Healthcare Compliance for Startups, Part 2: What to Budget, How to Phase, and When to Scale

How much does it cost to build a compliance program from the ground up? A basic setup for a healthcare startup runs around $50,000 per year. If you add dedicated compliance leadership, expect $150,000 to $175,000 or more. In part two of a three-part series on the Compliance Advantage Podcast, Ross Ronan, JD, BSN, CPCO, CHC, CCEP, CMPE, breaks down the real numbers behind compliance budgeting for healthcare startups, including how to phase the program in when capital is tight and how to use the 1% of revenue rule to keep your investment right-sized as the business grows.

Ross covers the five core line items in a first-year budget: policies and procedures, training and education, sanction screening, auditing, and a disclosure program. He explains how to structure compliance oversight without hiring a full-time chief compliance officer on day one, what to look for in a fractional or part-time compliance leader, and why anonymity is the single most important feature of any reporting line. He also walks through the clearest signals that it is time to level up: increased payer audits, multi-state expansion, a rise in internal complaints, and preparation for a capital raise or acquisition.

Want to go deeper? Read our companion posts on What Does It Actually Cost When You Skip Compliance Investment? How Much Should You Really Invest in a Compliance Program? and What Are the Three Returns That Make Compliance Worth the Investment?

• What does an anonymous compliance reporting line actually look like, and why does anonymity matter more than anything else?

• How often should you test your compliance hotline, and who is responsible for doing it?

• Does a healthcare startup need to hire a chief compliance officer on day one?

• What are the risks of assigning the compliance officer title to the wrong person?

• What should a healthcare startup realistically budget for compliance in year one?

• Can a bootstrapped startup phase in compliance over time, and what should come first

• What is the 1% of revenue rule, and how do you apply it as you scale?

• What are the clearest signals that it is time to expand your compliance program?

• How should healthcare founders think about compliance in a one-to-three-year growth plan?

Season: 6 Episode: 2

Healthcare Compliance for Startups, Part 1: When to Start, What to Build, and How to Scale

INTRO:

Welcome to the Compliance Advantage Podcast. This is where healthcare executives transform compliance from a burden into a strategic asset that drives both growth and peace of mind. I'm your host, ROSS RONAN, founder of Ronan Healthcare Compliance and a healthcare compliance strategist with nearly 30 years of industry experience. I'll help you stay ahead of evolving regulations while building the sustainable, compliant organization that lets you focus on high-level strategy and exceptional patient outcomes. Remember, compliance pays dividends. Invest today.

[00:00:00] Episode Preview

What if your compliance program could scale right alongside your revenue without breaking the bank? This is part two of our three-part series where Ross walks healthcare founders and CEOs through the practical roadmap for building a compliance program that grows with the business. Drawing on nearly thirty years of industry expertise, Ross shares the real numbers, the smart phasing, and the strategic thinking behind compliance programs that actually work.

In this episode, you will discover what to realistically budget for compliance in your first year, how to phase your program in when you are working with limited capital, and the one percent rule that keeps your program right-sized as your revenue grows.

You will also learn the clear signals that tell you it is time to level up, from payer audits and multi-state expansion to preparing for capital raises or acquisition.

This episode gives you the financial clarity to build a compliance program that scales with confidence.

[00:01:50] Anonymous Reporting Lines

CO-HOST: Number three was clear reporting mechanism. What does that mean for a small startup team?

ROSS RONAN: The reporting has to be open lines of communication. That is what the OIG indicates as an element. What you want to be able to do is establish a system where somebody can report compliance concerns and questions.

What I would say is you at least need to have the ability for an individual to report anonymously. That is probably the number one most important thing. Because if people feel like they are going to be criticized or retaliated against, they will not report. You should have a non-retaliation policy, but people inherently feel that if they tell somebody something they do not want to hear, there will be consequences. Everybody has that same feeling no matter who they are. So anonymity is really important to establish.

