Transforming Healthcare Compliance to a Department of Yes

Five tips for creating cultural change and showing how healthcare Compliance adds value. 

Whether it’s “where good ideas go to die” or “the department of no,” compliance officers have likely heard negative descriptions of their department. 

I was motivated to change these misconceptions about Compliance in my current role as compliance and privacy officer. My team and I have worked hard to transition from the Department of No to the Department of Yes – With Guardrails. 

Our efforts to create cultural change and show how Compliance adds value include five key activities:  

  1. Making the most of metrics
  2. Being visible 
  3. Providing education
  4. Serving as a strategic partner
  5. Facilitating Compliance liaisons

What is a Department of Yes for Healthcare Compliance?

In Compliance, laws and regulations are the basis for everything we do. We must adhere to them while helping the organization accomplish what it needs to. The good news is that the laws and regulations are not trying to keep us from doing what we need to do.

Most healthcare regulations focus on enabling hospital systems to keep patients safe, provide quality patient care, and reduce risk. So, part of changing the culture is reevaluating how Compliance approaches requests from business and operational leaders.

There have been very few times when a colleague has come to me and said, “We’d like to do this,” and I’ve had to say no.  

I start by acknowledging the effort that went into the proposal, and asking questions: What is the plan or program trying to accomplish? How can we safely merge it together with the relevant regulation?

Most times, I marry the two – the goal with the rule – and say, “We can do this in some form or fashion, and here are the guardrails.” When colleagues feel heard, they’re more willing to adhere to those guardrails because they understand that you’re partnering with them.  

My collaboration with the Legal department is another reason I have been successful in establishing a Department of Yes. Whether it’s in-house or external counsel, they often understand the gray areas better than compliance officers do.  

Partnering with legal counsel is invaluable for considering different approaches to program and policy proposals, finding the gray areas, and defining which guardrails to stick to. 

1. Make the Most of Healthcare Compliance Metrics  

CEOs and CFOs always want to know how Compliance affects the bottom line. But the value of Compliance can be hard to show because it is tough to quantify in dollars.

Even if you can't show a hard financial impact, you can demonstrate how Compliance delivers value by tracking and reporting the right metrics. This gives leaders data they can use to make decisions.

I created dashboards to highlight high-level compliance issues, such as the number of concerns reported via our hotline. Metrics like this are effective both in gauging awareness of Compliance among employees and in showing the impact we make across the organization.

The most compelling measurement is the number of regulations we monitor that affect our organization. I use YouCompli to generate a report showing that we had touched, in some way or another, over 500 regulatory changes throughout the year.

When I showed that summary to my board at the end of our fiscal year, I saw the looks on all of their faces. They had no idea of the extreme administrative burden of regulations! The summary clearly demonstrated how Compliance manages all the risk associated with regulatory changes across the organization.  

2. Be Visible to Healthcare Operations and C-suite Leaders 

When I started as compliance and privacy officer, I scheduled meetings with C-suite and operational leaders. I asked about their pain points and what keeps them up at night. And I explained that my team and I want to support them in accomplishing their day-to-day and strategic goals. 

These conversations raised Compliance’s visibility and had an immediate impact in changing the culture. Leaders realized Compliance didn’t have to be the department where ideas go to die anymore. Colleagues started coming to me with questions and ideas, asking for guidance before making big decisions. 

We also raised our visibility by rounding, and we started each rounding session with questions like:

  • Do you know about the compliance and privacy hotline?
  • Do you know how to record an issue?  

We would get deer-in-the-headlights looks, so we pulled out the computer to walk them through everything. Rounding helps build relationships, and it’s also an educational opportunity. 

3. Provide Ongoing Healthcare Compliance Education

While we're rounding, we share hot topics from the Office of Inspector General (OIG). We talk about common risks across the organization, and we end every rounding session by asking: How can Compliance support you?

There isn’t a cookie-cutter approach to effective education. It requires being visible and talking with employees to understand their concerns and how Compliance can help them. 

I develop educational materials that target knowledge gaps. For example, after we round, my compliance director reaches out to that department leader and says, “These are the takeaways from our rounding. Can I come to your next department meeting?” 

Then we tailor a presentation to fill the knowledge gaps identified during the rounding. We also engage employees via a Privacy & Compliance Corner in our organization’s weekly Monday Messages newsletter. And we partner with IT Security to email biweekly tips on keeping the organization safe and protecting patient information. 

