Why Healthcare Compliance Risks Often Live in Plain Sight
The discussion outlines common mistakes compliance teams make, what regulators actually expect, and how organizations can demonstrate integrity and oversight without assuming that “no news is good news.” These insights are especially relevant for hospitals, physician groups, and compliance officers navigating audits, payer inquiries, investigations, and enforcement activity in an increasingly scrutinized environment.
Why This Topic Matters Right Now
Healthcare compliance risk is no longer defined solely by formal audits or government investigations. Today, risk often emerges quietly—through overlooked correspondence, routine workflows, and assumptions about how work gets done.
Increased enforcement activity, sophisticated payer analytics, and heightened False Claims Act scrutiny mean that small missteps can escalate quickly. What once might have been resolved informally now carries the potential for prolonged audits, prepayment review, or referrals for investigation.
At the same time, healthcare organizations are more complex than ever. Communication flows through multiple departments, documentation is heavily automated, and compliance teams are expected to oversee processes they don’t directly control. The result is a growing gap between policy and practice—one regulators increasingly expect organizations to identify and address proactively.
This issue affects:
- Compliance officers and compliance managers
- Internal audit and risk teams
- Revenue cycle and billing departments
- Clinical leadership and physician groups
- Hospital systems and multi-site practices
When organizations miss early warning signs, the consequences can include:
- Escalation of manageable issues into enforcement actions
- Missed deadlines and incomplete responses to payer inquiries
- Documentation that fails to reflect actual services provided
- Expanded audits, prepayment review, or investigation referrals
That’s why this episode focuses on a critical but often overlooked reality: compliance failures rarely begin with bad intent—they begin with blind spots.
Key Takeaways from the Episode
What Most Organizations Get Wrong
Many compliance teams assume that if a process exists, it’s working as intended. In reality, the most common compliance failures Amy Bailey sees stem from unexamined assumptions.
A frequent example is frontline staff handling payer correspondence without adequate training. Mailrooms, administrative teams, or accounts receivable staff may receive audit notices, SIU letters, or refund demands without recognizing their significance. When those communications aren’t escalated promptly, organizations lose valuable time—and control of the narrative.
Another common mistake is relying solely on documentation review to assess risk. Documentation can look compliant on its face while masking workflow issues, overuse of templates, copy-forward practices, or misalignment between what was documented and what actually occurred. Traditional audits often fail to capture this disconnect.
Finally, many organizations underestimate the importance of physician engagement. When clinicians are not actively involved in compliance conversations, informal practices can become normalized—without visibility or oversight.
What Regulators Actually Expect
Regulators don’t expect perfection. They expect awareness, accountability, and responsiveness.
Key expectations include:
- Effective oversight across departments, not just within compliance
- Timely identification and escalation of risk indicators
- Training that reaches frontline and operational staff
- Audits that reflect real-world workflows, not just checklists
- Demonstrated efforts to understand and correct root causes
Importantly, regulators recognize that compliance failures often arise from process breakdowns—not intent. But when organizations fail to identify obvious warning signs or cannot explain how decisions were made, those breakdowns start to look like negligence.
Inaction, delay, or overreliance on surface-level audits can be just as problematic as noncompliance itself.
Practical Steps Teams Can Take Now
Compliance teams can reduce hidden risk by:
- Mapping how payer correspondence actually flows through the organization
- Training frontline teams to recognize and escalate high-risk communications
- Auditing multiple encounters for the same patient to detect documentation patterns
- Incorporating metadata and audit trails into documentation reviews
- Engaging physician champions in compliance oversight and decision-making
- Testing assumptions through real-world process reviews
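Two of the steps above, reviewing several encounters for the same patient and folding audit-trail metadata into the review, are mechanical enough to script. The block below is an added example; it is not code from the episode, from HBE Advisors or from Healthicity. The audit-trail field names (`note_opened`, `note_signed`), the sample encounters and the thresholds (two minutes of authoring time, 0.9 word overlap) are assumptions constructed for illustration; a real EHR exposes different event names, and a reviewer would tune the thresholds to the specialty and the note type.

```python
import re
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Encounter:
    """One visit note plus the two audit-trail events the review needs.

    note_opened / note_signed are assumed field names standing in for the
    EHR's own audit-trail events; the real names vary by vendor.
    """
    patient_id: str
    encounter_id: str
    note_opened: datetime
    note_signed: datetime
    note_text: str


def tokens(text: str) -> set:
    """Lowercased word set; keeps forms like 'a/p' and '138/86' in one piece."""
    return set(re.findall(r"[a-z0-9/]+", text.lower()))


def jaccard(a: str, b: str) -> float:
    """Word-set overlap: 1.0 for a verbatim clone, 0.0 when no word is shared."""
    ta, tb = tokens(a), tokens(b)
    if not ta and not tb:
        return 1.0
    return len(ta & tb) / len(ta | tb)


def authoring_seconds(e: Encounter) -> float:
    """Wall-clock time between opening and signing the note, per the audit trail."""
    return (e.note_signed - e.note_opened).total_seconds()


def review_encounters(encounters, min_seconds=120, clone_threshold=0.9):
    """Return review findings for encounters spanning any number of patients.

    Per patient, notes are ordered by sign time and each note is compared with
    that patient's previous note.  Two checks: authoring time too short to have
    written the note, and near-verbatim overlap with the prior visit.  Findings
    are leads for a human reviewer, not conclusions.
    """
    findings = []
    by_patient = {}
    for e in encounters:
        by_patient.setdefault(e.patient_id, []).append(e)

    for visits in by_patient.values():
        prior = None
        for e in sorted(visits, key=lambda v: v.note_signed):
            secs = authoring_seconds(e)
            if secs < min_seconds:
                findings.append({
                    "encounter_id": e.encounter_id,
                    "issue": "short_authoring_time",
                    "detail": f"note signed {secs:.0f}s after it was opened",
                })
            if prior is not None:
                overlap = jaccard(prior.note_text, e.note_text)
                if overlap >= clone_threshold:
                    findings.append({
                        "encounter_id": e.encounter_id,
                        "issue": "cloned_from_prior",
                        "detail": f"{overlap:.2f} word overlap with {prior.encounter_id}",
                    })
            prior = e
    return findings


# Constructed sample notes and timestamps, not real patient records.
HTN_NOTE = (
    "CC: follow-up of hypertension. HPI: reports good adherence, no chest pain, "
    "no dyspnea. Exam: BP 138/86, heart regular rate and rhythm, lungs clear. "
    "A/P: hypertension, controlled; continue lisinopril 10 mg; recheck in 3 months."
)
COUGH_NOTE = (
    "CC: cough x 5 days. HPI: productive cough, low-grade fever, no shortness of "
    "breath. Exam: T 100.2, scattered rhonchi, no wheeze. A/P: acute bronchitis; "
    "supportive care; return if worse."
)
SAMPLE_ENCOUNTERS = [
    # P001 visit 1: note written fresh, about six minutes in the editor
    Encounter("P001", "E1", datetime(2024, 3, 4, 9, 2, 0), datetime(2024, 3, 4, 9, 8, 30), HTN_NOTE),
    # P001 visit 2: same text pulled forward and signed four seconds after opening
    Encounter("P001", "E2", datetime(2024, 4, 8, 10, 14, 0), datetime(2024, 4, 8, 10, 14, 4), HTN_NOTE),
    # P001 visit 3: a different complaint, documented in about five minutes
    Encounter("P001", "E3", datetime(2024, 5, 13, 11, 30, 0), datetime(2024, 5, 13, 11, 35, 10), COUGH_NOTE),
    # P002: a single visit, so no prior note to compare, but signed in 45 seconds
    Encounter("P002", "E4", datetime(2024, 3, 4, 13, 0, 0), datetime(2024, 3, 4, 13, 0, 45), HTN_NOTE),
]

if __name__ == "__main__":
    for f in review_encounters(SAMPLE_ENCOUNTERS):
        print(f"{f['encounter_id']}: {f['issue']} ({f['detail']})")
```

On the constructed data this flags E2 twice (four seconds of authoring time, verbatim overlap with E1) and E4 once (45 seconds), and leaves E1 and E3 alone. A high overlap score between two visits for the same chronic condition can be legitimate, so the output is a worklist for a clinically literate auditor; the shadowing described later in the episode remains the only way to confirm what happened in the room.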
This approach shifts compliance from reactive to proactive—allowing organizations to demonstrate oversight before regulators ask questions.
Episode Chapters / Timestamps
00:00 — Introduction
02:00 — Where compliance risks really begin
05:00 — Frontline breakdowns and missed escalation
09:00 — Documentation that doesn’t match reality
13:30 — Physician buy-in as a compliance control
18:00 — Audit blind spots in electronic environments
22:00 — Enforcement and audit trends emerging now
28:00 — Final recommendations for compliance leaders
CJ Wolf: 00:00
Hello, everyone. Welcome to another episode of Compliance Conversations. I am CJ Wolf with Healthicity. And today's guest is Amy Bailey. We're really excited to talk to Amy about some really good ideas and topics. Amy, welcome to the podcast. Thank you for having me. Yeah, we're excited to talk to you. And we really appreciate your time, your experience, and the background that you have that gives us some really unique perspectives on some of the things we'll talk about. But before we get to our topic, we always like our guests to have an opportunity to tell us a little bit about yourself, whatever you're comfortable sharing, who you work for, what you do, if you want to. Feel free to share some of that.
Amy Bailey: 00:42
Sure. I am the owner of HBE Advisors. HBE is a compliance consulting firm for healthcare providers. We work with hospitals, physician group practices, and third-party billing entities in an array of compliance contexts. We do routine compliance work, we assist providers with self-disclosures or response to investigations from payers, OIG, DOJ. And then we also serve as a corporate integrity agreement IRO for entities that are subject to corporate integrity agreements. I've been doing this for 26 years. We practice nationally and I'm happy to be here.
CJ Wolf: 01:36
Awesome. Well, that's a great background. You know, I spent a lot of time in-house working for hospitals and health systems. And then, like you, for the last eight years or so, I'm doing consulting. And what I have found is, you know, I had kind of a certain perspective when I worked in-house for a system. And now that I'm consulting, you're probably the same, you're working with clients all over the country. So you probably see the spectrum, right? You see the really bad, the really good, and then everything in between. So I think that gives you a lot of value add. I'm sure you probably feel the same way.
Amy Bailey: 02:12
I do, I do. And I think by nature of the type of work that we do in terms of like False Claims Act investigations or doing the IRO work, it gives us a lot of good insight into the government expectations and what they're looking for and how they audit and how to respond. So when you're helping a client with what I would call proactive compliance, it's good insight for them.
CJ Wolf: 02:41
Yeah, because you can usually tell them, okay, this is what I've experienced when things go bad. So let's help you prevent things from going bad by doing this.
Amy Bailey: 02:50
Right.
CJ Wolf: 02:51
Awesome. Well, that's a little bit about what we're gonna talk about: some of your experiences and some of your lessons learned and those sorts of things. And I think you're also gonna be speaking at the HCCA Compliance Institute, right?
Amy Bailey: 03:06
Yes, yes. I'm gonna be speaking twice at the HCCA Compliance Institute this year. I have a session on lessons learned from SIU investigations, and then I am also going to be talking with a former person from the Office of Inspector General on managing corporate integrity agreements and the dynamic between the IRO, the OIG, and the client or the subject entity. And so I will be sharing my wisdom in both of those sessions.
CJ Wolf: 03:44
That's awesome. Well, I'll have to make sure I look at those. I'm speaking as well. And if I don't have a conflict, I'll have to jump in one or both of those sessions. So thank you. So let's kind of jump in a little bit. So, you know, again, you have this vast experience. And so maybe at a high level, you can help us learn from your experience. What are some of the largest or these hidden kind of compliance risks that might exist in an organization that we as compliance leaders might often overlook? Like we've got blind spots too, right?
Amy Bailey: 04:17
Sure, sure. So I think, and because it's been a repetitive theme across several of my clients the last few years, I think some of the places where things get overlooked are really that frontline team in an organization. I don't think compliance as a general rule is often down interacting with the folks that are receiving the mail, as an example. And so things get overlooked, and we have found several instances in my clients where things have blown up from a compliance perspective because the first people in the organization to know or to receive correspondence that would indicate there's a compliance problem weren't appropriately trained and really aren't kind of in that compliance inner circle, if you will, and it's resulted in some fairly bad outcomes. And so what I mean by that is a lot of organizations clearly do not have a good handle on, you know, the mail team and who's receiving correspondence from payers. What avenues does that correspondence come in from? How quickly are they circulating it? Are they really critically looking at that correspondence to know, is this something that really requires escalation or not? And a couple of very recent examples that I've had: we had a client that was receiving mail correspondence from an SIU, but they did not know that SIU meant something different than just the regular payer name. And so that didn't get escalated. The response to the SIU inquiries wasn't as appropriate or fulsome as it needed to be because compliance didn't get looped in. And what started as probably a small issue that could have been resolved easily blew up into a 100% prepayment review that lasted over a year because that critical first-line team didn't know what to do with that correspondence or how to recognize it.
I also had a situation where we were conducting an internal risk assessment for a client, and as part of that, we asked just to look at payer correspondence, and we wanted to gauge what types of payer correspondence are you getting, what are the payers looking at, how efficiently do you respond to these requests, what are the outcomes, how successful you're being. And as part of that process, we discovered some letters from Medicare requesting refund of overpayments, and we could see the AR team just issued the refunds, compliance wasn't involved or notified, and we specifically asked them, okay, why did you not escalate these overpayment demands or requests? And the response was, you know, very confident that this is a routine request. These were all routine requests. We get these all the time. The problem was within those overpayment requests, the letters contained bold italicized statements that were all direct quotes from the False Claims Act, such as you knew or should have known these claims were false. But the team had not been educated in a way to discern those types of statements to signal to them that this is not a routine request, this is a high-risk communication that should have been escalated immediately.
CJ Wolf: 08:55
That is such a good example. And like you, I've been doing compliance for decades now. And I remember, so I was doing compliance before the recovery audit contractors program existed, or the RACs. And as that was announced and as we were trying to get our system ready, what you just said is something we focused on. Okay, when a request comes in, the payer sends it to whatever generic mail room address you used when you applied with them. It doesn't say attention compliance officer, attention compliance department. So, like you said, we had to train who those frontline folks would be to say, look, if you see anything that looks like this or like this or like this, you need to send it to these people right away. And because a lot of these requests have timeline deadlines and they might be 60-day deadlines. And if you get it to us three weeks late and we have to submit records for 100 encounters, that takes time.
Amy Bailey: 10:00
Right, right. I agree. I don't think it's a part of the compliance process at every organization to really get in there and be involved with the mail and that department and make sure that they're regularly trained. I have clients that have now done kind of test letters or dummy letters, if you will, where they are pushing it through the mail room to test those responses to see how long is it sitting there, did we route it appropriately, you know, those types of functions to make sure that they aren't missing that component, because they've had some escalating, what I would call compliance failures, or had situations that blew up into something much more than it needed to be because we failed with the "just get the mail where it belongs."
CJ Wolf: 11:02
Yeah, such a great example. Great example. Let me shift gears a little bit and ask you. So I'm an MD by schooling. I left the clinical route and got into compliance and have been doing compliance for, you know, decades. And so I love this next kind of thing we wanted to talk about, which is what are some lessons you have learned about gaining physician buy-in, right? Because that is a critical aspect of compliance. They have a lot of control over what gets ordered, what gets done, documentation, they hold sway with leadership. So, what are some of the things you've learned in that regard?
Amy Bailey: 11:40
A few things. I think for compliance or even revenue integrity coders, I think for them to be successful, there has to be a couple of things going on. One, they have to have physician partners or champions to lead by example. And I think the physician partner champions they pick are very important because they need to have someone that's, you know, well respected within the group and the organization, that has sufficient seniority and political capital to really be effective. And it's got to be a physician or physicians that truly do want a partner and are gonna invest the time to learn, review the rules, ask insightful questions, and then be able to take that information and articulate it intelligently to their peers. I think I've got some clients that have been particularly successful in this space where they've set up physician-led committees really to drive clinical documentation, coding, and revenue integrity. And so the committees are almost all physician participants. You have a compliance expert and an HIM expert to help provide the authoritative guidance and help drive some of those discussions. But then all of those decisions are being made at that physician committee level, and that has really helped with kind of the narrative of, you know, compliance is the bad guy. It's really helped get better engagement and far less pushback from the physicians when changes are required, particularly ones they perceive as big changes. And so I think that's been very successful where that's being done. And then I think the other piece of that has got to be financial components tied to it. 
I think clients that have set up physician incentive comp programs that are truly based on what I will call compliance metrics instead of productivity metrics, where physicians are being held accountable for their documentation quality and their coding accuracy, where we're really now incentivizing them to do the things we really want them to do, and we're focusing the attention where it needs to be. And that's in line with the current guidance and push from the Department of Justice and OIG, where they're saying, you know, you really have to have these incentives and penalties, and they should be tied to financial metrics. And I think we're seeing, at least in the entities that I've been in that have gone this direction, they have a lot more physician buy-in than the ones that kind of have a more hands-off approach of, well, we can't make our physicians upset.
CJ Wolf: 15:20
Yeah. Well, and that's such a great point. I had a client that I helped develop a program where they were productivity-based, right? So clinicians are incentivized, you know, to get more RVUs. But what we put in there, and of course with clinical leadership as a strategy, we talked about the strategy first. We said if our internal auditors or external auditors find that we have to return funds because the documentation is not appropriate, that comes out. You know, every doc loves to get the extra bonus, but to have skin in the game, look, if we as an organization have to return those funds, you don't get that bonus. That has to be retracted. And so to your point about having these incentives and disincentives, you know, that is so important. And you mentioned the OIG and DOJ have shared that in guidance.
Amy Bailey: 16:14
Right. And I agree with the clawback approach. That's obviously a concept that DOJ has raised as well. I know we have organizations that are struggling with that, that have had to make significant repayments, but their physician contracts don't really have any purview to claw that money back. And so now they're in a process of, when we're ready to recontract with these physicians, we need to start adding those provisions. And so I think it's important, because I don't think it's been done historically, that compliance be involved in some of that kind of recontracting and restructuring of the contracts to permit some of that type of financial penalties.
CJ Wolf: 17:10
Yeah. Such a great point. These are great points. We're gonna take a quick break and we'll come back and talk some more. But everyone, stay tuned. We'll be right back. Welcome back, everyone, from the break. We've been having really good discussions with Amy about lessons learned and some really good practical ideas to strengthen compliance programs. Amy, if we could kind of move on, let's talk about how, you know, again, I'm kind of old, so I remember the days of paper. But we're now in this current electronic environment. So, any recommendations or ideas on best practices for auditing, given now that we're in this current electronic environment? Your thoughts may or may not include things about AI, but just kind of in the broader sense of electronic, what do you think?
Amy Bailey: 18:05
Sure. And I think obviously going forward, everybody's gonna want to shift to some type of AI assistance. I've got mixed thoughts on that right this minute. I think it's gonna be great for some things, maybe not so great for other things. I think the one thing that has really been driven home to me through various compliance, kind of what I would call whoopses, at organizations is the absolute need to do provider shadowing. What we're finding is, you know, compliance issues get raised about, you know, providers are billing inappropriately, they're billing level fours, level fives, their billing patterns appear to be aberrant, and compliance or revenue integrity is coming in and they're doing chart audits and they're saying, well, okay, it looks good. The provider, you know, wrote a lot, the provider wrote enough to be a four or sometimes a five. We think everything is fine. And what we had, because this came up with a particular client, is they had a compliance concern raised. That was really the crux of the issue. And when compliance reported back to the individual that had raised the complaint, some more information was provided and said, well, what I'm really concerned about is just the overall accuracy of the documentation. I don't think it really is reflective of the work that's being performed. And so a decision was made to do some shadowing as part of this investigation, where the compliance auditor did have a lot of clinical knowledge and experience and went and shadowed and basically served as their own scribe and recorded the encounter and then compared that to what the physician's completed encounter notes reflected, and then we found an enormous disconnect. The physician was documenting and relied heavily on macros and templates and copy-paste and pull forward. 
And so what we were seeing is, on the face, documentation that perfectly aligned with the codes that were being assigned, when in reality the physician was barely stepping into the exam room, having a conversation with the patient for two or three minutes, leaving, and the encounter notes reflected something different entirely. You will never be able to identify something like that without doing some shadowing or having somebody in that room to compare what the output is. I would also say compliance people tend to do their samples where they'll look at, you know, 10 patients, they're all 10 different patients. We've looked at a single encounter from each one of those patients. And I don't think it really gives you a great picture into what's truly going on from a provider behavior perspective. And so I think the need to audit multiple encounters across single patients becomes important because then it really illuminates bad behaviors in terms of copy-pasting, cloning, and it gives you some insight into how well a provider is really documenting the unique work that they're performing at each encounter. And I just don't think compliance teams are doing that type of approach enough.
CJ Wolf: 22:02
Yeah. That's such a good point. I was actually on a call with a client this morning. We were talking about macros, and to your earlier point about having a physician champion, we actually had a physician champion in the room. And one of the decisions that was made was, rather than use kind of this pull-forward mechanism, they created an electronic medical record and they were trying to balance still making it operationally convenient for physicians, but also driving home that it's a conscious decision. So what they ended up doing is, yes, they had some drop-downs, but the clinician had to individually select what they're doing on each and every part of the exam and what they say they're doing on each and every part of the assessment and plan. So the whole thing in a block is not being transferred from visit to visit. And their electronic medical record has an audit trail that could show, nope, on this day, at this time, the clinician intentionally chose this, this, and this. And so I think that, you know, some people still might have trouble with that. But in my opinion, that's a little bit safer than just saying, oh, we just took the whole note and put it here. You could demonstrate that, no, on each and every element, we designed the electronic medical record such that a conscious decision had to be made.
Amy Bailey: 23:24
Right. And I think you raised a good point in terms of looking at the metadata or the audit trail, too. I think that's also something compliance professionals should be incorporating into their audits on a more regular basis because it does give you great information. Did the provider spend, you know, five minutes creating their note or did they spend three seconds? And I think that tells you a lot.
CJ Wolf: 23:51
It does. It does. I want to get to our last subtopic, if you will, because we're getting kind of close to the end of time. But I think this last question is probably the most important because, you know, let me set a little bit of stage here. I was driving down this road and I saw this police officer, you know, in a speed trap. Fortunately, I was obeying the speed limit. After I had gone to my errand, I came back on the same road, and that same policeman had pulled somebody over for speeding. So people always talk about where are the speed traps, right? And we tend to behave better when we're on a road where we know police tend to always monitor that. So, what I want to ask of you, because the OIG, DOJ, no one has unlimited resources to look at everything. So we can learn a lot from what are some of the current enforcement trends, what are some of the current audit trends? And since you are dealing with multiple clients, a lot of us that are working, if we were just working in-house, we only see what's coming in for us. But let's say you're working with 20 clients simultaneously, you're seeing, and you're like, oh, on the East Coast, they're asking for the same thing as this and this. And you can kind of probably see trends. What are some of the enforcement and audit trends that you're kind of seeing across your clients?
Amy Bailey: 25:12
Sure. And that's a good question. And you do see trends, you start seeing a lot of similarities across the types of information the contractors are asking for, which makes sense because they all share information and they're all getting it from the same sources. So I would say, and I don't think that these are going to be surprises to anyone that's paying attention to any of the government sites, but I would say chronic care management has been big. I have seen so many chronic care management audits coming out of Medicare specifically. Medicare annual wellness visits. We've had a lot of clients get audits for Medicare annual wellness visits. Same with skin substitutes and just wound care in general. That's obviously been a hot button issue for many, many years, and it doesn't seem to be slowing down at all. The other place I will say I've seen a lot of activity, and at a much higher level, like from a DOJ type level, is around HCCs or risk adjustment coding, and not just directed to the payers, specifically directed towards healthcare providers and, shockingly, not just hospitals, but physician group practices as well. So that's something I know a lot of providers, once you're out of that kind of inpatient hospital space, a lot of providers don't focus a ton on their diagnosis coding. All of the EMRs are really helpful now with flagging your HCCs and making them bright red and reminding you to do something with them. And I think physicians aren't really thinking about the downstream risk and implications there. And so we've seen a lot of what I would call alarming activity in that space. And then, back to your AI, I think almost every client I have, without exception, is getting hammered on AI E/M downcoding. Just absolutely hammered. So I think the ability to be able to run data analytics around that and start thinking about how do you proactively combat that and address it is going to be really important for clients.
CJ Wolf: 27:48
So what you mean by that is that payers are doing AI reviews and they're downcoding. Yep. Gotcha. Okay.
Amy Bailey: 27:56
On a wide, wide, wide scale and hundreds of encounters. And so for providers that don't have a lot of internal resources to go fight this, or they don't have a lot of good data analytics around what's been billed, what's been paid, looking at these trends, it could become a big problem for them financially because E/M is most providers' bread and butter.
CJ Wolf: 28:27
Yeah. Yeah, you know, and I kind of was joking with a client about this, because one of the clients that I work with, they are using AI to help bolster their E/M documentation. And then the payers are using it to try to. I said, this is gonna just become a war of AI versus AI, whereas 20 years ago it was physical coder, physical human being against auditor at the payer side. So it's like we're still doing the same fight, but now we're using AI to file.
Amy Bailey: 28:56
Right. Right.
CJ Wolf: 28:58
Right. And I don't know if it's just me, because maybe I attract these kinds of clients, but one thing that I've been getting a lot of requests for is medical necessity of urine drug testing. Kind of the whole quantitative, qualitative argument. Is it medically necessary to just automatically do these, you know, quantitative after you've done qualitative and stuff? And so really interesting on these trends. But the ones that you mentioned, it's like, okay, she gets me, because those are the ones I'm seeing too. So that's actually validating for me. I'm like, okay, it's not just me, others are seeing the same patterns. Yeah. Well, awesome. Well, Amy, this has been so insightful. If you have any last-minute thoughts or guidance that you'd like to share, we'd love to hear that. We're kind of coming to the end of our time, but any last-minute thoughts?
Amy Bailey: 29:52
I think my thoughts are really just that the onus on compliance professionals increases exponentially every year with the expectations from the government for you to become more sophisticated, more evolved. And I think figuring out how to address these issues from all aspects of your organization and working with departments that compliance maybe hasn't always had such a close relationship with is going to become very important.
CJ Wolf: 30:29
Wow. Great, great words of wisdom to kind of end our podcast today. Thank you so much for taking the time to share your experiences with us.
Amy Bailey: 30:38
Thank you for having me.
CJ Wolf: 30:40
Yes, and thank you all to our listeners for always listening. We love to get your feedback. We kind of say this at the end of every podcast: if you know of a speaker that you think would be good for our podcast, please help us get connected with that individual. Or if you know of a topic that you'd like to hear more about, we'd love to hear that. And we'll include Amy's contact info in the show notes. Obviously, you've learned today that she has expertise here. If you feel like she can be of assistance to you, please reach out to her. And thanks everyone again for listening. Until next time, take care.