Healthcare Compliance for Startups, Part 3: What You Gain, and How to Protect Your Investment

Many healthcare founders believe they are too small to need a compliance program. On this episode of The Compliance Advantage, host Ross Ronan flips that belief and shows why compliance built early is what protects a startup as it grows. Ross walks through the most common mistakes new healthcare companies make, from waiting until something goes wrong to handing compliance to someone who does not understand it, and explains why every issue eventually comes back around if it was never documented. He spends real time on billing, coding, and the False Claims Act, the area founders most often assume their billing company already covers. The money flows under your National Provider Identifier, so the responsibility stays with you, not the vendor. From there Ross lays out what startups actually gain when they build compliance correctly from the start: protected profits, preferred partner status with payers and hospitals, employees who are proud of where they work, and patient trust that keeps people coming back. His closing advice to founders is plain. Treat compliance as a foundation, budget for it, do not cut corners, and protect the investment that everyone, not just the owners, has made in the company. For PE-backed operators and founders alike, this is a clear roadmap for turning compliance into a strategic advantage instead of an afterthought. 

Is a healthcare startup ever too small to need a compliance program? 

No. The Centers for Medicare and Medicaid Services (CMS) and the Office of Inspector General (OIG) track billing and coding utilization to spot trends, and it only takes one disgruntled person to become a whistleblower. Ross has seen small physician practices pursued over a hundred or two hundred thousand dollars. Size does not protect you. A program does. 

What is the most common compliance mistake founders make? 

Waiting until something happens. Once you are dealing with a Corporate Integrity Agreement (CIA), a Civil Investigative Demand (CID), repeated audits, or a referral to the Office of Inspector General (OIG), it costs far more to fix than it would have cost to prevent. Building the program up front is the cheaper and safer path. 

Does my billing company handle compliance for me? 

No. The government follows the money paid under your National Provider Identifier (NPI), so whoever received that payment is responsible for compliance. A billing company may indemnify you, but you are still on the hook because you had the obligation to monitor and test. Thinking someone else owns your compliance is a costly mistake. 

What do healthcare startups gain by building compliance early? 

Four things. Protected profits, so you keep the money you earned without fines or paybacks. Preferred partner status with payers and hospitals who want to work with ethical operators. Employees who are proud of where they work. And patient trust, which keeps people coming back and is hard to repair once it breaks. 

Where should a founder start with compliance? 

Treat it as a foundation, not an afterthought. Find advisors who understand healthcare operations as well as compliance, put a real line in the budget and commit to it, and do not cut corners. There is an efficient way and a cost-effective way to do compliance, but there is no cheap way that actually works. 

Common Compliance Mistakes Startups Make 

Interviewer (00:47) 

What are the most common compliance mistakes you see these startups make? 

Ross Ronan (00:52) 

The number one thing I hear all the time is, we're too small. We're too small to need a compliance program. No one's looking at us, no one can see us. We don't do enough business. We're just too small to be noticed. Well, that may be true on the bigger scheme of things. CMS and the OIG, they do a lot of stuff with utilization, so they can see trends in billing and coding utilization, and that's how they do their audits and investigations. 

All it takes is one person to be disgruntled within your organization to say that you're doing something wrong, if you are, and become a whistleblower. Now you're not too small to actually have something wrong, because once somebody complains about it, now you're big enough for them to come after you on it. 

I've seen it. I've seen people come after them for a hundred, 200 grand. They're a very small business, a very small physician practice, but somebody out there got disgruntled and made a big deal. So you're never too small to need a compliance program. 

Second one is waiting until something happens. I see this a lot too. We don't need a compliance program until something happens, and then it's way more expensive to put in a compliance program. You have a big issue that you're dealing with, whether it's a CIA, a CID (which is a civil investigative demand), or you have these multiple TPEs or you pick audits that are out there that you keep getting denied, or referrals to the OIG, or prepayment reviews. Once you've gotten all of those things, they're really hard to unring that bell, and it costs you so much more to go fix it than it would be to say, let's try to prevent it from happening in the future by having a compliance program up front. So waiting until something happens is really a terrible idea, but it happens a lot. 

And we talked about this a little bit earlier: really entrusting the compliance program to someone who doesn't understand compliance, doesn't care about compliance, or takes it to the extreme level. That is a thing that I see all the time, and it's very hard to unring that bell when it comes to assigning someone a compliance role and then all of a sudden taking it away from them. It causes people to go, what happened? Did they know something that was bad with the company and you had to get rid of them, or something of that nature? It becomes a reputational issue. So you really need to assign someone to the compliance program and the functionality who really understands compliance and is able to be that strategic partner so the company can grow. 

Interviewer (03:00) 

So you listed three-ish mistakes there. Are there any other mistakes you can think of? 

