Compliance Perspectives

SCCE
Dec 9, 2025 • 8min

Bailey Mack on the History of Privacy Legislation [Podcast]

By Adam Turteltaub

What do a secret wedding and Richard Nixon have in common with HIPAA? A lot more than you might think, shares Bailey Mack, Chief Compliance Officer at Together for Youth. In this podcast she tells us the interesting history of privacy and the law.

We begin in 1890 when a photographer trespassed to photograph a wedding he wasn’t supposed to be photographing. Thirty-eight years later in the Olmstead case, wiretapping wasn’t deemed intrusive because no one entered the room. It was as if a privacy violation could occur only if there was trespassing involved.

That began to change in the 1960s, when thinking evolved and the idea gained currency that privacy was about violations of the person’s right to privacy, rather than to property. Watergate led to further changes in which citizens were given access to government records about them. And, since then, more legislation has come and likely will.

Listen in to learn more, and if you’re an SCCE or HCCA member, don’t miss her article in Compliance & Ethics Professional® magazine.
7 snips
Dec 2, 2025 • 10min

Jay Greenberg on Executive Presence [Podcast]

Jay Greenberg, a former Chief Compliance Officer at the FBI, shares his insights on executive presence, defined as making a positive contribution driven by core values. He emphasizes that this skill is learned through experience, self-reflection, and mentorship. Jay discusses the importance of preparation and learning from failures, particularly when engaging with both leaders and rank-and-file employees. He encourages understanding audience perspectives and respecting others' mental preparation rituals, all to enhance one's own presence.
9 snips
Nov 25, 2025 • 15min

Gabor Sulyok and Luciane Mallmann on a People-Centered Ethics and Compliance Framework [Podcast]

Gabor Sulyok, Global Head of Commercial and Healthcare Compliance at BioNTech, and Luciane Mallmann, senior compliance counsel, dive into the essentials of a people-centered ethics and compliance framework. They discuss the importance of fostering a speak-up culture that ensures psychological safety, enabling employees to raise concerns freely. Their approach emphasizes relatable training through storytelling and real-life case studies. With a focus on tailored education and leader visibility, they stress the need for accountability balanced with support to promote a culture of integrity.
Nov 18, 2025 • 10min

Alex Tyrrell on Shadow AI [Podcast]

By Adam Turteltaub

The rise of generative AI has brought transformative potential to healthcare—from streamlining administrative tasks to supporting clinical decision-making. But alongside these benefits comes a growing concern: Shadow AI. Alex Tyrrell, Chief Technology Officer, Health at Wolters Kluwer explains in this podcast that this term refers to the use of unauthorized, unmonitored AI tools within organizations. In healthcare, where data privacy and patient safety are paramount, Shadow AI presents a unique and urgent challenge both now and in the future.

Healthcare professionals often turn to generative AI tools with good intentions—hoping to reduce documentation burdens, improve workflows, or gain insights from complex data. However, many of these tools are unproven large language models (LLMs) that operate as black boxes. They’re prone to hallucinations, lack transparency in decision-making, and may inadvertently expose Protected Health Information (PHI) to the open internet.

This isn’t just a theoretical risk. The use of public AI tools on personal devices or in clinical settings can lead to serious consequences, including:

- Privacy violations
- Legal and regulatory non-compliance
- Patient harm due to inaccurate or misleading outputs

Despite these risks, many healthcare organizations lack visibility into how and when these tools are being used. According to recent data, only 18% of organizations have a formal policy governing the use of generative AI in the workplace, and just 20% require formal training for employees using these tools.

It’s important to recognize that most employees aren’t using Shadow AI to be reckless—they’re trying to solve real problems. The lack of clear guidance, approved tools, and education creates a vacuum that Shadow AI fills. Without a structured approach, organizations end up playing a game of whack-a-mole, reacting to issues rather than proactively managing them.

So, what can healthcare organizations do to address Shadow AI without stifling innovation?

Audit and Monitor Usage

Start with what you can control. For organization-issued devices, conduct periodic audits to identify unauthorized AI usage. While personal devices are harder to monitor, you can still gather feedback from employees about where they see value in generative AI. This helps surface use cases that can be addressed through approved tools and structured programs.

Procure Trusted AI Tools

Use procurement processes to source AI tools from vetted vendors. Look for solutions with:

- Transparent decision-making processes
- Clear documentation of training data sources
- No use of patient data or other confidential information for model training

Avoid tools that lack explainability or accountability—especially those that cannot guarantee data privacy.

Establish Structured Governance

Governance isn’t just about rules—it’s about clarity and oversight. Develop a well-articulated framework that includes:

- Defined roles and responsibilities for AI oversight
- Risk assessment protocols
- Integration with existing compliance and IT governance structures

Make sure AI governance is not siloed. Those managing AI tools should be at the table during strategic planning and implementation.

