Why Compliance Case Management Is the Backbone of an Effective Program
Healthicity
Share:
compliance, compliance program, compliance officer, podcast, compliance program guidance, Case Management
Many organizations believe they are handling compliance issues effectively — until they have to prove it.
True compliance doesn’t just happen in meetings or email chains. It lives in how issues are logged, investigated, documented, and preserved. Without a structured approach to case management, even strong compliance efforts can fall apart under regulatory scrutiny.
Effective compliance case management allows organizations to:
- Capture every issue or hotline report in a consistent way
- Track how each concern was reviewed and resolved
- Store evidence, communications, and decisions in one place
- Identify patterns and trends across departments and issue types
- Demonstrate compliance during audits or investigations — even years later
Organizations that rely on ad hoc documentation, spreadsheets, or scattered systems often struggle to reconstruct the story when it matters most. A centralized electronic case management system not only improves efficiency — it protects institutional memory.
In a regulatory environment where demonstrating compliance is just as important as achieving it, strong case management isn’t optional. It’s the backbone of the entire program.
Tune in to this podcast episode with Jessica Zeff, Founder & CEO of Simply Compliance, for a firsthand look at compliance case management.
Episode Transcript
Welcome, everybody, to another episode of Compliance Conversations. I'm CJ Wolf with Healthicity. And today's guest is Jessica Zeff. Jessica, welcome.
Hi, thanks, CJ. Is this a good time to introduce myself?
Yes, we're so excited to have you. And that's exactly what we like our guests to do is tell us a little bit about yourself. I know you know you've been on a webinar with us, you with Healthicity, you've done some other work. And so, but tell us about what you do, what where, you know, how you got there, or whatever you want to share in that regard. Sure. Thank you.
All right. So I run a healthcare compliance consultancy called Simply Compliance. Uh, and I work very closely in partnership with Healthicity to do some of its compliance activity. I get to work with really cool clients on all kinds of different kinds of compliance-related projects. Uh, and that's generally what my business does. I've been in the healthcare compliance space for, dare I say it, 25 years. Wow, good for you. I know. Well, it's been a really exciting career. Like that's the thing about healthcare compliance. You get healthcare and compliance, and there's so many different aspects of this thing we call compliance. It's a bit of a beast, right? Uh, but there are so many opportunities to test yourself, to learn, so many different challenges, so many ways of contributing. So I say a career of 25 years, but it's been quite the ride. And in that time, I've had so many different experiences and perspectives. Um, it's been wonderful. And ultimately, I wanted to take all of that, test myself again, see if I could turn it into a business. And that's brought me to where I am now in this really great relationship with Health the City, where we get to talk about what we love. This thing called compliance.
Yeah. And let me ask you just a real quick question about simply compliance. Do you guys have a sweet spot? Is it general compliance, all sorts of areas, or any any more detail you want to share on that?
So I'm trying at the moment to keep it quite generalist. So we're aiming for smaller to mid-sized companies, really helping do compliance and privacy assessments, uh, work with risk management, identify where the compliance gaps are, and then help those organizations to address those gaps. So whether it's developing a compliance or privacy program, whether it's writing policies or procedures, or developing an audit program or risk management, any of that, uh, those are where we're putting our efforts in. But to be fair, you know, I've spent my career, you know, part of the challenge and the fun for me is trying different things, learning about new organizations, meeting new people. And there's no one way of doing compliance. Like that's the wonder of it. Um and so being able to work with so many different organizations and never knowing exactly what you're gonna be pulled into is really part of the joy and being able to contribute and critical think and problem solve and help organizations uh to get there. It's it's part of the fun. So I haven't really drawn too many boundaries around simply. Um I guess like any business, eventually you figure out, you know, maybe there are core aspects that you want to focus on. But for me, and the person that I am and the organization I want to run, yeah. Um part of honestly, the joy and the fun of it is to try different things with different types of organizations. So, and where I don't have necessarily expertise, I bring in other colleagues to help and support. So that's that's another aspect of the business.
