Privacy: Changing a Corporate Culture
Insights on Building a 'Culture of Compliance'

A successful effort to build a corporate culture that values privacy should be built on ideas that come from the rank-and-file staff in all departments, not just upper management, says Jan Hillier, a specialist in managing change.

"Leaders frequently want to form a committee with representatives of various departments on it to manage change," Hillier says in an interview with Information Security Media Group's Howard Anderson (transcript below). "Management by committee is a mistake."

Instead, senior department leaders should explain the reasons for a cultural change to the entire staff and then ask everyone to "give us your best ideas of how you think we need to go about doing this," she says.

In an interview, Hillier outlines her three-step approach to managing change, including:

  • Define the vision. "Identify what needs to change and why and paint a picture of what the culture needs to look like in two or three years."
  • Create a change vision value proposition. "Explain why a culture of compliance and patient confidentiality is important and why we need to do it now," she says. "What's going to happen if we don't change? And how will this culture provide value?" For example, she advises stressing that a healthcare organization could lose money if patients feel that their confidentiality is not respected and take their business elsewhere.
  • Manage the process. Be sure to involve all staff in identifying ways to change the culture. "Take the time to explain the problem to people and ask for their help in coming up with a solution to the problem."

Hillier is a clinical assistant professor of management at the Kelley School of Business, Indiana University-Bloomington. She brings an extensive background in management consulting, organization effectiveness, change management and leadership development to her teaching. At McKinsey & Co., where she consulted for five years, she worked on a variety of team-based projects for major industrial, service and healthcare clients. As the vice president of a medical center, Hillier developed a change management/leadership development program based on the concept of "emotional intelligence." She has an MBA and a Ph.D. in organization theory from Indiana University.

Culture of Compliance

HOWARD ANDERSON: One of the important ways that healthcare organizations can help prevent data breaches is to create a culture of compliance. That means that HIPAA compliance, including understanding the importance of protecting patient privacy, has to be part of the mindset of all employees. If a CIO or a chief information security officer wants to play a key role in building a culture of compliance, where should they begin?

JAN HILLIER: The CIO needs to be the catalyst and the champion for change, but the challenge of cultural change is that you can't dictate it. It's not business as usual, and business as usual usually is, "We have a plan and I'm going to delegate it to one of my direct reports and then they'll get back to me where there are problems." And that just doesn't work. What they need to do initially is create this vision of what a culture of compliance needs to be, and this is really about painting a picture of what patient privacy and compliance would look like.

Once they've done that, then their most important role is to really lead the change process and engage others in determining how to create such a culture. It can't just be the CIO. When you're doing cultural change, you really have to involve more members of the senior leadership team, and in particular, the CEO. But as I said before, this isn't a project that can be delegated. It has to have a top-down message, but that's not enough.

I really put it into three steps. The first step is to define the vision, as I talked about just a minute ago, and that means identifying what needs to change and why, and then painting this picture of what the culture needs to look like, say, in two or three years. Then I always recommend that this leadership team do what we call "contrast analysis," and these are from/to statements that leaders complete that are more specific on where we are today and where do we need to be in three years.

For example, we know that hospital personnel often use the same computer and forget to log off. This is one of the ways where they can lose valuable information or people can get access to information they're not supposed to have. This is where we are today, so that would be a "from" statement. The "to" statement would be that in a culture of compliance, everybody would remember to log off as soon as they're done with their computer usage.

The second step then would be to create what I call the change vision value proposition. This is the information that you're going to end up using to sell your change vision to your employees, and this basically is coming up with why the culture of compliance and patient confidentiality is important and why do we need to do it now. What's going to happen if we don't change, and how will this culture provide value to our hospital?

Then the last one, which I think is really important, is what are the trade-offs between changing and staying the same? What will happen if we don't do this? For example, patient satisfaction scores are now available online. If we're the kind of place where we talk about patient information, or patient confidentiality is not respected, this is going to get out there and we could lose patients and we could lose money. Another way to do this, to paint the picture, is [to ask staff to consider,] "What if you or a family member are patients at our hospital and somebody forgets to log off of the computer and all of a sudden people have access to private family information. How would you feel about that?" Again, it's making it real for the employees. Why is this so important to them?

The third step then is managing the process. How do you get them to do it? That's where the rubber really meets the road.

Ensuring Privacy Compliance

ANDERSON: What are some of the essential steps to help ensure that privacy protection is a priority for everyone, from janitors all the way to the CEO? How do you gain their buy-in?

HILLIER: This is a really important question, and what's critical is that you involve people in the process, but not the usual way. The reason I say this is important is because frequently what leaders want to do is have a committee that has representation from different departments on it, and they think this is how they're going to manage change. I have seen companies make this mistake of "management by committee": each department sends a representative to the task force and they're vaguely told what's going to be the new culture, so we're going to have a culture of compliance, and then they're asked to comment on it. But the managers are still making decisions, and they're not really engaging people in the process. The committee representative is not really speaking for the department. They're often not even communicating to other people in the department, and the buy-in just isn't there. ...

