identify vulnerabilities, evaluate threats, and prioritize security efforts based on potential impact. The hosts also discuss practical safeguards such as multi-factor authentication, data backups, software patching, access controls, and employee training that help healthcare organizations strengthen their security posture and reduce exposure to cybersecurity risks.

Jessica, Lorie, and Joe also address common misconceptions surrounding HIPAA compliance, SOC 2 reports, and security attestations while highlighting emerging concerns related to website tracking technologies and third-party data sharing. After consuming this episode, you’ll gain actionable insights into building a sustainable information security strategy that supports regulatory compliance, protects patient information, and promotes long-term organizational success.

Key Takeaways:

• Risk assessments provide the foundation for identifying security gaps, evaluating threats, and prioritizing remediation efforts across the organization.

• Multi-factor authentication, secure backups, regular software updates, access management, and employee education remain essential components of a strong security program.

• Healthcare organizations should understand that there is no official HIPAA certification and that compliance requires ongoing oversight and accountability.

• SOC 2 reports evaluate security controls and can support broader compliance initiatives when paired with regulatory assessments.

• Website cookies, tracking scripts, and third-party marketing tools can create privacy and compliance risks when organizations do not fully understand how data is collected and shared.

• Information security requires continuous evaluation, process improvement, and cross-functional collaboration to protect sensitive information and maintain regulatory compliance.

Connect with Joe Wynn

Website | LinkedIn

Learn more about Healthcare Compliance and discover how Simply Compliance can help your company at simplycomplianceconsulting.com.

In this episode of Compliance Deconstructed, Jessica Zeff joins co-hosts Elvan Baker and Lorie Davis to unpack one of the most operationally complex areas of healthcare compliance: Medicaid and the realities of navigating state-specific healthcare programs. The reality is Medicaid is not a single national program with standardized rules, and organizations often underestimate how much variation exists between states when it comes to eligibility, benefits, managed care structures, provider enrollment, and compliance obligations.

Jessica, Elvan, and Lorie explore how Medicaid differs from Medicare and private insurance while discussing why compliance professionals, providers, and health plans cannot rely on assumptions when entering new Medicaid markets. From a compliance standpoint, this becomes especially important when organizations expand across state lines and discover that processes tied to credentialing, appeals, grievances, staffing, reporting, and oversight may look completely different depending on the state administering the program.

The conversation also examines the balance between federal oversight from the Centers for Medicare & Medicaid Services and the flexibility states have to design their own Medicaid programs through waivers, managed care arrangements, and operational structures. On paper, this may sound straightforward. But operationally, this becomes challenging when organizations attempt to align compliance, legal, IT, clinical operations, and leadership teams around requirements that are often layered across contracts, appendices, policy manuals, and state guidance documents.

Jessica, Elvan, and Lorie also share practical strategies for approaching Medicaid compliance in a structured and sustainable way, including conducting detailed gap analyses, building operational playbooks, mapping information flow, and training teams on state-specific requirements. A lot of organizations struggle with treating Medicaid compliance like a one-time implementation project, when in practice it requires ongoing monitoring, collaboration, and operational adaptability to manage risk effectively while supporting patient access and organizational stability.

Key takeaways from this episode:

• Medicaid programs vary significantly from state to state, including eligibility rules, covered services, managed care structures, and provider participation requirements.
• Compliance professionals should avoid assuming that experience in one Medicaid program automatically translates to another state’s program.
• CMS provides federal oversight, but states maintain substantial flexibility through waiver programs, managed care models, and operational design decisions.
• Provider enrollment, credentialing, appeals and grievances, staffing requirements, and reporting obligations often differ substantially across states.
• Conducting a detailed gap analysis helps organizations identify operational, compliance, staffing, and technology requirements before entering a Medicaid market.
• Successful Medicaid compliance requires collaboration across compliance, operations, legal, clinical, IT, and leadership teams to ensure policies translate into day-to-day operational execution.

Learn more about Healthcare Compliance and discover how Simply Compliance can help your company at simplycomplianceconsulting.com.

Healthcare providers continue to face growing pressure to improve patient outcomes while meeting evolving regulatory expectations, and this episode of Compliance Deconstructed breaks down how the Merit-based Incentive Payment System (MIPS) shapes modern healthcare compliance and quality reporting. Jessica Zeff, Lorie Davis, and Elvan Baker explain how MIPS creates measurable standards for quality care and why healthcare organizations need a practical strategy for managing performance across multiple reporting categories.