Excellent. And I I totally agree with what you're saying. You know, we know there's these seven elements of an effective compliance program, but we're always taught, you know, by enforcement agencies and just our experience that you have to customize it for that organization. And so each job looks different, and so that is enjoyable for me too. So I totally understand what you're saying. And then I'll add that you also seem to be a um collector of beautiful scarves, and so in the back. So very good.
It's autumn, it's winter time, it's scarf time. You know, a friend once taught me a trick. Once we all started working from home and doing these Zoom calls, I thought, why do you? And I told her, I said, why do you always look so glamorous on every meeting? And she said, Jess, you collect scarves, you throw it on, and it makes you look glamorous in an instant. So I've taken her advice. It helps decorate my office. See, it's actually an act of laziness, right? And then my husband doesn't need to know how many scarves I have. There you go.
Well, I think it's beautiful, very good, very well done. Oh, thank you. Yeah, so um, we're gonna talk about something that's near and dear to your heart in the compliance space, which is compliance case management, as we're calling it. So why don't we just jump into that and you tell us what it is and why is that an important part of a compliance program?
Okay, so I learned a long time ago, and I I do love this topic. I think it's one of the biggest uh challenges that I've seen again and again. And part of me doesn't truly understand why, and part of me does. So, like I said, I've been in this space for just about 25 years. And when I first started out in this thing that we call healthcare compliance, I didn't even know it was compliance, but I traveled around hospitals and health systems with teams to assess the quality and safety of care. And what I realized is that people have a really difficult time understanding how to collect evidence or information to demonstrate compliance, right? And and there, and and some of it's a challenge, right? You're trying, there's so many things you're trying to do in a healthcare environment that collecting evidence isn't always top of mind while you're trying to save someone from dying, you know, in the OR, right? So I completely get it. But one of the biggest challenges that I saw is this idea it's very difficult to demonstrate compliance for people not understanding how to demonstrate compliance, not thinking ahead, planning ahead to demonstrate compliance. So when we have a regulator coming in, you know, how are we going to demonstrate uh that we're doing the things that they're expecting of us? And I have found that again and again in every organization that I've gone into, and I go in to run their compliance and privacy program or build it. And again, I see a real issue around, first of all, there's a lot of stress and tension with regulators coming in with audits, and some of that's deserved, maybe even a lot of it, right? Right. Except that having had the experience of working as a regulator and knowing what the regulator is looking for and trying to see and how that evidence should be presented and sitting in that regulator's shoes, right?
Right.
I've worked with organizations and and different teams to say, well, hold up. When you have compliance issues, how are you demonstrating that you're addressing them?
Right.
It's not okay, it's not sufficient enough to say we've addressed it. Well, as a regulator, how do I know that? And what I found really frustrating is that you I've gone into organizations and there's no system, there's nothing. So, and when we call, so what is case management? What are we really talking about? So you have you can have all case management can mean different things in different contexts, right? So let's call it compliance or even privacy. To me, privacy falls into a realm where case management is very possible. What is it? It's a means of logging that there was a compliance or privacy issue and being able to demonstrate that you followed a process to manage that issue and having the evidence to back it up. And when you think about case management, um, you need to think about what it is you're managing. So to manage compliance cases might be a little bit different than managing privacy cases, right? So privacy, you might want to gather, you need to think about what information am I going to need to gather and evidence later on for compliance. And that might look different for compliance issues than it does for privacy issues, where there are all kinds of deadlines and requirements, maybe state and there's a risk assessment that needs to be done, and there are timelines for reporting under HIPAA and all this other information. But the point is case management is about having a system where you can uh log issues that come up and how you've responded, and you can keep your evidence in one place. Now, you can do this. I mean, old school, we used to do it on paper and manual. Exactly. The problem with that is number one, you know, you can lose the information quite quickly. Number two, it's very hard to do any kind of analytics. So again, when you're trying to demonstrate compliance or you're trying to identify, hey, uh, I don't know, how many fraud cases did we have? Where are they coming from within the organization? You're trying to identify risk. It becomes much harder if you're doing everything manually. If you're using a case management system, an electronic one, the benefit, right, is number one, you can see who in your team is managing what. Uh, because you can assign cases, you can run all kinds of metrics. How many cases are coming in? What are the big hot topics? Where in the organization are they coming from? When in the year are they coming from? Are they coming from outside the organization? Are they privacy? Are they fraud? Are they conflict of interest? Are they claims? There's so much more you can do to target your compliance program and allocate resources and provide education. You also have an element of consistency because if you do it right, you've built your case management system to reflect your policies and procedures. So hopefully you can tell, you know, you know that because the system is built a certain way, you're ensuring to some degree a level of consistency in how your team is managing cases and how those reports are being generated. So to me, that's very important. I need to know that we're following our policies and procedures. And I'll take it even a step further as a manager, as a leader of teams who do compliance and compliance casework in terms of then being able to audit. It makes my life so much easier. I've got all the information in front of me. I can then say, hey, I'm gonna do a sample. I'm gonna look at who's managing what cases. I don't know, I'm making this up. I'm gonna look at three cases a month from each staff member of my team. I'm gonna give them some feedback. If I'm really lucky, you know, I can even include that feedback in the case management system so that I now have evidence that says, hey, you know, we do manage our cases, we've got all that evidence, but now I've taken it a step further and I can show you that even within our compliance department, we do quality checks. Here's what it looks like.
