If you’re a paralegal and you’ve asked yourself where you want to take your career from here, or if you’ve ever questioned whether the skills you’re obtaining as a paralegal working in a law firm could eventually transfer to a career outside the typical law firm, this interview will give you great insights.
Melissa Andrews was a paralegal for around 15 years and is now working in health care compliance and privacy. For the past 10 years, she’s been working outside the typical law firm environment and in an area, to be honest, I never thought of as a potential career transition for a personal injury paralegal or any paralegal, really.
Even if you’re not a personal injury paralegal, when you hear Melissa’s journey, if nothing else, it’s going to get you to think outside the box. For the past three years, she’s been serving as a Virtual Chief Compliance Officer and Virtual Chief Privacy Officer at Clearwater Security.
What does that mean? Well, stick around. Melissa will tell us all about it. Melissa has her Associate’s Degree in Paralegal Technology and a CP designation from NALA. She also has a Bachelor’s Degree and some other certifications. But she didn’t get those until after she took on that first new role.
I want to let her tell you that story because I don’t want you to think that it was her undergraduate degree and all these other high-end certifications that got Melissa to where she is today. She started this new journey with this paralegal career. She started it with just an associate’s degree, her paralegal certification, and around 15 or so years of paralegal experience working primarily in personal injury, but with a sprinkling in of some family law, criminal, and real estate.
Q.
How did you go from working as a personal injury paralegal to a privacy and compliance officer for a corporation?
A.
It was really kind of simple, and I’m sure some of the exact same things that all your readers have gone through. I was a mother of two small children, and we did large product liability cases. We did large medical malpractice cases. We sued pharmaceutical companies. And with that comes federal courts and travel.
Anybody who’s done any kind of trial work knows it is a 60+ hour work week. And I had two little kids, and I just couldn’t do it anymore. I was exhausted all the time. A friend of mine let me know that the local hospital was hiring a paralegal. It would just be some simple property management stuff, but I would be great for it.
I thought, sure, why not? I’ve never worked for a health system before, never worked on that side of the house anyway, so I would give it a try. I did, and it just kind of exploded from there.
Q.
Wow, okay, you started as a paralegal in-house at a hospital. So how does that lead to a privacy and compliance officer?
A.
This was one of those things that I tripped and fell into. As a paralegal, I had all this experience, all this education, and I could pick up on just about anything. So they kept piling more and more things on. They were like, “Hey, as a paralegal, you’ve done some deposition prep. Would you mind prepping some of our physicians?”
I was like, sure, I can do that. They asked me to review some contracts. I said, sure, I can do that. They had some family law questions because of who has parental rights. Those types of things. Sure, I can do that. They asked some employment questions. Sure, I can do that. And then it got into contract management.
And I was like, sure, not a problem. But as I was doing the contract management, I came across these agreements. They were called business associate agreements. I looked into it a little bit more and I was like, okay, this has to do with HIPAA.
What’s HIPAA? So I started doing my own research like we always do and I read the regulation and I was like, wow, this is kind of a big deal.
I went to our general counsel and I said, “Hey, are we paying attention to this?” He said, “Yes, but if you could take this on, that would be great. It’ll only take up 10% of your job. That’s all. It’ll be really simple, really easy.” I think it was maybe a year later, I became the privacy officer for the hospital.
Q.
Okay, that’s where privacy comes in. What year was this? Was this just when HIPAA was first coming out?
A.
HIPAA came out in 1996, but they didn’t do enforcement actions until about 2012. It just kind of took off in 2014 where you started to read that people were getting in trouble for things.
That was when I really kind of started taking on that role as a privacy manager while still being the paralegal.
Q.
Before we move on to the next part, the next stepping stone, I want readers to understand what Melissa was saying there. She took on the role as paralegal at the hospital, but she didn’t just say, This is my little box. This is what my job responsibilities are.
She was open to taking on these other responsibilities, not knowing if it was just extra work she was getting. She didn’t realize at the time that this was going to lead to a whole new possibility for her career.