The conversation explores the four pillars of MIPS, including Quality, Cost, Improvement Activities, and Promoting Interoperability, while providing real-world examples of how these metrics impact healthcare providers on a daily basis. The hosts discuss how quality measures influence patient care workflows, how cost tracking affects reimbursement, and why interoperability continues to play a growing role in coordinated healthcare delivery.

Once you press play, you’ll gain actionable insights into how healthcare organizations can build stronger compliance processes by integrating MIPS requirements directly into clinical operations and electronic health record systems. This episode also highlights the importance of monitoring performance data consistently, engaging in ongoing improvement activities, and understanding the reasoning behind quality measures instead of approaching reporting as a checkbox exercise.

Jessica, Lorie, and Elvan bring an approachable perspective to a topic that often feels overwhelming for healthcare professionals navigating compliance obligations and government reporting programs. Their discussion provides healthcare leaders, administrators, and compliance professionals with a clearer understanding of how MIPS participation can support operational efficiency, strengthen patient outcomes, and position organizations for long-term success in value-based care environments.

Key takeaways from this episode:

• MIPS was created to measure and incentivize quality healthcare delivery across the Medicare system.
• The Quality category evaluates providers using detailed performance measures tied to patient outcomes and treatment standards.
• Cost measures examine healthcare spending patterns and help identify opportunities for more efficient care delivery.
• Improvement Activities encourage providers to invest in continuous education, workflow enhancements, and patient-centered initiatives.
• Promoting Interoperability focuses on secure electronic health record communication and coordinated care between providers.
• Successful MIPS participation requires proactive workflow integration, consistent performance monitoring, and a strong understanding of reporting requirements.

Learn more about Healthcare Compliance and discover how Simply Compliance can help your company at simplycomplianceconsulting.com.

HEDIS measures, developed by the National Committee for Quality Assurance, provide a standardized framework for evaluating healthcare quality across health plans and provider organizations. In Episode 24 of Compliance Deconstructed, Jessica Zeff and Lorie Davis break down how the Healthcare Effectiveness Data and Information Set (HEDIS) supports consistent performance measurement and drives improved patient outcomes.

Today’s conversation explores how HEDIS measures track key areas such as preventative care, chronic disease management, behavioral health, access to care, and patient experience. These categories help healthcare organizations identify whether patients are receiving evidence-based services, while also highlighting opportunities to improve engagement and care delivery.

Jessica and Lorie explain the HEDIS data collection process, including the use of claims data, chart chase efforts, and medical record abstraction to validate performance. This process ensures that healthcare organizations capture accurate and complete data, which is essential for reporting, regulatory compliance, and quality improvement initiatives.

The episode also emphasizes the importance of identifying and closing care gaps, along with the critical role compliance plays in maintaining data integrity, privacy, and adherence to regulations. By integrating compliance into every stage of HEDIS planning and execution, healthcare organizations can reduce risk, support accreditation efforts, and strengthen overall performance.

Key Takeaways:

• HEDIS measures provide a standardized system for evaluating healthcare quality and performance across organizations
• The framework tracks essential areas including preventative care, chronic disease management, and patient experience
• Accurate data collection relies on claims data, chart chases, and detailed medical record abstraction
• Care gaps identify missed healthcare services and create opportunities for targeted patient outreach
• Compliance ensures regulatory adherence, data security, and ethical handling of patient information
• A proactive, year-round HEDIS strategy supports improved outcomes, stronger reporting, and organizational success

Learn more about Healthcare Compliance and discover how Simply Compliance can help your company at simplycomplianceconsulting.com.

This episode of Compliance Deconstructed is brought to you by Jessica Zeff of Simply Compliance and features Emma Howard of Cozza Law Group. Together, they focus on medical spa compliance and Managed Service Organizations (MSOs). This episode explores how MSOs help medical spa owners navigate complex healthcare regulations and maintain legal compliance.

The conversation breaks down the corporate practice of medicine doctrine, explaining how state-specific laws impact who can own and operate a medical spa. Emma highlights how compliance structures like MSOs create a legal separation between clinical care and business operations to reduce regulatory risk.