Right.
Right. And I this has come from experience. I mean, I have experience of building, uh working with developers and actually building. I've been very lucky in that sense. I've had opportunities to build exactly what I wanted in order to manage privacy and compliance cases in the way that I thought really would demonstrate compliance and help us ensure consistency. So that's why I really get excited around case management. It makes it very easy to look up particular cases. And A, you can say, you can prove, hey, this is the case that came in, here's when it came in, it took us this long to resolve, here's everything that we did, and you can sit it in front of a regulator. And not just that, it's not just me or a member of my team. If we all win the lottery and we go off on, you know, we go to the Bahamas for a fun two weeks, and that's when OCR or the OIG or whoever it is comes in to audit us, you know, someone else who has access to the system can easily see, hey, we can handle this, we can respond. And combined with your policies and procedures, they should be able to respond. So there are so many different benefits to the case management process, um, particularly an electronic case management process. And it excites me. It really does. I feel that um those organizations who are fortunate enough to have seen the benefit and have the resources to invest in some sort of I call it case management, right? But other people might call it compliance management, or there are many different ways of describing software that yeah, like a tracking system. Yeah, it could be, yeah. But incident management, yeah, but it's the functionality. Um, and I don't, it just makes an organization their compliance function run so much more efficiently. And the resources, I mean, what organizations don't often realize is that you are spending resources no matter what you do. So why not spend it more effectively? Yeah, invest in that electronic system. You are going to get a much, whether you see it or not, you're going to get a much bigger return on your investment than you realize. Compliance is difficult, right? We don't tend to generate revenue.
Exactly.
But but, and it's hard to quantify how much we're protecting our organization. It's hard to put a price tag on that because you're preventing issues from happening. And I suppose, you know, if you really wanted to, you could do an analysis of, hey, we prevented X and it might have cost us Y. But essentially, you know, we're not necessarily seen as revenue generators. But the truth is, certainly, electronic case management, it helps to understand risk. It helps to respond to audits and investigations much more efficiently. Think of all the time and the resource and the effort that is saved by your compliance team, by maybe your legal team when you use a case management system.
Yeah.
So I know I've waxed on for a long time about this, but I can't help it. It's like a passion project.
