Case Study #1 — Mental Health • Florida
Helping a Healthcare Office Become Audit-Ready in Days
The Situation
Several years ago, I was working with a large franchise-based healthcare group. It had more than 100 offices, each run on its own. My role was to help those offices understand and put in place the policies, procedures, training, and records needed to meet HIPAA rules and get ready for audits.
Like many franchise systems, some locations took on the compliance process right away. Others struggled to fit it in among the many duties of running a healthcare practice.
One office had been very hard to reach. For about six months, I tried to connect with them through phone calls, emails, and voicemails. Despite many tries, I got little to no response. In time, as often happens with large-scale rollouts, I shifted my focus to locations that were taking part in the process.
Then everything changed.
Out of nowhere, I got an urgent call from the office. The team said a state auditor was set to visit in just a few days. The audit would decide if the practice met the rules needed to keep its business license.
What first sounded like a routine request for help quickly became something much more serious.
The Challenge
As I began reviewing the office’s compliance standing, it became clear the situation was far worse than anyone had expected. The location had fallen far behind on key compliance tasks. It lacked many of the items that auditors commonly expect to see during a state review. Records were incomplete, required tasks had not been fully done, and several important items were still unfinished.
To make it harder, there was very little time to correct the gaps. The office was not asking for help months before an audit. They were asking for help days before one. There was no time for lengthy planning sessions, group meetings, or complex project steps. Every hour mattered.
The team was clearly stressed. They worried about the audit outcome and their ability to meet state rules. They were unsure where to begin. Like many healthcare practices facing a coming state review, they felt crushed by the amount of work still ahead of them.
The challenge was not just helping them become HIPAA compliant. It was helping them get audit-ready before time ran out.
The Solution
The first step was to create order out of chaos.
Rather than trying to tackle every compliance issue at once, I did a rapid review of the office’s situation. I found the areas with the greatest risk. From there, I built an action plan focused on the items most likely to affect the upcoming audit.
I worked with the office manager to set clear duties, deadlines, and goals. Instead of handing over a long list of gaps, I broke the work into steps the team could finish within the limited time they had.
Just as important, I made myself fully open to them. I opened my calendar and urged them to book as much time as they needed. We held frequent meetings to review progress, answer questions, and clear roadblocks. When doubt came up, we dealt with it right away rather than letting it slow us down.
One of the most important parts of the work was keeping focus. In cases like these, practices often get distracted by low-priority concerns while critical compliance gaps stay unresolved. I kept steering attention toward the items that mattered most for the audit. I helped the team see exactly why each task was important.
At the same time, I worked to ease stress and build trust within the office. State audits can be scary, especially when a practice knows it has fallen behind. Throughout the process, I assured the team the situation was doable. They just had to stay committed to the plan and carry out the required steps.
By setting a clear path forward, giving hands-on support, and staying on track, the office made progress far more quickly than they first thought possible.
The Outcome
Over the next few days, the office finished the needed fix-up tasks and greatly improved its compliance standing. By the time the state auditor arrived, the practice was prepared and organized. It could show the policies, records, and compliance efforts expected during the review.
The office successfully passed its audit and was able to continue operating without interruption.
For the staff, it meant relief after a stressful and uncertain time. For the business owner, it meant avoiding a major setback. For patients, it meant continued access to care from a practice that had taken the needed steps to strengthen its compliance program.
The thanks shown afterward is something I still recall. The owner sent a gift basket to thank me for the help I gave. While the gesture was welcome, the real reward was seeing the practice move from a place of doubt and risk to one of confidence and readiness.
Key Takeaways
This case drove home an important lesson I still apply today.
Practices rarely end up in compliance trouble because they want to ignore the rules. More often, competing tasks, limited resources, staffing issues, and day-to-day demands cause compliance work to fall behind.
The good news is that falling behind does not mean failure. With the right guidance, a clear action plan, and a focus on the highest-risk items first, practices can often make major progress in a very short time.
At One Guy Consulting, I help healthcare practices handle exactly these types of challenges. Whether you’re getting ready for an audit, responding to a compliance concern, doing a risk assessment, or just trying to understand where your practice stands today, the goal is the same. Create a practical path to compliance that is clear, doable, and lasting.
Because when an auditor is on the way, guessing is not a strategy.
Case Study #2 — Optometry • Rural Practice
Helping a Small Optometry Practice Achieve Compliance Despite Technology Challenges
The Situation
Not every compliance challenge involves an audit, a security incident, or a looming deadline.
