Creating a Culture of Compliance

Joint Blog with HIPAAtrek, Co-Author: Sarah Badahman, CHPSE, CEO/Founder, HIPAAtrek

Office culture has greatly evolved over the years, impacted by generational differences, laws and legislation, and even design aesthetics. And as technology has changed, one of the most impactful influences on office culture has been digital transformation.

Fueled by growing usage of applications, remote work technologies, and virtual meeting platforms, a new age of digital transformation has allowed employees to work from almost anywhere. It has forced leaders to rethink how to keep employees engaged and connected, and it has forced IT leaders and compliance officers to find ways to ensure that compliance requirements continue to be met and maintained. This is especially true for care facilities in the highly regulated healthcare industry.

CAHs and Compliance

Whether employees are remote and using digital tools or work onsite, critical access hospitals (CAHs) are unique. Rurally located, these care facilities are smaller and may lack a dedicated compliance officer. In fact, it would not be unusual to find an IT leader acting as a compliance leader or a compliance leader also tasked with networking, data testing, or security duties. Nevertheless, adherence to compliance requirements must be front of mind.

Financial information, private patient records, personal information – adherence to compliance requirements is designed to protect this and more. When it passed, the Health Insurance Portability and Accountability Act (HIPAA) was landmark legislation, and being HIPAA-compliant established across-the-board processes for protecting sensitive data and remaining compliant in the cloud.

An in-depth, consistent, and recognized compliance program can also lead to competitive advantages. Beyond finances, personnel resources can be a struggle for CAHs, and a care facility that places high importance on compliance is attractive to employees and aids in retention. With compliance requirements from national, regional, and internal regulators often intertwining, a culture focused on compliance is seen as trustworthy by both employees and patients, who share some of their most sensitive, personal information with hospital staff.

Building Your Culture of Compliance

Due to the lack of personnel resources, limited budgets, and a bit of an “if it ain’t broke, don’t fix it” outlook, CAHs need a long-term plan to create a compliance-centered workplace. The plan matters not just for team adoption, but to avoid the trap of “point-in-time” compliance solutions in favor of continuous compliance strategies that promote long-term buy-in.

Building a culture of compliance for a CAH goes far beyond regulation adherence, however. Although CAH structure may vary, there are some best practices that can be modified as needed to help create the culture your CAH wants – and needs.

  • Top-Down Structure – It’s time for change
    Change happens from the top, and it is no different when it comes to creating or evolving a compliant culture. CAH leadership must make a highly visible and highly vocal commitment to compliance and communicate it effectively to department leaders, from maintenance to medical. In doing this, teams remain fully aware of the importance of compliance and can be held accountable when they violate any practices.

  • Be Aware of Your Budget – Find something that fits your budget
    Because CAHs operate on limited funds, consideration must be given to budgets when creating a culture of compliance. Will there be costs to publicizing any compliance campaigns? How much can be allocated to training materials or programs to promote new compliance processes? What costs may be associated with hiring a third-party vendor, like a software-as-a-service (SaaS) provider or one who specializes in HIPAA automation software, to protect data and accelerate HIPAA compliance?

  • Count on Your Teams – Own it
    Employees are the most valuable assets when it comes to fostering a compliance culture. When practices and processes simplify their work, bring clarity to daily operations, and give them a sense of ownership in both the public and private perception of the CAH, employee relevance cannot be denied.

  • Training Tactics – Stay aware and up to date
    While compliance is critical for CAHs overall, each department will need customized training on how their team contributes to the program. From understanding HIPAA compliance to ensuring patient safety, what compliance looks like will differ across the organization. But every aspect of it matters.

  • Is It Safe to Say? Violation Reporting – Avoid dumb mistakes
    Whether intentional or accidental, compliance practices can be violated. In these instances where compliance procedures are not being followed – putting the entire CAH at risk – a culture centered around compliance equates to one where employees feel safe reporting violations. The silver lining is that these violations can be used as training scenarios and could even warrant a re-examination or modification of compliance structure.

  • Take Advantage of Tech – Don’t be afraid of the cloud
    Healthcare IT teams have pivoted, and continue to pivot, to adopt new technologies that facilitate direct patient treatment and support back-end office functions. These teams bear significant responsibility for protecting patient information, regardless of the locations where CAH medical and support staff are working. Working with tech experts who understand the intricacies of healthcare compliance not only simplifies the process but can accelerate compliance adherence.

CAHs are unique in their healthcare models and the communities served. With a renewed perspective, commitment, and a few tips, CAHs can highlight compliance and embed it in corporate culture to be of even greater service.

Sarah Badahman, CHPSE, CEO/Founder, HIPAAtrek

Blog contributor Sarah Badahman is the CEO of HIPAAtrek. She regularly speaks at healthcare and compliance industry conferences on HIPAA, risk management, security, training, and more. Learn more at
