Compliance Conversations Podcast: Pathways to Compliance

How did you end up in Compliance? What is compliance? How does one become a compliance expert? That sounds so boring (says every compliance professional’s children). In this episode of Compliance Conversations, our compliance expert, CJ Wolf, sat down with fellow compliance and HIPAA expert Brian Burton to discuss the many different paths folks take that lead to a career in compliance.

If you’re in compliance, you’ll smile and nod throughout this episode because you can probably relate so much. One of the most common topics among compliance professionals is how did you end up in this career? And the personal stories are always fascinating. Compliance isn’t usually a job that begins with childhood daydreams. Let’s be honest, first graders don’t typically sit around with their juice box in hand telling their friends that they can’t wait to stop a Stark Law violation, even though it would be fantastic if they did.

Honestly, most people don’t even know that a career in compliance is a thing (but our goal is to educate them because it’s a genuinely great career!), so the backgrounds can be really interesting.

Listen to this episode, “Compliance Conversations: Pathways to Compliance with Guest Brian Burton,” to hear our two very different paths to compliance. In this episode, we also cover:

    • Modern Compliance Certificates and Education
    • Daily Responsibilities of Compliance Professionals
    • Relatable Personal Stories About How All Roads Can Lead to Compliance

Listen Here


Episode Transcript

CJ: Welcome everybody to another episode of Compliance Conversations. I am CJ Wolf with Healthicity and today we are talking with Brian Burton, the chief compliance and privacy officer for Healthicity.

Question: Hey Brian, how are you?

Brian: I’m great CJ, good morning to you, and good afternoon or evening to those who may be listening to us.

CJ: That’s right and hopefully you’re not listening at two (2) in the morning. Sometimes people can’t sleep. Maybe we could be a good sleeping aid and we’ll put people right to sleep [laughs].

Brian: [laughs] that’d be awesome.

CJ: Well today, we’ve had a few people approach us with questions about:

Question: How do you get into compliance? How do you get into that as a career?

So Brian and I thought we would talk a little bit about that. Share how each of us has fallen into compliance. That’s how it seems like for a lot of people and then we can talk about ideas for other folks. I don’t think anyone grows up thinking, “I want to be a compliance officer.”

Question: Did you grow up that way Brian?

Brian: I didn’t, if I could have forecasted this as my career path, a complete surprise to me.

CJ: Exactly, and my kids will ask me sometimes, “Dad what is it that you do again?

Brian: And that’s the most difficult question to answer for people. I typically just try to explain to I work in healthcare and I try to make sure or try to ensure we’re following the rules, regulations, and laws that are applicable to healthcare.

CJ: Exactly, that’s what I tell my kids and they’re like that sounds boring [laughs].

Brian: Yeah and most people say, “What does that mean” and then I found that if I say, “Well, I make sure we’re following HIPAA.  And then that becomes clear.

CJ: Exactly. So Brian, if it’s okay with you let’s start with you. I’m interested in:

Question: How did you get into compliance?

You were probably doing other things before you got into compliance as a full-time professional. So tell us about the background and then the path that leads you into what you’re doing now.

Brian: It’s really interesting for me realistically because it was a complete surprise to me. I had no idea what compliance was other than I went to work for the healthcare system back in 2004. I was familiar with the code of conduct because I had to take that every year and I understood that we had a hotline and that was about it. My understanding of the code of conduct and the hotline was about the extent of my real knowledge of compliance for five (5) or six (6) years or so. But I was working in the technology department at the health system and had worked on a variety of things. Built data centers and did all kinds of fun stuff as an IT professional.

I moved into more of a project management role and then in 2009, I picked up a project, randomly assigned to me and my team, to orchestrate and build a new solution to manage payments to potential referral sources. And so this project, we integrated with our accounts payable solution and our contract management solution, created this hybrid database that crosswalked all of our AP payments to all of our physician contracts and their identified potential referral sources, and made sure all the payments to those potential referral sources were appropriate. That was my first real introduction to what it meant to be a compliance professional because as a project manager I had to learn the solution.

