Case Studies

The following case studies reflect actual engagements. Identifying details have been generalized to protect organizational confidentiality.


Case Study 1: Regulatory Turnaround – CMS Termination to Compliance in 30 Days

Situation

A 300+ bed acute care teaching hospital within a large multi-hospital system was on track for CMS termination — a designation that would have ended Medicare and Medicaid reimbursement and effectively closed the facility. Survey deficiencies were widespread across multiple TJC and CMS standard chapters. Leadership lacked a coordinated compliance governance structure, corrective action plans were incomplete, and staff at all levels were unprepared for regulatory scrutiny. Over $400 million in annual federal revenue was at risk.

Background

The hospital operated under both TJC accreditation and CMS Conditions of Participation. A recent triennial survey had generated immediate jeopardy findings, triggering a 23-day timeline for CMS termination. The facility had no centralized compliance tracking, no formal corrective action process, and no single point of accountability for regulatory readiness. Prior remediation attempts had been siloed by department with no executive oversight structure in place.

Assessment

Engaged as interim Regulatory Compliance Program Manager, reporting directly to executive leadership. Conducted an immediate enterprise-wide gap analysis across all 16 TJC and CMS standard chapters, prioritizing deficiencies by risk level and survey timeline. Established a Regulatory Oversight Committee (ROC) co-chaired with the CMO to create executive accountability and real-time visibility into compliance performance. Developed individualized corrective action plans with assigned owners, hard deadlines, and measurable completion criteria. Deployed targeted staff education and leadership coaching concurrent with remediation efforts.

Results

  • Removed from CMS termination track within 30 days of engagement
  • Over $400 million in annual federal revenue protected
  • Over $10 million in potential CMS HAC penalties avoided
  • CAP completion rate improved from 65% to 100%
  • 12+ regulatory surveys supported including TJC triennial, multiple DOH visits, and CMS complaint investigations
  • ROC governance model adopted for regional rollout across the health system

Recommendation

Sustainable compliance does not come from surviving a survey. It comes from building systems that make compliance the default state. The governance infrastructure built during this engagement was designed to function without the consultant in the room.


Case Study 2: Risk Management Department Rebuild from Vacancy

Situation

A state veterans healthcare facility had operated without a dedicated Risk Management leader for nine months. In that time, reportable safety incidents had gone underinvestigated, compliance monitoring had lapsed, and the facility faced an upcoming AHCA state survey and VA accreditation review with no coordinated readiness plan. Four executive functions — Risk Management, Quality Assurance, Regulatory Compliance, and Safety Officer — were either vacant or fragmented across staff without the authority or bandwidth to manage them.

Background

The facility served a veteran population under dual oversight from AHCA and the VA. Risk Management, Quality Assurance, Regulatory Compliance, and Safety Officer functions had historically been distributed across multiple staff members with no unified reporting structure. The nine-month vacancy had left incident investigations incomplete, compliance monitoring inconsistent, and no documented readiness plan for the upcoming state and federal reviews.

Assessment

Stepped into the Director role and immediately consolidated the four functions under unified leadership. Conducted a rapid assessment of outstanding incidents, open corrective actions, and compliance gaps. Built a facility-wide compliance monitoring infrastructure from the ground up, including real-time regulatory readiness tools, quality dashboards, and executive reporting protocols. Initiated a PSI-90 reduction effort through policy revision and workflow redesign. Prepared the facility for both AHCA and VA surveys while simultaneously managing active incident investigations and root cause analyses.

Results

  • Reportable patient safety events reduced by 30%
  • AHCA state survey and VA accreditation review completed with zero deficiencies
  • Facility avoided termination through rapid deficiency correction
  • Four executive functions stabilized and operational within weeks of arrival
  • Compliance infrastructure built to sustain performance beyond the engagement

Recommendation

A compliance gap is not just a regulatory risk — it is a patient safety risk. Rebuilding from vacancy requires moving fast without cutting corners, and leaving behind infrastructure that the organization can actually use.


Case Study 3: Data Privacy in Public Spaces – A Real-World HIPAA Exposure

All case studies are based on real experiences. Identifying details have been generalized to protect individual privacy.