Now you’re the privacy officer at the hospital. What was that like?
A.
For probably about a year, I was just learning about the privacy. I was getting invited to the meetings to talk to different departments, HR, anybody who’s done any kind of paralegal work that has to do with human resources or EEOC. I became heavily involved with doing all of that and workers comp, because all of that involved that privacy work.
In 2015, I officially became the system privacy officer, and that covered four hospitals and 30 clinics. I was responsible for building that privacy program to fit with everything that the health system needed. But I was still the paralegal. I was still doing investigations and interviews.
I was still doing deposition preps for physicians. I was meeting with governmental agencies to handle those types of investigations. I was meeting with Human Resources. Talking about disciplinary actions and what we could legally do for disciplinary actions versus what we couldn’t do. Because once again, anybody who’s worked in Human Resources knows that’s a fine line.
I did that for quite a bit of time. Then it slowly started again with compliance. They were like, “Hey, there are these regulations for these different government agencies. We only have one compliance officer. Do you think if we broke it apart, you could handle the compliance for the other side for the clinics while we have the compliance officer for the hospital?”
I said, “Well, let me take a look and see what we’re talking about” because I had never done compliance before. I started looking into it and it became a lot of, once again, kind of the same things that I did as a paralegal, but just with a little twist to it.
You have to worry about real estate agreements; those that you have with physicians are a special type of real estate agreement. You have to be careful of things like fraud, waste, and abuse, anti-kickback, all of those types of things. You have to be careful about doing agreements within family members, referring things to the hospital. Criminal law is a big thing.
The Office of Inspector General gets heavily involved with enforcement actions and all of those types of things. Employment becomes a huge thing. And then of course, I’m still involved in the medical malpractice side of it and collections. We were involved in collections at this point, so these are all things that I had done as a paralegal and I’m now doing as a compliance officer.
These regulations and these little whispers that I had heard as a paralegal, I’m more involved in as the compliance officer. All of it, 100 percent of it, was strictly on-the-job training.
Q.
What I’m hearing from a compliance perspective is this would be similar to a paralegal role where you’re constantly looking up what’s the court rule or how can we follow it to the letter?
Are we crossing all of our T’s and dotting our I’s, but in just a different area?
A.
Yes and no. The biggest thing with compliance is what is the intent of the law. Like with criminal procedures, you’re very, these are the elements of the crime. We do have that in compliance, but we also have what is the intent.
If the intent is to prevent physicians from doing self-referrals because they own a separate business or their wife owns a separate business, so they’re kind of funneling patients into that business, that is the intent, is to prevent that from happening. So you don’t get really strict elements of a crime in compliance regulations as you do in criminal types of laws and regulations.
There are still some, but it’s usually more of these are exceptions to the law, as opposed to these are the specific elements of the law.
Q.
Are you now no longer doing paralegal work, or have the paralegal title anymore?
A.
I lost the paralegal title in 2017 when they officially removed it from me.
I became a regional compliance and privacy manager for the health system that I work for. At the time, it was 10 hospitals and 100 clinics that I was personally responsible for. And once again, I had nothing but my associate’s degree and my paralegal certifications. I had gotten some compliance and privacy certifications by 2019.
But that was all the additional education I had done at that point.
Q.
How do you then transition?
A.
When I worked for the health system, they told me they wanted to promote me to more of a system level, but I didn’t have a bachelor’s degree. They said, basically, you’ll do the exact same job.
As a matter of fact, they were nice enough to give me all the work that I would receive when I got promoted early. I just wouldn’t receive the title or the pay raise. So I was like, oh, gee, thanks. I need to get my Bachelor’s Degree then. When I started to get my Bachelor’s Degree, I had posted on LinkedIn and let some peers know that I was doing this.
I actually had a headhunter call me and say, “Hey, we found you. We heard about you. Would you be interested in doing consultant work? Because you have everything we want.” I explained to them that I didn’t have a Bachelor’s Degree. They said, “That’s fine if you promise to get it in two years.” And so I agreed to get my bachelor’s degree in two years.