As you consume this episode, you’ll learn how the two-entity MSO model, consisting of a physician-owned medical company and a non-clinical services company, supports compliant medical spa ownership. The episode also explains the importance of a Management Services Agreement (MSA) in defining roles, responsibilities, and financial arrangements between entities.

Jessica and Emma also discuss key compliance risks, including fee splitting, unauthorized practice of medicine, and improper operational control. This in-depth conversation provides actionable guidance for building compliant healthcare business models, improving risk management, and ensuring long-term operational success.

Key Takeaways:

• Managed Service Organizations (MSOs) enable compliant medical spa ownership in regulated states
• The corporate practice of medicine doctrine determines who can legally own medical businesses
• The two-entity structure separates clinical services from administrative operations
• Management Services Agreements (MSAs) are essential for defining compliant relationships
• Improper structuring can lead to fee splitting and unauthorized practice of medicine risks
• Legal guidance is critical when setting up and managing an MSO structure 

Learn more about Healthcare Compliance and discover how Simply Compliance can help your company at simplycomplianceconsulting.com.

In this episode of Compliance Deconstructed, hosts Jessica Zeff, Elvan Baker, and Lorie Davis challenge the outdated perception of compliance as a rigid, rule-enforcing function and instead position it as a dynamic, strategic driver within healthcare organizations. They explore how modern healthcare compliance professionals contribute to organizational success by blending regulatory expertise with communication, trust-building, and leadership skills.

The conversation begins with the critical role of ethics and trust in building an effective compliance program, emphasizing the importance of approachability and integrity in healthcare compliance leadership. The hosts highlight how creating a safe environment for reporting concerns strengthens compliance outcomes and prevents small issues from escalating into major regulatory risks.

Accountability and empathy emerge as essential qualities for compliance professionals, particularly in complex healthcare environments where fairness and consistency must guide every decision. The discussion underscores how empathetic problem-solving improves collaboration, helping compliance officers address challenges while maintaining strong relationships across clinical and administrative teams.

Finally, the episode reframes compliance as an educational function, encouraging professionals to shift from being the “department of no” to the “department of know.” By focusing on training, communication, and continuous learning, compliance leaders can empower employees to make informed decisions, ultimately strengthening organizational integrity and long-term regulatory success.

Key Takeaways:

• Trust and ethical integrity are foundational to successful healthcare compliance programs
• Approachability encourages employees to report concerns early and transparently
• Consistent accountability ensures fairness across all levels of an organization
• Empathy enhances compliance effectiveness without compromising standards
• Education-driven compliance fosters better decision-making and reduces risk
• Strong communication skills are essential for translating complex regulations into actionable guidance

Learn more about Healthcare Compliance and discover how Simply Compliance can help your company at simplycomplianceconsulting.com.

On this episode of Compliance Deconstructed, hosts Jessica Zeff, Lorie Davis, and Elvan Baker explore the critical non-clinical skills every healthcare professional must master to succeed beyond medical training. Listeners will learn why clinical expertise alone is not enough in today’s complex healthcare environment and how gaps in business, regulatory, and operational knowledge can lead to stress, burnout, and compliance risk.

The conversation dives into the business of healthcare, breaking down revenue cycles, insurance dynamics, billing practices, and operational costs that directly impact patient care and organizational sustainability. Jessica, Lorie, and Elvan explain how understanding financial workflows and administrative systems empowers clinicians to reduce delays, improve efficiency, and strengthen overall practice performance.

Episode 21 also unpacks the regulatory landscape shaping modern healthcare, including the requirements of Health Insurance Portability and Accountability Act (HIPAA), billing compliance standards, and the protection of Protected Health Information (PHI). The hosts discuss real-world compliance pitfalls, personal liability risks, and why safeguarding patient privacy is not just a rule, but a civil right central to ethical care delivery.

Additionally, the discussion turns to business ethics, physician relationships, and the legal boundaries defined by the Stark Law and the Anti-Kickback Statute. Listeners will gain practical strategies for navigating administrative burdens like prior authorizations, avoiding improper financial arrangements, and building a sustainable healthcare career rooted in compliance, transparency, and operational excellence.

Key Takeaways from This Episode:

• Clinical training does not fully prepare healthcare professionals for the operational and regulatory realities of modern practice.
• Understanding healthcare revenue, insurance processes, and billing compliance is essential for reducing financial and administrative strain.
• HIPAA compliance and PHI protection are fundamental responsibilities that carry potential personal liability.
• Violations of Stark Law and the Anti-Kickback Statute can result from seemingly minor financial relationships or incentives.
• Administrative processes such as prior authorizations and documentation requirements directly impact patient experience and workflow efficiency.
• Developing non-clinical skills in business, ethics, and compliance leads to reduced burnout, improved patient care, and long-term professional success.

