Compliance Perspectives

By Adam Turteltaub Michael Savicki, Senior Vice President and Chief Risk & Compliance Officer at American Express Global Business Travel (Amex GBT), best known as Amex GBT, knows the challenges and opportunities in merger’s and acquisitions. The company  recently completed the acquisition of CWT, a global business travel and meetings solutions provider. In this podcast he shares their playbook for effective due diligence, born out of their experience and the heightened regulatory requirements that they face. Among the insight he provides: Integrate your efforts with the business unit’s and work cross-functionally Partner with finance and the commercial team Have a solution-oriented “yes and” mindset Be sure the due diligence process focuses on all the risks: legal, regulatory, operational and reputational Perhaps most importantly: think beyond the transaction. Look to what the acquired entity will need post-acquisition. Embrace the technology that will help get you where you want to be, including AI, which can help spot emerging risks sooner, while freeing your team up to do more strategic work.

Katie Roemer, VP and Compliance & Privacy Officer at Alta Hospital Systems, sees neurodiversity as a powerful asset in compliance. She highlights how neurodivergent individuals excel in pattern recognition and root cause analysis, enhancing compliance efforts. Roemer shares practical training strategies that accommodate various learning styles, such as breaking information into digestible pieces. She emphasizes the importance of creating a psychologically safe environment to encourage diverse perspectives and foster innovation within teams.

By Adam Turteltaub What do a secret wedding and Richard Nixon have in common with HIPAA? A lot more than you might think, shares Bailey Mack, Chief Compliance Officer at Together for Youth. In this podcast she tells us the interesting history of privacy and the law.  We begin in 1890 when a photographer trespassed to photograph a wedding he wasn’t supposed to be photographing.  Thirty eight years later in the Olmstead case, wiretapping wasn’t deemed intrusive because no one entered the room.  It was as if a privacy violation could occur only if there was trespassing involved. That began to change in the 1960s in which thinking evolved and the idea gained currency that privacy was about violations of the person’s right to privacy, rather than to property. Watergate led to further changes in which citizens were given access to government records about them.  And, since then, more legislation has come and likely will. Listen in to learn more, and if you’re an SCCE or HCCA member, don’t miss her article in Compliance & Ethics Professional® magazine.

Jay Greenberg, a former Chief Compliance Officer at the FBI, shares his insights on executive presence, defined as making a positive contribution driven by core values. He emphasizes that this skill is learned through experience, self-reflection, and mentorship. Jay discusses the importance of preparation and learning from failures, particularly when engaging with both leaders and rank-and-file employees. He encourages understanding audience perspectives and respecting others' mental preparation rituals, all to enhance one's own presence.

Gabor Sulyok, Global Head of Commercial and Healthcare Compliance at BioNTech, and Luciane Mallmann, senior compliance counsel, dive into the essentials of a people-centered ethics and compliance framework. They discuss the importance of fostering a speak-up culture that ensures psychological safety, enabling employees to raise concerns freely. Their approach emphasizes relatable training through storytelling and real-life case studies. With a focus on tailored education and leader visibility, they stress the need for accountability balanced with support to promote a culture of integrity.

By Adam Turteltaub The rise of generative AI has brought transformative potential to healthcare—from streamlining administrative tasks to supporting clinical decision-making. But alongside these benefits comes a growing concern: Shadow AI. Alex Tyrrell, Chief Technology Officer, Health at Wolters Kluwer explains in this podcast that this term refers to the use of unauthorized, unmonitored AI tools within organizations. In healthcare, where data privacy and patient safety are paramount, Shadow AI presents a unique and urgent challenge both now and in the future. Healthcare professionals often turn to generative AI tools with good intentions—hoping to reduce documentation burdens, improve workflows, or gain insights from complex data. However, many of these tools are unproven large language models (LLMs) that operate as black boxes. They’re prone to hallucinations, lack transparency in decision-making, and may inadvertently expose Protected Health Information (PHI) to the open internet. This isn’t just a theoretical risk. The use of public AI tools on personal devices or in clinical settings can lead to serious consequences, including: Privacy violations Legal and regulatory non-compliance Patient harm due to inaccurate or misleading outputs Despite these risks, many healthcare organizations lack visibility into how and when these tools are being used. According to recent data, only 18% of organizations have a formal policy governing the use of generative AI in the workplace, and just 20% require formal training for employees using these tools. It’s important to recognize that most employees aren’t using Shadow AI to be reckless—they’re trying to solve real problems. The lack of clear guidance, approved tools, and education creates a vacuum that Shadow AI fills. Without a structured approach, organizations end up playing a game of whack-a-mole, reacting to issues rather than proactively managing them. So, what can healthcare organizations do to address Shadow AI without stifling innovation? Audit and Monitor Usage Start with what you can control. For organization-issued devices, conduct periodic audits to identify unauthorized AI usage. While personal devices are harder to monitor, you can still gather feedback from employees about where they see value in generative AI. This helps surface use cases that can be addressed through approved tools and structured programs. Procure Trusted AI Tools Use procurement processes to source AI tools from vetted vendors. Look for solutions with: Transparent decision-making processes Clear documentation of training data sources No use of patient data or other confidential information for model training Avoid tools that lack explainability or accountability—especially those that cannot guarantee data privacy. Establish Structured Governance Governance isn’t just about rules—it’s about clarity and oversight. Develop a well-articulated framework that includes: Defined roles and responsibilities for AI oversight Risk assessment protocols Integration with existing compliance and IT governance structures Make sure AI governance is not siloed. Those managing AI tools should be at the table during strategic planning and implementation. Educate and Engage Education is the cornerstone of responsible AI use. Employees need to understand not just the risks, but also the right way to use AI tools. Offer formal training, create open forums for discussion, and build a culture of transparency. When people feel informed and supported, they’re more likely to choose safe, approved tools. Protect PHI with Precision In clinical workflows, PHI is often unavoidable. That’s why it’s critical to: Deidentify patient data whenever possible Ensure only authorized systems, processes, and personnel have access to PHI Maintain up-to-date business associate agreements and data processing contracts As you get closer to the bedside, the margin for error shrinks. Public devices and unlicensed LLMs should never be used in direct patient care. The regulatory landscape around AI is evolving rapidly—especially at the state level and in the EU. Even if federal guidelines are still catching up, organizations must be proactive. Bake privacy by design into your AI strategy from the beginning. Treat compliance not as a burden, but as a strategic advantage that protects patients and enables innovation. And be sure to listen to this podcast to learn more about the risks of shadow AI

