AI, Risk, and the Compliance Advantage with Paul DeMuro

Artificial intelligence is moving into healthcare faster than most compliance programs can keep up. In this episode of The Compliance Advantage, host Ross Ronan talks with Paul DeMuro, Counsel at Katten Muchin Rosenman LLP, about what that means for the people responsible for getting it right. 

Paul brings a rare cross-disciplinary view to the conversation. He is a healthcare attorney with a PhD in Biomedical Informatics, an MBA, and a CPA, and he has spent decades architecting deals and advising boards. He and Ross dig into why AI policies and procedures belong in every healthcare organization, and why the compliance officer is the right person to own them. 

The two also cover where AI creates real exposure: hallucinations, biased data, the limits of the human in the loop, and a growing patchwork of state laws that complicate any national platform. Paul makes the case that experience and judgment matter more, not less, as AI tools spread, and that diverse, collaborative teams beat any single model. 

Throughout, the throughline is opportunity. Bringing compliance in early on a deal saves money and surfaces risk before it becomes a problem. Treating AI governance as part of running the business, the way finance follows accounting rules, turns a source of uncertainty into a strategic advantage. 

Why should a healthcare organization have AI policies and procedures? 

Because AI now touches clinical, operational, and business decisions, and those uses need the same written guardrails as anything else in the organization. Paul DeMuro frames AI governance as a normal part of running the business, the way finance follows accounting rules, and he points to the compliance officer as the natural owner of those policies. 

Who should own AI compliance inside a healthcare company? 

The compliance officer. Paul argues that no one is better positioned to interface with AI policies and procedures, and that AI gives compliance a larger, more strategic role rather than a smaller one. 

What is the real risk of relying on AI in healthcare? 

AI models can hallucinate, work from biased data, and produce confident answers that are wrong. A human in the loop only helps if that human has the experience to catch the error. Paul warns that judgment built over years, not just access to a model, is what protects the organization. 

When should compliance be brought into a healthcare deal? 

Early. Ross Ronan and Paul DeMuro agree that bringing compliance and regulatory diligence in at the start surfaces risk before it becomes a post-close problem. The most sophisticated private equity buyers ask a few sharp questions up front, which saves money and protects the investment. 

How do state AI laws affect a national healthcare platform? 

They create a complicated regulatory labyrinth. State legislatures are moving quickly, sometimes restricting AI in healthcare decision-making, and a national platform often has to manage to the strictest common standard while the rules keep changing. 

Ross Ronan (00:00) 

Welcome to The Compliance Advantage. Today we have a really special guest and a friend of mine, Paul DeMuro, who is counsel at Katten. Paul, thank you so much for joining me today and talking about compliance and AI and things of that nature. 

Paul DeMuro (00:15) 

Thank you, Ross. Thank you for inviting me, and thank you for your many contributions to the compliance industry and your podcast. I had the pleasure of listening to all of them except the last one because I was traveling. 

Ross Ronan (00:29) 

I'm sure you'll get to it. So Paul and I used to serve on a board together at MGMA, and that's how we really got introduced and became friends. I really enjoyed spending time with you and helping that group develop into what it needs to be. 

Tell us a little bit more about your pathway into healthcare law. You've been doing it for such a long time, so tell us how you got to where you're at today. 

Paul DeMuro (00:56) 

When I was going to graduate from law school, I always thought I'd work for an oil company, but I wasn't able to hire on to the oil company in Texas, so I joined a law firm on the East Coast. I did corporate work, and then they had me in litigation, and then I did some reimbursement and antitrust and healthcare. I decided that healthcare was pretty complicated and rather interesting. 

I thought the East was a little boring, so I moved to the West Coast. I guess compliance wasn't as big of an issue back in the '80s, but it was very fascinating. Then I decided, well, maybe I didn't want to be a lawyer, so I went to business school and almost interviewed for another oil company, but this time as a management trainee. They raised my salary, the world got much more interesting in California, and I decided to stay with healthcare. So that's how I got in, just by happenstance. 