I ended up getting it in 2021, but they hired me in 2019. As a matter of fact, this will be my four year anniversary working with this company. I started the job and got the job before I had ever finished my bachelor’s degree, which is in healthcare administration.
Q.
What do you think it was? Why did they seek you out, if you didn’t have the experience they wanted, or you maybe had the experience from the hospital, but you didn’t have the college degree that they wanted?
Did you just have a really good interview with them?
A.
It was the experience. 100% it was the experience. I am a member of a compliance association, the Healthcare Compliance Association. We do yearly meetings, and there are several thousand people who go, and I had just met so many connections there.
I am a huge advocate of networking. I introduced myself to everybody, I passed my card out to everybody. We talked a lot about things that we did, problems that we have, and that’s what introduced me to the right people. When they looked me up and saw my LinkedIn and talked to some of my peers who I’d actually worked with in the past, they decided to offer me the position.
Q.
What are some of the things that you’re doing in your current role? Could you give us a little bit of a background on the company that you work for? It might help readers understand more when you tell them what the company is, what it does, and then what your role is there.
A.
The company I work for is called Clearwater Security Inc. They do strictly consulting work. They do IT security. We specialize in health care, but we do branch out to other things, like DOD work. We can also assess organizations before they get in trouble and determine what they need to do.
Either it’s on the IT security side of it or my side of the house, which is compliance and privacy. Sometimes we get phone calls after the Office of Civil Rights has come in and found that individuals have gotten them in trouble. We put them on corrective action plans and will kind of go through and help them get to where they need to be so they don’t get in trouble anymore.
Sometimes they’re just short staffed. I will tell you there’s a huge job market out there for compliance officers and privacy officers so they will call me in and I will be their interim. For a compliance officer or a privacy officer, the longest I’ve ever done that role was two years, and I will do everything that a compliance officer does for them or everything that a privacy officer does for them.
If you want us to write your policies for you, we write policies. As an organization, we really strive to cover that health care compliance component in all sides of the house.
Q.
Other than being their virtual compliance officer when they’re short-staffed, what does a typical day look like for you?
Maybe not typical, but what are some of the things that you’re doing?
A.
You’re going to see me get really excited because I’m one of those people who truly, truly loves their job. I have several clients right now. One of them, I am their virtual privacy officer and they are a not-for-profit organization.
They do a lot of charity work. A lot to do with research, mother baby type things, neonatal, all of that kind of stuff. I get to be their privacy officer and lead them in the right direction. I do their research studies, which means every regulation that has to do with research components, if you’re using human subject research, I go in and I help them.
A lot of times they get a lot of other organizations who want to use their data to do their own research or to do data aggregation. I make sure that those organizations are appropriate and understand what their obligations are to protect this organization and those types of things.
I also am a compliance officer for a value-based care business associate, and a business associate is not someone who normally does healthcare, but they partner with a healthcare organization. If any of you guys have read anything about Medicare Advantage, value-based care is the new thing, as opposed to fee for service, which is most doctors would pay you for every little thing that they do.
Value-based care is they pay you one price for the whole treatment. There are a lot of regulations with that. So I’m helping them kind of make sure they are abiding by those regulations. I have a client who is based in the UK and they want to move into the United States and do some stuff here.
They are digital health. They have an app. It’s a women’s reproductive health app. Since we have a ton of laws about that going on right now, I’m helping them kind of go through and understand what their obligations are. And, you know, you have Federal Trade Commission, you have TCPA, you have HIPAA.
There are different state laws which is a huge thing that I’m helping them with. I do a lot of digital health organizations because everybody’s getting into that healthcare space, but they just don’t understand it. I have another client who’s a law firm that I am helping with mergers and acquisitions.
Because a lot of time their clients don’t know that HIPAA applies to them or that they really are a healthcare organization. I go in and do a compliance evaluation to make sure that the company that they and their client are looking at has all of the required elements.
When you talk about compliance, it’s things like:
- Do you have a harassment policy to prevent workforce members from harassing each other?