Healthcare Policy Writing 

Another educational opportunity comes with policy writing. We emphasize showing staff how the policies apply to the work they do daily. Most policies are legalistic and are hard to read. Our job is to make them easier to understand, so that clinical staff can focus on providing quality patient care rather than wasting time interpreting policies. 

Healthcare Compliance Education is Fun 

We have fun with education too. Part of our HIPAA educational campaign was awarding Starbucks gift cards to the first employees who called the compliance hotline and correctly shared what the acronym stands for. It raised awareness of HIPAA and our compliance hotline. 
Cybersecurity is another hot topic and an educational opportunity. It's a never-ending battle in healthcare: it only takes one employee clicking a malicious link to give bad actors a foothold in our systems, creating a domino effect of chaos.

When my organization was dealing with a cyber issue, my team worked with the IT Security team to implement a simulated phishing email platform as an educational tool. When I presented the platform for approval to executives, it included increasingly punitive sanctions if employees clicked a link, responded to an email, or opened an attachment.  

Yet executives asked for more aggressive sanctions, including immediate termination. They likened it to not allowing an employee to set a fire in the operating room more than once.  

I pushed back, explaining that employees first need education – whether it’s on preventing a fire or avoiding a phishing scam. The executive team and I compromised on starting with a four-step escalation program.  

After six months of having this policy in place, no employees have made it past the second “failure” of clicking a link, responding to an email, or opening an attachment. It proves my point that education and training are effective. 

4. Be a Strategic Partner 

The phishing example also underscores how being visible and providing education are integral to serving as a strategic partner. I take the conversations I have with staff and leaders to the CEO and offer my guidance on managing the issues identified.

This positions Compliance as a strategic partner and a problem solver and shows how we deliver value. As my team and I strengthened relationships across the organization, these conversations happened more and more. In turn, the CEO was regularly asking the executive team and operational leaders, "Have you run this by Lisa?"

I saw a trickle-down effect: the more we built relationships and engaged colleagues, the more they started bringing us into their discussions. Being an effective strategic partner starts with simply asking questions.

5. Engage Liaisons  

No Compliance department ever has enough full-time employees to do everything on its own. For example, we use the OIG work plan as the basis for our risk assessments and risk matrix. But in a large organization, how do you assess every item in the OIG work plan?

I reached out to the executive leadership team and asked to engage someone in each area to partner with us on monitoring, auditing, and reporting. Once we identified liaisons, my director met with them and educated them on our expectations. We shared tools, spreadsheets, and audit plans, and reinforced that Compliance is a point of contact and resource – someone they can bounce ideas off of.  

In our compliance meetings, our liaisons get a voice at the table. They report out and highlight what their teams are doing to drive compliance in their areas. It’s a way to engage liaisons and celebrate the contributions they make.  

Impactful, Interrelated, and Critical Tactics for Healthcare Compliance 

I’ve had great success reinforcing the value of the work Compliance does by facilitating Compliance liaisons, making the most of metrics, being visible, serving as a strategic partner to leaders, and providing ongoing education. As my story about the educational tool for phishing scams showed, these five tactics are impactful, interrelated, and critical for demonstrating how Compliance delivers value. If you want to shape your organization’s culture, focusing on these five areas will put you on the path to success.

Related: Read “Five ways to show how healthcare Compliance delivers value: Build relationships to win the hearts and minds of operational leaders” to learn how to employ empathy and intellectual curiosity. It will help remind operational leaders of their role and the value Compliance delivers.

Lisa Herota, RHIA, CHC, CHPS, CCS

The opinions expressed in this blog are the author's and do not represent the opinions of her employer. Lisa Herota is the senior director of compliance and privacy for a Colorado-based nonprofit community health care system. She discussed her experience creating cultural change as a speaker on the HCCA webinar "How Compliance Creates Value for the Healthcare Organization" on Nov. 29, 2022.

Lisa holds a Master of Science in Health/Health Care Administration/Management – Informatics from Colorado Technical University, a Bachelor of Science in Health Information Administration from the University of Cincinnati, and Associate of Science degrees in both Health Information Technology from Santa Barbara City College and Biology from Yuba College.

A Workflow for Effective Compliance

  1. Do you read an endless stream of regulations?
  2. Are they all relevant to your organization?
  3. When you find one that does matter, can you quickly tell what to do next?
  4. How will you know they picked up the ball if you delegate those responsibilities to colleagues?
  5. And how will you confidently report progress to your regulators or the Board? 

YouCompli developed a healthcare compliance management system that makes this work as simple as possible. Our clients are empowered to respond to regulatory changes quickly and confidently and can easily prove they’ve fulfilled their obligations.  