Ross Ronan (03:05) 

Yeah, there's a lot of stuff once you actually get a compliance program in place that people don't do because they don't feel like they need to. A great example is documenting, not documenting things because you'll remember, or we just took care of it, we don't need to reflect on it or go back to it. 

Every compliance issue will come back around in some way, shape, or form. Someone will ask about it. There'll be ripple effects from it. Somewhere down the road you'll need to refer to it. You need to show somebody you fixed it, whatever. So documentation is key. You're never gonna remember. And by the way, as I tell everybody in compliance: the day you win the lottery, you're out, you're going to do something else. Somebody has to be able to come back behind you and figure out what you did and be able to go, yes, we can replicate this, or I fully appreciate and understand it. 

The next one is ignoring employee concerns. One of the things in the elements of a compliance program is investigation protocols. Compliance departments should investigate and research to conclusion any and all compliance matters that have been raised by an individual, an employee, a company, or whatever. So it is one of the basic elements, and to ignore a compliance issue that has come in, or say that's no big deal, we're not gonna investigate it, or that's not really a compliance issue, I'm not gonna go look into it, is the number one mistake that you can make. 

There were about almost a thousand whistleblower cases filed in 2024. As soon as someone believes that you're not listening to them, or they do have a compliance issue, whether it's coding, billing, Stark, anti-kickback, whatever it may be, they will actually go to the federal government and become a whistleblower. It's a very profitable industry out there for lots of people. It's up to 30%, 35% of the recovery that the whistleblower gets. And there's a lot of whistleblower counsel out there too, who all they do is support whistleblowers. So the idea of not responding to patient complaints or employee complaints or provider complaints just feeds that fire of somebody going, ooh, I'm gonna go tell on somebody because you're not doing anything. So responding, making sure that you're actively listening and fixing those problems before they become major problems, is the number one piece that you need to do. 

And then finally, compliance not being involved in the business strategy or business development is always a common mistake. You have to be able to have compliance sitting beside you. Whether they're saying something or not is irrelevant, but they are sitting there going, I'm listening, I'm hearing, I don't see any red flags, or I do see red flags, or we need to look out for this, or we need to look out for that. That is the number one mistake that a startup will make: saying, I don't need that advice, I don't need that person in here because they're just gonna tell me no. If they're just gonna tell you no, then you have the wrong person in there. You need that person who's gonna go, let's figure out how to get there in a compliant way, in a legal way, in a regulatory way. And that's a number one mistake: excluding the compliance functionality from those business development and business strategy discussions. 

Billing, Coding, and the False Claims Act 

Interviewer (06:30) 

Billing can get tricky too. Are there any specific mistakes around billing? 

Ross Ronan (07:00) 

When you look back at 2024, there's about 1.6, 1.7 billion dollars recovered by the OIG and the DOJ for healthcare fraud, waste, and abuse. A lot of that comes from False Claims Act violations. Settlements with a False Claims Act can be between a million or tens of millions of dollars. I've actually seen it up to almost a billion dollars at one time, with a Tenet discussion that they had. So the False Claims Act is a number one priority for a compliance program at a healthcare company. 

Oftentimes we will go in and we will say, what are your biggest issues? From a healthcare company that bills 85, 90% Medicare, the first thing that they say is HIPAA. And I just kind of go, okay, patient privacy's really important, get it. How about your False Claims Act? Oh no, we're compliant, because we got coders and billers who are doing everything and they understand it. Okay, great. What are you doing to test it? And they go, oh, we're not testing it. I go, okay. So False Claims Act, billing and coding, is really a number one thing that startups, or any healthcare company, needs to be focused on. 

The first mistake is not understanding what it means or how to do the billing and coding. It's really easy to put a code down on a record, on a CMS 1500, send it to Medicare, and have them pay it. It's really hard to make sure that documentation matches the requirements for that CPT code to be able to support that payment that is made to you by the federal government. 

And that's the hard part. So understanding what it takes to create a CPT code from the documentation that the provider puts on the record of the services that they render to the patient is the most difficult part of it. Not understanding what that revenue cycle piece takes to be able to go from patient to billing company to payer back to me to get reimbursement is the number one mistake. So you gotta understand coding, billing, and the revenue cycle process. 

Two: if you outsource your compliance or outsource your revenue cycle, a lot of the healthcare companies feel like my billing company is handling compliance. They know what they're doing. Okay. Technically, you probably have a contract with this billing company that has some sort of indemnification to say you are going to make sure you bill correctly and code correctly and appropriately. 

Ross Ronan (09:27) 

But at the end of the day, the government follows the money that comes from Medicare, Medicaid, TRICARE, whatever. The OIG and DOJ will follow that money. And whoever received that money under that NPI, whether it's the group NPI or a physician, whatever it may be, those are the people that are responsible for compliance. 