Yeah, and I agree with you. You know, in addition to all the positives that you mentioned, I've seen too, you know, you it helps when you're reporting um metrics and trends to like a board, a governing board. Yes. Um sometimes it can help you justify um needing more resources. You could say, look, we've had X number of complaints come in. We're only we've only been able to take of this, take care of this many in this short period of time because we don't have the resources. Here are 20 others that are going uninvestigated. How would you like us to deal with that, board? What would you want us to do? The other thing that I find beneficial is on time-sensitive um cases, you already alluded to this where maybe it's it's privacy or something, and you have a deadline that you have to either uh self-disclose or or report to OCR or something. You can usually, in most of these electronic systems, you can usually tag them with a time-sensitive flag or or some sort of deadline saying, you know, each day it counts down. You have seven more days, you have six more days, you have five more days. And that might be true for privacy. It could be true for if you're returning claims and trying to meet that 60-day repayment rule when when you know you have to repay within a certain number of days. Or, you know, some people in compliance also use some people put under the umbrella of compliance or people are wearing multiple hats some patient safety issues. And if those are in your case management, a lot of times patient quality and safety are in different systems, but I've seen organizations combine them and they might have different timelines. They might have to report to the state or you know, to a nursing board, or this or that. And so I find it really helpful to, like you said, it helps you get your arms around all of the issues, to divvy them out appropriately, to monitor how quickly they're getting done. And then to your point, how well they're being done, you can check your staff and those sorts of things. So I think it, I think it's really a helpful tool. Um, to that point, so once a concern is reported, what would you say from start to finish is an effective process for case management? What is what does that look like to you? Are you you're triaging, you're assigning, like what does that process start to finish?
So from the point that you get, well, first of all, I'll make this point. I'm not a big fan of keeping clinical patient information in the same system as compliance and privacy issues, right? To me, they for security reasons, for privacy reasons, they should be kept separate. So I'm just putting in that plug.
Yep, good.
Yeah. Uh, and I've seen there are challenges, there are a number of challenges there. But going back to the questions, uh, the question that you raised, from my perspective, the the clock, so to speak, starts ticking the moment uh a member of the compliance team or the legal team, whoever is handling the compliance issues or the privacy issues, the moment we hear from that, that issue goes into the case management system. Even if there's no underlying uh problem or challenge or concern. The point is you're trying to, what you're demonstrating is you have a process for receiving concerns and issues, for investigating them. And the case management system isn't just about demonstrating, you know, the cases that you found some compliance gap. It's about saying, no, we have a process for identifying issues, period. Sometimes there might not be an issue, or maybe it's an HR-related issue that came in through the compliance hotline, but we still have an obligation and our records have to match, right? So if something came through the hotline and our processes, we put all hotline calls into the case management system. Well, the numbers have to add up. So even if you're putting something into the case management system and saying, okay, well, we've got to investigate this, and that's what your case management system hopefully is helping you to do. The great thing about case management and what it should be doing is helping you to keep all of those records. Hey, you know, I got this call on the hotline, it seemed to be about HR. Okay, you put it into the system, contacted the director of HR, handed it over, we discussed, blah, blah, confirmed it's an HR issue. Here's a copy of the email. We're closing this. It's not not a compliance issue, so we're gonna close this. Or, you know, there was an allegation of a privacy breach. Uh, someone called in from, I don't know, client services, sent us an email about a we called the patient on such and such a day, or the member or the client on such and such a day. We got the details, there's insufficient evidence to support the allegation. Um, and so we're closing this case at the time. Or, you know, we notified information security, and here's attached their emails or notes of our conversation, and this is what we concluded, and there's nothing here. Those are all issues you want to document and demonstrate.
That's right. Yeah, such a great point. I I totally agree. And in my experience, a lot of issues that come into like a hotline, or many of them turn out to not be issues we have to investigate. Maybe the person reporting it doesn't know the complete process. Like I a lot of times with billing issues, somebody will report and say, Oh, we're we're billing this wrong. They don't know that on the back end, before the claim goes out the door, we have a claim scrubber, we have people looking at this, and the claim actually went out appropriately, but from their from their limited perspective, they only saw this. But to your point, it's a way to communicate concerns because we don't want anyone to be silenced. We want them to report any concern. And just honestly, a lot of them won't turn out to be actual compliance issues per se.
So well, and also how do you build trust? Like that's another thing. It's not like compliance always has the greatest reputation. We love it, but to be fair, not everyone loves us, right? So there's a lot to be said about building partnership and trust. And one of those ways is by taking people's concerns seriously, whether you know, there's a lot whether they come to you and they're not sure, and being able to say, hey, but we looked at this, you were brave enough to come and talk to us. The least we can do is look into it, and that really fosters that kind of trust culture. When people see that often enough, yep, and eventually someone's gonna come to you. Not that you wish for this, this you're not looking for wrongdoing or gaps, but when it counts, when it really matters and there's a compliance issue, you're building up that goodwill, that trust, I don't know what to call it, that someone hopefully, yeah, hopefully they feel confident enough to come to you and say, Hey, can I talk to you about something? I I don't know whether I've got it right or not, but can I talk to you?
