How a multi-location health system finally got genuine OCR audit confidence — and why the shared-pool model was the root cause of their compliance exposure.
This multi-location health system in the Mid-Atlantic region had been through three different BPO contact center providers in four years. Each transition was driven by the same fundamental problem: the shared-pool model was creating compliance exposure that the organization couldn't control, audit or defend.
OCR's audit cycle had become active in their region. The Director of Practice Operations had been asked directly by the health system's compliance officer to demonstrate that the contact center had documented HIPAA training at the agent level — not just at the provider level. With a shared pool, this was structurally impossible to prove.
In a shared pool, the agent who handled patient calls on Monday may have been handling insurance claims for a different client on Tuesday and customer service for a retailer on Wednesday. Their HIPAA training is generic. Their familiarity with PHI handling is broad, not specific to your protocols. And you cannot produce documentation proving that the agent who handled a specific patient call was trained to your standards — because they weren't. They were trained to a pooled standard that may or may not match what your payer auditor expects.
Two of the three previous providers offered a BAA, but both were structured at the provider level rather than the practice level. When OCR's guidance specifies that BAAs should cover the specific handling of PHI at the point of contact, provider-level BAAs leave a documentation gap that auditors can and do flag.
The health system had been advised informally that payer auditors conducting secret-shopper calls after hours had found that their after-hours answering did not meet Joint Commission standards for live clinical triage access. This was a direct compliance failure that had gone uncorrected through three provider relationships.
"We'd been through three generic BPO providers in four years. The shared pool model simply doesn't work for a healthcare organization — you can't audit an agent who worked on five other accounts that week. Dedicated seats changed everything. Our OCR audit last year was the first one we felt genuinely prepared for."
Director of Practice Operations · Multi-location health system
Within weeks of go-live, the compliance picture was fundamentally different. Every agent had a documented training record. Every call had an audit trail. The BAA covered all of the health system's locations at the practice level. After-hours calls were answered by live, trained agents with access to on-call routing — every time.
When OCR conducted their next audit cycle, the Director of Practice Operations described it as the first audit they'd entered with genuine confidence rather than anxiety. The documentation was complete, accurate and available on demand. The audit was passed without remediation requirements.
The compliance officer formally closed the internal review that had been open since the compliance gap was first identified — two years earlier.
The shared-pool compliance problem is structural. It cannot be solved by switching shared-pool providers. The documentation gap exists because the model itself makes agent-level accountability impossible. If your compliance audit requires you to prove that a specific agent handling a specific patient call was trained to your standards — and it does — then you need dedicated agents who work exclusively on your account.
This is not a niche requirement. It is what OCR, Joint Commission and payer auditors increasingly require. The shared pool is not a compliant model for healthcare. It is a liability that compounds with every audit cycle.
Book a 30-minute discovery call. We'll walk through your current compliance setup, your BAA status and what a dedicated seat model looks like for your organization.