Commentary | Videos | November 19, 2025

How Organizations Can Build a True Culture of Compliance

In the final part of his Pharma Commerce video interview, Faisal Khan, a GRC solutions expert with Vanta, points out how leadership buy-in, role-based training, and “cyber moments” can reinforce continuous awareness and shared responsibility across the organization.

In a recent discussion with Pharmaceutical Commerce, Faisal Khan, a GRC solutions expert with Vanta, highlights how internal employee error continues to drive nearly half of all HIPAA-related data incidents. According to Khan, most of these breaches stem from fundamental lapses in access control and data management, specifically employees having broader data access than their roles require. Without strict adherence to the principles of least privilege and role-based access control, protected health information (PHI) can easily be exposed, misused, or mishandled.

Khan explained that excessive access privileges often create a “trickle effect” across operations, leading to unintentional errors such as sending PHI to incorrect recipients, storing it in unsecured locations, or using it inappropriately for nonessential functions. These mistakes are not always malicious but are frequently the result of poor oversight, unclear data ownership, and insufficient process documentation.

To address these issues proactively, Khan recommended that healthcare and life sciences organizations map their data flows in detail, identifying how sensitive information moves within and beyond their systems. This process should document where each piece of PHI originates, where it is sent, and by what mechanism it travels, so that weak points or inefficiencies in how PHI is handled become visible.

Once these flows are understood, organizations can establish comprehensive asset and data inventories, helping security teams monitor what information exists, who can access it, and how it’s used. With these insights, leaders can implement targeted access controls, correct overly permissive roles, and reinforce policies for data storage and sharing.
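One way to turn the data-flow map and the asset and data inventory described above into a repeatable least-privilege check, as an added example in Python that is not Vanta's or Khan's code: the data inventory tags each dataset as PHI or not, current entitlements are compared against the documented business need per role to produce a revoke list, an access matrix shows which roles can reach each PHI dataset, and recorded flows are screened for PHI leaving the set of approved destinations. All datasets, systems, roles, grants, flows and the approved-destination list are constructed sample data, and the "approved destinations" policy is an illustrative assumption.

```python
"""
Least-privilege review over a data inventory, a role/entitlement map and
a list of recorded data flows.

Added example, not code from Vanta or the interviewee. Every dataset,
system, role, grant and flow below is constructed sample data; the
PHI_APPROVED_DESTINATIONS policy is an assumption made for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Dataset:
    name: str
    phi: bool      # True if the dataset contains protected health information
    system: str    # system of record the dataset lives in


@dataclass(frozen=True)
class Grant:
    dataset: str
    action: str    # "read" or "write"


# Constructed data inventory: what exists and whether it is PHI
INVENTORY = {
    "patient_records": Dataset("patient_records", phi=True, system="ehr"),
    "claims":          Dataset("claims", phi=True, system="billing"),
    "product_catalog": Dataset("product_catalog", phi=False, system="crm"),
    "shipping_log":    Dataset("shipping_log", phi=False, system="wms"),
}

# Constructed current entitlements: role -> grants actually in place today
CURRENT_GRANTS = {
    "billing_clerk": {Grant("claims", "read"), Grant("claims", "write"),
                      Grant("patient_records", "read")},
    "marketing":     {Grant("product_catalog", "read"),
                      Grant("patient_records", "read")},
    "warehouse":     {Grant("shipping_log", "write")},
}

# Constructed documented business need: role -> grants its duties require
REQUIRED_GRANTS = {
    "billing_clerk": {Grant("claims", "read"), Grant("claims", "write")},
    "marketing":     {Grant("product_catalog", "read")},
    "warehouse":     {Grant("shipping_log", "write")},
}

# Constructed data-flow records from the mapping exercise:
# (dataset, source system, destination system)
FLOWS = [
    ("claims", "billing", "clearinghouse"),
    ("patient_records", "ehr", "personal_dropbox"),
    ("product_catalog", "crm", "website"),
]

# Assumption for this example: the only destinations approved to receive PHI
PHI_APPROVED_DESTINATIONS = {"ehr", "billing", "clearinghouse"}


def excess_grants(current, required):
    """Grants present in `current` that the role's documented duties do not justify."""
    excess = {}
    for role, grants in current.items():
        extra = grants - required.get(role, set())
        if extra:
            excess[role] = extra
    return excess


def phi_excess(current, required, inventory):
    """The subset of excess grants that touch PHI datasets; revoke these first."""
    result = {}
    for role, grants in excess_grants(current, required).items():
        phi_grants = {g for g in grants if inventory[g.dataset].phi}
        if phi_grants:
            result[role] = phi_grants
    return result


def phi_access_matrix(current, inventory):
    """Who can touch each PHI dataset: dataset -> sorted roles holding any grant on it."""
    matrix = {name: set() for name, ds in inventory.items() if ds.phi}
    for role, grants in current.items():
        for g in grants:
            if g.dataset in matrix:
                matrix[g.dataset].add(role)
    return {name: sorted(roles) for name, roles in matrix.items()}


def unapproved_phi_flows(flows, inventory, approved):
    """Recorded flows that move a PHI dataset to a destination outside the approved set."""
    return [(ds, src, dst) for ds, src, dst in flows
            if inventory[ds].phi and dst not in approved]


if __name__ == "__main__":
    for role, grants in phi_excess(CURRENT_GRANTS, REQUIRED_GRANTS, INVENTORY).items():
        for g in sorted(grants, key=lambda g: (g.dataset, g.action)):
            print(f"REVOKE {g.action} on {g.dataset} from {role}")
    print("PHI access matrix:", phi_access_matrix(CURRENT_GRANTS, INVENTORY))
    print("Unapproved PHI flows:",
          unapproved_phi_flows(FLOWS, INVENTORY, PHI_APPROVED_DESTINATIONS))
```

In practice the three inputs come from the inventory, the IAM or application entitlement export, and the flow map rather than literals, but the comparison is the same: the revoke list is the concrete output of "correct overly permissive roles", and the unapproved-flow list is the evidence that a data-flow map surfaces storage in locations the policy never sanctioned.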

Ultimately, Khan emphasized that protecting PHI requires more than compliance checkboxes—it demands a continuous, structured approach to data visibility and accountability. By aligning access control and data management with operational needs, organizations can meaningfully reduce risk while maintaining compliance with evolving HIPAA standards.

He also dives into the threat that third-party noncompliance poses to healthcare data security; best practices to close the perception gap of leaders feeling confident in vendor compliance despite limited oversight; and much more.

A transcript of his conversation with PC can be found below.

PC: How can companies build a culture of compliance that integrates HIPAA best practices into everyday operations, rather than treating it as a periodic checklist?

Khan: To build that culture of compliance, you want to focus on integrating those cybersecurity and privacy domains as a whole into your data workflows, where you set the tone at the top with leadership, having buy in and messaging from upper management that HIPAA compliance and security, privacy, and integrity of what you're trying to accomplish is not just a checkbox exercise. It's something that should be actively maintained and be made aware of to deliver safe and ethical services or care at the end of the day, depending on who that organization is, because security and privacy, they're not just a specific team's responsibility—that's really everyone in the organization, because we all have a role to play in it.

There are a few ways of seeing that happen. The first, of course, is through training, not just cybersecurity training that you may give for your organization as a whole, but really thinking about role-based training, based off of, again, the data that they might have access to, the capabilities that are part of their roles and responsibilities, and ensuring they understand what those measures might be for themselves.

But then also, what I've also seen be successful is activities like cyber moments. In a past life, I used to work with a few oil and gas clients, and across them all, there would be this concept of safety moments on all-hands meetings, and the purpose of them is to reinforce safe practices when at work.

Similarly, doing a cyber moment for security and privacy topics—whether it's internal practice reminders, info based on current events in the world—can go a very long way, and it would also become a very effective way to set that tone across the organization and be sort of an iterative reminder. It's all about staying macro aware of what you need to do to uphold security, privacy, integrity of your organization at a more micro level.