Exactly. Such an important, such an important thing. This has been great so far. We're gonna take a quick break and come back and talk some more about this important process of of case management and compliance. So uh hang tight, everyone, and we'll be back shortly. Welcome back from the break, everybody. We're talking about case management and compliance processes. Uh Jessica, I'd love to know because you do a lot of this with clients and you probably see good examples of case management and bad examples. What are some common pitfalls that you see that organizations run into when managing compliance cases? Are there are there some common errors or mistakes that you see over and over?
Yeah, there are a couple. So I think I'd I'd almost pin it down to three. Um number one, not having a case management system, period. Exactly. Like that to me, and I suppose given how long I've been doing compliance, I and it's unfair, but in my heart of hearts, I I have a hard time coping with this. I almost understand how it happens, but I think because you and I live and breathe enforcement action and compliance, uh, it's so embedded in us to be able to provide evidence, to show evidence of managing concerns and issues. It is hard to fathom that that you might have an organization that doesn't, but it's actually not abnormal. There are organizations that just don't have one, they they don't know, they do what they do, and that's really fantastic, that's great, and they they don't know, um, they don't have the skill set necessarily or the awareness. Um, so that that's a big issue that I see, particularly in smaller providers, which which I get, right? Resources are limited, expertise is limited. The other issue that I see is that um the data inside the case management system isn't correct. Or, like, for example, cases are uh misclassified, fraud is called conflict of interest. I'm making this up. Or uh and so that what that the problem with that is is that when you go to run analytics, you're not getting a true picture of where your risks are and where they're coming from, or maybe uh we're getting multiple reports that things are coming from the marketing team when really they're coming from client services. And the issues will be different, and also, you know, if it's coming from client services, well, what's going on there? What's the problem? It's a very it suggests an underlying issue that may be quite different. Um, and so not really saying, okay, we have this case management system, that's great, but not really paying attention that the data going in is correct. And often that's because staff aren't trained properly. You've got to have and you've got to agree, you've got to have a system that says, hey, this is how we're going to document issues, and you have to define the issues, define how you're going to categorize them, and you have to make that available to the team. Uh, you have to have, I know it's painful, like I get it, but you really do have to have a kind of handbook because you're trying to ensure consistency. And there are ways of developing that handbook. You use your team, they're the one that use the system every day. So there are ways of doing that that don't have to be horribly painful, right? But you do have to agree a certain set of principles. How will we document? How will we classify, right?
Um can I on that point, can I throw in um something that I've seen? Because you're right, it has to be consistent, especially if you're in a large organization. I was in a very, very large organization. We probably had 60 compliance staff um reporting up to one compliance officer. And what you just described can be an issue if somebody enters this as a coding issue or a billing issue or a privacy issue, and it's not truly that category. So we had to kind of develop, like you said, a handbook or a glossary of these are what the categories are. And then the other thing that we did is just about anyone could enter an incident in the system, but before it was accepted and approved with those assignments and categories, there was a manager level that signed off and said, Yeah, based off of what you described, that is that does fall into our agreed upon category of X. Or no, that's not quite where we want this categorized, we want it and Y. So I think having a system that allows for some oversight within the compliance department to kind of build that consistency could be a really good thing.
And that is exactly what I was gonna say last. The biggest the other third issue that I see is that again, you know, you have organizations that say, Oh, we've got this system, and it's not just about compliance, it could be any database, any system. Right. And there's no oversight or quality assurance. That's why I talked about audit before the break and having that function that can show you're reviewing the records because, and I know it's hard to find time to audit. Like I get it, I've been there, right? Yes, but it's crucial because how do you catch and how do you retrain your staff if you're not doing that supervising, that auditing function? So those are the three things I see not having a case management system at all, or not training your staff. So, what is the saying garbage in, garbage out?
That's right. That's what I was thinking when you were saying that.
