In a previous post, we discussed the potentially disastrous consequences of companies’ failing to adhere to the compliance requirements impacting their business by looking at several high-profile examples.
The challenge for most companies faced with regulatory and compliance obligations is not necessarily knowing what those obligations are or the potential consequences of failing to meet them, but rather ensuring compliance throughout the organization.
Finding the Right Balance
It only takes one employee, at any level, to expose a company to significant liability for violating a law or regulation, but compliance rules are often lengthy and complex.
Is it realistic for a bank to expect every teller to be an expert on anti-money-laundering laws? Is it efficient for a healthcare organization to require every receptionist to be an expert on Health Insurance Portability and Accountability Act (HIPAA) compliance? Probably not.
At the same time, companies can’t expect their compliance team or general counsel’s office to be engaged in every detail of the organization that could potentially expose it to liability.
Therefore, some balance is required between overtraining all staff and over-involving the highly trained compliance staff. The solution used by many organizations is to train all staff on standard policies for common situations and to give them instructions on escalation for less common situations.
A Case in Point
For example, a healthcare organization might train all staff on the basics of HIPAA and the general idea that patient information is confidential.
That training would also include standard policies for common practices, such as patient check-ins and requests for patient information from other healthcare organizations, insurance providers, etc. Additionally, that training would include instructions on when, how, and to whom to escalate issues beyond that standard training.
If a law enforcement official turns up at a clinic demanding a file on a patient from the clinic’s receptionist, for example, the policy may be to take down information on the request and inform the person making the request that it must be escalated to the compliance department.
Reinforce Escalation Procedures
Compliance violations can cost companies enormous amounts of money and even put them out of business entirely. Therefore, staff need to be aware of the key compliance obligations facing their organization. At the same time, it’s unrealistic for every staff member to be a compliance expert.
The approach that has worked well for many organizations is therefore to provide all staff with the most basic, general compliance knowledge and to train them on escalation procedures.