Compliance, training, regulatory oversight and accreditation are fun. I’m serious.
Following the rules certainly helps your legal team sleep at night, especially in an era of big data breaches and sexual harassment scandals (more on that below). But just as importantly, regulatory compliance that is embedded in your culture will support your mission to deliver value to your clients, customers and shareholders.
Where do you start? More than likely your industry has a regulatory body or two or an accreditation association with regulations, rules, standards—and free resources. Several financial service regulators offer a wealth of information, even outside the banking industry. As an example, see www.fdic.gov/regulations/resources. The Cybersecurity Resources pages and related links also have information that is helpful across industries.
The Federal Reserve has many resources, guidelines and information online at www.federalreserve.gov/publications. The manuals and other useful compliance information there are intended to provide guidance to supervisory personnel in planning and conducting inspections, but they can also give you examples of what is to be expected from those who work with federal banking laws.
In health care, regardless of your size, start with your regulatory or accreditation agencies like The Joint Commission at www.jointcommission.org. The commission standards can help document, measure, assess and improve your performance. The standards help your company make many of your own business decisions in the right way. Accreditation agencies offer guidelines for your operation, from hiring, training and leadership to patient care, safety, cleaning and food preparation. Following these guidelines, standards and related compliance regulations will drive safe, high-quality care.
What is next in developing a compliance program? With tools from your industry, develop plain English policies and procedures. All companies should adopt a code of conduct that promotes prevention, detection and resolution of behavior that does not comply with applicable state and federal laws. A code or business ethics policy can also be the framework for your company culture. If you are just starting, before rolling out, have a cross-functional team (invite folks from all levels in the organization) at a breakfast or pizza party to review, read and give comments on the code of conduct. This gets buy-in and builds a team that can help you train later, and it can be fun.
Be sure to describe responsibilities and empower everyone to meet or exceed the expectations customary within your industry. Your code of conduct does not need to be an exhaustive list of all policies or procedures; it can be a high-level statement outlining what is meant by good compliance. To put it simply, if everyone in your company understands the obligation to abide by applicable laws, rules and regulations, the rest should fall into place.
Finally, train on new policies and make it fun and engaging. Encourage questions, ask someone to keep up with people who ask or answer questions and tell folks in advance the top five will get a prize (use company-branded giveaways or store gift cards). Or tape a $2 bill to the bottom of a few of the chairs in the front rows. During the presentation, ask people to stand and look under the chair. Making it fun is all part of good compliance training.
What are the big issues in compliance for corporations right now? If you read the paper or watch the news, you are struck by the many reports of data breaches and sexual harassment.
Privacy and Data Breaches
This summer, one credit-monitoring company had a massive data breach that exposed the personal data of about 143 million Americans. If worrying about losing personal financial information was not enough, health care has also become a target for cybersecurity attacks. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a U.S. federal law that mandates standards to protect health information. HIPAA imposes certain obligations on an entity when protected health information (PHI) in that entity’s possession is disclosed. The consequences of allowing others who should not have access to see health information can be tough and costly, even if this happens by accident.
On the other hand, as with all regulatory frameworks, HIPAA guidelines help prevent unauthorized use and disclosure of PHI. The key is that you must be able to recognize PHI and the ways breaches can occur. If you see something that looks like a breach or violates the Privacy Rule, the key is not to ignore it. By following good policies and procedures, you can protect your company and the individuals whose health care information you hold.
The news of sexual harassment in the media, in Hollywood and in politics is everywhere. Everyone understands what the hashtag #metoo means. The courts have been clear in directing businesses to take proactive measures to prevent sexual harassment, but what is considered “sexual harassment,” and what should you do about it?
The term sexual harassment is used to describe unwelcome sexual advances, requests for sexual favors and other verbal or physical conduct of a sexual nature when this conduct (explicitly or implicitly) affects an individual’s employment, unreasonably interferes with work performance, or creates an intimidating, hostile or offensive work environment.
Even if someone isn’t trying to offend or make someone feel uncomfortable, some actions can still be sexual harassment. Often, larger businesses have prescribed procedures for handling sexual harassment complaints. If your company does not have a formal procedure, now is the time to develop one, and in the meantime document and report allegations to management or your law firm so that things can be appropriately addressed.
It does not take much for good regulatory compliance and documentation to save a company real money and drive a successful business. That’s why compliance can be fun.
Betsy Edelman is general counsel and chief compliance officer at RiverMend Health LLC, Atlanta.