A Thousand Compliance Boxes, One Individual Plan

Share

What it takes to help an early-stage company scale in one of the most regulated corners of American healthcare - and why, underneath a thousand federal requirements, the work was always about people.

Picture the least romantic project you can: a small startup, more than a thousand federal requirements, a security audit, and a government certification program that was never designed for a company like ours. That was my 2024.

I spent it leading our pursuit of CMS Enhanced Direct Enrollment (EDE) certification - the credential that would let us connect directly to the federal health-insurance marketplace and finally scale. On paper, it's an acronym factory. In practice, it taught me the same thing every role I've ever held has taught me: even the most technical, regulated, buttoned-up work is, underneath, a people problem.

A quick orientation, because the domain matters. We administered ICHRAs - Individual Coverage Health Reimbursement Arrangements, where an employer funds a tax-advantaged allowance and each employee buys their own individual health plan. It's a genuinely better model for a lot of people, and it runs headfirst into the most complex machinery in American healthcare: the federally facilitated marketplace (FFM), the state-based exchanges (SBE) some states run instead, fifty states' worth of individual plans, and the alphabet of CMS rules governing all of it. To grow, we couldn't keep enrolling members by hand. We needed to connect to the marketplace directly - which is exactly what EDE unlocks, and exactly what those thousand-plus requirements stand in front of.

The build

While still holding and executing on my official title of Director of People & Culture, I added the hat of Program Manager for our EDE project in early 2024. This was after a first attempt had stalled - mostly, I think, because no one had grasped the true breadth of the thing. My job was to turn a mountain of federal requirements, security findings, and audit observations into work a small engineering team could actually execute.

That looked like the unglamorous fundamentals, done well. Daily standups across multiple fronts - identity proofing, the application build, the security layer, the consumer communication library. Writing acceptance criteria into every ticket, and researching the scenarios behind them so engineers weren't guessing: how do we handle multiple matches in a person search? When is a dropdown right, and when to use a single-select? Which questions should even appear at this step, and why? I unblocked PR reviews, helped assemble the required toolkits, and built a habit of incremental demos - not only to check the work, but to keep asking the question that actually governs a project like this: how will this be audited?

And there was a wrinkle that made all of it harder. The federal EDE program was built for consumers and agents shopping the marketplace directly. We were something new to it - an ICHRA administrator serving employer-sponsored members. Explaining that nuance to the CMS Direct Enrollment Help Desk, again and again through early 2024, was its own uphill climb; we were quietly asking the government to recognize a use case its own program hadn't been designed for.

The regulatory depth

If you've never lived inside a federal certification, here's the shape of it. To integrate with the Federally Facilitated Exchange, you build and prove out remote identity proofing (RIDP, through Experian), store and retrieve the federal Data Services Hub's reference numbers, verify agents and brokers against NIPR, check eligibility, submit and retrieve enrollments in real time, manage special enrollment periods and data-matching issues, and hand consumers off cleanly for payment - each of those a single line item with pages of requirements behind it.

Then you get audited, twice over: an Operational Readiness Review of the business, and a Security & Privacy Audit against CMS and NIST controls. I owned the documentation that carries all of it - the System Security Plan, the Security Assessment Plan and Report, the Plan of Action and Milestones, the Interconnection Security Agreement - plus the ongoing compliance operations underneath: penetration-test findings, vulnerability remediation, change-management evidence, POA&M submissions.

All of it during a genuine crisis in the market. In 2024, ACA marketplace fraud exploded - bad actors switching people's plans without consent to harvest broker commissions - and CMS responded, rightly, by tightening the rules and turning up scrutiny on every entity that touched enrollment. For legitimate ICHRA administrators, the compliance burden spiked overnight. Knowing that landscape cold - what changed, why, and what it meant for our members - wasn't optional. It was the job.

Where it became a people problem

Here's what surprised me. Most of the conflicts on a program like this look like competing priorities, but they almost never are. They're understanding gaps between groups optimizing for different things. Engineering was focused on what's feasible and shippable. CMS was focused on regulatory and security controls. The auditors needed evidence and documentation. Leadership needed transparency into timeline, risk, and readiness. Four groups, four languages, one project.

So the highest-leverage thing I did wasn't tracking dependencies, though I did plenty of that. It was translation. I had the engineers complete REGTAP training - not to turn them into compliance experts, but so they could see the consumer-protection, privacy, and security intent behind the requirements they were implementing. Once an engineer understands that an identity-proofing step exists because a real person is about to be enrolled in a real health plan, and that fraud at that step can wreck someone's coverage, the requirement stops being bureaucratic friction and starts being the point. I did the same in reverse - helping reviewers and auditors understand the realities of what we were building. Close the misunderstanding, and most of the friction dissolves with it.

That's the thing a thousand federal requirements make easy to forget: every one of them traces back to a human being trying to get covered. Read the regulation for the person inside it, and it stops being an acronym.

Then everything scaled at once

We didn't, in the end, get EDE across the line - we were a novel use case in a program that wasn't built for us, and our timing ran straight into the fraud crackdown. But the work moved CMS's understanding of ICHRA administrators forward, and it left us with a real compliance backbone.

And then the ground shifted under all of us: heading into open enrollment, our customer base grew 21x.

So I changed hats again. From late 2024 into 2025, I stepped in as interim head of insurance operations to stabilize a company suddenly running at many times its previous scale. I started where I always do - a clear-eyed SWOT - then built the execution plan: named owners, real SLAs, and a daily cross-functional operating rhythm to keep product, engineering, operations, compliance, and member services aligned. We re-read the compliance landscape against new legislation, found the manual work engineering could automate away, tightened audit accuracy and the payments cadence against our customer invoicing, and I built the training and enablement that kept a fast-growing team - temporary hires included - consistent under real pressure. The result was a coordinated, high-accuracy operation that met our members' needs through the surge and produced a set of learnings that fed straight back into the product and our resourcing plans.

And - because this is a post on a blog called Built for People, and because it's simply true - I was doing all of that while also being the entire People Operations function. Payroll, benefits, recruiting, hiring, onboarding: one person, me.

What it takes

People ask what it takes to help an early company scale in an industry this complex. The honest answer isn't a single specialty. It's the willingness to hold a lot of roles at once - project manager, compliance lead, operator, people team, advisor - and the discipline to keep every one of them pointed at the same human outcome.

The rules are real, and you have to know them cold. But the rules are just the shape the care takes. Underneath every requirement, every audit, every late-night remediation ticket, there's a person trying to get themselves and their family covered. Build for them, and the rest is execution.