Healthcare Compliance for Startups, Part 1: When to Start, What to Build, and How to Scale

When should a healthcare startup build a compliance program? Ideally before the first patient. Realistically, right after launch.

    In Part 1 of this compliance roadmap series, Ross Ronan, founder of Ronan Healthcare Compliance, walks healthcare leaders through the five compliance essentials every startup needs, why compliance belongs in your top priorities at launch, and how early investment protects the revenue you earn and the company you are building.

    Healthcare is one of the most regulated industries in the United States. Healthcare leaders who treat compliance as an afterthought often face costly retrofits, federal investigations, and personal liability. This episode gives you a clear, practical roadmap to build a compliance program that lives, breathes, and scales with your growth.

    Want to go deeper? Read our companion posts on the 5 Pillars Framework, Strategic Compliance Outsourcing, and HIPAA in the Digital Era.

    • When should a healthcare startup think about compliance?

    • What happens when compliance is treated as an afterthought?

    • What are the five must-haves for a startup compliance program?

    • What is the difference between a real compliance program and a bookshelf program?

    • How much training does a startup actually need?

    • Why does role-specific training matter for coding, billing, and HIPAA?

    • How does HIPAA privacy training prevent costly data breaches?

Season 6, Episode 1
    Healthcare Compliance for Startups, Part 1: When to Start, What to Build, and How to Scale

    INTRO:

    Welcome to the Compliance Advantage Podcast, where healthcare executives transform compliance from a burden into a strategic asset that drives both growth and peace of mind. I'm your host, Ross Ronan, founder of Ronan Healthcare Compliance and a healthcare compliance strategist with nearly 30 years of industry experience. I'll help you stay ahead of evolving regulations while building a sustainable, compliant organization that lets you focus on high-level strategy and exceptional patient outcomes. Remember, compliance pays dividends. Invest today.

    Ross Ronan: Welcome back to the Compliance Advantage. Today's topic comes from multiple discussions I've had with CEOs and founders of healthcare companies who are in startup mode, or who have been thinking about starting a healthcare company, whether it's a provider group, a hospital, a behavioral health center, or something else entirely. The question they all share is: what does compliance have to do with starting up a healthcare company?

    Today we're going to talk about the roadmap for establishing a compliance program, what phases to build it in, and how to approach it as a startup. Joining me to guide us through that roadmap is our podcast producer, Kami Reyna.

    Co-Host: Thanks Ross. Kicking things off, what is the biggest mistake you see founders make when they're launching?

    Ross Ronan: Compliance becomes an afterthought. Everything else gets set up first, and then someone asks: how do I comply with all these rules and regulations? A lot of people feel it's easy to hang your shingle as a healthcare provider and start making money. It's easy to start seeing patients, start billing federal healthcare programs, and watch the revenue come in. What they don't understand is that healthcare is one of the top three or four most regulated industries in this country. There are a lot of rules, regulations, and statutes that go along with everything you do to make money in healthcare.

    Compliance should be in the top three or four departments you put into place. I've met with a lot of CEOs who've run compliance at large organizations, and I can tell right away when they start a new role. When they call me and say, "I need a compliance program, help me get it started," I know they're taking it seriously. Usually they've been through something, or they've just seen firsthand how it works.

    You obviously need operations first. You need to run a business and make money. But thinking about compliance as the next phase, how do I keep that money and keep the compliance program effective, that's what matters. When you're staffing up, enrolling in Medicare or Medicaid, hiring people, and setting up your revenue cycle program, all of those should include guidance from compliance. There's a lot that a compliance department can offer a startup to make sure they do it right the first time so they don't have to undo it later.

    Building compliance from the ground up sets a DNA within the organization. This is how we do things. You don't have to go back and fix it later. Get the systems, habits, and culture right from the start.

    Co-Host: You mentioned when a healthcare startup should start thinking about compliance, and that's before the first patient?