Educate and Engage

Education is the cornerstone of responsible AI use. Employees need to understand not just the risks, but also the right way to use AI tools. Offer formal training, create open forums for discussion, and build a culture of transparency. When people feel informed and supported, they’re more likely to choose safe, approved tools.

Protect PHI with Precision

In clinical workflows, PHI is often unavoidable. That’s why it’s critical to:

- Deidentify patient data whenever possible
- Ensure only authorized systems, processes, and personnel have access to PHI
- Maintain up-to-date business associate agreements and data processing contracts

As you get closer to the bedside, the margin for error shrinks. Public devices and unlicensed LLMs should never be used in direct patient care.

The regulatory landscape around AI is evolving rapidly—especially at the state level and in the EU. Even if federal guidelines are still catching up, organizations must be proactive. Bake privacy by design into your AI strategy from the beginning. Treat compliance not as a burden, but as a strategic advantage that protects patients and enables innovation.

And be sure to listen to this podcast to learn more about the risks of shadow AI.
Nov 11, 2025 • 15min

Wendy Evans and Georgina Heasman on Interviewing the Subject of an Investigation [Podcasts]

By Adam Turteltaub

There are few parts of an investigation that are more stressful than the interview with the investigation’s subject. Done right it can close all the loops. Done wrong, everything can unravel.

To learn how to handle things best we turn in the second of our two podcasts on investigations to Wendy Evans, Senior Corporate Ethics Investigator, Lockheed Martin and Georgina Heasman, Senior Manager, Global Investigations at Booking Holdings. The two of them are the co-authors of our new book Fundamentals of Investigations: A Practical Guide and lead our Fundamentals of Compliance Investigations Workshop.

In this podcast they offer a host of great insights including:

- While it’s generally best to interview the subject last, there are times, such as in cases of alleged harassment or data theft, where you likely will need to sit down for a preliminary interview sooner
- Be sure to get a read on the subject and be respectful of the stress that they are under, including giving them psychological space before asking tough questions
- Clarify your role in the process as a collector of facts and that you have not already decided that they are guilty
- Invite them to share their perspective both in the interview and, if other things come to mind, afterwards
- Remind them of the confidentiality of the process and the need to focus on the allegation, not who made it

Listen in to learn more, and be sure to investigate their book Fundamentals of Investigations: A Practical Guide and the Fundamentals of Compliance Investigations Workshop.
Nov 6, 2025 • 12min

Georgina Heasman and Wendy Evans on Best Practices for Investigations [Podcasts]

By Adam Turteltaub

Few people know more about conducting a compliance investigation than Georgina Heasman, Senior Manager, Global Investigations at Booking Holdings and Wendy Evans, Senior Corporate Ethics Investigator, Lockheed Martin. The two of them are the co-authors of our new book Fundamentals of Investigations: A Practical Guide and lead our Fundamentals of Compliance Investigations Workshop.

Not wanting to miss out on their expertise, we scheduled two podcasts with them. In this, the first of the two, they share a broad overview of best practices for conducting investigations. Those include ensuring that even compliance team members not responsible for investigations have at least a fundamental understanding of them.

As for the investigation itself, they explain, to go well it begins with the first report. There has to be a clear line of communication and a culture that encourages employees to come forward.

Once you receive that initial contact, it’s important to remember that it tells the story only from one side. You need to ask questions to clarify what was seen and heard and start thinking about what other information you will also need to gather. To keep the information flowing, they recommend telling the reporter and everyone else you interview to reach out to you again if additional information comes to mind.

While testimonial evidence is invaluable, don’t stop there. As you gather the who, what, when and where, be sure to look for the documentary evidence that you need, which requires having strong relationships with departments that have it, such as HR and security.

And, throughout the process, stay focused to avoid going down rabbit holes or getting inundated with more information than you need.

Listen in to learn more, and be sure to check out Fundamentals of Investigations: A Practical Guide and the Fundamentals of Compliance Investigations Workshop.
Nov 4, 2025 • 14min

Veronica Xu on Compliance During a Government Raid [Podcast]

By Adam Turteltaub

Uh oh. The Feds are in the front lobby with a search warrant. Things are bad, and you don’t want anyone on site to make it worse.

The secret is preparation, shares Veronica Xu, SCCE & HCCA Board Member and Chief Compliance Officer, HIPAA Privacy Officer, ADA Administrator at Saber Healthcare Group. That begins with establishing a cross-functional team that likely includes compliance, the general counsel, CEO, CTO and, depending on your industry, the chief medical officer and others. Each should play a part in shaping the plan and be ready to play their part if a raid occurs.

