Table of Contents
Ready to See Results?
From strategy through execution, Atlantic Health Strategies integrates compliance, operations, and growth into durable, measurable results. Let’s put our expertise to work for your organization.
The Short Answer: What Fractional Executive Leadership Actually Solves
Fractional HR, IT, and compliance leadership gives a behavioral health or addiction treatment operator embedded, accountable executives on a defined part-time schedule, typically 8 to 20 hours per week per function, at a fraction of the cost of hiring a full-time CHRO, CIO, and Chief Compliance Officer. The work is not advisory. Our fractional executives at Atlantic Health Strategies sit inside the EHR, the policy library, and the CARF or Joint Commission preparation calendar, and they own outcomes. We build these engagements for licensed treatment programs in Florida, Tennessee, Texas, and Utah.
The leadership gap is where most programs quietly bleed margin. It does not show up on a census report. It shows up in a CARF finding, a HIPAA breach notification to the HHS Office for Civil Rights (OCR), a licensed counselor walking out at 90 days, or a payer SIU audit pulling 18 months of charts the operator cannot fully defend.
The federal numbers back this up. On July 7, 2025, OCR announced a $225,000 settlement with Deer Oaks – The Behavioral Health Solution, with a corrective action plan OCR will monitor for two years. The resolution followed a 2021–2023 coding-error exposure and an August 2023 ransomware attack that affected 171,871 individuals. OCR’s finding was blunt: Deer Oaks had not conducted an accurate and thorough risk analysis. That is the exact gap a fractional CIO closes before it becomes a settlement.
Why Behavioral Health HR Cannot Be Run by a Generalist
The workforce math is brutal. HRSA’s National Center for Health Workforce Analysis projects shortages through 2036 of 87,630 addiction counselor FTEs, 69,610 mental health counselor FTEs, 62,490 psychologist FTEs, and 42,130 psychiatrist FTEs. That is the pipeline you are recruiting from.
Retention is worse. In the 2023 National Council for Mental Wellbeing / Harris Poll survey of 750 behavioral health workers, 93% said they had experienced burnout and 62% reported moderate or severe levels. National Council President and CEO Chuck Ingoglia urged policymakers “to listen to the voices of those in the field.” Operators cannot wait on policymakers. AHS fractional HR leaders fix the workplace directly.
Inside our engagements, an HR leader owns the specific things a generalist misses:
- Workforce planning and clinical recruitment. Building candidate pipelines with LCSW, LMHC, LCDC, and LMFT programs in your state before a position opens.
- Onboarding and credentialing that survives a CARF survey. A 90-day sequence that produces documented competencies, not a folder of signed forms.
- Retention diagnostics. Supervision frameworks, compensation benchmarking, and caseload review against the actual drivers of turnover in your facility.
- HR compliance specific to behavioral health. ADA, FMLA, mandated reporter obligations, supervision of licensed staff, and substance use policies for employees in recovery, written so a surveyor in Tallahassee or Nashville cannot punch a hole in them.
Why Fractional IT Leadership Beats a Generic Managed Service Provider
Your local MSP is not equipped to defend a behavioral health record. The cost of getting this wrong is now quantified. Sophos’s State of Ransomware in Healthcare 2024 reports the mean cost for healthcare organizations to recover from a ransomware attack was $2.57 million in 2024, up from $2.20 million in 2023, with 67% of healthcare organizations hit by ransomware in the past year, up from 60% in 2023. Sector-wide, the ransomware attack rate actually fell from 66% in 2023 to 59% in 2024. Healthcare is the target.
The 2025 Sophos update identifies the root cause most operators do not want to hear: a lack of people and capacity, an insufficient number of cybersecurity experts monitoring systems at the time of the attack, was named by 42% of healthcare ransomware victims. That is exactly the gap a fractional CIO closes.
OCR’s enforcement pattern is just as direct. OCR Director Paula M. Stannard put the point plainly in the Deer Oaks announcement: “Identifying potential risks and vulnerabilities to ePHI is a key step in preventing or mitigating breaches of protected health information.”
A fractional IT executive inside an AHS engagement owns:
- HIPAA Security Rule program management. Administrative, physical, and technical safeguards, plus the documented risk analysis OCR asks for first.
- EHR selection, configuration, and optimization. Behavioral health-specific platforms with documentation, outcome measurement, e-prescribing, and accreditation reporting built for CARF and Joint Commission elements of performance.
- Cybersecurity posture. Layered controls, workforce training, MFA enforcement, backup testing, and an incident response plan the on-call team can execute at 2 a.m.
- Telehealth and BAA management. Every vendor touching PHI under a signed Business Associate Agreement, with an inventory an operator can produce in 10 minutes.
- 42 CFR Part 2 technical controls. The SUD record protections HIPAA alone does not cover.
What Fractional Compliance Leadership Looks Like Between Survey Cycles
Compliance is not a triennial event. The programs that pass a Joint Commission Behavioral Health Care and Human Services survey cleanly are the ones whose leaders treated the survey window as 1,095 days long, not the six weeks before the surveyor arrived. A fractional Director of Quality and Compliance runs that continuous cadence.
Inside an AHS engagement, that work includes:
- Mock surveys and gap analysis conducted by leaders who have sat through real CARF and Joint Commission surveys, including EOC tours, tracer methodology, and clinical record review.