    Ross Ronan: Idealistically, yes. But realistically, almost no one does that. You have to have money to pay people to build the infrastructure. We've had a few clients who had investment funding and put a compliance program in place beforehand, just the essentials, the basic minimum, because there's really nothing for the program to do until you have patients. A compliance program has to live and breathe. It has to do something. It's not a bookshelf program, where you write everything down, stick it on a shelf, and grab it when something goes wrong. That's not a compliance program.

    Without patients, a compliance program can't really function. But there are a limited number of things you can do before that first patient: setting up the essentials, code of conduct, policies and procedures, and an auditing and monitoring program ready to go. Sanctions screening ties into hiring, so that one's easy to start early. Set up that foundation before the first patient, or very shortly after, to limit your risk.

    Once you start seeing patients, your risk level starts to increase. From that day until the day you have a compliance program that's actually living, breathing, auditing, monitoring, and looking under rocks, you are building risk. As a startup, you have to understand how long you're willing to carry that risk before it becomes a problem. You want to make sure you're not giving all that revenue back or getting into trouble.

    We see it in OIG investigations. Someone hangs their hat, does everything absolutely wrong, maybe even fraudulently bills for patients they didn't see or under providers who don't work for them. A year or two later, the doors are shut, they're facing legal consequences, and they'll never work in healthcare again. That can happen that quickly without a compliance program providing oversight.

    Retrofitting compliance back into what you've already built is harder than building it from the ground up. Before the first patient is ideal. Shortly thereafter is realistic. Either way, keep it to the essentials. It's not that expensive.

    Co-Host: As you've discussed in other episodes on compliance budgets, let's look at this practically. What are the five absolute must-haves for a healthcare startup?

    Ross Ronan: Starting up, before you have patients to audit and monitor, is the perfect time to establish your practice standards, your code of conduct, and your policies and procedures. There's a core set of compliance and HIPAA policies that need to be in place. You should have your HIPAA and compliance policies and procedures ready before anyone starts seeing patients or handling protected health information.

    Once those are in place, train your staff on them. The code of conduct tells people what they shall and shall not do. The policies and procedures tell them how to do it, or not do it. Training your staff and providers on both is your responsibility as a CEO and healthcare company leader.

    Second, open up clear reporting mechanisms, a hotline of some kind. You don't have to spend a fortune. An anonymous 800 number works. Google has options. Microsoft Teams has them. The idea is to give people an anonymous way to report a concern. Without that, employees, contractors, vendors, and providers don't feel like they have a voice. Set that up early.

    Third, designate the right compliance oversight. Someone has to be in charge. Make sure they don't have a conflict of interest and that they actually know what they're doing. It can be someone within the organization. Human resources, risk management, or quality can take on compliance too. Just make sure they're not embedded in operations, finance, or general counsel, where conflicts of interest exist.

    Fourth, make sure someone is recording everything that comes into the compliance program. You need a compliance matters log, a case management system, even if it's just an Excel file. Without it, there's no proof or evidence of anything you've done, and you can't track and trend situations that need to be mitigated or prevented.

    Co-Host: Let's break those down one by one, starting with the code of conduct and core policies. What does that actually look like for a startup?

    Ross Ronan: The code of conduct is really about what you can and cannot do as an employee of a healthcare organization. Most people who work in healthcare don't know all the regulations and rules, and why would they? When I was a nurse in the ICU and the ER, I was running around saving lives, putting in IVs, coding patients. I couldn't have told you what the False Claims Act was. I didn't know what Stark was or the Anti-Kickback Statute. I was doing what I needed to do, providing great nursing care. And by the way, they don't teach you that in nursing school or medical school. I used to teach healthcare professionals about compliance as an adjunct professor at Regis University, and it was always kind of an elective. It just isn't taught.

    So a code of conduct, along with policies and procedures, educates your workforce on what they should and shouldn't do. They don't have to go read the False Claims Act or hire a lawyer to understand it. They read it in plain language and learn: I can't do this, I shouldn't do that, because the law doesn't allow it. That's what the code of conduct and policies and procedures do. They set the boundaries for everyone inside the organization.