By Adam Turteltaub There are few parts of an investigation that are more stressful than the interview with the investigation’s subject.  Done right it can close all the loops.  Done wrong, everything can unravel. To learn how to handle things best we turn in the second of our two podcasts on investigations to Wendy Evans, Senior Corporate Ethics Investigator, Lockheed Martin and Georgina Heasman, Senior Manager, Global Investigations at Booking Holdings.  The two of them are the co-authors of our new book Fundamentals of Investigations:  A Practical Guide  and lead our Fundamentals of Compliance Investigations Workshop. In this podcast they offer a host of great insights including: While it’s generally best to interview the subject last, there are times, such as in cases of alleged harassment or data theft, where you likely will need to sit down for a preliminary interview sooner Be sure to get a read on the subject and be respectful of the stress that they are under, including giving them psychological space before asking tough questions Clarify your role in the process as a collector of facts and that you have not already decided that they are guilty Invite them to share their perspective both in the interview and, if other things come to mind, afterwards Remind them of the confidentiality of the process and the need to focus on the allegation, not who made it Listen in to learn more, and be sure to investigate their book Fundamentals of Investigations:  A Practical Guide  and the Fundamentals of Compliance Investigations Workshop.

By Adam Turteltaub Few people know more about conducting a compliance investigation than Georgina Heasman, Senior Manager, Global Investigations at Booking Holdings and Wendy Evans, Senior Corporate Ethics Investigator, Lockheed Martin.  The two of them are the co-authors of our new book Fundamentals of Investigations:  A Practical Guide  and lead our Fundamentals of Compliance Investigations Workshop. Not wanting to miss out on their expertise, we scheduled two podcasts with them. In this, the first of the two, they share a broad overview of best practices for conducting investigations.  Those include ensuring that even compliance team members not responsible for investigations have at least a fundamental understanding of them. As for the investigation itself, they explain, to go well it begins with the first report.  There has to be a clear line of communication and a culture that encourages employees to come forward. Once you receive that initial contact, it’s important to remember that it tells the story only from one side. You need to ask questions to clarify what was seen and heard and start thinking about what other information you will also need to gather.  To keep the information flowing, they recommend telling the reporter and everyone else you interview to reach out to you again if additional information comes to mind. While testimonial evidence is invaluable, don’t stop there.  As you gather the who, what, when and where, be sure to look for the documentary evidence that you need, which requires having strong relationships with departments that have it, such as HR and security. And, throughout the process, stay focused to avoid going down rabbit holes or getting inundated with more information than you need. Listen in to learn more, and be sure to check out Fundamentals of Investigations:  A Practical Guide  and the Fundamentals of Compliance Investigations Workshop.

By Adam Turteltaub Uh oh.  The Feds are in the front lobby with a search warrant.  Things are bad, and you don’t want anyone on site to make it worse. The secret is preparation, shares Veronica Xu, SCCE & HCCA Board Member and Chief Compliance Officer, HIPAA Privacy Officer, ADA Administrator at Saber Healthcare Group.  That begins with establishing a cross-functional team that likely includes compliance, the general counsel, CEO, CTO and, depending on your industry, the chief medical officer and others. Each should play a part in shaping the plan and be ready to play their part if a raid occurs. In addition, onsite staff, right down to the receptionist, needs to understand their responsibilities, including whom to call for help.  Not only will that avoid very costly mistakes, it will help reduce errors, fear and stress at what will likely be an extremely difficult time. What an individual gets trained on will vary by role.  Yet, there is one commonality to the training.  Everyone needs to know the importance of staying calm, being polite and respectful. Be sure to also outline the do’s and don’ts. There’s one other thing she strongly advises: remember to communicate with your workforce.  Be as transparent as possible and avoid conflicting messages.  That will keep the lines of communication open and help avoid the speculation that can make the disruption even worse. Listen in to learn more, and then take a fresh look at your current plans for responding to a government raid.

Debbie Sabatini Hennelly, Founder and president of Resiliti with a focus on organizational ethics, dives into the world of AI chatbots in reporting processes. She reveals that nearly 70% of employees feel comfortable using AI for helpline issues, citing benefits like anonymity and fairness. Trust is key—employees are more likely to report concerns when they feel secure and informed. Debbie discusses the importance of transparency and clear communication, along with the need for a welcoming environment for inquiries, not just formal reports.