- Policy and procedure currency. Tracking changes to 42 CFR Part 2, state licensing standards in jurisdictions like Florida (DCF / AHCA) and Tennessee (TDMHSAS), and the 2024 HHS final rule aligning Part 2 more closely with HIPAA.
- ASAM Criteria, 4th Edition alignment. Level of care documentation that matches the current ASAM nomenclature, not the prior edition. If a medical necessity narrative still uses 3rd-edition language, a payer reviewer will notice.
- Utilization management infrastructure. Concurrent review documentation, medical necessity criteria, and payer readiness for SIU audits and timely filing windows.
- Survey-ready EOC, HR file, and clinical record sampling on a 90-day rolling basis, so the surveyor’s first pull is a confirmation, not a discovery.
The federal context matters. The Deer Oaks settlement was OCR’s 17th financial penalty of 2025, and OCR has collected $7,610,566 in settlements and civil monetary penalties this year. Enforcement volume is up. The documentation a fractional compliance leader would catch is exactly what OCR pulls first.
How AHS Structures a Fractional Engagement (and What It Replaces)
A full-time CHRO, CIO, and Chief Compliance Officer in behavioral health will run $600,000 to $900,000 in combined base salary before benefits, based on our experience pricing executive searches across the Southeast and Mountain West. Most single-site and small multi-site operators cannot carry that load. They also do not need 40 hours a week of any of those roles. They need 8 to 20.
An AHS fractional engagement gives an operator three named executives on a defined schedule, with deliverables tied to:
- Accreditation cycle (CARF or Joint Commission) and state licensing renewal dates.
- Payer credentialing and SIU audit defense readiness.
- Workforce metrics: time-to-fill, 90-day retention, and supervision compliance.
- Cybersecurity posture: documented risk analysis, BAA inventory, and incident response testing.
We do this for startup operators in Utah opening their first 16-bed residential license. We do it for multi-site operators in Florida running PHP and IOP (both outpatient levels of care) across three counties. We do it for turnaround clients staring down a conditional accreditation. The model is the same: embedded executives, accountable to outcomes, priced to the actual hours required.
AHS does not provide ABA or autism services, and we do not operate in California or New York. If you can name three operational risks off the top of your head that nobody on your current team has the bandwidth to own, that is the conversation to have.
Frequently asked questions
What does a fractional HR, IT, or compliance leader actually do inside a behavioral health facility?
A fractional executive is embedded in your operations on a defined schedule, typically 8 to 20 hours per week per function, and is accountable for outcomes, not recommendations. In an AHS engagement, the fractional HR leader owns recruitment pipelines, onboarding, supervision frameworks, and HR compliance for CARF and Joint Commission. The fractional CIO owns HIPAA Security Rule program management, EHR optimization, cybersecurity posture, and BAA inventory (the same risk-analysis obligation OCR cited in its $225,000 Deer Oaks settlement announced July 7, 2025). The fractional compliance leader owns policy currency, mock surveys, ASAM Criteria 4th Edition alignment, and survey-window readiness across state licensing, 42 CFR Part 2, and accreditation standards.
How much does fractional executive leadership cost versus full-time hires?
A combined full-time CHRO, CIO, and Chief Compliance Officer in behavioral health typically runs $600,000 to $900,000 in base salary before benefits, recruiter fees, and search timeline. A fractional engagement covering all three functions is priced to the hours required, which for most single-site and small multi-site operators is a fraction of that load. The actual figure depends on facility count, accreditation status, and survey or audit posture.
Why can’t our existing MSP or local HR consultant handle this?
Behavioral health carries regulatory obligations that generalists are not built for. A standard MSP does not manage HIPAA Security Rule risk analysis documentation, 42 CFR Part 2 controls, or BAAs against OCR enforcement standards. Sophos’s 2025 healthcare report found that 42% of healthcare ransomware victims cited a lack of people and capacity as a root cause, and OCR’s July 2025 $225,000 settlement with Deer Oaks hinged on the absence of an accurate and thorough risk analysis. A general HR consultant does not write supervision policies for licensed clinicians, mandated reporter protocols, or substance use policies for employees in recovery that hold up under a CARF survey.
What states does Atlantic Health Strategies serve?
AHS provides fractional executive and MSO services to behavioral health and addiction treatment operators across multiple states, with active engagements in Florida, Tennessee, Texas, Utah, Arizona, Georgia, and the Carolinas, among others. AHS does not provide ABA or autism services, and does not operate in California or New York. We work with single-site startups, multi-site operators, and turnaround situations across residential, PHP, IOP, and outpatient levels of care.
References
- HHS OCR. HHS’ Office for Civil Rights Settles HIPAA Privacy and Security Rule Investigation with a Behavioral Health Provider (July 7, 2025)
- HIPAA Journal. Behavioral Healthcare Provider Settles HIPAA Risk Analysis Investigation for $225,000
- McKnight’s Long-Term Care News. Long-term care behavioral health provider pays $225K to settle HIPAA case
- HHS ASPE. Health Care Workforce: Key Issues, Challenges, and the Path Forward (HRSA/NCHWA projections through 2036)
- National Council for Mental Wellbeing. Help Wanted: Behavioral Health Workforce Shortage Will Negatively Impact Society (April 25, 2023)
- PR Newswire. National Council / Harris Poll 2023 Behavioral Health Workforce Survey release
- Sophos News. The State of Ransomware in Healthcare 2024
- Sophos. The State of Ransomware in Healthcare 2025