Ross Ronan (01:55) 

It's amazing. I went to law school thinking I was going to become this great healthcare defense lawyer, and then tort reform hit within Texas. I also worked for a little bit in a law firm and decided that is just really not what I ever want to do for the rest of my life. If I ever had to keep hours again, that would drive me crazy. So I got into compliance that way. It sounds like a similar story of changing into new things outside of law. 

Paul DeMuro (02:24) 

I find that to be true, Ross. Many of the people who have gotten into healthcare, particularly in compliance, and your guests have mentioned this in prior podcasts, it's just by happenstance. One of the things that I appreciate the most was being a young lad and having a number of repetitive jobs. I didn't want to be in a field where it was the same thing all the time. I didn't know it'd be different every minute, as you said, but it is, and that's very interesting. 

Compliance as Part of Running the Business 

Ross Ronan (02:54) 

When we talk about The Compliance Advantage, we talk about leadership. I know you've sat on a lot of boards and been in different positions within healthcare. The compliance advantage really talks about how compliance can be seen as an advantage, but it's really seen as an advantage by leaders in healthcare. 

When you think about your journey from where you came from to where you are today, leading big teams and leading initiatives, is there a mentor or philosophy or something that taught you how to be a leader and drive things forward, even as a board member? 

Paul DeMuro (03:38) 

It started with having good mentors in a first job, and I think many people have had that, not only in my professional positions but in other positions where people guided you and took an interest in your career. In my new position at Katten, I have one of the best leaders I've ever had. I feel that I was in part hired to mentor her, because she's a lot younger, in how we developed our practice, but I found myself being mentored by her also. So it's really a two-way street, and it depends on the culture. 

One of the things that's probably most important is realizing the importance of compliance. You probably would ask me this question, but I thought about it a lot, because every podcast we talk about how important compliance is. This morning it struck me: I'm a certified public accountant in Maryland, and I don't hear the finance department and accounting department talking about whether or not they want to follow the accounting rules. 

The rules that govern compliance, which are in my view much more complex, it's really a matter of it just being part of running a business. And the business, as you've said before, is focusing on patient care and the best interest of the patient. So I think it has evolved over the last thirty-five years I've worked in it, because originally compliance officers were like cops. They found something that was wrong. Now what I find is the compliance officer almost has to be the person who finds the solution. 

One of the things that's good about my varied background is I can draw from a lot of different areas in trying to come up with those solutions. When I got my doctorate, I realized I knew less than I thought I did, so I knew who to talk to. The compliance officers I've worked with who are the most successful are those who think about the answer and realize they might not know the solution, but they know who to go to and who to bring in, because there are sometimes other ways of doing things. 

Ross Ronan (06:20) 

I love this analogy, and you do have this plethora of education and experience: JD and PhD in informatics, MBA and CPA, like you said. It was really interesting that you said, as a CPA dealing with the finances, and I never really thought about it this way, you never walked into the controller or the CFO's office and said, “Hey, today, do you think you want to follow GAAP, or do you think you might not want to follow GAAP principles? What do you think you want to do with the financials today?” It's always, “Well, no, we are going to do it this way. This is how we're going to do it. We always do it this way, and this is what it is.” 

You're right. In the compliance realm you do get this odd perception that it is by choice what you can follow or what you can't follow and how you're going to do it. Some people don't put in a compliance program because they see it as the cop, or they see it as a hurdle, or they see it as a way to slow business or slow growth. Instead of saying, “No, this is how we show the advantage of the organization, and this is how we see it growing, and this is how we protect our investment.” 

So with all of those backgrounds that you have, and even seeing what a CPA does, how does that change how you talk to clients about either legal issues or compliance issues? I think there's such a different range of people that you have to deal with on a day-to-day basis. 

Bringing Compliance into Deals from the Beginning 

Paul DeMuro (08:04) 

One of the first things is trying to decide if you're trying to get a deal done or you're trying to accomplish some goal. On one of your podcasts, you asked people what they would like to know if they were clairvoyant. I would like to know, before I went in the room, if there were 12 people, what people's motivation was with respect to this specific transaction. 