Learn more about Healthcare Compliance and discover how Simply Compliance can help your company at simplycomplianceconsulting.com.

In this episode of Compliance Deconstructed, hosts Jessica Zeff and Elvan Baker explore why written policies and procedures are foundational to business success, risk mitigation, and regulatory compliance. Throughout this conversation, they break down how documented guidance eliminates confusion, creates operational consistency, and protects organizations from unnecessary legal and financial exposure.

Clear, well-written policies function as a company’s rulebook by defining expectations, outlining responsibilities, and standardizing processes across departments. When employees have accessible, written procedures to reference, organizations reduce misinterpretation, improve accountability, and strengthen internal controls.

Jessica and Elvan also examine the critical role policies play in legal and regulatory compliance, especially in highly regulated industries like healthcare. Documented policies demonstrate due diligence during audits, investigations, and compliance reviews, while routine updates ensure alignment with evolving laws, industry standards, and regulatory requirements.

The episode concludes with a practical, step-by-step framework for developing effective policies and procedures, including stakeholder collaboration, structured drafting, training, and ongoing review. The hosts also discuss how AI and LLM tools can assist with brainstorming and drafting, while emphasizing that human expertise, organizational context, and compliance insight remain essential to producing policies that truly protect and support the business.

Key Takeaways

• Written policies and procedures establish clear expectations and reduce operational confusion.
• Documented processes promote consistency, accountability, and standardized decision-making.
• Strong policies serve as evidence of compliance during audits, investigations, and legal challenges.
• Regular review and updates are necessary to maintain alignment with changing laws and regulations.
• AI and LLM tools can support drafting and organization, but human expertise is required for customization and compliance accuracy.
• Effective policy development includes stakeholder input, employee training, and continuous improvement.

Learn more about Healthcare Compliance and discover how Simply Compliance can help your company at simplycomplianceconsulting.com.

In this episode of Compliance Deconstructed, hosts Jessica Zeff, Elvan Baker, and Lorie Davis unpack the true meaning of whistleblowing in healthcare compliance and why speaking up is essential to protecting patients and public funds. They explore how whistleblowing differs from gossip or tattling, emphasizing that good faith reporting is rooted in observed facts, regulatory violations, and unresolved internal concerns, not rumors or personal grievances.

This thorough discussion highlights real-world healthcare scenarios, including pharmaceutical off-label promotion and falsified patient records, to demonstrate how compliance failures can escalate into systemic wrongdoing. By clarifying the distinction between minor workplace issues and serious fraud, the hosts provide compliance professionals with practical insight into when concerns rise to the level of protected whistleblower activity.

A major focus of the episode is the legal framework surrounding whistleblowing, including the Qui Tam provisions under the False Claims Act that allow individuals to report fraud against government healthcare programs and potentially receive a financial award. The hosts explain how these incentives are designed to offset the personal and professional risks whistleblowers face, while reinforcing that most individuals are motivated by ethics, accountability, and patient safety over financial gain.

Finally, the conversation turns to building a culture of trust within healthcare organizations through strong non-retaliation policies, confidential reporting channels, and responsive compliance programs. By fostering psychological safety and taking internal reports seriously, organizations can address misconduct early, reduce regulatory exposure, and strengthen overall compliance governance.

Key Takeaways from This Episode

• Whistleblowing in healthcare compliance involves reporting serious legal or regulatory violations, not minor workplace complaints.
• Good faith reporting requires a genuine belief that misconduct has occurred, supported by factual observations.
• Systemic fraud, false claims, patient safety risks, and regulatory violations are common triggers for protected whistleblower actions.
• The False Claims Act’s Qui Tam provisions incentivize reporting fraud against government healthcare programs while acknowledging the risks whistleblowers take.
• Strong non-retaliation policies and confidential reporting mechanisms are essential components of an effective compliance program.
• Creating a speak-up culture helps healthcare organizations identify risks early, prevent enforcement actions, and protect both patients and public funds.

Learn more about Healthcare Compliance and discover how Simply Compliance can help your company at simplycomplianceconsulting.com.