Yeah, garbage in, garbage out. And then third, really not taking that extra step, that final step, to do just a little bit of a review. That's not to say you review every case, do a sample audit like you would in any other compliance activity. Um, but be able to give that valuable feedback to your team when they need it.
Well, and in the large organization that I worked for that I was referring to, we would meet once a week as a compliance group. Um, and there would be a report of these are all the things that have been entered into the system over the last week. And and we would pick out one or two that were questionable, and as a group, we would review that. And so, you know, we would sometimes determine, oh, you know, that should have been assigned to this instead. And here's the reasons why. You know, we're not we're not trying to shame anybody, but we're trying to build consistency that so that we're all on the same page. And I found that that activity was really helpful um in in kind of building that what you just said.
We did something I've done very similar. I've always been cautious because I I don't want anybody to feel they're being picked on. So I'll try to phrase it as, you know, I I didn't do a good enough educating, or we missed this as a team, and we're always learning and growing, and and that's the point. Yes. Um but I've always found that little piece challenging. Yeah. But the group exercises, though, the case studies are really helpful. They're great discussions. You get good feedback from the people who are using the system as well about what's working and what's not. So sometimes those cases are tricky. They're not straightforward.
That's the point.
And having the benefit of how you could make it better. Yes, a great part of the exercise.
Yeah. And to your point, maybe rather than calling people out on real entries that were made, you look at some of those and you find the common mistakes, and then you create a hypothetical and you say, okay, as a group, this just came into the hotline. How would we all let's work together and say how we would enter this into the system, right? So then in that way, you're not really calling anyone out on a specific error or something, but rather you're moving forward and saying, given this set of facts, how would we all categorize it? So that could be a way about that. So we've kind of talked about some of the pitfalls. I'd love to hear then is there, can you share an example maybe of a case that was handled really well? Like what made it successful? Like how do you define, oh, that's a gold star case management example, if you have one.
Well, I have I have a lot, I think, but I mean some of it depends on whether, you know, if you're audited or you're investigated. Um, one that I can think of is that, you know, I worked for an organization where the Office for Civil Rights uh had had a complaint uh that we were um not supporting a certain patient uh with uh who had a hearing who had a I think it was a visual impairment. It was a visual impairment. Um, but the truth of it was we had done everything we could. But so I'll set the scene. We get the investigation letter right before Thanksgiving. Of course it lands on my desk because I'm the component.
As you're heading out of town.
I know it was what it was truly, truly horrible, serious. And OCR, they have this thing where you know, they want you to present your evidence in a very certain way. And there's an archaic way of doing the pages. So they want a book, they want your evidence. Let's pretend it looks it looked like a book, is what it was. And every page has to be numbered. Well, think about that. If and they have to be in numerical order. So think about all your policies and procedures that you would normally include. Well, let's say you've got a hundred pages of different policies and procedures, they've got to read one to one hundred.
And they're one through seven, one through seven, one through six, one through twelve.
They don't accept that. And you're, you know, you might be having screenshots or training records or e copies of emails. They all have to be numbered and they have to be numbered sequentially. So that was a huge challenge, right? Wow. And our legal team had to review everything before it went out, and there was a deadline. Well, the deadline was something like January the 2nd. I am not kidding, to conduct an investigation. Lots of people had already gone away. They were gone for Thanksgiving, gone for the winter holidays. So I'm just setting the scene a little bit to give you an idea of what happened. Well, I had my team and I, like I said, we'd been very fortunate enough that the organization had given me the resources to build our own compliance case management software. So that's what we had done. And I'm not gonna lie, it was hard. There was no way of saying it. But what I did have was all the evidence. I'd I could demonstrate, so I had to do an investigation. I got this complaint, I had to do an investigation, I did interview people, I did look for documentation, but one of the great aspects of it was that a lot of the documentation was already right there in the system of everything we had done, of all the conversations we had had. And so I was able to lean on that. First of all, I could go in right away and say, hey, we had a case like this. I don't know the patient's name because that's not how we kept our records, but I know we had a case. Let me search, let me find. I found the case. So from that, right from the get-go, I could say, Oh, here are the notes, here's what happened, here's what was done, so that when I raised it with the board, I could say, we got this complaint, but I was already informed, right? I knew who had already been involved in the project. I had records of what had been done in the conversations, we had engaged an external consultant, I had all of their records, I knew who they were. So it sped up the investigation process and just made me more uh I when I reported and when I spoke to people, it came from a position of uh relative strength already. I knew what I was talking about. And it sped up the investigation. Um, and then it really helped me to be able to pull information. It was all right there for me, not all of it, I'm lying, but so much of it was there for me, right? So the challenge then became almost technical, you know, learn making sure that I presented the information. I had it all, but how do you then present it to the to the regulator, which is a different beast, right? I had already solved at least one third of the problem, and that is accessing the data, right? And the next was pulling it together into a story, and the next was the pagination and making sure we FedExed'd it and it was recorded. But I don't know what I would have done without the case management, without those records and all of that information. I would have had to have run around trying to figure out if anyone had heard of this case, uh, who had been involved, uh, what what what had gone on at a time when no one really was around. And we had used an external vendor. How would I have found them?