If it's a merger of two companies, are the CEOs primarily concerned with what their compensation is going to be? How is the board put in this? I always try, not always successfully, to involve compliance from the beginning. Sometimes I get pushback about who's going to be on the team, and I did the same thing when I was general counsel for a company. The reason is, in my view, not because they'd catch me or something, but the diversity of thought is very important. 

I've done this long enough to know that my task is to get to a specific goal. While I'm hired to do certain things, sometimes a would-be acquirer realizes in diligence that he doesn't want this company, that it isn't worth what they thought it was, as you've said in one of the other podcasts. Back when we had data rooms, we had a huge data room in a western state, and after three or four days, we realized we didn't want the company at any cost. While I was despondent because I'm a deal guy, the CEO turned to me and thanked me for helping facilitate not buying a company that wouldn't work for them. 

Sometimes everything's not even in the documents. You acquire a company, and there are employees who don't respect compliance, and then on day one after you've acquired the company, you have a problem you didn't know you had. So I try to get everybody on board and understand their reasoning and thoughts. Ultimately, sometimes you have to go to the board of directors, because the board may have a special committee. 

Ross Ronan (10:54) 

It does. I think it's amazing when we're talking about architecting deals. I just did a panel discussion on this at the transactions conference for AHLA a couple of weeks ago. A lot of this is when you bring in your regulatory and your compliance diligence, right up front, or you do it on the back end. I really think that says a lot about understanding the compliance risk when you're doing a deal. 

If someone is doing a deal and says, “Hey, we're going to do it at the end, because you know what we need to do? Check that box. Get that done. We're going to get our reps and warranties insurance, we have to do compliance diligence to be able to do that,” it's a much different kind of behavior than if it's somebody up front, like a CEO going, “I want to know what I'm getting into right off the bat.” So how do you deal with people who want to push it to the back side versus really using it as their advantage to say, “Can I get into this or can I get out of this deal?” 

Paul DeMuro (12:09) 

Oddly enough, I find the most sophisticated clients I've worked with are private equity. They don't want me to come up with a 200-page diligence list initially. They have a list, and we modify it based upon whether it's a hospice, a hospital system, or whatever kind of company. There are a couple of key things they want to know up front, and if these things aren't answered to their satisfaction, they might not go through with the next phase of the deal. This saves them a ton of money. It doesn't mean they might not find things later that are problematic, but it's very important to do this. 

And who is better to be on that team than people from compliance? I can kick this to them and say, let's say it's one particular niche healthcare company, and I'm working with Ronan Healthcare Compliance, “Ross, what about this particular IT or EHR company, and what do you see in your compliance work across the country?” We come up with what I call a mini diligence list. We meet with the private equity sponsor and say, “This is a way that we might be able to save money and move more quickly.” And almost invariably, they're fine with it. 

Ross Ronan (13:44) 

It's amazing. A lot of our clients, well, 80% come from private equity. It's such an interesting way of dealing with how they protect their investments, how they get into deals, and how they do the transactions, because they understand the risks associated with them. Even lately, there's been a lot of spotlight shown on investors in healthcare, whether it's private equity, VC, or whatever it may be. So I think that's a really important way of looking at it when we're doing deals. 

AI in Healthcare: Policies, Risk, and the Human in the Loop 

Ross Ronan (13:44) 

I do want to transition. I think there's so much to talk about when it relates to artificial intelligence in healthcare, and I know you do quite a bit of this. With all of this AI activity going on, it can be a real exposure for people in healthcare. It can be a real compliance risk where there are some blind spots, and, as you know, no one really knows where we're going tomorrow. Every day is a challenge in the AI industry. 

When I sat and listened to the DOJ talk about a year ago about how they're going to go after AI, and how they have to make sure compliance programs know about AI and what you can and can't do. With it accelerating across the country, what are you seeing that compliance or regulations need to step up on, or where do we need to get ahead of the game so that we create that advantage and companies can use AI to be more efficient? 

Paul DeMuro (15:30) 

The first thing is that companies should have, and I talked about this last week in New York at an AI conference, AI policies and procedures, just like they have policies and procedures for many other things. And who better to interface with these policies and procedures than the compliance officer? So let's just give compliance more responsibility as a result of this. 