Sometimes the biggest obstacle is simply helping an organization get started.
I once worked with a solo eye doctor in a rural area. Like many solo healthcare providers, he wore many hats each day. He handled patient care, business tasks, staff management, and the many other duties that come with owning a healthcare practice.
He was also not particularly comfortable with technology.
Tasks that many practices take for granted, like reading emails, joining virtual meetings, using software, and finishing online tasks, often became major hurdles. While these issues may sound minor, they created real obstacles when it came to putting a HIPAA compliance program in place.
The compliance process required records, training, policy review, and ongoing effort. Without steady input, there was a real risk the practice would never fully complete the process.
The Challenge
Many compliance programs assume a certain level of tech skill.
The reality is that healthcare practices vary widely in their comfort with technology. Some clients have IT teams and admin support staff. Others are small, solo practices with limited resources and little experience using modern compliance tools.
This optometry practice fell into the latter category.
The doctor truly wanted to do the right thing and understood that HIPAA compliance was important. But the technology itself often became a barrier. Meetings had to be moved. Emails were missed at times. Tasks that might take another practice a few minutes could take much longer.
From a compliance standpoint, the risk was real. If the practice failed to finish the required steps, it would remain open to the same state, day-to-day, and reputation risks that affect any healthcare practice lacking a solid compliance program.
The challenge was not proving that compliance mattered. The challenge was helping them work through a process that felt scary and crushing.
The Solution
Rather than forcing the client to adapt to a rigid setup process, I adapted the process to fit the client.
Early on, I saw that the key to success was building strong ties with the people who kept the practice running day to day.
One of those people was the office manager, who was also the doctor’s wife. She was a bit more at ease with technology. But she was also juggling many duties within the practice. As in many small healthcare offices, there was no compliance team, IT team, or project manager to push the work forward.
As a result, success depended on communication, patience, and consistency.
I spent time helping both the doctor and the office manager understand not only what needed to be done, but why it mattered. Rather than just giving out tasks and waiting, I kept in regular contact, answered questions, gave guidance, and followed up often.
Most importantly, I focused on building trust.
Compliance efforts often stall when clients feel uneasy about what they do not know or get frustrated by new technology. Instead of letting those issues create distance, I worked to build a space where questions were welcome and progress was praised.
Over time, the office manager became a strong champion for the process. As she learned more about the compliance needs, she helped keep the project moving and made sure key tasks were done. What first looked like a hard setup slowly became a winning partnership.
The Outcome
Through steady contact, patient guidance, and a readiness to adapt the process to the client’s needs, the practice completed its compliance program.
More importantly, the doctor gained a deeper respect for the value of HIPAA compliance and the role it plays in guarding both patients and healthcare practices.
What began as a tough setup became a rewarding experience for everyone involved. The practice met its compliance goals. The office gained confidence in its processes. And the doctor was truly pleased with the outcome.
For me, the experience drove home a lesson that still shapes my approach today. Compliance is not about software, policies, or records. It is about people.
Key Takeaways
One of the most common mistakes in compliance consulting is assuming every practice learns, talks, and works the same way. They do not.
Some clients need detailed tech guidance. Others need high-level direction. Some need more learning before they can move forward with confidence.
The most successful compliance efforts spot those differences and adapt to them.
At One Guy Consulting, I believe compliance solutions should fit the practice—not the other way around. Whether you’re a large healthcare group with dedicated resources or a small practice trying to balance compliance with patient care, the goal is the same. Create a practical, doable path toward compliance that works for you.
The best compliance program is not the one that looks perfect on paper. It’s the one that actually gets done.
Case Study #3 — Multi-Location • Healthcare Organization
Using Data to Increase HIPAA Compliance Adoption Across a Multi-Location Healthcare Organization
The Situation
One of the challenges healthcare practices often face is assuming a compliance program works just because it exists.
Policies may have been handed out. Training may have been assigned. Software may have been bought. Leaders may think the practice is making progress.
But what people assume and what is real are not always the same.
I saw this firsthand while working with a large healthcare group with many locations. On paper, the group seemed to have the resources, leadership support, and compliance setup needed to succeed. But when I looked at the data more closely, a different picture emerged.
Use of the compliance program varied widely from location to location. Some offices were taking part and making steady progress. Others had stalled. Some locations had embraced the process, while others barely seemed to use the tools available to them.
The group had invested in compliance. But spending alone was not leading to engagement.