Right.
And so, and I didn't have a lot of time. That that was the thing. It was horrible. Um, so that's a great example. I can't begin to tell you how meaningful and how helpful um having that system there was for me and my team at that time.
Yeah, uh, such a great example. Jessica, we're kind of getting towards the end of our time. I think we could probably talk about this for forever, um, and it would be interesting. But unfortunately, we are kind of running towards the end of our time. Any last-minute thoughts or advice or I don't know, kind of key takeaways? Anything that you feel like you'd like to share as we come to a close here shortly?
Only that if you're an organization that's kind of sitting on the fence uh about a kind of case management system, but you're also stressed about if you ever get audited, or you know, you really do want to understand where your organization can do better. It's not a bad thing to invest in a case management system. Do you need something that has every bell and whistle known to humankind? No, but even something basic will pay dividends. I know it's an investment, uh, maybe at the beginning, but it really does pay off later. Um, and if anyone ever wants to talk to me about it, I'm more than happy to have that discussion. Um, and I I get there are pros and cons. Um, and there are a lot of different, you know, we're all trying to juggle so many things. But when I think about a compliance or privacy case management system, I feel that that's fundamental to a strong compliance program, really and truly.
Yeah, it's kind of like I don't know how I would do my daily work without a computer, right? It's like that, it's like I use it every day. It helps me organize, it helps me keep me straight, it helps me calendar, it helps me do. It's like, I think that's how I sometimes look at a case management system is it's kind of like the backbone of the of the work that we're doing on a regular basis. It's the way we document it so that we could tell the story five years later if we get investigated. Because most investigations happen, you know, and you're looking back multiple years. Um, so I I kind of feel it's kind of like a backbone to a lot of the work that we do in compliance.
Well, there's so there is so much when you think about where risks might emerge.
Yeah.
Right? They could be from internal audit, external audit, it could be from, you know, a member of staff, an employee, it could be from someone outside of your organization. Like it can come from anywhere, information security. How can you possibly manage all of that and demonstrate that you responded to those issues without something to help you manage? You can't, is the bottom line.
Yeah, such a great point. Well, that that's a good message to to end on. Uh, to our audience, we're gonna, you know, we'll include uh contact information for Jessica and and her firm if you feel like they might be of help to you. Uh, she's invited you to reach out. She likes to talk about it. And I think she has some expertise, obviously, and and years and years of experience here. So I hope that you you reach out to her. Jessica, thank you so much for being a guest today.
Thanks, CJ, for having me. And I'm normally a quiet person, but I've been gabby today.
That's good. That's hey, this is compliance conversations. We want you to gab. So thank you. I know.
It's been a lot of fun. Seriously. Thank you for having me and giving me this opportunity. It's been great.
Absolutely, absolutely. And to all of our listeners, um, we always make this invitation at the end. If you know of a guest that might make a or a person that might make a good guest, we we welcome your uh input on that. Send us an email. Or if there's a specific topic that you really want to hear about, uh please let us know that as well. And we'll we'll search for expertise out there. Uh and until next time, everyone, take care.
Questions or Comments?