You hear this concept of the human in the loop. There is a lot of consideration about having AI-type models, for instance, in radiology, where the AI developments in IT can arguably read certain films better. One of the questions I got at the cocktail reception, and of course I don't drink alcohol so I was able to answer this, was, “Do you really think this is going to replace the physician?” 

I have seen a suggestion that the AI model would be what reads initially, and unless the AI model found a problem, the doctor wouldn't get involved. The thought was this would save a lot more money because you wouldn't pay as much for radiologists. But growing up as a research scientist with a PhD, I realized the AI model will make mistakes. It'll miss a mass, but then that wouldn't have been seen by the physician. 

Of course, some of the lawyers in the room asked, “What about the malpractice implications? Who's going to be liable?” This is all true, but I'm more interested in the basic aspects of how information technology and AI models are used. Part of this should be written policies and procedures that are recalibrated all the time. It's different for different aspects of healthcare, just like many other things are. So I think it's very exciting for compliance officers, because if they were getting bored, they won't be bored for the next six months. And it's exciting for Ronan Healthcare Compliance, because now you can remind people that they should refresh this and look at that. It's also incredibly important that everybody keeps up on the developments in every aspect of their field, because it changes all the time. 

Ross Ronan (18:26) 

I did sit on an AI panel late last year. We're getting a lot of questions from our clients. I think they're a little slow to the game, to be honest with you, when it comes to AI. They're like, “How do we implement AI now? How do we put this in place?” It's not necessarily just for care issues with patients and PHI and things of that nature. There's a whole other bucket over here that has to deal with operational efficiencies, how you're going to run your business, your human resources, and all the other aspects of a healthcare organization that don't necessarily deal with patient care. 

So we're getting quite a few questions from a compliance standpoint of what we can do and what we can't do. My first response is, we'll give you today's answer, but come back tomorrow and we'll have a conversation about what tomorrow's answer is, because everything is changing minute by minute. What I'm seeing is a lot of changes in state regulations. They're preempting anything that's happening at the federal level, but they're being more restrictive in what they can say you can and can't do. 

Colorado just came out, or is coming out, with a regulation saying that if any decision-making at all in healthcare is relied upon by AI, that's a violation of this regulation. That's a huge issue. We all don't want AI to be making medical decisions, but we also wonder at what point you're able to use it or how it works together. Have you seen any state laws that are being overly restrictive and really putting a chokehold on what you can do from an AI perspective? 

Paul DeMuro (20:30) 

Some AI professionals would suggest that all state laws put a chokehold on AI, because it stymies innovation, and that it should be up to the individual organization and their compliance program to decide what's best. I'll use this example. You recall when the AI model started playing chess. Now it wins all the time. You recall, I think the first two times it failed the MCATs, now it passes the MCATs. As you know, these models work on a probability analysis. So if there are biases and other problems in the dataset, the data points, that can create a problem for the analysis. 

Sometimes you'll see people joking, “Well, I queried AI models three times and got three different answers,” although they may have been similar. Another problem, which scares me as a research scientist, is hallucinations. 

Paul DeMuro (21:40) 

One might wonder why these models hallucinate, particularly in the legal world. You're a lawyer, so why would it cite cases that didn't exist? Why would it not be able to check? Some very accomplished lawyers have paid tons of money because of this. As I help you take your legal hat off and put your healthcare professional hat on, you probably wonder what other hallucinations there might be from an infrastructure standpoint, a business standpoint, and a clinical standpoint. What's scariest is what we don't know. 

When you ask about the state laws, the state legislatures are trying to control what happens in AI in the best interest of the people in their state. The problem is they don't really know, and the problem is that AI evolves so much. It often creates a very difficult regulatory labyrinth for somebody who has a national company. So I'll turn this question back to you, Ross, as a national compliance executive. You're trying to make sure this internet healthcare platform complies with all state laws, and you've got differing state laws that don't comply with whatever we think the federal law is, and the question of who might be preempted. 

