The Future of Compliance: Moving Past Templates with AI-Powered ComplianceBot
What are Policies (and Procedures)?
Compliance programs require organizations to write down What they will do and How they will do it. The What is considered a policy statement and the How is the procedure. These are the necessary first ingredients of a compliance program. Together with evidence of actually implementing the procedures, they complete the trifecta that is evaluated for all compliance programs.
The Difficulty with Creating Policies
The simple distinction of Why, What and How, while obvious to many, is, interestingly, quite uncommon. So much so that entire sets of business books and self-help talks are devoted to this topic. The second challenge comes from making sense of regulatory compliance text, such as the Code of Federal Regulations (CFRs) for HIPAA. The regulation is written to be broadly applicable - from an individual doctor’s practice to a health technology startup in a garage, all the way to large organizations, such as Mayo Clinic, United Healthcare and beyond. This can make it difficult to parse the language and determine how to respond to the requirements in a policy statement in a way that suits your organization.
The Template Temptation
When presented with this challenge, organizations take what appears at first glance to be a pragmatic approach - use a template.
“Why Reinvent the Wheel?”
It makes no sense to write policies from scratch when someone else must have done it already. After all, there is nothing new in the regulation, right?
“They’ve Probably Done a Better Job”
It makes no sense to write policies from scratch when someone else must have done it already. After all, there is nothing new in the regulation, right?
“Their Stuff has Already Passed Audits”
Most importantly, the material in the templates was likely used by someone successfully to pass an audit. If you start writing something today, with no prior experience, would your brand new text pass an audit? Why take the risk?
The Trouble with Templates
If you cannot read the label on the pill bottle, you should not be taking the medicine. When you consume a template, you are organizationally ingesting a ton of unknowns sight unseen. Let’s break it down.
These are Formal Obligations
Policy and procedure text is serious business. These are formal obligations that your organization is taking on. Your company’s senior management will put their signature on it and attest that this is how your organization is promising to operate. This deserves more care and attention than downloading the first search result for “free HIPAA policies” and doing a find and replace of the company name.
Taking on too Much
Most templated text online is written by legal, compliance and policy nerds. The documentation is designed to look good on paper. It leans towards taking on obligations and away from business scalability (and dare we say, actionability). You end up with a tome that looks great, and heavy! However, when you get around to actually operationalizing it, you realize that it cannot be done by an organization of your size and scale. Sometimes, it cannot be done by organizations of any size and scale.
Being beset with obligations you cannot fulfill is not a great place to be. It is even worse when you get audited.
Not a Good Look
Most external auditors are suspicious of templated documentation. Your policies are the first impression of your compliance program. If an auditor senses that you did not invest the time and organizational energy in creating your own, your compliance program comes across as non-serious. This will lead to disproportionately severe scrutiny of everything else in your organization.
Finding the Right Balance
Thanks to recent advances in AI, especially large language models (LLMs), we finally have the tools to bring highly customized, accurate and actionable policies and procedures to organizations of all sizes. At ComplianceBot, we implement a unique approach to document generation that combines the power of LLMs with human expertise to create best-in-class documentation. Regulatory requirements can be hard to navigate and interpret. We break up the regulatory text into bite-sized pieces. These are fed into an LLM for policy generation. Keeping the inputs small helps prevent LLM “hallucinations”. It also allows effective human review of the generated language. The policy text is combined with metadata about the organization and specific instructions on effective procedure generation to produce highly targeted procedure text.
The text snippets are compiled into a finished document set. This document set is highly customized for the organization. The contents are unique and not from a template. Importantly, all contents are linked to specific compliance criteria. This makes it easy for internal compliance teams and external auditors alike to efficiently validate the documents and ensure they meet all compliance requirements.