When you've enrolled your services for Medicare and Medicaid, you have made a commitment to the federal government that you will not submit anything that is improper from a coding and billing standpoint, whether it's knowingly or unknowingly, for payment and reimbursement. So that means that you have to be looking out for what you're doing. You have to be testing, you have to be understanding. To say my billing and coding company is making sure that we do it right, well, guess what? They're not the ones receiving the money. You are. You are getting the money. So when they come knocking, they're gonna knock on your door and say, I don't care. You can blame your RCM over here, but at the end of the day, the buck stops here. You got the money. You had an obligation. You told us under your enrollment forms and your conditions of enrollment that you will monitor compliance and you will do this. Show me where you've done that. Well, a billing company did. It doesn't work that way. They may indemnify you for doing something wrong, but you're still on the hook, because you did it wrong and you didn't have the oversight. So thinking that somebody else is doing my compliance work is a huge mistake. 

Sponsor Message 

This episode of The Compliance Advantage podcast is brought to you by Ronan Healthcare Compliance. At Ronan Healthcare Compliance, we believe in transforming healthcare compliance from a checkbox attitude to a strategic advantage. With decades of expertise, our team of consultants provides innovative solutions tailored to your organization's unique needs. We don't just help you meet your standards, we elevate your business, ensuring ethical practices are at the heart of what you do. Whether you're navigating complex regulations or seeking to enhance your compliance strategy, Ronan Healthcare Compliance is your partner in achieving excellence in healthcare compliance. Ronan Healthcare Compliance: redefining compliance, empowering leadership. Visit us at ronanhc.com to learn more. Now, back to the show. 

What Startups Gain: The Compliance Advantage 

Interviewer (11:52) 

So we talked about consequences and the seriousness of a lot of these things that healthcare startups cannot afford to overlook. Let's flip that and talk about what healthcare startups gain when they do build their compliance programs correctly from the beginning. 

Ross Ronan (12:13) 

It's the compliance advantage. That's what we talk about on the podcast. First and foremost, protecting your profits. As a startup, you really need to make sure that the money that you're earning, the efforts that you're putting out there lawfully to gain that revenue that you're bringing in to pay your providers, to pay your employees, to make a profit, you gotta protect that. Otherwise, why are you doing it? So the advantage that you get is protecting those profits, so you don't have to give the money back, you don't have to have fines and penalties to hurt your margins or hurt your cash flow, whatever it may be. So protecting those profits is really huge. 

Secondly is better partnerships. Preferred partner status. And these preferred partner statuses come in all different kinds of shapes and forms. Whether it is, I get a better rate because of a payer who knows that I am checking and double checking and ensuring we're not trying to over-utilize care provided to a patient, or billing higher codes when they're really lower codes. They really start to look at that and go, you are my preferred partner. And then you also look at hospitals, or different contracts that you have. People want to do business with people who are ethical and have a compliance program. 

And finally, employees. Employees want to work, and preferred partner status, whether you like it or not, as an organization, as a company, your employees kind of consider you as their partner. I work for this company, they're either proud of it or they're not proud of it. And you want people to be proud of where they work and who they work for. Part of that is being that preferred provider. If you have a compliance program and you're trusted, then clearly people are going to feel like they are part of something bigger and special. 

And then lastly is that patient trust equity. Patient trust is really important to be able to start up in healthcare. If you don't have patients, if you're not taking care of patients, you've not given good quality care, and patients don't trust you, you're not in business for very long. The number one thing you see in compliance: people will read the headlines, they see them all over the place and go, do I want to go to someplace that's defrauding the government? No. 

You see this in the mal cases as well. The number one thing that doctors get sued on is not for bad care. It's because they were an asshole. And once you have pissed off a patient from that standpoint, I don't care what kind of care you are, you're gonna get sued. It just happens all the time. It's the same thing in compliance. If patients don't like you, you're not gonna do business. They're gonna make complaints. They're gonna do something against you that you need to actually repair that trust. 

Compliance in Day-to-Day Operations 

Interviewer (14:58) 

Two more questions. What about day-to-day operations? 

Ross Ronan (15:05) 

On the day-to-day operations side, compliance matters can go from being a huge disaster, if you didn't have a compliance program in place, to just another thing we manage in compliance. When I talk to a lot of CEOs and a lot of executive compliance committees, and we have pretty big issues that are out there, I'll say, this came up, this is happening. They're like, oh my God, what are we gonna do? We're gonna handle it, because we have the processes in place to be able to handle this. And stuff happens. It just happens all the time. We will deal with it, we'll mitigate it, we'll prevent it from happening in the future, and we'll disclose if we need to, we'll refund if we need to. We'll do all those things that we have to do. 