    Co-Host: That's interesting that it's not taught as part of the curriculum.

    Ross Ronan: They don't teach it. Crazy.

    Co-Host: Okay, so what about training? How much training does a startup really need?

    Ross Ronan: Training is an interesting thought process when it comes to compliance. When I think back to the first corporate integrity agreements we had to implement, back in the late nineties and early two thousands, a lot of the OIG requirements under CIAs were around training and education. They'd go through the seven elements, and one of those is training and education. Back then they'd say: one hour of compliance training, one hour of HIPAA, two hours for board training, every year. Always hours. Always a number.

    Then over the last decade or so, they started changing their approach. Instead of assigning hours, they started saying: submit a training plan that shows us how you're going to educate your workforce, your provider groups, your board, and we'll approve it. I thought that was really ingenious, because everyone knew what was happening with the hour-long training model. What's the first thing someone does when they have to sit through an hour of training they don't care about?

    Co-Host: Start clicking through it.

    Ross Ronan: Press play and go do other things. That's not training. That's not education.

    So when the OIG shifted to asking for training plans, what they were really saying is: tell me how you're actually going to educate people. As a startup, if you have good compliance guidance, the first thing they should be telling you is: I don't care about hours. I care that you know what you're talking about. I care that your people have a real knowledge base. What does the False Claims Act mean? What does Stark mean? What can and can't you do? If someone can test out in five minutes because they already know it, that's education. That counts.

    Don't spend a lot of money chasing hours. Find a way to build an educational system that actually works for your providers and your people, whether that's an interactive module, a quick PowerPoint with Q&A, or pre-testing to assess proficiency before training. As long as you're covering your policies and procedures, code of conduct, relevant laws, and compliance program basics, you've met your training requirements without breaking the bank. Interactive training programs are more effective and they're not that expensive, especially for smaller teams.

    Also, specific roles need specialized training. People doing coding and billing need to understand medical necessity, split and shared services for Medicare patients, and what those mean from a coding and billing perspective. The OIG is clear that role-specific training matters. And HIPAA privacy training is critical. The OCR has recovered around $2 million in HIPAA violation penalties, and about six million-plus medical records are breached every year. A lot of that comes down to phishing schemes and gaps that good training can prevent.

    OUTRO:

    Thank you for listening to today's episode of the Compliance Advantage Podcast. If you enjoyed it, please rate, review, and share this episode with someone who might benefit from it. Visit us at ronanhc.com for more resources, and connect with us on social media for the latest updates. And remember, compliance pays dividends. Invest today.

Compliance has to live and breathe. It has to do something. It is not a bookshelf program.
— Ross Ronan, JD, BSN, CPCO, CHC, CCEP, CMPE


Ross Ronan, JD, BSN, CPCO, CHC, CCEP, CMPE

Ross Ronan is the founder of Ronan Healthcare Compliance, host of “The Compliance Advantage” podcast, which ranks in the top 10% globally, a seasoned board member, and a healthcare compliance strategist with nearly 30 years of industry experience.

He has supported hundreds of healthcare industry leaders from companies like Envision Healthcare, Amulet Capital Partners, and Enhanced Healthcare Partners while engaging with entities including McDermott Will & Emery (MWE) and the U.S. Office of Inspector General (HHS-OIG) to promote ethical leadership and ensure operational integrity.

Ross is a sought-after speaker at prestigious forums such as the University of Pennsylvania's law program, the Health Care Compliance Association (HCCA), the American Health Law Association (AHLA), and private equity conferences such as MWE’s HPE Miami, where he addresses the critical intersection of compliance and business strategy.

With degrees in nursing and law and memberships in organizations like the American College of Healthcare Executives (ACHE) and the Healthcare Private Equity Roundtable, he is widely regarded by private equity partners, board members, CEOs, general counsels, and compliance officers. Ross can help operationalize compliance to eliminate ambiguity, reduce liability risks, and transform compliance into a strategic advantage.