So not only did I have to learn the general financials and the accounts payable process but also had to learn what was “Stark”, what was the definition of a potential referral source. And how do we identify those, what is the procedure to identify them, how do we make all the technology work inside the contract management solution to identify those properly, and what I learned from all of that process, I had a much deeper understanding of “Stark.” That had the kickback statute and how it applied to us in that health system.

And then the conclusion of that, go ahead.<,p>

CJ: I was going to ask, you were on the technical side. Was there somebody from the compliance side involved from the start or were you asked to?

Question: Was there somebody from the compliance side involved from the start or were you asked to also learn all that?

Brian: I was reporting directly to the compliance department and the chief compliance officer there at the time as my liaison for that project. Of course, we had liaisons and worked with the CFO and their team and multiple members of leadership from the finance team. But I was organizing all of the meetings with all of those stakeholders to pull all of that information together and assimilate it. So for me, when I was managing projects like that I found I was more successful when I understood everything completely. So I just rolled up my sleeves and tried to study and learn and understand what was “Stark”, what was the anti-kickback statute, and how does this applies to our organization. Which is funny, I imagine you have a similar experience, when you have a compliance problem that’s what we have to do. We have to really understand the problem, how we solve it, and what remedial or protective actions can we take to protect ourselves.

CJ: And on that point, I was thinking about problem-solving skills. Before we started this I was thinking what are some important things on your pathway to compliance and what skills should people have and problem-solving was the number one that I came up with because you’re dealing with an issue and you’re trying to solve the problem.

Brian: Absolutely, and to make that long story shorter. At the end of the project the chief compliance officer at that company offered me a position on her team to transition from IT, and IT project management, to come work for her in the compliance department. And my first compliance role and responsibility was triaging hotline calls. From the first six (6) months or so reporting into that department, making the transition, I was the intake person for all of our hotline calls.


Just understanding what were the issues, allegations, and complaints that were coming into our department and then learning how to make that decision process on which function of our compliance department was best suited to investigate and then learn the outcome.

CJ: Yeah that’d be a great starting position for somebody in compliance because you get a nice broad overview of all the different things coming in. You might even find, “I think this subject, I hate that subject.” [laughs]

Brian: Yeah, and for me in that particular health system the volume of calls was… fortunately, we had a very healthy compliance program there. The volume of calls might be half a dozen to two (2) dozen a week. So we were getting lots of reports, and to your point, a lot of different various things that were being reported to our compliance program.

CJ: Yeah, so tell me a little bit about your schooling then or your training before the health. I mean were you trained for IT.

Brian: In my career, I guess I have a unique perspective or pathway. I joined the Army right out of high school and I happened to pick, in the Army, they allowed us to pick the job that we were doing and happened to choose a very technical telecommunications job. It required six (6) months of what they called advanced individual training. And where I really had, to your point, learn those problem-solving skills.  Don’t ask me to do this today but circuit board level sauntering and repair. Replacing resistors and things like that so I learned a very technical trade in my professional career and that transitioned into project management and then compliance.

CJ: I see. I was also thinking before we were going to meet what kind of pathways people come in. There’s no one typical path but I do see a lot of folks coming from a technical background. May IT expertise or information systems and that’s a really valuable skill set in compliance especially now with HIPAA security rules and those sorts of things. You talk about your background coming from a technical background and training from the Army.

Question: I’m kind of curious whether you think that skill set might lend itself to a career or path to compliance. What are your thoughts?

Brian: Yeah. I think that an iatrical part of having a larger and more mature compliance program is to have various compliance experts with various expertise and backgrounds. I was very blessed in my first compliance team. We had a very eclectic group of compliance professionals. Some were RNs and had provided clinical support, others came from the “HIM” department and that experience and background, and others came to us from the finance side, internal audit and provided those types of experiences and for me, I was the first person to join our compliance team that had that true IT background and to your point, it becomes an integral part of your compliance program as you translate the differences the privacy rules, the security rules, and the organizations overall HIPAA compliance program.