What works [instead] is when senior leaders go to the employees and they start presenting the change vision. This doesn't mean the CEO has to do it all, but it does mean that senior vice presidents go out and start talking about it and senior department leaders go out and start talking about it, and they're presenting the information and they're talking about the value proposition of this culture, and why we have to do this.

Once they've explained to people this is what we're going to do and this is why we're going to do it, they say to them, "How do we do it at this hospital? Give us your best idea of how we think we need to go about doing this." You're engaging them in the process and you're asking them to help problem-solve this big change: "We need your help to figure out the steps to go forward with this."

Once you've done that, all of a sudden you're getting people saying, "Oh, alright, well I have some ideas." What I think is almost magical about this is that once you get people starting to solve the problem, rather than being told you have to do this - and by the way if you don't do it you're going to get fired, which is always in the back of their mind - you're inviting them to be a part of the process and you're trying to access their creativity. Even though you're doing this many, many times - I've been involved in change programs where I've seen roughly the same presentation maybe 50 times to the point where I'm dreaming about it in my sleep at night - the same answers keep coming up over and over and over again. When the CIO or the senior person starts saying, "We've had 47 meetings and there's clear consensus and this came up in every department I talked to ...," all of a sudden you've got buy-in right off the bat. It doesn't happen every place the same way. But when you have involved people in the process, I just find it very interesting how you're able to get consensus around what you need to do about the problem when there's a compelling need for the change and that you've taken the time to explain the problem to people and ask for their help in coming up with a solution to the problem.

Types of Training

ANDERSON: What kind of training is most effective when carrying out a big project that involves managing change? How can organizations make sure that all policies and procedures are not only understood, but also carefully followed?

HILLIER: That's another really good question. The reason I think it's a good question is that too often people think that training is the answer to creating change, and I see training as being only a small part of the change package and it comes more toward the middle and end of the overall change program, rather than at the beginning. If you've gone through the process of defining the problem, defining where you need to be and creating that vision and involving people in the process, by the time they need to be trained, it's much simpler to engage them in the process and have your training be effective. But if you haven't laid the foundation, you can do training from now until when the cows come home and you're not going to have an effective change program.

The other thing that I don't want to leave out here is that this change is not just about individuals, and training implies that if you just get the people to change that everything's going to be okay. The other thing you have to take a look at are organizational systems, and you have to be really careful how you reward people - who you promote, who you give bonuses to, who you give awards to and who you recognize in the organization - these are all reinforcements of the old way of doing things. You have to make sure that you're aligning the rest of the organization with this cultural change and that you're actually rewarding people for the right behavior and not inadvertently rewarding the wrong people for the wrong behavior. When you're only looking at training, it's the assumption that we can just get individuals to change; everything's going to be okay. And cultural change is bigger than that. It's more than just the individuals. It's having to look at the entire organization as the integrated system that it is and then making sure that you're looking at all different parts so that it's actually effective.

Emotional Intelligence

ANDERSON: I understand that you served as a vice president of a medical center where you developed a program based on a concept called "emotional intelligence." Please describe that concept and how it might apply to an organization attempting to emphasize the importance of protecting patient privacy?

HILLIER: "Emotional intelligence" is a really interesting concept that has gotten a lot of publicity in the last 10 years or so. It looks at one's behavior and how it affects relationships. It's about this capacity to recognize my own feelings and then others' feelings as well, and how to manage my emotions and then, as a result, be able to work well with other people. It's based on self-awareness and self-control, and it has everything to do with management and leadership, because both management and leadership occur within a relationship between a manager and a direct report.

Teaching managers emotional intelligence really can help improve their relationships with direct reports. I found it to be particularly attractive in the healthcare setting because the first book on "emotional intelligence" talks about brain functioning and how the brain affects our emotional actions and reactions, and so the medical field is interested in this and doctors find it interesting, and nurses can understand the physiology that's described.

I liked it for that reason, but there also were several articles in the Harvard Business Review [about the concept], so for the kind of cynical managers who call the stuff "touchy feely," when you hand them an article from Harvard Business Review, they're a little more interested in it. But successful change programs are asking people to change their behavior. And managers are on the front line of that change, so you need them to "walk the talk" in service role models. But most managers who are promoted into management are promoted for their technical skills and not for their interpersonal skills, and managers end up dealing with some pretty complex behavioral interactions that managers simply are not equipped for. We just haven't trained them to do that very well.

Emotional intelligence really helps managers learn how to influence others by understanding themselves and their relationships with others. When you get managers to change, they will be the chief promoters of change among the direct reports. Emotional intelligence is just one way to help them become far more effective people as managers, because they're influencing people in a different way. And it's just perfect for the medical setting because it does talk about brain functioning. ...

Lessons for Organizations

ANDERSON: When it comes to changing the corporate culture, what other lessons can healthcare organizations learn from other industries?

HILLIER: Everything I have talked about is really an integration of change techniques from other industries. This approach, especially the one I put together at the hospital, was really building on other industries, but healthcare is idiosyncratic in a certain way because it doesn't have a lot of crossover from other industries. The change that's occurring in most other industries is starting to affect healthcare, so I think there's a lot of integration that can occur. But everything that I have talked about is stuff that I used when I was a hospital vice president. I can't recall any time that I had to make adjustments for healthcare. ... I could just adapt it really easily. ...