- Do you have a reporting policy?
- Do you have a policy that says that people can report anonymously?
I had a client recently that I just finished with. They were a children’s hospital that specialized in mental health and substance use disorder. Those are two separate regulations that I had the pleasure of working with them on.
It involved going through what that means, how you treat children differently than how you treat adults, what rights children have, etc. There was a big family law part to it.
I had to understand that in different states some children can consent at 12 while others can’t consent until 16. Also, when CPS gets involved, who has the right? Is it still the parents? Is it CPS? All of those things. That was something that was very easy to transition over to me. I’ve worked with county governments before.
When you say a day in a life, it’s anything you can think of. I could still go on and on about all the different things that I do, and depending on the client it’s just a huge diversity. I love my job. I love that I get to hop from different things, and I’m not in a box of I can only work on family law, or I can only work on product liability.
It makes it exciting for me.
Q.
I have to ask so that the readers have realistic expectations because you said there’s no shortage in compliance officers. Do you believe that you could be in this current role as a privacy and compliance officer without those years, at least a few years of working in-house at the hospital?
A.
I think experience is important. I definitely think you need a couple of years of experience in whatever compliance field you choose to go into because compliance is more than just healthcare. But if you really want to get that foot in the door, there are tons of organizations out there.
There’s the Healthcare Compliance Association, the Society of Corporate Compliance and Ethics, the International Association of Privacy Professionals, and even the American Health Law Association. They are all great places to become members and to get certifications.
I am a big proponent of networking. Meet the people in the fields that you want to be in. Go to the national conferences and talk to people. A lot of times when I work for organizations and I’m being their interim privacy officer, their interim compliance officer, I am part of that onboarding process and that hiring process. I get to be a part of writing job descriptions and listing those qualifications.
I tell organizations all the time, if you get somebody who’s new, you can train them to do things your way. It’s just like being a paralegal. Every attorney is different. Every attorney wants to do things their own way. Same thing is true with healthcare organizations. They are all a little different.
They all want to do things their own way. I push them to say, “Hey, I realize this person only has two or three years experience, but you can look at their certifications. They have the knowledge and we can kind of push them to see things through our way.”
It’s great to come in as a lower level privacy analyst and work your way up to those bigger roles to where you can be the compliance officer or the privacy officer. Experience is probably a necessity within most fields you would want to go in.
Q.
I shouldn’t put words in your mouth, but I’m assuming that you need more than just a couple of years of experience. In your case, your personal injury paralegal experience was from working for 15 years as a paralegal before you went into this role.
You had a lot of background experience to transfer over. I can’t imagine you would say, if you’ve been a paralegal for two years, then just go get this certification or could you?
A.
I guess it would depend on what you would do for those two years, but no, I would think you would need a lot more.
I will tell you, if I knew then what I know now, I was probably more qualified for the role than I had realized. So much of that experience was family law, I never would have thought in a million years, because I hated family law, I’m not going to lie, that I would use any of that knowledge working in compliance, but I use it all the time.
Especially when you’re talking about divorce decrees and powers of attorney and all of those things. The biggest thing that I have when I’m doing privacy work is family drama. Most of the complaints, most of the issues, most of the concerns are family.
The mom comes in and says, “I have custody of this kid. Their dad can’t find out anything.” But because I did family law, I know that’s not true and I always tell them, can I see the divorce decree that states this? They don’t have it. They don’t have any legal documentation that states it. Knowing what I know from doing family law has helped me so much with those types of things.
And that’s something I never thought I would use. In compliance and privacy, I use it a lot because family drama, it’s the same everywhere.
Q.
Besides the skills and experience, what kind of traits or soft skills do you think you have that help you succeed in your role? Because it sounds to me like communication skills are pretty important.
The level that you’re communicating with in terms of the status with the client and the people who you’re dealing with and HR officers, it sounds like you’re going to need some communication skills.
A.
Yes, communication skills are a big thing and even on top of that is the ability to not react. You have to be able to stop and think and not give an answer right away.
