Atlantic Health Strategies

One Vendor, Many Hats: Why Fragmented Behavioral Health Operations Break at Scale

Table of Contents

Ready to See Results?

From strategy through execution, Atlantic Health Strategies integrates compliance, operations, and growth into durable, measurable results. Let’s put our expertise to work for your organization.

The Short Answer

Behavioral health operators who split licensing, accreditation, HIPAA, IT, credentialing, and HR across four or five separate vendors lose money, miss deadlines, and get cited by regulators. A single accountable operating partner closes the seams those vendors leave behind.

That is not a marketing claim. Our team hears it every week when a founder in Florida or Tennessee calls us after a HIPAA breach, a CARF one-year decision, or a Medicaid SIU audit letter lands on the desk. Behavioral health operators sit at the worst end of the fragmentation curve because 42 CFR Part 2, state licensure, and payer credentialing all touch the same chart.

Split the vendors, and you split the accountability. Regulators do not care where the seam is. They find it anyway.

What Fragmentation Actually Costs

The pattern is boringly consistent. Licensing lives with one consultant. Accreditation prep lives with another. IT and cybersecurity sit with a managed services provider that has never read a state behavioral health rule. HR sits with a PEO. Billing sits with a third-party RCM.

Then something breaks.

On February 21, 2024, the HHS Office for Civil Rights announced a $40,000 settlement with Green Ridge Behavioral Health, a Maryland provider of psychotherapy, medication management, and psychiatric evaluations, after a ransomware attack encrypted files and exposed the PHI of more than 14,000 individuals. On July 7, 2025, OCR hit Deer Oaks with a $225,000 payment and a two-year corrective action plan, tied to a breach affecting 171,871 individuals.

Both settlements cited the same root cause. OCR concluded that Deer Oaks failed to conduct an accurate and thorough risk analysis, in violation of the HIPAA Security Rule. Green Ridge got the same finding: OCR said Green Ridge failed to conduct a thorough risk analysis, failed to implement security measures to reduce risk, and failed to sufficiently monitor its health information systems’ activity.

That is exactly the artifact that falls through the cracks when the compliance vendor thinks the IT vendor owns it, and the IT vendor thinks the compliance vendor owns it. Founders end up deficient because five vendors each assumed someone else was holding the pen.

OCR Director Paula M. Stannard said it plainly in the Deer Oaks announcement: “Identifying potential risks and vulnerabilities to ePHI is a key step in preventing or mitigating breaches of protected health information.” By July 2025, the Deer Oaks case was the 17th HIPAA resolution OCR imposed that year, with more than $7 million collected in settlements and civil monetary penalties. The most common violation cited: failure to conduct a risk analysis.

The Enforcement Environment Is Not Slowing Down

Operators sometimes ask whether the federal appetite for behavioral health enforcement is real or a talking point. It is real.

On June 30, 2025, the Department of Justice announced its 2025 National Health Care Fraud Takedown, which produced criminal charges against 324 defendants (including 96 doctors, nurse practitioners, pharmacists, and other licensed medical professionals) across 50 federal districts and 12 State Attorneys General’s Offices, tied to over $14.6 billion in intended loss. That figure more than doubled the prior $6 billion record set in 2020. Alongside the criminal cases, CMS prevented over $4 billion in false and fraudulent claim payments and suspended or revoked the billing privileges of 205 providers in the months leading up to the Takedown.

Behavioral health sat squarely in the crosshairs. In the District of Arizona, prosecutors indicted Jimmy Muyumbu on charges tied to a substance abuse treatment clinic in Phoenix that submitted approximately $44,920,644 in false and fraudulent claims to AHCCCS, primarily targeting patients enrolled in AHCCCS’s American Indian Health Program. AHCCCS paid roughly $36.6 million on those claims.

Illinois and Virginia produced similarly stark cases. Federal prosecutors in Illinois charged Daniel Robinson, CEO of ODA Solutions, Inc., alleging that since January 2024 the company billed Illinois Medicaid over $92,241,952 and was paid approximately $75,171,733 for counseling and therapy services that were allegedly never provided (including for beneficiaries who had died). State Medicaid Fraud Control Units are running parallel enforcement tracks.

When an MFCU investigator or an OCR investigator asks for documentation, they do not care that your credentialing sits with one company and your policies with another. They want the record. Now.

Why the Fragmented Model Keeps Failing

Founders end up with five vendors doing overlapping work for structural reasons. Behavioral health billing is genuinely complicated. Commercial plans carve out behavioral health benefits to MBHOs like Optum, Carelon, and Magellan, and SUD records fall under 42 CFR Part 2, which imposes stricter confidentiality rules than standard HIPAA. Add ASAM Criteria, level of care documentation, state licensure quirks, and CARF or Joint Commission standards, and it is easy to see why founders reach for a specialist for each lane.