The Challenge
The biggest challenge was not finding that a problem existed. The challenge was learning why.
Large groups often have a visibility problem. Leaders may get reports showing overall activity levels. But those reports rarely explain why adoption is poor.
Sending more emails would not solve the issue. Requiring more training would not solve it either. Assuming people would engage on their own would not fix things.
Before taking action, I needed to understand what was actually happening at the individual office level.
I began reviewing activity trends, adoption numbers, and engagement data across the group. As patterns came into view, it was clear that many locations were not avoiding compliance efforts on purpose. Instead, they lacked a link to the process.
Many office managers and providers had little or no bond with the people behind the compliance effort. To them, compliance often felt like another admin task landing in their inbox rather than a real business need.
The issue was not really pushback. The issue was a lack of engagement.
The Solution
Rather than relying only on auto-emails or mass outreach, I chose to take a more personal approach.
Using the data at hand, I weighed several strategies and mapped out the likely outcome of each.
One option was to keep relying on email and auto reminders. Another was to focus only on locations already showing signs of engagement. A third option was to build direct ties with the offices that were struggling the most.
After reviewing the data, I felt the third approach offered the best chance for improvement.
I began reaching out to offices across the group. For many locations, I was saying hello for the first time. Rather than framing talks as compliance enforcement, I focused on building ties and learning the challenges each office faced.
I shared my direct contact info and urged offices to reach out when questions came up. More importantly, I pushed for face-to-face virtual meetings when possible.
Those talks proved very useful. During Zoom meetings, I answered questions, cleared up confusion, showed workflows, and explained how compliance tasks tied to the group’s broader goals.
Many offices that seemed checked out simply needed clarity, guidance, and a real person they could trust. As bonds grew, so did activity. What had been a mostly one-sided process became a team effort.
The Outcome
Over time, adoption numbers began moving in the right direction. Locations that had shown little activity became more engaged. Office leaders built a stronger grasp of the compliance program and how it applied to their day-to-day work. Questions increased. Meeting attendance improved. Activity levels grew.
Most importantly, the group saw a clear increase in overall adoption. By combining data review with direct outreach, adoption rose by about 17%.
While the number mattered, the broader impact was even more telling. Greater adoption meant more staff finishing required tasks. More offices were following set processes. And there was better consistency across the group as a whole.
The group had already invested in compliance tools and resources. The missing piece was human engagement.
Case Study #4 — Small Practice • Multi-Specialty
When the Office Manager Became the Compliance Department
The Situation
One of the most common myths about HIPAA compliance is that every healthcare practice has dedicated resources to manage it.
In reality, many smaller healthcare practices run with lean teams. A handful of people are in charge of nearly every admin task within the practice.
I ran into this while working with a practice that truly wanted to improve its HIPAA compliance standing but struggled to make real progress.
At first glance, the practice seemed fairly organized. Providers focused on patient care. The office was running well. Day-to-day work seemed smooth.
But as I spent more time with the practice, a different picture started to show.
Nearly every admin duty had slowly piled up under one person: the office manager.
Scheduling, billing, new-hire setup, vendor calls, payroll support, patient messages, daily issues, and compliance duties all flowed through the same person.
The physician owners believed compliance was moving forward. But the reality was the office manager carried a crushing workload with little time left to focus on HIPAA tasks.
The Challenge
The challenge was not a lack of commitment.
The office manager cared deeply about the practice and wanted to make sure it met its compliance duties.
The challenge was capacity.
Every day presented competing priorities. Patients needed assistance. Employees required support. Vendors had questions. Billing issues surfaced. Scheduling conflicts occurred.
As in many healthcare practices, urgent daily tasks kept pushing compliance work further down the list.
As a result, compliance efforts often felt overwhelming.
Policies needed review. Training needed to be finished. Records needed sorting. Compliance tasks needed tracking.
Each task seemed manageable on its own, but when viewed collectively, the process felt intimidating.
Over time, the growing list of responsibilities created a sense of frustration.
The organization was not avoiding compliance. The organization simply lacked a practical system for managing it.
Without help, the practice risked leaving important compliance tasks undone. This created needless legal and day-to-day risk.
The Solution
Rather than adding more steps, my goal was to make the process simpler.
The first step involved understanding exactly where the organization stood.
We reviewed existing compliance efforts, identified completed work, and documented the areas that still required attention.
This immediately created clarity.
Many practices assume they are much further behind than they really are. By finding what had already been done, we could focus on the remaining tasks rather than starting over.
