top of page


The Best Cybersecurity Story OIG Has Published This Year Isn't About a Breach
A small hospital demonstrated that effective cybersecurity is achievable when organizations focus on prevention, detection, and response as part of their operational culture.

Jessica Zeff
3 days ago3 min read


OIG Isn't Starting with the Medical Record Anymore. It's Starting with the Data.
The future of healthcare enforcement is increasingly data-driven. OIG is no longer looking for a needle in a haystack. Analytics helps them identify the haystack before they ever ask for the needle. The organizations best positioned for the future will be those that review their data with the same level of scrutiny as the government.

Jessica Zeff
5 days ago3 min read


What Patients and Providers Should Know About Safe GLP-1 Telehealth Care
Interest in GLP-1 medications has grown rapidly, and with that growth has come an increase in organizations offering prescriptions through online platforms. GLP-1 telehealth has created new opportunities for patients to access care, particularly for those who face transportation barriers or limited provider availability.
The reality is that convenience should never come at the expense of patient safety, regulatory compliance, or sound clinical judgment.

Jessica Zeff
6 days ago2 min read


You May be Paying for Software. OIG May See a Referral Payment.
Healthcare organizations are increasingly using technology to streamline referrals, improve care coordination, and reduce administrative burden. This article highlights how responsible compliance professionals must balance these benefits with how they influence referral patterns and financial relationships between parties.

Jessica Zeff
Jul 103 min read


California's New Hospice Regulations Aren't Just About California
California has adopted its first comprehensive hospice licensing regulations, which include a sweeping set of operational requirements that touch everything from staffing ratios and administrator qualifications to geographic service areas and response times. Here's why compliance professionals across the country should be paying attention.

Jessica Zeff
Jul 82 min read


Compliance Culture Starts With People, Not Policies
When organizations talk about strengthening compliance, the conversation often begins with policies, training requirements, audits, and reporting structures. Those elements matter, but they are rarely what determines whether a compliance program succeeds or struggles.
The reality is that compliance culture is built through relationships.

Jessica Zeff
Jul 13 min read


Trust, Communication, and Privacy: The Human Side of Healthcare Compliance
When healthcare organizations discuss compliance, the conversation often centers around regulations, policies, audits, and corrective action plans. Those elements are important, but compliance programs ultimately succeed or struggle based on something much more fundamental: trust. The reality is that employees are far more likely to raise concerns, ask questions, and report potential issues when they trust the people leading compliance efforts.

Jessica Zeff
Jul 13 min read


Why Chasing HIPAA Certification Can Create Compliance Blind Spots
One of the most common conversations I have with healthcare organizations, vendors, and business associates revolves around a simple question: "How do we become HIPAA certified?" The reality is that HIPAA certification does not exist in the way many organizations believe it does.

Jessica Zeff
Jun 193 min read


Why Information Security Starts With Risk Management, Not Technology
When organizations talk about Information Security, the conversation often turns immediately to software, cybersecurity tools, firewalls, and monitoring platforms. While technology certainly plays an important role, the reality is that Information Security is fundamentally a management and governance issue before it becomes a technology issue.

Jessica Zeff
Jun 153 min read


Why Understanding State Medicaid Programs Matters for Healthcare Organizations
When healthcare organizations operate across multiple states, one of the first realities they encounter is that Medicaid is rarely a one-size-fits-all program.

Jessica Zeff
Jun 52 min read


A Records Project Turns Into a Privacy Puzzle
We’re in the middle of a records retention clean-up project—one of those dusty, backroom compliance jobs where nobody gets excited until someone discovers a red flag. In our case? It was this deceptively simple question: “How do we confirm whether a patient is deceased so we can apply our retention policy?” You’d think it would be easy. But in practice, determining a patient’s date of death isn’t always straightforward—especially when there’s no family notification, no claim

Jessica Zeff
Apr 173 min read


Use of Proxy Entities in Fraud Cases
Fraud schemes rarely rely on a single bad actor. A recent DOJ case shows how proxy entities—marketers, telemedicine platforms, and suppliers—can be layered to create the appearance of legitimacy while obscuring accountability. For compliance teams, the real risk often lives between organizations. Understanding how inter-entity relationships operate, and where oversight breaks down, is critical to detecting fraud before regulators do.