CJ: Yeah, I have seen that in a lot of compliance programs. You know I worked full time, in house as a compliance officer and also done consulting. What you mentioned is not very rare. A lot of compliance programs are made up of people from different backgrounds and skillsets. Like you get a lot of legal folks that are excellent in interpreting some of those laws and telling us where that right line is, like you said, clinical folks. I’ve seen people that come from a training background because one of the elements of an effective compliance program is training so they can assist there. I’ve even seen investigators. People who are…

Brian: Law enforcement.

CJ: Yeah, there was one person whose main job; about eighty percent (80%) of what she did were investigations with violations of internal policy or violations of retaliation and those sorts of things where you had to be very precise in your investigation. You’re interviewing people and those sorts of things.

I come from a clinical background. You mentioned RNs. That’s kind of where I came from. I’m like you, who would have thought. I didn’t know there was a career in compliance. But I started in the 90s in medical school where, I don’t know if you know but some of our listeners do about the “PATH” audits, these are the physicians at teaching hospital audits. And as a medical student, I was intrigued why we were required to get all this training and how we were documenting in the medical record because there were all these multimillion-dollar settlements at teaching institutions where the attending physicians were just signing the note and then they would get paid. So the whole thing about the “PATH” audits, the teaching physician rules piqued my interest. I ended up finishing medical school and starting a residency but then I knew I didn’t want to do clinical care and found an institution that was interested in hiring someone dumb enough to teach doctors about Medicare compliance and I guess I was dumb enough but that was my start. So I came from a coding and clinical background. Like you said there’s a place for all sorts of different backgrounds.

Brian: I couldn’t agree more. I think the strongest compliance teams, the compliance officer or the leader of that team is looking for that diverse set of skills and experiences. And then on the contrary we have our compliance programs that are very small. They come from, it might be five (5) or ten (10) physicians in their particular practice and they’re looking for one person to be the compliance professional and I always have a tremendous amount of empathy for that person.  Because their ask to manage a full-fledge compliance program and they don’t necessarily have all those tools and resources and I think that’s where at Healthicity we really try to step in and provide that extra level of support being an additional resource through the things that we do. The things you and I do together, the things you do and all the resources we put together that are out there on our website, and of course, we’re helping our clients every day with their instances of audit manager and compliance manager. Our advisory services solutions that we offer. I think that’s where my passion is at, is to be that extra layer of support for individuals who might not have the opportunity to have a ten (10) person compliance team.

CJ: Yeah exactly and even those larger teams don’t have all the in-house expertise. I think it’s good as a compliance professional to know where your strengths are and to know where you need assistance. And I don’t think there’s anything wrong with that. I think that’s actually a strength, to recognize when you can do things yourself and when you might want to rely on somebody else.

So a couple of other questions for you, we talked about problem-solving skills. These are some of the other skill sets that I thought were important. I’d love your thoughts and maybe if you know of certain backgrounds that might lend themselves to these, like communication skills. As a compliance officer, you have to communicate with frontline employees as well as executives and board members, analytical skills, anticipation to anticipate what might happen, and put human behavior down.

Question: Do any of those ring a bell with you?

Brian: Absolutely and I think, being a professional project manager, one of the things that I really about what the project management institute does is it really focuses on the people aspect of project management. And for me, coming from a really technical background, I really had to focus on interacting and communicating with various levels of individuals. I think back to my days as a project manager and I had to go back to the basement and talk to the introverted, very technical, very curt, and direct individual whose super smart and intelligent and capable of doing amazing things but really struggled with communicating with management. So learning how to manage those communications and going from talking to the super technical IT folks and then translating what they learn and what they inform us of and carrying that up to our management, senior management, and even the board. As a project manager really developing those skills translated well to a compliance profession because, to your point, we have to make ourselves available to the frontline staff, help them understand the rules, policies, and requirements that we have, understand their problems and challenges and help them resolve them and we also have to manage our communication and efforts with the management team in the organization and oh by the way we got to put on our jacket and tie and go to our board meeting and represent our compliance program.