A lot of people will pressure you and say, “I need to know this right now.” You have to be able to respond, “I’ll get back to you tomorrow or I’ll get back to you in a couple of hours.” Do your research before you give answers. Talk to other people. I can’t tell you how many times a Department Head has called me saying they need to sign a contract right now. These are the details. Can I do it yes or no?
I would say, I haven’t seen the contract. I haven’t read the contract. This says it involves software and technology. I haven’t talked to IT about it. Being able to control your reaction and not buckle under that kind of pressure is huge. Take your time.
It’s okay to tell people you need time to think before you respond. We get a lot of government agencies that show up. We will have law enforcement that show up. We have accreditation agencies that show up. It’s important to be calm and to think about everything.
You want to be careful how you speak. HIPAA is the word breach. The second you say, we have a breach, you have a breach and there’s no going back. We learned very, very early on, after having an incident. Those types of things, like word choice, we learn as a paralegal real quick. Word choice is super important.
Being able to talk to every level within an organization is crucial. I have meetings with CEOs, presidents, nurses, janitorial staff, maintenance workers, managers, directors, you name the level in a healthcare organization. I’ve had meetings with them. I’ve talked to them. Being comfortable talking to those individuals and them feeling comfortable speaking to us is important because people report things to us.
If we are rude or short with people, they’re going to decide they don’t like you and won’t want to talk to you again even when they need your help or want to report something.
Being that open, happy personality is a big thing. Adaptability is a huge one. If you’ve ever been a trial paralegal, nothing goes on in court the way you expect it to so you’ve already got that down.
Not only do I have to know the regulations for certain things, but I also have to know how billing and coding works. I have to know how medical documentation works. If you’ve ever worked, even if it’s not just personal injury, if it’s any kind of case, you know, product liability is usually because somebody got hurt.
We know those medical records. I had a case when I was in personal injury where they had a massive bed sore. It was so huge you could stick a softball inside of it. I know everything there is to know about bed sores. One year CMS comes out with all these regulations. We had to go through all of our medical records and make sure we had appropriate medical documentation on bed sores.
I was like, Oh, I got this. I know everything there is to know about bed sores.
Q.
I like to give people actionable strategies. Imagine there’s someone reading this and they’ve been a paralegal for let’s say 10, 15 years and they’re writing out their five year plan and it includes going into privacy and compliance.
They’ve heard your story and realize I’m doing a lot of that too. I want to do what she’s doing. Could you give them a few steps that they might want to add to their five year plan? Let’s say they’ve got their associate’s degree and their paralegal certificate like you did.
A.
The first thing I would do is figure out what industry you want to go in.
I’m in healthcare, so I’ve been talking a lot about the healthcare industry, but there are other industries. Finance is a huge one that has compliance programs. Real estate has compliance programs. Anybody who takes government funding of any kind is required to have a compliance program.
Do a little bit of research. If there’s an area that you really like or you have a lot of knowledge of, do a little bit of research to see if that’s something you would want to do compliance in. Look at the resources that are out there. The regulations in reference to compliance programs.
The Office of the Inspector General has compliance guidance. HCCA and OIG also have a resource guide that gives you the seven elements of a compliance program and what you have to audit and review to know if it’s a good compliance program. U.S. Federal Sentencing Guidelines also has a manual for what is required of compliance.
The Dept. of Justice has their criminal fraud division that shares what’s required for compliance programs. Do that kind of research so you can familiarize yourself with what really is required of the role.
I hate to say it, I really hate to say it, but getting a bachelor’s degree is not a bad idea.
I was a compliance officer without it, but I would still be working with that same health system as a manager level person without that bachelor’s degree. That’s what opened that final door for me, so I hate it, but there are a lot of online universities now that you can do and do well.
Lastly, get in the industry that you want to and you’ll find when you work as a paralegal, you’ll get sucked into it. You can’t help it. Those would be the things that I would do to get into this field.
I’m one of the lucky few who actually loves their job. Once you get me talking about it, you can’t get me to stop.