Next, we prioritized activities based on risk and importance.
Instead of giving the office manager dozens of tasks at once, we focused on the items that would provide the greatest compliance gain.
Breaking the project into smaller goals turned what had felt crushing into a series of doable steps.
Just as important, I worked to make sure the office manager did not feel alone in the process.
Many healthcare admins quietly carry compliance duties on top of many other tasks. When issues arise, they often feel they must solve every problem alone.
I wanted the office manager to understand that support was available.
Questions were encouraged. Roadblocks could be discussed. Priorities could be adjusted when necessary.
The goal was not perfection. The goal was consistent progress.
As we continued working together, the compliance process became far more manageable.
Instead of reacting to compliance needs only when problems came up, the practice began tackling compliance in a more planned and forward-looking way.
Small victories accumulated over time.
Training was completed. Documentation improved. Policies were reviewed. Outstanding items were addressed.
Most importantly, confidence began replacing uncertainty.
The Outcome
By creating structure and focusing on realistic goals, the practice was able to complete its compliance tasks without crushing the staff in charge of doing the work.
The office manager gained a clearer view of what needed to be done, why it mattered, and how to keep making progress.
The physician leaders gained better insight into the compliance process. They also gained a new respect for the workload being handled behind the scenes.
Compliance no longer felt like an impossible project sitting in the background.
It became a series of manageable responsibilities supported by a clear roadmap.
The outcome was not only a stronger compliance standing but also a process that could be sustained over time.
For the office manager, the greatest benefit may have been peace of mind.
Instead of always wondering if something important was being missed, there was now a clear system for tracking progress and meeting needs.
Key Takeaways
This case reinforced a lesson I have seen again and again in healthcare.
Compliance problems are not always caused by a lack of knowledge.
More often, they are caused by limited time, competing priorities, and insufficient resources.
Many healthcare organizations do not have dedicated compliance departments.
They have office managers. They have admins. They have practice leaders wearing many hats while trying to keep things running.
The most effective compliance programs recognize that reality.
At One Guy Consulting, I focus on creating practical compliance solutions that fit the way healthcare practices really work. Rather than flooding clients with long task lists and unrealistic goals, I help build clear, doable plans. These let practices make real progress while still serving their patients.
Compliance should support healthcare work—not become another hurdle in the way.
Case Study #5 — Vendor Compliance • Healthcare Organization
Discovering Hidden Vendor Risks Through a Business Associate Agreement Review
The Situation
One of the most common beliefs I see in healthcare compliance is this: if a practice has policies, staff training, and a risk assessment, then its vendor ties must be in order too.
Unfortunately, that is not always the case.
I worked with a healthcare practice that had put major time and effort into building its compliance program. Leaders were engaged. Staff had received training. Important compliance tasks were being done on a regular basis.
By most appearances, the organization seemed to be in good shape.
As part of a broader compliance review, though, we began looking more closely at the third-party vendors that helped run the practice.
That review quickly revealed a problem.
The Challenge
Like many healthcare practices, the client relied on many outside vendors to help run the business.
Some vendors handled tech systems. Others helped with calls, daily work, software, billing, consulting, or admin tasks.
Over the years, those ties had built up one by one.
One vendor was added to solve a particular problem. Then another. Then another.
The practice had rightly focused on keeping things running and serving patients well.
What had not happened was a formal review of every vendor relationship through a HIPAA compliance lens.
As we began evaluating vendors one by one, it became clear that several organizations potentially qualified as business associates under HIPAA.
Some agreements could not be found. Others had never been obtained. In a few cases, staff assumed a vendor tie had already been reviewed when no formal records existed to back up that belief.
The issue was not negligence. The issue was growth.
The practice had grown over time. But its vendor management process had not kept pace.
The Solution
Rather than treating this as a simple paperwork task, we saw it as a chance to strengthen the practice’s compliance program.
The first step was to identify every vendor that might interact with protected health information.
This required talks with leaders, daily staff, and the people in charge of systems and services across the practice.
Once we had a full vendor list, we sorted each one based on the services they gave and how much access they had to protected health information.
Some vendors clearly qualified as business associates. Others did not. A few required additional review before a determination could be made.
After finding the vendors that needed Business Associate Agreements, we built a plan. We would obtain missing records, review current agreements, and sort files in a way that could be kept up going forward.
Just as important, we set up a repeatable process for checking future vendors before they were brought into the practice.