But when you don't have a compliance program in place, that thing is huge and magnified on a day-to-day operational perspective, because now you have this big disaster that everybody has to shut down and go deal with, versus a compliance program that's managing it on a day-to-day basis to make sure they become just matters that you handle. 

Executives on a day-to-day standpoint get to start running the business. They get to start looking at strategy. They get to start looking at growth. They start looking at ways to do things better and not having to worry about compliance regulations and statutes, because they know that they have a culture of compliance. They know that the compliance program is detecting, preventing, mitigating things that are happening. They're looking under rocks and things like that to make sure, and they'll let me know as an executive if something is wrong. But now I get to focus on the future. 

I had a really great conversation with one of my client's executives the other day, and all we did was talk about strategy. All we did was talk about growth. All we did was talk about how we can get there from that perspective. And he knew at the end of the day that we got the compliance stuff covered. Let's figure out where you want to go, and I can help to say whether or not you have compliance issues associated with it. That also positions the company for rapid scaling, to be able to say, how do we go into these new markets and how do we get this new business? And that's really important on a day-to-day perspective as well. 

Advice for Founders Starting a Healthcare Company Today 

Interviewer (17:12) 

Last question to wrap up. What's your advice to someone who's thinking about starting a healthcare company today? 

Ross Ronan (17:22) 

Think about compliance as a foundation. Obviously it doesn't have to be the first thing, but it has to be something very shortly thereafter. It can't be an afterthought, because once it's an afterthought, it costs a lot more and it takes a lot more time to be able to establish and build. Because you're not only building the compliance program, you're managing compliance issues that are coming up. Building the plane and flying it at the same time. No one really wants to be doing that. It's really nice to build the plane, test it, and then fly it. But if you're doing it as an afterthought, it takes a little bit longer, a little bit more cost, a little bit more expense. 

Find advisors and people who can guide you, who know healthcare operations as well as compliance. Without knowing healthcare operations and how it pertains to compliance, you're really doing yourself a disservice. One of the biggest benefits that I got in my career was to be able to become an executive vice president of operations and performance improvement for a company in the middle of my stint as a compliance officer. Did it upfront, did that for a while, came back to compliance. And when you do that, you really are able to understand the needs of the business in a compliance manner, and you can speak the language. So find consultants and advisors from that standpoint. 

Budget appropriately. Put the compliance budget in, commit to it. It's not a one-time expense. Even if you hire advisors and compliance consultants or whatever it may be, put that cost you're spending in your budget and just say, I'm gonna use that for my compliance program coming up. As a matter of fact, just set it and forget it, put that in your compliance budget and go. 

When you talk about compliance, don't cut corners. There's not a cheap way of doing it. There's an efficient way of doing it, and there's a cost-effective way of doing it, but there's not a cheap way of doing it. If you're going the cheap route, buying policies, putting them on your shelf, you don't have a compliance program. Number one thing, don't cut corners. Do it right, and you'll actually get that ROI and you'll get that compliance advantage. 

And then finally, do what you need to do to protect your investment. I talk about this a lot, protecting the investment. It's not just money. Yes, there are people invested in healthcare companies, and owners, and private equity groups, and venture capitalists, and I get all that. Even some CEOs have a vested interest and put their money in. I get it. But everybody who works for an organization has invested something in that organization, whether it's time, money, career, reputation. Protect those people's investment in that company by who they work for and how they work, what goes on their resume. People who have invested their money in there, protect that investment. Compliance will protect that investment for you, because they will be preventing, detecting, mitigating things that are coming up and making sure that you know what you don't know. 

As a startup, you're doing something, you're investing in something, you're looking at your career. You may want to sell it in the future, you may want to put it on your resume that you started this company and it was wildly successful. But that is an investment that you need to protect, and compliance can do that for you. 

Closing 

Interviewer (20:37) 

This roadmap is so practical. Ross, thank you so much for breaking it down so clearly for us. I think a lot of founders are going to realize that compliance isn't this mysterious, overwhelming thing. It's actually a very clear set of steps they can take to build a strong foundation. 

Ross Ronan (20:57) 

That's exactly right. And I hope what has come through is, it's not about perfection, spending lots of money on a compliance program, because it's really not about that. It's about doing it right, and it's about making the right decisions on a compliance program, and thinking about compliance as an advantage and a strategic partner that can help you grow a startup business and protect your investment. 

From that perspective, the healthcare entrepreneur that is thinking about compliance right off the bat are the ones that are gonna be wildly successful. And I've seen it happen over and over again. So this roadmap, hopefully, is a way to understand what you need to do as a startup from a compliance perspective. And again, you don't need to break the bank, you just need to do it right and don't cut corners. So hopefully this roadmap was able to provide that guidance. 

Interviewer (21:47) 

Absolutely. If you're building a healthcare startup, and this episode was helpful, we'd love to hear from you. And as always, thank you for listening to The Compliance Advantage.