Atlantic Health Strategies

Ongoing Compliance Management for Multi-Site Behavioral Health Organizations

Building Scalable Regulatory Infrastructure

Multi-site behavioral health organizations stay compliant when their leaders run compliance as a centralized operating system, not as a stack of site-level binders. That means one policy library, one credentialing source of truth, one incident reporting workflow, and a fractional or full-time compliance officer who actually owns the risk register across every location.

The stakes are not theoretical. In fiscal year 2024, the U.S. Department of Justice recovered more than $2.9 billion in False Claims Act settlements and judgments, and recoveries from the health care sector remained steady at $1.68 billion. Behavioral health is squarely in the crosshairs. In one widely covered example, behavioral health care provider Acadia Healthcare Company paid $16.6 million over alleged billing for unnecessary services, improper discharges and staffing shortcomings. The cases I see at Atlantic Health Strategies follow a pattern: a Florida operator opens a second site in Tennessee, the EMR templates drift, supervision logs go missing at one location, and twelve months later the SIU audit lands.

Operating outpatient mental health clinics, addiction treatment programs, and integrated networks across state lines pulls leaders into a regulatory environment where state licensing boards, the HHS Office of Inspector General, the DEA, SAMHSA, and commercial payer SIUs all want different documentation. Reactive compliance loses to that environment every time.

The Regulatory Complexity of Multi-Site Behavioral Health Systems

The population of regulated entities is bigger than most operators realize. SAMHSA’s 2024 National Substance Use and Mental Health Services Survey catalogs tens of thousands of substance use and mental health treatment facilities across the United States and its territories, and the N-SUMHSS is designed to collect data on the location, characteristics, service provision and utilization of substance use and mental health treatment facilities. Every one of those facilities sits inside its own state licensing framework, with its own supervision rules, staffing ratios, and program definitions.

Layered on top: federal authority. The OIG provides summaries of the primary federal fraud and abuse laws (including the Anti-Kickback Statute, Physician Self-Referral Law (the “Stark Law”), False Claims Act, Civil Monetary Penalty Authorities, Exclusion Authorities) and the HIPAA Privacy and Security Rules. Add CMS billing requirements, OSHA workplace rules, and 42 CFR Part 2 confidentiality for SUD records. The Part 2 rewrite is not abstract either. HHS finalized changes to 42 CFR Part 2 on February 8, 2024 to align confidentiality protections for substance use disorder (SUD) records with HIPAA. Entities subject to HIPAA and handling Part 2 records must meet the Part 2 final rule by February 16, 2026, including updating their NPPs and revising internal policies, consents, and training to reflect these Privacy Rule-related modifications.

Once an operator moves from one site to four, the cracks I see during mock surveys are almost always the same:

  • Documentation templates that diverge by clinic director preference
  • Billing and coding protocols that vary between the Florida and Tennessee sites
  • Credentialing files missing the supervision logs the state surveyor will ask for first
  • Policy versions that nobody at the satellite site has actually read
  • Incident reports that never make it past the local clinical director

These gaps grow because compliance evolved organically rather than being designed for multi-site governance. AHS replaces that with one policy framework, one reporting structure, and one set of audit cadences across the network, while leaving room for state-specific variation where licensure demands it.

Fractional Compliance Leadership for Behavioral Health Organizations

For most operators with two to eight sites, a fractional Chief Compliance Officer is the right answer before a full FTE makes financial sense. The OIG itself anticipates this. OIG recognizes that small entities may have less formal documentation or processes, but are still expected to have an effective compliance program. Small companies that cannot maintain a full-time compliance officer may consider designating a “compliance contact” who can ensure the completion of compliance activities.

A fractional engagement at AHS typically covers enterprise risk assessments, policy maintenance, documentation and billing audits, compliance committee reporting, exclusion screening, and ongoing staff education. The OIG is explicit that routine exclusion searches of employees, contractors, and vendors against OIG’s List of Excluded Individuals/Entities and state Medicaid exclusion lists belong inside the program. So does board-level oversight. The new guidance also includes recommendations to conduct annual internal risk assessments, to consider quality of care as a component of the compliance program, and to emphasize the importance of a board’s and executive leadership’s oversight of compliance.

One more piece that matters for behavioral health specifically: the OIG flagged private investment by name. OIG also specifically calls out the growing presence of private equity and other forms of private investment in health care and recommends that such investors scrutinize their operations and oversight to ensure compliance with fraud and abuse laws and the delivery of high-quality care for patients. If you are a PE-backed platform stitching together SUD and mental health assets across three states, the regulator is reading your cap table.

Designing Scalable Compliance Programs: The Seven Elements

The framework AHS builds around is the OIG’s General Compliance Program Guidance (GCPG), an updated manual released on November 6, 2023, and the first significant update in 15 years. It is not law, but it is the rubric prosecutors and surveyors use. OIG emphasized that the purpose of the GCPG and ICPGs is to set forth voluntary compliance guidelines and tips and not to be one-size-fits-all or binding on organizations. Treat it as voluntary in name and mandatory in practice.