Once you have actually established a disclosure program and clear ways of open communication, you have to disseminate it. I see this a lot with startups and with different companies who say, yeah, we have a compliance line, but we do not put it out there because we do not want people calling.

What you do not want are material deficiencies in what people are actually reporting. If you have a lot of complaints that are all true, you have a bigger systemic problem in the organization. But you still want people to call. If you set up an 800 number or an anonymous hotline and you do not tell anybody about it, you are defeating the entire purpose.

I see this a lot. They say, we have a 1-800 number and nobody calls it. They say, we are so compliant. I ask: where is it published? Is it on your website? Is it at the bottom of your email signature lines?

Where is it? They say, we do not put it out there, they can find it if they need to. If you do that, you do not know what you do not know. You do not know if you have compliance problems or not.

The OIG also recommends multiple ways of reporting. But the number one thing is anonymity. And once you have established it, I always recommend that the executive compliance committee, the board of directors, whoever it is, literally test these communications regularly.

There is nothing wrong with that, as long as you are not fabricating reports that would trigger an investigation. Just reach out, say you are testing the system, call the number, see how it works. That is totally appropriate. It is your responsibility as an executive to make sure it works and stays active.

[00:04:26] Choosing Compliance Oversight

CO-HOST: Does a startup need to hire a chief compliance officer on day one?

ROSS RONAN: No. A chief compliance officer is a very high-level position. Compliance officer, director of compliance, or compliance manager, someone who has some oversight, is a much more appropriate place to start.

What you need is someone who is responsible for the compliance program and who is independent enough to make a judgment call on a compliance matter without a conflict of interest. If someone has to choose between their compliance role and another job, you cannot assign them as the compliance officer. That is the core problem we are trying to prevent.

You also have to be careful about giving that responsibility to someone who does not know what they are doing. We have seen both ends of the spectrum. On one end, they get the compliance officer title in name only and do not actually do anything. The government has been very clear about this. They have named compliance officers in litigation where the individual had a responsibility to know but did not act, or acted erroneously. That creates personal liability for the person wearing the compliance officer hat, even if it is part-time or fractional.

On the other side, the word "officer" causes confusion. Some people think it means a corporate officer like a CEO or CFO. Others think it means an enforcement person who is going to get them in trouble. What a compliance officer actually does is prevent, detect, and mitigate. So be very careful about who you put into place as the startup compliance lead.

In the meantime, find a fractional consultant or someone you trust who understands what compliance actually is. That person should be a steady, strategic partner for the business.

[00:07:50] First-Year Budget Breakdown

CO-HOST: Let's talk about money. What should a healthcare startup realistically budget for compliance in their first year?

ROSS RONAN: It depends on who is doing what. Are you putting a compliance executive in place, or are you tapping somebody on the shoulder to take that role?

In a fully functional compliance program with significant risk and revenue, the biggest expense will be salaries. Second is auditing and monitoring. Third is the disclosure program.

If you are tapping someone internally, there may not be a salary change, or maybe a $10,000 to $15,000 increase. Beyond that, here is how the line items break down:

Policies and procedures can be established for about $15,000 to $20,000, depending on how complex the business is.

Training and education can be as low as a PowerPoint presentation, or $5,000 to $6,000 per year for interactive programs. Sanction screening runs about the same.

For audits, there is no OIG requirement that they be done monthly or quarterly. Quarterly is recommended because it limits risk and lets you mitigate quickly. At $5,000 to $7,500 per audit, you are looking at a little over $20,000 per year.

Put all of that together and a basic compliance setup runs about $50,000 per year. Once you place a compliance officer or compliance leader over the program, that number starts at about $150,000 to $175,000 and goes up from there.

[00:11:34] Phasing In for Bootstrapped Startups

CO-HOST: What about startups that are truly bootstrapped? Can they phase this in?