CJ: Yeah so project management skills and you mentioned you’re probably certified in that.

Question: There are certifications right?

Brian: Yeah.

CJ: What a great skill because that’s really what compliance is, whether you’re setting up a new policy or investigating potential billing issues or, like your example, at the beginning of the project management system. All of those are projects and it’s managing people and processes and technology and deadlines and getting effective input, getting buy-in because in compliance we’re often perceived as a department of no you can’t do that so part of it is communicating and building relationships. So I think that would be a great skill set, project management.

Brian: It is and I also would encourage our compliance professionals to reach out to your organization and find your project managers. They can be one of the most valuable resources in your organization to help you effectively manage and communicate your compliance program.

CJ: Absolutely, one of the other skills that I mentioned was anticipation. This is something that I’ve found was really important. I felt like earlier on in my career it was almost a natural knack of anticipating okay if this is going to happen these are the three (3) or four (4) things that might happen four (4) months from now, six (6) months from now, ten (10) months from now and seeing into the future a little bit. Some of that comes with experience but some of it is trying to anticipate how humans are going to react, how our organization is going to react when this hurdle is put in place. So getting to know your organization and who the key players are, takes time but once you can get that anticipation skill down that’s a really important thing in compliance because you’re often trying to knock down roadblocks, build a coalition, and those sort of things. I found those skills to be really important too.

Brian: I couldn’t agree more. Staying connected to the legislative process, what’s on the road map, what enforcement actions are taking place, and then it’s not just reading and understanding the news of the day if you will for compliance and watching the roadmap change but it’s also understanding your business enough to know how your organization aligns to these regulatory changes or these enforcement actions and then building up the best responses to protect ourselves from those particular risks in our environment.

CJ: Yeah, I’ll give a good example of this. So when COVID started two (2) years ago some regulatory agencies were exercising their discretion on enforcement and some things were loosened a little bit. Maybe with telehealth, maybe with HIPAA, and the moment that was announced I was already thinking oh boy when this pandemic is over we somehow have to bring those horses back into the barn and that’s hard to do once people are like we’ve been doing this for two (2) years why do we have to stop now. That two (2) years was an exception during a public health emergency and so as soon as those exceptions are announced you have to keep track of them because you as the compliance officer are going to be expected to tell people when the spigot is being turned off and you have to start bringing those people back into the barn, those horses back into the barn and they’re not going to like it.

Brian: Absolutely and I think to that point, one of the things that I think we will see, and this is just my subjective maybe semi-qualified opinion. I think we’ll see more and more enforcement against CARES Act funding. We’ve already seen enforcement action on absolute, direct fraud, individuals or companies finding ways to manipulate CARES Act funding. I really believe the “OIG” is going to come back through and look at how every organization appropriated those funds and did we as an organization manage those funds appropriately and according to the requirement defined in each. For me in my personal experience, I think one of the most interesting things was how some and I’ll just use a hypothetical example if you will but a hospital association that has multiple affiliates, received some CARES Act funding and they’re looking to redistribute that to their members. Well, in many cases they were adding all these additional requirements that weren’t necessarily in the CARES Act legislation, and then you’d have to follow through all those requirements and ensure any of those funds we accepted were appropriately dispersed.

CJ: Exactly because any time there’s funding there’s red tape and to get those funds you have to certify to all the fine print and if you’re not reading and following through you’re going to get caught. We saw these ten (10) years ago, the meaningful use funding, and now we’re seeing all of the settlements of institutions that certified to meaningful use and now they’re saying those things back and they’re potentially false claims because you falsified the certification. And that cycle just repeats itself in compliance. One of the basic mantras is to follow the money. So if a lot of money is being dispersed now, or two (2) years ago with COVID, think of all the federal spending that was approved. There’s going to be a follow-up on that, as there should be. It’s your money and my money.

Brian: Absolutely, if I could transition because I had one important question I wanted to ask you. I have a little bit of personal experience in this area but I was curious about you and what you’re seeing in the academic world today. I know as compliance has matured since the mid to late 90 we’re now starting to see academic programs specific to healthcare compliance and it’s an avenue for a lot of new professionals who are just entering the workforce.

