Frequently Asked Questions
Questions worth
Questions worth
asking before
you engage.
We believe the decision to engage an external auditor deserves a clear-eyed evaluation. These are the questions we hear most often — answered directly, without qualification.
Working with Us
Records, Security & Confidentiality
The Audit Process
After the Audit
Working With Us
Every engagement is conducted personally by Madison Fournier, BSN, RN — the firm's founder. Your audit is never delegated to non-clinical staff or contracted reviewers. The nurse who scopes your engagement is the same nurse who reviews your records, writes the findings, and delivers your report.
Madison holds a Bachelor of Science in Nursing (BSN) and brings over ten years of clinical nursing experience in post-acute and long-term care settings. She holds an active RN license through the Nurse Licensure Compact (NLC), allowing remote practice in 41+ member states. Additional compliance and documentation credentialing is ongoing.
Yes. A signed BAA is a standard requirement of every engagement — executed before any records are shared or any audit work begins. We do not proceed without one. If your organization has a preferred BAA template, we are happy to review it.
All engagements are conducted fully remotely. Records are exchanged through a HIPAA-compliant secure file transfer process — no on-site presence is required. This allows us to serve organizations nationwide and keeps scheduling flexible for your team.
No. We do not require login credentials or direct access to your EHR. Before the audit begins, we schedule brief workflow meetings with your appropriate staff to understand how records are organized, exported, and structured in your system. This ensures we know exactly what we are reviewing and eliminates the need for any system access on our end.
Yes. Because we work from exported records rather than direct EHR access, we are not limited to specific platforms. Whether your organization uses PointClickCare, MatrixCare, Netsmart, WellSky, or any other system, our process adapts to however your records are produced and transferred. The workflow meetings at the start of each engagement are specifically designed to account for these differences.
Yes. Remote practice under the NLC compact license covers 41+ member states. All engagements are conducted remotely, so geography is not a barrier. If you are unsure whether your state is included, reach out directly and we will confirm before you proceed.
Records, Security & Confidentiality
Records are transferred through a HIPAA-compliant, secure Google Drive environment. You will receive a dedicated, access-controlled folder for your engagement. Files are uploaded by your designated staff and are accessible only to authorized individuals. We will walk your team through the process at the start of the engagement — it requires no technical setup on your end beyond standard file export from your EHR.
Yes, when properly configured. Google Workspace for Business and Enterprise supports HIPAA compliance through a signed Google BAA, restricted access controls, audit logging, and encryption in transit and at rest. Our Google Drive environment is configured to meet these requirements. Google's BAA covers Google Drive as a permitted service under HIPAA.
Access is strictly limited to the auditor and the designated individuals your organization authorizes. Records are never shared with third parties, stored on personal devices, or used for any purpose beyond the scope of your engagement. Each organization's folder is isolated — no cross-client access is possible.
Record retention and disposition terms are addressed in the engagement agreement and BAA. Upon conclusion of the engagement and the included 30-day follow-up period, records are handled according to those terms. If your organization has specific retention or destruction requirements, we accommodate them. Nothing is retained beyond what is agreed to in writing.
Absolutely. Every engagement is treated as strictly confidential. Findings, records, organizational details, and the existence of an engagement are never disclosed to other clients, referenced in case studies, or used in any external materials without explicit written authorization. Confidentiality provisions are included in every engagement agreement.
Yes. The Nightingale Standard carries professional liability (errors and omissions) insurance. Documentation of coverage is available upon request and can be provided as part of your vendor credentialing process.
The Audit Process
Timeline varies by service and record volume. A Comprehensive Clinical Documentation Audit typically runs three to five weeks from record receipt to report delivery — including the workflow meetings, clinical review, findings analysis, and report preparation. A Focused Risk Assessment generally completes in two to three weeks. Timelines are confirmed during the strategic consultation and formalized in the engagement agreement.
Sample size and selection methodology are established during scoping — before the engagement begins. For a Comprehensive Audit, samples typically range from 20 to 60 records depending on the service tier selected. For a Focused Risk Assessment, samples are smaller and drawn from the specific high-risk area being reviewed. We discuss what your organization wants to learn from the audit and build the sample strategy around that goal.
Once the engagement agreement and BAA are signed, we schedule brief workflow meetings with your appropriate staff to understand your documentation environment and record export process. After those meetings, your team uploads the agreed-upon records to the secure shared folder. That is the full extent of what we need from you to begin the clinical review — we handle everything from there.
You receive three documents at the close of every Comprehensive Audit: the Audit Findings Report (narrative findings by record and theme, with regulatory citations), the Remediation Priority Matrix (findings stratified by severity — Critical, Significant, Advisory — with action guidance), and the Regulatory Appendix (applicable F-Tags, CMS standards, and Conditions of Participation referenced throughout the report). A structured leadership debrief follows delivery.
Yes. If your organization has a scheduled or anticipated survey, we can scope the audit to focus on the documentation areas most likely to be scrutinized — accelerate the timeline where possible, and prioritize findings that require the most immediate remediation. Bring this context to the initial consultation so we can structure the engagement accordingly.
Pricing is scoped per engagement based on service type and record volume. Comprehensive Audits and Focused Risk Assessments are priced as flat-fee engagements — no hourly billing, no scope creep surprises. Retainer pricing is structured by cycle frequency and record volume, with a 10–15% reduction compared to equivalent standalone engagements. Specific fee ranges are discussed during the strategic consultation. Schedule a consultation to receive a scoped proposal.
After the Audit
Every engagement includes a structured leadership debrief session following report delivery, and a 30-day post-delivery follow-up — available for clarifying questions, helping your team interpret findings, or thinking through your remediation approach. This is included at no additional cost. Extended advisory support beyond 30 days is available and scoped separately.
Our role is to find, analyze, and clearly communicate documentation deficiencies — and to give your team the specific, prioritized guidance needed to address them. The Remediation Priority Matrix is designed for your internal team to act on directly. We do not implement corrections on your behalf, but we give your clinical and compliance leadership exactly what they need to do so effectively. If your team needs extended guidance, that can be scoped as a follow-on engagement.
No. The Nightingale Standard provides independent documentation auditing and advisory services — we are not legal counsel and do not appear in regulatory proceedings, testify on your organization's behalf, or serve as a representative to CMS or state survey agencies. If your situation involves active regulatory action or litigation, we recommend engaging qualified healthcare counsel in addition to any audit services.
Significant findings are communicated clearly and directly — never buried in an appendix or softened to avoid discomfort. That is the value of an independent audit. Critical-level findings are flagged immediately in the Remediation Priority Matrix with the highest action priority. The leadership debrief is specifically designed to walk your team through these findings and discuss next steps. If a finding requires legal or compliance counsel, we will say so plainly.
A one-time audit gives you a precise picture of your documentation at a fixed point in time. A retainer gives you that picture on a recurring cycle — monthly or quarterly — so you can track remediation progress, catch new patterns before they compound, and maintain a state of continuous audit readiness. Retainer clients also receive priority scheduling, consistent methodology across cycles, and an annual summary report (for quarterly clients) that synthesizes findings longitudinally.
The best path is a strategic consultation — a 30-minute, no-obligation conversation where you can ask everything specific to your organization's situation. If you would prefer to send a question in writing first, use the contact form and we will respond within one business day.
Still have questions?
The consultation is
the right next step.
Every engagement begins with a no-obligation, 30-minute conversation. Bring your specific situation, your organization's context, and any questions this page didn't answer. We will tell you honestly whether an audit makes sense — and what it would look like for your organization.
Schedule a Strategic Consultation