The seven elements anchor any scalable program: written policies and a code of conduct, designated compliance leadership, training and education, effective lines of communication, enforcement through well-publicized disciplinary standards, auditing and monitoring, and structured response and corrective action. OIG sticks with the seven elements of compliance identified in the U.S. Sentencing Guidelines as the framework for its compliance program recommendations.

What changed in 2023 and what AHS actually operationalizes for clients: quality of care now sits inside the compliance program rather than next to it. OIG highlights that quality of care considerations should be included in a compliance program to mitigate patient harm and False Claims Act liability. For a PHP or IOP operator, that means your utilization management documentation, your ASAM Criteria, 4th Edition level-of-care decisions, and your discharge planning are all compliance artifacts, not just clinical ones. The Acadia case made that point in dollars.

Workforce Credentialing, HIPAA Exposure, and Building a Compliance Culture

Workforce drift is where most multi-site programs fail their first real audit. Licensure renewals slip. Continuing education hours go untracked. Supervision logs at the Georgia site look nothing like the ones at the Arizona site. When a state surveyor asks for proof at 9:14 a.m. on a Tuesday, you have until lunch to produce it.

HIPAA and Part 2 sit right next to credentialing on the risk register. Since the compliance date of the Privacy Rule in April 2003, OCR has received over 374,321 HIPAA complaints and has initiated over 1,193 compliance reviews. OCR reports that it has resolved ninety-nine percent of these cases (370,578). The dollar exposure has teeth. OCR aligns fines with culpability: lack of knowledge (Tier 1), reasonable cause (Tier 2), willful neglect corrected (Tier 3), and willful neglect uncorrected (Tier 4). OCR also applies, by enforcement discretion, lower annual caps in 2024 for Tiers 1–3 ($35,581; $142,355; $355,808 respectively), while Tier 4 remains capped at $2,134,831. A recent illustration: the HHS Office for Civil Rights imposed a $1.19 million penalty against Gulf Coast Pain Consultants for HIPAA Security Rule violations.

Behavioral health-specific enforcement reinforces the point. The United States’ allegations under the CSA arise from audits and investigations the Drug Enforcement Administration (DEA) conducted at RCA facilities in Pennsylvania and Maryland between 2019 and 2024. Based on those audits and investigations, the United States contends that RCA dispensed controlled substances in an unlawful manner, that certain controlled substances were missing from the company’s records, and that the company failed to comply with additional recordkeeping requirements of the CSA. In addition, the United States alleges that, at certain facilities during a period from 2017 through 2019, RCA violated the FCA by billing the Federal Employees Health Benefits Program and Medicaid for the care of beneficiaries to whom it failed to provide and document the requisite treatment services. As the HHS-OIG agent said in announcing the resolution, “Unlawful dispensing of controlled substances and billing for unprovided care endanger patients and defraud taxpayers.”

AHS integrates licensure tracking, training completion, exclusion screening, incident reporting, and Part 2 / HIPAA documentation inside one operational backbone. Clinical leadership runs the care. The compliance program runs underneath it. When the surveyor knocks at the Georgia site or the SIU letter lands in your Florida office, the answer should already be in the system.

Frequently asked questions

What does an effective compliance program look like for a multi-site behavioral health organization?

It follows the OIG’s seven elements from the 2023 General Compliance Program Guidance: written policies and a code of conduct, designated compliance leadership, training, lines of communication, enforcement standards, auditing and monitoring, and structured response and corrective action. The 2023 update added annual internal risk assessments, board-level oversight, and quality of care as a compliance domain. For multi-site operators, that translates into one centralized policy library, one credentialing system, exclusion screening against OIG and state Medicaid lists, and a fractional or full-time compliance officer who owns risk across every location.

How big is the HIPAA penalty exposure for a behavioral health provider?

For 2024, OCR applied tiered annual caps of $35,581 (Tier 1), $142,355 (Tier 2), $355,808 (Tier 3), and $2,134,831 (Tier 4, willful neglect uncorrected). Recent enforcement includes a $1.19 million penalty against Gulf Coast Pain Consultants for HIPAA Security Rule violations and a $100,000 penalty against a mental health center for failure to provide timely patient access. Behavioral health operators also need to plan for the 42 CFR Part 2 final rule compliance date of February 16, 2026.

Why does the OIG specifically mention private equity in its compliance guidance?

The 2023 GCPG calls out the growing presence of private equity and other private investment in health care and tells those investors to scrutinize operations and oversight for compliance with fraud and abuse laws and quality of care. For PE-backed behavioral health platforms operating across multiple states, that signals heightened scrutiny of ownership incentives, growth assumptions, and clinical decision-making at the portfolio level.

When should a behavioral health operator hire a fractional compliance officer versus a full-time CCO?

The OIG acknowledges that smaller entities may not be able to maintain a full-time compliance officer and may designate a compliance contact instead, but they are still expected to have an effective program. In practice, multi-site behavioral health operators with two to eight locations usually get better coverage from a fractional CCO who specializes in behavioral health regulation, ASAM Criteria 4th Edition utilization management, 42 CFR Part 2, and payer SIU audits than from a single internal hire at the same cost.