Question: What’s your take on academic compliance and programs that might be available?

CJ: It’s a great question, I’m glad you brought it up because there are some universities that are doing graduate certificates. Because you typically have a bachelor’s degree and then you go get a professional certificate and even some master’s degree programs in healthcare law and ethics and even in compliance. I know “HCCA” which does a lot of certifications for compliance officers, they’ve recognized certain programs. If you’re in that program it might meet some of the requirements having worked a certain number of years in the fields and those sorts of things required for certification. So there are definitely those and I also teach in an undergraduate university in healthcare administration and though that’s a broad degree for all healthcare administration we have classes specifically focused on law and ethics that I teach. And so even though you might not be getting the full certificate in healthcare compliance in an undergraduate setting you are getting exposed to that and it’s now a formal part of a lot of curricula for undergraduate degrees that you have some sort of law and ethics course and I love teaching those to undergraduates. But you’re absolutely right; some of the graduate certificates and even degrees are out there. So if people are interested in a career in compliance that’s one way to demonstrate your commitment to that path is by getting those certifications. So those are a great pathways for people who might want to set themselves apart and as you said in your question the profession has matured so before it was a bunch of people who just kind of came to it now people can actually purposefully think about it and say I chose a career in healthcare compliance.

Brian: Yeah it’s very interesting for me. Speaking from my personal experience there, I know I’ve had a number of interns that were finishing up their undergraduate degree, they’re considering law school, they might have an internship requirement in either a legal or compliance capacity and I’ve seen a number of interns come through our company and work with us as their approaching law school or the decision to go to law school and really try to get an idea of what it’s like to be inside a healthcare system managing a compliance program. And I’ve seen a number of those folks transition from that internship to compliance professional careers.

CJ: Absolutely and to the point of internships, “HCCA” will occasionally post on their job board internships that are available. I would suggest to those of us that are in leadership positions in compliance programs, to try to make internships more available and build that next generation of compliance professionals.

Brian: I agree and for me, there’s such a passion for helping people learn and understand because you and I can’t work forever. I want to pass the baton on to a qualified population of compliance professionals that have that broad experience. I don’t think we’re going to be able to recreate the early 2000s and the Wild West if you will the way it was in compliance because we were all just trying to figure it out as we went along. I came to the profession a little later than that in 2009 or 2010 or so but we were still really figuring things out. There were substantial changes forthcoming to HIPAA, enforcement connections and “Anti-Stark” kickbacks were huge back in the early 2010s. I don’t know that we’ll be able to recreate that experience for compliance professionals coming into the world today but what we can do to prepare them to be flexible and understand the world of compliance is constantly changing. For me, that’s what makes it most interesting.

CJ: Yeah I agree because there are always new things to learn and it keeps it fresh. As we are coming to the end here I’ll ask if you have any last-minute thoughts but for those who are listening and maybe younger, I think there’s a real future still. I think the world of compliance is growing, it’s not shrinking. It’s getting more established not less so I really think that young professionals have a great opportunity to succeed in the field of compliance.

Question: Do you have any last-minute thoughts, Brian?

Brian: I do and your comment takes me back to a session we did a few months back and how compliance translates to patient safety and patient trust. Really and truly, why I love this field, I’ve struggled to put a bandage on a child but what I can do is help mature a compliance program and that healthy and mature compliance program translates to better patient safety and better patient trust, improving the overall healthcare delivery in most communities.

CJ: Yeah, absolutely there’s a connection there.

Brian: And I think an individual looking to get into compliance or a new start, a new career, having an opportunity to have that kind of influence in your community. You can come to join our profession and be a compliance professional and have that type of impact in your particular community.

CJ: Absolutely, and we are both passionate about it. Feel free to reach out to me or to Brian. I think he’s offered that in the past. Thanks, Brian for your thoughts, and thanks to everybody for listening to another episode of compliance conversations we’ll talk to you next time.

Brian: Thanks, everyone.

Questions or Comments?