The goal was not simply to fix a current problem. The goal was to prevent the same problem from reappearing a year later.
The Outcome
By the end of the project, the practice had greatly improved its view into the vendor network.
Leaders now knew which vendors counted as business associates, which agreements were in place, and what steps to follow when a new vendor came on board.
Missing records were filled in. Vendor files became more organized. Compliance duties became clearer.
Most importantly, the practice no longer had to rely on guesses.
Instead of wondering whether required agreements existed, they had documented processes and records to support their compliance efforts.
The result was a stronger compliance standing and more confidence in the practice’s ability to manage vendor ties the right way.
Key Takeaways
One of the most important lessons from this work is that compliance gaps are not always caused by a failure to care.
More often, they are caused by growth, changing needs, and processes that fail to keep pace with change.
Business Associate Agreements are often missed because vendor ties tend to build up over time. A software platform gets added. A service provider is hired. A daily need is met.
Years later, practices may find that key compliance records never caught up with those choices.
At One Guy Consulting, I help healthcare practices spot these types of hidden compliance risks before they grow into larger problems. Through vendor reviews, risk assessments, and practical compliance guidance, practices can feel sure that their compliance programs go beyond policies and training to include the third parties that help keep things running.
Because when it comes to HIPAA compliance, knowing your vendors is just as important as knowing your own processes.
Case Study #6 — Technology • Healthcare Organization
When a Healthcare Organization Learned That Software Alone Does Not Create Compliance
The Situation
One of the most common myths in healthcare compliance is that buying a compliance platform on its own creates a compliant practice.
I ran into this mindset while working with a healthcare practice that had just bought HIPAA compliance software. They expected the tech itself to solve most of their compliance issues.
The organization had good intentions.
Leaders knew that HIPAA compliance was important. They had made a real investment in improving their compliance standing. The software rollout was seen as a big step forward. Many people assumed compliance would just follow from there.
Unfortunately, compliance programs rarely work that way.
Technology can be a very useful tool. But software alone cannot create ownership, finish staff training, conduct risk assessments, review vendors, or build a culture of compliance.
As setup moved forward, it became clear the practice was expecting the software to do work that really needed human effort.
The Challenge
The challenge was not proving that compliance mattered.
It was helping them see the gap between buying a tool and putting a compliance program in place.
Like many practices, the client saw software as the finish line rather than the starting point.
Staff assumed the platform would handle compliance needs on its own. Managers thought buying the software showed enough effort. Leaders expected progress without grasping the level of input needed to get real results.
As a result, engagement lagged. Tasks remained incomplete. Training activities were delayed. Required reviews had not been fully addressed.
The practice had gained a powerful tool but had not yet set up the processes needed to use it well.
Without help, there was a risk that leaders would wrongly believe compliance goals had been met when major work still remained.
The Solution
The first step was resetting expectations.
Rather than focusing on the software itself, I shifted the conversation toward outcomes.
We talked about what HIPAA compliance really requires and how technology supports those needs rather than replacing them.
I worked with key staff to set up a practical roadmap. It connected compliance tasks to real-world duties.
Risk assessments needed to be completed. Training needed to occur. Policies required review. Documentation needed to be maintained. Vendor relationships required evaluation. Employees needed to understand their role in protecting patient information.
Most importantly, the practice needed to see the platform as a tool that supports compliance efforts, not a stand-in for them.
As understanding increased, participation improved.
The software became much more useful because it was finally being used as intended.
Instead of expecting tech to create compliance on its own, the practice began using it to support a planned compliance program.
The Outcome
Over time, the practice built a much stronger grasp of what HIPAA compliance really requires.
Engagement improved. Participation increased. Compliance activities became more consistent.
Most importantly, leaders gained confidence that progress was being measured through finished actions, not guesses.
The practice moved from viewing compliance as a software purchase to seeing it as an ongoing duty.
That shift in thinking proved far more useful than any tech feature.
Key Takeaways
Technology is one of the most useful tools for healthcare practices seeking to improve compliance.
However, software does not create compliance. People create compliance.
Technology helps practices document, manage, track, and sort compliance tasks. But real compliance still requires input, ownership, and ongoing effort.
At One Guy Consulting, I help healthcare practices close the gap between compliance technology and compliance outcomes. Whether you’re setting up a new platform, doing a risk assessment, or building a compliance program from scratch, the goal is the same. Create a process that works in the real world and produces clear results.
Compliance is not something you buy. It’s something you build.