Oftentimes, you then have to go to the lowest common denominator. I remember when I practiced in Florida, people said they weren't concerned about the GDPR or the European privacy laws. I said to them, “Well, do you have any patients who came from Europe? I know they don't come in the summer, but they come in the winter.” “Oh, yes.” So they were subject, for many of these internet things, to the GDPR. But I'll leave it to the compliance professionals like yourselves, whom I would hopefully retain to work on that, as long as I manage that overall process. 

So I think you're spot on, but it's evolving. A lot of people feel that, until we let it learn the MCAT and let it learn a chessboard. Now, the difference there is there's a limited number of chess moves, so even if somebody makes a wacky move with a rook, there's a limit on them. The MCAT is a little more complicated, because the questions do change. But in healthcare, there's an infinite number of answers. 

I remember once in Florida, a physician was caught up in an OIG and DOJ investigation, and my job is to solve problems. He said, “I think this modality works,” and I actually found a research study in Norway, I believe it was Norway, that supported what he was doing. Now, he still ended up in trouble, but at least there was something that supported it. So sifting through all of this is really key, I think. 

Ross Ronan (24:48) 

We're a very AI-forward company. We spend a lot of time getting educated and getting certified in different areas of what all the LLMs are and what you can use them for. You hear this all the time: AI is not going to replace you. I agree with that, in part, because, and this is what we tell all of our clients, you've got to be an expert, in my opinion, in the issues you're dealing with on AI. If you're asking it a question, you'd better know more than it does before you get into it, if you just need some clarification. 

So with the hallucinations, the bad cases, the bad advice, the wrong advice that comes through, I tell all of my staff and all of our clients, you've got to be able to look at it and go, “That doesn't sound right. That doesn't make a lot of sense. Show me the case. Show me where you got this. Show me where it's at.” If it's hallucinating, it can't produce it. “Oh yeah, you're right, I just made that up.” “Okay, why did you make that up?” “Well, you asked it in a really weird way that made me make it up.” So there are all kinds of different conversations you can have with these LLMs. When we talk about it from a compliance perspective, it's: don't use it to replace your brain. 

The Skills Gap and the Value of Experience 

Paul DeMuro (26:16) 

Ross, you've hit on a key issue, but I think the bigger consideration is the skills gap. You're one of the leading compliance professionals in the world, so it's easy for you to say, “Don't go down this rabbit hole, look at this, this doesn't make any sense.” I can tell your employees love you, you have a great culture in your company, and they're attuned to this because they can go ask Ross. And if Ross doesn't know, he can go ask somewhere else. 

But I gave a talk last year at a university on the skills gap. It was AI in clinical research. One of the problems is, if you give somebody an assignment, or they're looking at a problem and they go to an AI model for the answer, they don't necessarily know whether this is an issue. When I gave my talk, I had a set of references, and somebody asked me, “Did you actually read all those articles?” Yes, I actually did. The research studies. And see, Ross, you would read them. 

So the problem here, potentially, is that while there may be a human in the loop, if this is a human who grew up just on AI and doesn't have your plethora of experience, then that could be a problem. We worry, in a lot of professional industries, as we become more efficient and there are fewer people going to the library reading things or going to the medical library, do we have people over time who won't be able to exercise the judgment that you have? 

That is an issue. Your company is growing, so as it gets bigger and bigger, you might have a great culture, but you have to make sure everybody feels they're getting that training. And how do they get that training if they're drafting a document through AI? Somebody asked me today, “Could we take these remarks, run them through this AI model, and draft an article for you?” I said, “I'll look at it, but I don't know.” It seems to me that we're really going to need more of these people with this skill set rather than less. 

Ross Ronan (28:47) 

I completely agree. You hit a really good point, especially with the younger generation who have one, two, three, four years of experience, and now all of a sudden they're using AI and maybe getting some big jobs, making big decisions, when in reality, even you and I know this, ten years of experience in something is just not enough to be an expert. 

You really have to spend a lot of time doing the work, whether it's deal work, law, healthcare, whatever it is. You need to have that kind of experience, and it's more than ten years. It's, I've lived it, I've seen it, I've got the bruises, I've got the scars to be able to use AI in a more effective way. Even with our team and our clients, we say, “Okay, I get that you want to use it, and I get you're getting a pretty picture and a pretty report, but you've got to know what to ask and when to ask it. If you're not pushing that way, you're going to get bad outcomes.” 