Here is the problem. Drift happens in the gaps between vendors.

EHR documentation templates fall out of sync with updated CARF standards. Terminated employees stay in the EMR because HR never told IT. The HIPAA risk analysis never gets refreshed because everyone assumed someone else owned it. That is exactly what OCR keeps citing.

The clinical leadership tax is real, too. A peer-reviewed study by Woolhandler and Himmelstein in the International Journal of Health Services found that psychiatrists spent the highest proportion of their working time on administration at 20.3%, followed by internists and family/general practitioners at 17.3%, while pediatricians spent 14.1%. A follow-up commentary in Psychiatric News noted psychiatrists average 10.6 hours per week on administrative tasks, almost three hours more than the average physician at 8.7 hours per week. When your medical director is also refereeing fights between the compliance consultant and the IT vendor, you are burning the wrong hours. Section 1 (ASPIRE to Excellence) findings pile up because founders let operational drift accumulate between accreditation cycles.

What a Single Operating Partner Actually Does

Licensing, accreditation, compliance, credentialing, IT, and HR all connect. That is not a philosophical position. A state surveyor demonstrates it when the surveyor asks, in the same 20 minutes, to see your terminated-employee EMR access log, your fire drill documentation, your governing body minutes, and the CV of your medical director. Those four artifacts sit in four different vendor silos in most treatment centers our team walks into.

At Atlantic Health Strategies, we built the MSO to hold all of it. Our team maps licensing renewal calendars to HR onboarding. Our team maps cybersecurity controls to the HIPAA risk analysis OCR keeps citing. Our team maps credentialing files to payer contracts and to the personnel file CARF surveyors will pull.

In the Deer Oaks announcement, OCR itself recommended that operators identify where ePHI is located in the organization, including how ePHI enters, flows through, and leaves the organization’s information systems. Founders cannot do that with five vendors who do not talk to each other.

Founders should run clinical care and growth. Our team makes sure nothing between those two things collapses.

If you operate in Florida, Texas, Georgia, or Colorado and you can name five vendors touching your operations, you have a fragmentation problem. It is not a matter of if a surveyor or an investigator finds the seam. It is when.

Frequently asked questions

How many vendors is too many for a behavioral health treatment center?

If you cannot name a single person accountable for the intersection of licensing, accreditation, HIPAA, credentialing, and IT, you already have too many. Most operators we work with came in with four to six separate vendors and could not tell us which one owned the HIPAA risk analysis. That is the exact gap OCR cited in the $225,000 Deer Oaks settlement (July 7, 2025; 171,871 individuals affected per the HHS resolution) and the $40,000 Green Ridge Behavioral Health settlement (February 21, 2024; more than 14,000 patients affected).

Is the federal government actually enforcing against behavioral health providers, or is this hype?

Not hype. The DOJ’s 2025 National Health Care Fraud Takedown, announced June 30, 2025, charged 324 defendants tied to over $14.6 billion in intended loss, more than doubling the prior $6 billion record set in 2020. Charged behavioral health cases include a $44.9 million Arizona AHCCCS scheme targeting patients enrolled in the American Indian Health Program (District of Arizona), and a $92 million Illinois Medicaid behavioral health scheme (ODA Solutions, Inc.) in which prosecutors allege the company billed Illinois Medicaid more than $92.2 million and was paid roughly $75.1 million for services that were never provided.

What is the biggest hidden cost of running with fragmented vendors?

Clinical leadership time and documentation drift. Woolhandler and Himmelstein’s peer-reviewed research in the International Journal of Health Services (2014) found psychiatrists spend 10.6 hours per week (20.3% of working hours) on administration, the highest of any specialty, versus 14.1% for pediatricians. When medical directors and clinical VPs also referee between compliance, IT, and HR vendors, that percentage climbs and CARF Section 1 (ASPIRE to Excellence) findings pile up between surveys. That drift is why so many organizations receive a one-year rather than a three-year accreditation decision.

Does an MSO model make sense for a smaller, single-site operator, or only for multi-site groups?

Both, for different reasons. Multi-site and PE-backed operators need the MSO to standardize policies, credentialing, and payer contracting across locations. Single-site founders in states like Florida, Tennessee, or Colorado use the MSO to get enterprise-grade compliance and IT support without hiring a compliance officer, an IT director, and an HR generalist on day one. The failure mode is identical in either case: nobody owns the seams, and OCR, CARF, and state Medicaid Fraud Control Units find that out at the worst possible moment.

Request a Free Consultation

Scroll to Top