ROSS RONAN: Absolutely. The OIG, in their 2023 guidance, acknowledged that small companies can tap someone on the shoulder to take on that role. That is actually an easy way to start a compliance program. You can also bring in a consultant on a fractional basis.

If you are truly strapped for cash, I would recommend at least putting policies and procedures and a code of conduct in place. Have someone oversee and implement them. Audit at a minimum of once per year. And make sure the people doing your coding and billing know what they are talking about from a compliance standpoint. Prevention before it starts is the most cost-effective approach.

[00:12:43] How Compliance Needs to Evolve as You Scale

CO-HOST: The startup is growing, adding locations, hiring more people, expanding services. How does compliance need to evolve?

ROSS RONAN: If built correctly, a compliance program should be able to scale with the business without a lot of additional financial infrastructure. A disclosure program you invest in early, whether you have 100 employees or 10,000, your costs do not change dramatically because the infrastructure is already in place.

Where the money starts to trend up is when you need a full-time compliance officer to oversee the program and when you need more audits and more investigations. That is where scaling costs increase.

I look at it as roughly 1% of revenue. If you make $10 million, your compliance program should run about $100,000. That is the benchmark I use. The program will cap out at larger revenue levels, but for smaller companies, 1% is a good target.

[00:14:21] Signals That It Is Time to Level Up

CO-HOST: What are the signals that it is time to level up your compliance program?

ROSS RONAN: There are several clear ones to watch for.

More payer audits. Whether they are UPIC audits or TPEs, a lot of companies let their revenue cycle company respond on their own, and they really should not. Compliance should be involved. We know what documents need to be produced. At the end of the day, the auditors will come back and ask about your compliance program and your internal audit history. Compliance needs to be part of that.

Expanding into new states or locations. Every state has different rules, especially for Medicaid. There are also state-level False Claims Act and anti-kickback laws to comply with. If you are thinking about a new state or location, that is a signal to build more compliance infrastructure.

Rising internal reports. When your disclosure program is generating calls and complaints from employees, contractors, vendors, and providers, that is a sign you need a bigger program. You need to be looking under more rocks and conducting more investigations.

Preparing for a capital raise or acquisition. If you are raising capital or looking at being acquired or acquiring another entity, compliance is vital. Investors and acquirers want to know you are aware of your risks and that you are preventing, detecting, and mitigating them.

[00:16:18] Planning One to Three Years Out

CO-HOST: How do you help founders think about compliance as they are planning for growth?

ROSS RONAN: When you are doing a startup and really planning for what your future looks like, I would put a fully functional compliance program on a one-to-three-year plan. The first year takes time to set up. You can get the essentials ready in about 100 days.

A lot of it has to do with tailoring the compliance program to the specific needs of your organization. One size does not fit all. There is a core set of policies and procedures, but the program needs to be specialized to fit the organization.

When you think about your one-to-three-year plan, that is where you start planning the staffing. Maybe in year one you have someone doing compliance on the side. In year two, you want a full-time compliance director. In year three, you are putting a compliance executive above that director and really starting to build out the program as you scale with revenue.

Growing from $10 million to $100 million comes with very different needs. If you plan on that kind of growth in three years, have the plan in place so you can expand your program and build the budget every year to support it.

[00:17:40] Next Episode Preview

Next time on the Compliance Advantage, Ross wraps up our three-part series on compliance for healthcare startups. He brings together everything from the foundational essentials and the budget realities into a clear strategic vision. You will see what a fully built-out compliance program looks like over the long term. You will learn how to think about compliance as a leadership advantage. You will discover how to position your program for sustainable growth. And you will find out how to make compliance part of the DNA that defines your organization. You will not want to miss it.

[00:18:15] Final Thanks and CTA

Thank you for listening to today's episode of the Compliance Advantage Podcast. If you enjoyed it, please rate, review, and share this episode with someone who might benefit from it. Visit us at ronanhc.com for more resources and connect with us on social media for the latest updates. And remember, compliance pays dividends. Invest today.