I think that's the same way in healthcare when it comes to the compliance policies and procedures that people need to put into place when they're utilizing AI. You have to use it, and there has to be human supervision and oversight, because it's not always right. Just like people aren't always right. But experienced people can be right. Even me, I'll call you and say, “Hey, Paul, I've got issues here. I need to bounce it off somebody. This is not feeling right for me.” It's the same concept in healthcare, and I think compliance really plays a big role in that going forward with AI. 

Paul DeMuro (30:33) 

Ross, you just brought something to light that I never thought of, and I've always learned something from you. This is a key point, and I'm really glad we're doing this, not just because it's fun to talk to you, but because of this thing you said. The AI model, when it hallucinates or makes up stuff, because it wants to answer your question. What about the younger person? It's not too different. In some settings, the younger person, and you do an incredible job of screening employees, the younger person wants to please Ross. So Ross wants an answer, and the younger person goes out and tries to find everything he or she thinks will support the answer to Ross. Some of it is maybe off the wall, but that's not unlike the current status of the AI models and even the large language models. 

I never thought about it in this context until you said what you did, but I think we have to look at it that way. When you raise the issue about certain infrastructure in a healthcare organization, do you want that AI model that's making stuff up sometimes to be the definitive answer on all of that? And then do you want some human in the loop who doesn't know either? That's why I think these cross-collaborative teams, whether for a deal or for compliance, are key. 

I realize, with my vast educational background, that there are stakeholders in addition to the primary and secondary stakeholders, particularly in healthcare, and they're important. I also realize that the more I think I know, I don't really know that much. This is why I'm such a proponent of what I'll call diversity of thought. I see the posts you have with your team. They come from various backgrounds. You have these team meetings, and I bet you all learn stuff and develop things from something that someone says or thinks that you never would have thought of. 

And, more importantly, they probably don't hallucinate. If they don't know the answer, they probably don't say anything. The team respects what they're thinking. So the model of your company should be the model of how people use and employ AI. I'm only using that because the people who listen to your podcast know you, and they see that in play. 

We can't expect that an AI model is going to solve all of our problems. Now, it's very good where, let's say, your law firm has five acquisition models, asset purchase agreements. You load them in and say, “From this model, create X.” But if you just go to the internet and say, “Oh, just come up with a form,” it has nothing to do with what you need. In the old days when we did this mechanically, we had form files at firms, and the person would look at these documents and cut and paste. That's essentially what it's doing, but then trying to draw more. 

One of the problems with hallucinations is when they don't have the cites, the cases in their database to check, or they don't have the medical knowledge. I'm a Fellow of the Royal Society of Medicine, and we have access to an incredible plethora of electronic publications. If that thing doesn't have access to all those publications, and then know how to deal with what they mean, that's a different thing. So I think this is where compliance is key again. 

It's not a matter of whether there should be compliance. They're a necessary part of answering some of these questions, of raising these questions. And why would a business want to have this? Because the business wants to come up with the right answer. Even a private equity company, where people may arguably be trying to make a lot of money, the billionaires who often run these companies do not want to have a negative story in The Wall Street Journal. That's as big a motivation as I've heard some people have. So I think it's incredibly important that people realize we are flying the plane while we're trying to fix it, given AI, and the compliance officers need to be an integral part of that. 

Advising CEOs and Boards in a Highly Regulated Environment 

Ross Ronan (35:17) 

We could talk about AI all day long. As we move toward the end here, and we're talking about compliance as an advantage, you deal with a lot of CEOs in healthcare, whether they're boards, CEOs, or leadership. This is one of the highest-regulated environments, whether it's AI, fraud, waste, and abuse, or anti-kickback issues. Go down the list, especially with the new initiatives that are out there, like the CRUSH Initiative. 

How do you, or what do you advise, CEOs or leadership when they're trying to get into this and say, “I want to be part of healthcare. I really want to step up to the plate”? From a regulatory standpoint, where do you go? Where do you tell them or give them the best advice? 