Situation

While traveling through a busy Florida airport, a healthcare compliance professional observed a provider conducting patient calls from a crowded food court. The conversations were fully audible to anyone nearby: full names, dates of birth, cancer diagnoses, biopsy results. Anyone within earshot had access to information that patients almost certainly believed was private. The provider’s laptop screen was also visible to bystanders, and the connection appeared to be over an unsecured public Wi-Fi network. Three separate HIPAA exposure vectors – audible PHI, visible screen, and unsecured transmission – were happening simultaneously in a public space.

Background

This was not a cyberattack or a system breach. It was a provider operating without situational awareness of their environment. The risk was not technical – it was behavioral. And behavioral risk is harder to patch than a software vulnerability. Under HIPAA, covered entities are responsible for ensuring the confidentiality of protected health information regardless of setting. The Florida Information Protection Act (FIPA) adds a state-level obligation to take reasonable measures to protect personal information. Neither statute makes an exception for airports, food courts, or travel delays.

Assessment

  • No policy or training governing PHI discussions in public or remote environments
  • No requirement for privacy screens on mobile devices and laptops
  • No secure communication protocol for remote patient contact
  • No mechanism for staff to recognize or self-correct public PHI exposure

Response

The fix is not complicated, but it requires intentionality. Organizations should establish and enforce a clear remote work and travel privacy policy that addresses public environments specifically. Staff need training that goes beyond annual HIPAA modules – scenario-based education that puts people in situations like this one and asks: what do you do? Practical controls include requiring privacy screens on all devices handling PHI, mandating VPN use on any non-organizational network, and establishing approved channels for patient contact outside the clinical setting. Regular audits of remote work practices close the loop.

Recommendation

Compliance programs often focus on systems, documentation, and survey readiness. This incident is a reminder that patient privacy is also a function of daily habits and professional judgment. The provider in this scenario was almost certainly not acting with any intent to cause harm. That is exactly the point. Without deliberate training and clear organizational expectations, good intentions are not enough to protect patients.


Case Study 4: Engagement Design – Regulatory Readiness for a Startup Home Health Agency

Situation

A startup home health company in Florida engaged NurseDebb, LLC for regulatory compliance consulting prior to launching operations. The organization had three owners, a preliminary business plan, and a set of policies originally drafted under Washington State requirements. They needed a complete regulatory readiness assessment, Florida AHCA licensure pathway determination, policy remediation, and a compliance framework that would support both initial companion care services and future expansion into skilled nursing services.

Background

The client was in the process of converting from a Washington LLC to a Florida entity, with plans to utilize CNAs and HHAs for companion care as the initial service model. Future expansion was planned into wound care, catheter care, and medication management, all of which carry additional AHCA licensing and RN supervision requirements. Existing policies were Washington-based and had not been assessed against Florida statutes, AHCA rules, or federal Conditions of Participation. Critical business formation prerequisites, including Florida LLC registration and federal EIN, were still outstanding at the time of engagement.

Assessment

Developed a comprehensive four-phase statement of work spanning six to eight weeks. Phase 1 addressed regulatory assessment and strategic alignment, including the critical determination between homemaker/companion registration and home health agency licensure. Phase 2 covered full policy and procedure remediation from Washington to Florida compliance standards. Phase 3 focused on AHCA licensing readiness, application package preparation, employee onboarding frameworks, and operational workflow guidance. Phase 4 mapped the regulatory pathway for future skilled services expansion. The engagement design included structured prerequisites to confirm entity formation before commencement, milestone-based payment terms, a formal change order process, and clearly defined exclusions to protect both parties from scope ambiguity.

Results

The engagement was fully scoped and contracted but ultimately did not proceed to execution. Repeated changes to the project scope, deliverable expectations, and engagement terms by the client made it clear the work could not be performed as designed. The decision was made to decline the engagement rather than accept an unstable foundation that would compromise deliverable quality or introduce regulatory risk for the client down the line.

Recommendation

A well-structured engagement protects both the consultant and the client. In regulatory consulting, scope creep is not just a business inconvenience – it is a compliance risk. When the foundation of an engagement shifts repeatedly before work begins, the resulting deliverables cannot be trusted to meet the standards regulators expect. Knowing when to walk away from a shifting engagement is as important as knowing how to execute one. The work product developed during the scoping process – the SOW, compliance framework design, and regulatory pathway analysis – demonstrates the rigor required to build a new healthcare operation on solid ground.