Being a State Regulator in Healthcare

Compliance
Written By Phoebe Gutierrez


By Phoebe Gutierrez

After spending over a decade at the California Department of Healthcare Services (DHCS), I often get asked, “What exactly does a state regulator do?” To many, the world of government healthcare regulation feels like a black box—slow, bureaucratic, and, at times, frustrating. But having lived and breathed it for 12 years, I can confidently say it’s one of the most impactful, challenging, and misunderstood jobs in healthcare.

For those unfamiliar, my role was centered on overseeing Medicaid-managed care plans, particularly through special projects and programs called waiver programs. These are large-scale initiatives funded by the federal government, much like venture capital funds startups. The difference? In government, the process is deliberately slow. Every dollar comes with a chain of accountability. Every decision is weighed, documented, reviewed, and cross-checked.

Here’s a look into what it’s like to be a state regulator and some insights into the processes that often frustrate people on the outside looking in.

A Bureaucratic Balancing Act

One of the first things to understand about state regulation is that every level of government—city, county, state—functions like its own mini-organization. Each department is its own ecosystem with its own priorities, workflows, and processes. Coordination between these entities isn’t always seamless, and that can make things feel slow or disjointed.

While the private sector leans heavily on automation for efficiency, government processes remain manual for a reason. Checks and balances are built into every step to ensure that decisions are fair, compliant, and above all, protective of the public. Yes, this can mean things take longer, but it also ensures that changes to healthcare programs aren’t made hastily, risking patient safety or mismanagement of funds.

The Reality of Audits

A big part of my role involved conducting audits—a word that sends shivers down the spine of many healthcare organizations. But audits aren’t about catching people out; they’re about ensuring the system works as intended.

Here’s how a typical audit might go:

  1. Request for Policies & Documentation
    An auditor will start by asking for your policies and procedures. These are the “rules of the road” for your organization. Next, they’ll want proof that you’ve actually been following those policies. This could include logs, reports, or meeting minutes showing when the policy was last reviewed or updated.

  2. Verification Process
    The auditor will then dig deeper. For instance:

    • Who last reviewed this policy?

    • How was it approved?

    • Are there gaps between what the policy states and how it’s being implemented?

  3. Audit Findings
    Findings are simply observations or areas where improvement is needed. Common findings might relate to billing errors, patient rights violations, or lapses in privacy and security protocols. These findings result in recommendations, and organizations are typically placed on a Corrective Action Plan (CAP) to address them.

  4. Compliance & Sanctions
    If you fix the issues, great—you’re back in compliance. But if you fail to address the findings, that’s when penalties, sanctions, or even revocations can happen.

How to Prepare (and Stay Prepared)

Preparing for an audit doesn’t have to feel like a last-minute scramble. Many states and agencies provide free resources to help you stay ahead of the curve. Here’s a roadmap to help you leverage existing tools and build your compliance processes proactively:

1. Use Audit Checklists and Tools

Most state regulatory agencies provide downloadable audit checklists to help organizations understand what auditors will be looking for. For example:

  • California Department of Healthcare Services (DHCS): Offers audit tags and compliance tools that outline exactly what policies, procedures, and evidence are required.

  • Centers for Medicare & Medicaid Services (CMS): Provides resources on federal requirements for billing, patient rights, and privacy.

  • State-Specific Tools: Many states have tools available on their health department websites. For example:

    • Texas Medicaid & Healthcare Partnership (TMHP) Audit Tools

    • New York Department of Health Compliance Checklists

These checklists often serve as the foundation for an internal audit, allowing you to spot potential issues before the state does.

2. Leverage Intake Forms for Documentation

Audit preparation starts with good documentation practices. Intake forms, whether digital or manual, can ensure you’re capturing all necessary information upfront. Examples include:

  • Policy Intake Forms: Use these to log when a policy was created, reviewed, and updated. Include who approved it and what changes were made.

  • Billing Documentation Logs: Ensure all billing submissions are tracked with supporting documentation.

  • Employee Credentialing Records: Keep digital or physical copies of all licenses, certifications, and annual reviews in a centralized location.

3. Conduct Internal Audits

Before the state comes knocking, do your own audit. Simulate the questions an auditor will ask:

  • Do you have written policies for key areas like billing, patient rights, and privacy?

  • Can you show proof of compliance with those policies?

  • Are you using the most up-to-date federal and state requirements?

Internal audits can help identify weaknesses and give you time to correct them before external scrutiny.

Key Focus Areas in Audits

No matter what type of healthcare organization you run, auditors are always going to focus on these key areas:

  • Billing: Are your billing processes accurate and compliant with state and federal requirements?

  • Patient Rights: Are you protecting patient autonomy, access to care, and quality of service?

  • Federal Requirements: Are you adhering to the standards set by CMS (Centers for Medicare & Medicaid Services)?

  • Privacy & Security: Are you safeguarding patient data in line with HIPAA and other privacy laws?

Why It’s Worth It

Healthcare regulation is a massive, ever-evolving system. Rules take time to develop because they’re meant to serve as guardrails, ensuring that care is safe, effective, and equitable. As frustrating as the process may seem, those of us who work behind the scenes know that slowing down often leads to better outcomes for everyone.

If you find yourself on the receiving end of an audit, remember: it’s not the end of the world. It’s an opportunity to improve. Whether you’re updating billing protocols, implementing new privacy safeguards, or refining your policies, every step you take strengthens your organization—and ultimately, the care patients receive.

This is just one glimpse into a day in the life of a state regulator. Next time, I’ll dive into the world of startups and how working on waiver programs at DHCS prepared me to build health tech companies from the ground up.

Until then, stay compliant—and if you’re not sure where to start, reach out. There are resources (and people like me) who can help.

Phoebe

Phoebe Gutierrez
Previous

Building a team for a start-up: Healthcare Edition