Paul DeMuro (36:06) 

The first thing I tell them is to listen. I think it's very important not to have the answers in your mind first. Particularly if you have a new board member coming to healthcare who doesn't understand it, try to get them a better background of healthcare. We have, as I'm sure you do, board training programs to bring them up to speed on various things. And then make sure they're very comfortable asking questions at any time, and that they read the board packet, and not on the plane to the meeting. 

Overall, I don't know how many luminaries finally concluded, when they thought they'd be able to fix healthcare, that healthcare is complicated, and it is increasingly complicated. Because it's complicated, we do have to spend the time to try to understand it, and this also involves understanding people's motivation. 

The difficulty in healthcare, and I just thought of this, Ross, is if you try to compare it to a financial audit, you get a financial audit every year. You're suggesting the compliance audit, but it's not by a third party necessarily. It might be by your group, but it's not the same as an independent audit. Also, there are these notions in finance and accounting about reserves, reserves for various contingencies that we might know happen. These things are guesstimates, and companies make decisions on how much risk they want to assume, because people know that. 

A complicating factor in healthcare, as you know, is that you have to realize people's risk tolerance, and it can't be unreasonable. You've said this in one of your podcasts: if you don't have any risk tolerance, you won't have any business. So I think it's important to have a reasonable risk tolerance that doesn't kill the business. Sometimes that's where we get a disconnect between new CEO types and new board members from a different industry who say, “Oh well, we can just do this.” 

I have a close friend who is a lawyer but became the CEO of a company that sold plastic piping. They didn't manufacture it, so he didn't have to worry about the same regulatory issues that a manufacturer has to worry about. So I also think that if people don't appreciate the complexity or the risks, they ought to probably find another field, because this is a complicated field, and it involves a lot of attention to detail and collaboration. 

Ross Ronan (39:42) 

The risk tolerance, I think that's great advice for any CEO. With the right compliance partner, the right compliance strategic advisor with you, and that could be your compliance executive or an outside company, somebody who's a strategic partner to you should be educating you on what is high risk, what is a no-go, and what is something where you say, “Hey, I think it's defensible, but you might lose, and we can make that defensible argument, and you need to make a business decision on that.” 

That's really important. It's great advice to give to a CEO in this regulatory environment. If you have the right compliance person, the right compliance executive, they will tell you, “Brown bags of money are bad. Don't ever do that. We're not doing that. That's never a consideration. I don't care what you think the risk factor is. No.” And then there's this other range over here that's like, “Hey, it's not good, it's not great, but it's defensible, and it's up to whether you want to take the risk or not.” So I think that's really great advice. 

Paul DeMuro (40:51) 

The compliance officer is not always the person, out of the 12 people in the room, who raises the issue. He or she is one of them. But if there are 12 people in a room and you're trying to get to some point, if somebody has a significant problem, instead of ignoring them, it's much better to try to get that person on board, not through groupthink, but by addressing what they're thinking. 

What I do is I get that person out of the room later and talk to them and explain why we think this is the case, have them research it or think about it. And I tell them, “I'm not going to tell everybody else that you're the problem, because maybe the decision should go the other way.” You find that you get a much better result. Even if you recalibrate the approach, the approach becomes less suspect, because you've accounted for it. Everybody, the public, the regulators, are going to be like that person. Somebody's going to find things from time to time. 

Ross Ronan (42:31) 

Thank you, Paul, for joining us today. I really appreciate it. Such an insightful conversation, and it's really good to see you, my friend. We'll talk again next time. 

Paul DeMuro is Counsel at Katten Muchin Rosenman LLP, based in Dallas. 

A healthcare attorney with a PhD in Biomedical Informatics, an MBA, and a CPA, Paul has spent decades as a legal architect on complex healthcare transactions and as an advisor to boards navigating regulatory risk. 

In this episode he joins Ross Ronan to talk through AI governance, deal diligence, and why experienced judgment is what keeps compliance a strategic advantage as AI spreads across healthcare. 

https://www.linkedin.com/in/paul-r-demuro-phd-9364461/