Jessica Zeff
Apr 103 min read


Phishing Simulations: A Teachable Moment—or a Warning Sign?
Phishing simulations are a critical awareness tool—but repeated failures raise an uncomfortable compliance question. At what point does a teachable moment become a real risk indicator? As regulators continue to focus on reasonable safeguards and workforce behavior, organizations must decide how to respond to repeat simulation failures. Doing nothing can signal tolerance for risk, while overreaction can undermine culture. The challenge is finding a defensible, documented middl

Jessica Zeff
Apr 33 min read


EMTALA Enforcement Is Alive — “Patient Dumping”
Federal EMTALA enforcement is back in focus. A recent DOJ settlement reinforces that hospitals remain accountable for screening, stabilization, and transfer decisions, especially when capacity exists. Regulators are closely examining how EMTALA obligations are handled in real time, not just in policy. For organizations, compliance now depends on whether workflows, documentation, and escalation processes hold up under scrutiny.

Jessica Zeff
Mar 273 min read


DME Proof of Delivery: What CMS Requires
Proof of delivery is a nonnegotiable requirement for DME POS claims billed to Medicare—but it remains one of the most common causes of audit denials. CMS requires clear documentation showing the beneficiary (or designee) actually received the item, with specific elements and long-term retention expectations. This post breaks down what valid POD requires, where suppliers often fall short, and how to reduce audit risk.

Jessica Zeff
Mar 203 min read


Same-Day, Same-Patient E/M Visits: What Happens When Providers Are Different Specialties?
Same-day E/M services by multiple providers can be compliant—or problematic—depending on specialty designation, documentation, and how claims are submitted. Medicare rules allow separate E/M billing in some situations, but the distinctions are easy to miss in practice. This post explains how CMS treats same-day E/M services, where organizations get tripped up, and what compliance teams should reinforce to reduce audit and denial risk.

Jessica Zeff
Mar 133 min read


Alexa, Are You Listening?
Smart speakers like Alexa and Google Nest are common in both offices and home workspaces—but they introduce real HIPAA risk. Because voice assistants continuously listen for activation, patient information can be captured unintentionally during calls, charting, or telehealth visits. This post explains why smart speakers create compliance exposure, how HIPAA applies, and what a clear smart device policy should include.

Jessica Zeff
Mar 63 min read


Attributed Patients Aren’t Automatically Your Patients: A Compliance Reality Check for Providers
Attribution lists are common in value-based care—but they’re often misunderstood. Being “attributed” to a provider does not automatically create a treatment relationship or grant access to a patient’s clinical record. This post explains where organizations go wrong, why pre-engagement record access creates real HIPAA risk, and how to structure outreach, role-based access, and documentation so compliance keeps pace with population health goals.

Jessica Zeff
Feb 273 min read


A Major Shift in Medicare Advantage Compliance Expectations
OIG has released new Industry Segment-Specific Compliance Program Guidance for Medicare Advantage — the first major update since 1999. While nonbinding, the ICPG signals enforcement priorities across risk adjustment, utilization management, marketing, FDR oversight, and access to care. For MA organizations and partners, this guidance serves as a blueprint for strengthening compliance governance before the next audit arrives.

Jessica Zeff
Feb 213 min read


HIPAA and SUD Records
Federal enforcement of 42 CFR Part 2 is now aligned with HIPAA, meaning substance use disorder records are fully within OCR’s enforcement authority. Organizations that handle SUD treatment data must understand how Part 2 differs from traditional HIPAA PHI and what this enforcement shift means for policies, consent, training, and technical safeguards. The deadline has passed. The risk is no longer theoretical.c

Jessica Zeff
Feb 213 min read
bottom of page