In addition, onsite staff, right down to the receptionist, needs to understand their responsibilities, including whom to call for help. Not only will that avoid very costly mistakes, it will help reduce errors, fear and stress at what will likely be an extremely difficult time.

What an individual gets trained on will vary by role. Yet, there is one commonality to the training. Everyone needs to know the importance of staying calm, being polite and respectful. Be sure to also outline the do’s and don’ts.

There’s one other thing she strongly advises: remember to communicate with your workforce. Be as transparent as possible and avoid conflicting messages. That will keep the lines of communication open and help avoid the speculation that can make the disruption even worse.

Listen in to learn more, and then take a fresh look at your current plans for responding to a government raid.
7 snips
Oct 30, 2025 • 16min

Debbie Sabatini Hennelly on Chatbots, Trust and Reporting [Podcast]

Debbie Sabatini Hennelly, Founder and president of Resiliti with a focus on organizational ethics, dives into the world of AI chatbots in reporting processes. She reveals that nearly 70% of employees feel comfortable using AI for helpline issues, citing benefits like anonymity and fairness. Trust is key—employees are more likely to report concerns when they feel secure and informed. Debbie discusses the importance of transparency and clear communication, along with the need for a welcoming environment for inquiries, not just formal reports.
Oct 28, 2025 • 10min

Evie Wentink on Tone in the Middle [Podcast]

By Adam Turteltaub

If all you’re worrying about is tone at the top, you’re missing a key portion of the choir. With most people reporting to them, middle managers play an integral role in ensuring a culture of compliance and ethics truly permeates the organization.

Evie Wentink, Senior Compliance Consultant at Ethical Edge Experts observes that while many organizations invest in crafting comprehensive codes of conduct and articulate expectations for ethical leadership, they often fall short in equipping managers with the tools, training, and support necessary to fulfill those expectations. This gap can undermine the effectiveness of compliance efforts and leave companies vulnerable to ethical lapses.

At the heart of the issue is a lack of intentional communication. Middle managers are frequently expected to embody and promote ethical leadership, yet they are rarely given a clear understanding of what that entails. To bridge this gap, organizations must develop structured plans that define ethical leadership in practical terms. These plans should include specific deliverables, resources, and expectations tailored to the manager’s role. By doing so, companies can ensure that managers are not only aware of their responsibilities but also empowered to carry them out effectively.

Authentic, ongoing conversations led by these managers are a cornerstone of a successful compliance culture. These discussions should not be limited to formal training sessions or annual reviews. Instead, they must be woven into the fabric of everyday operations. Managers should be encouraged—and required—to initiate “ethics or integrity minutes” at the start of team meetings. These brief segments provide a consistent opportunity to address ethical topics, reinforce values, and normalize open dialogue about compliance issues.

To support these conversations, organizations should provide managers with practical tools. These might include:

- Ethics spotlight cards that highlight key compliance themes.
- News articles that can be used to spark discussion around real-world ethical dilemmas.
- Access to updated policies and codes of conduct, with notifications when changes occur.

Tracking and analyzing these conversations is equally important. Compliance teams should maintain records of who is engaging in discussions, what topics are being covered, and which issues are generating the most questions. This data can be invaluable in identifying risk areas, refining training programs, and tailoring future communications. Often, the most common questions arise immediately after a training session, indicating that such moments are prime opportunities for deeper engagement.

Moreover, it’s essential to recognize the broader impact of middle management on organizational integrity. Prosecutors and regulators increasingly view middle managers as pivotal figures in corporate misconduct cases. Their actions—or inactions—can significantly influence whether a company succeeds or fails in maintaining ethical standards. Consequently, fostering a culture of accountability and proactive communication at this level is not just beneficial—it’s critical.

Ultimately, the goal is to create an environment where ethical conversations are natural, frequent, and valued. When managers consistently lead by example and facilitate open dialogue, employees become more comfortable raising concerns and asking questions. This cultural shift enhances transparency, reduces risk, and strengthens the overall integrity of the organization.

In summary, bridging the compliance gap at the middle management level requires a multifaceted approach: clear expectations, practical tools, authentic conversations, and ongoing tracking. By investing in these areas, organizations can transform their compliance programs from static documents into dynamic, living systems that truly support ethical behavior at every level from the top on down.
6 snips
Oct 23, 2025 • 14min

Alessia Falsarone on AI Explainability [Podcast]

Alessia Falsarone, a non-executive director at Innovate UK with a focus on AI governance, dives into the pressing issue of AI explainability. She discusses the urgent need for transparency in AI decision-making, which can avert crises when systems go awry. Alessia advocates for practical solutions, like dashboards and decision logs, to illuminate how AI reaches conclusions. She also addresses common misconceptions, stressing that explainability should not be viewed merely as a technical challenge, but as a cross-functional necessity.
