The Most Dangerous Words in Compliance: “We Have a Policy for That”
There is one phrase I hear in almost every healthcare organization I visit.
Whether I am conducting a mock survey, preparing a facility for accreditation, reviewing licensing compliance, or assisting with corrective actions after a finding, the response is often the same:
“We have a policy for that.”
At first glance, it sounds like the right answer.
A surveyor asks how incidents are reported.
“We have a policy for that.”
A regulator asks how staff are trained on overdose prevention.
“We have a policy for that.”
Someone asks how emergency evacuations are coordinated.
“We have a policy for that.”
A reviewer asks how quality indicators are monitored.
“We have a policy for that.”
The organization feels confident because the answer exists somewhere. It may be in a binder, a shared drive, a policy management system, or a three-ring notebook sitting on a shelf in an administrator’s office.
The problem is that surveyors are not evaluating whether you have a policy.
They are evaluating whether your organization is actually following it.
And those are two very different things.
The Great Compliance Misconception
One of the most common misconceptions in healthcare compliance is the belief that policies create compliance.
They do not.
Policies establish expectations.
Compliance is demonstrated through implementation.
Unfortunately, many organizations spend the majority of their compliance efforts focused on documentation rather than execution.
They purchase templates.
They update manuals.
They revise procedures.
They add signatures.
They reorganize binders.
They create beautiful systems of documentation.
Then survey day arrives.
Within the first few hours, a surveyor identifies something leadership never expected.
The staff do not understand the process.
Documentation is inconsistent.
Required steps are being missed.
Leadership assumed that because the policy existed, the process was occurring.
The survey reveals otherwise.
The issue was never the policy. The issue was the gap between policy and practice.
What Surveyors Are Actually Evaluating
Many people assume surveys are primarily document reviews.
They are not.
Policies are only the starting point.
A policy tells a surveyor what you say you do.
The rest of the survey determines whether you actually do it.
Surveyors verify compliance through three primary methods: staff interviews, documentation review, and direct observation.
Can staff explain the process?
Can they describe their responsibilities?
Can they explain how they were trained?
Can they identify what actions they would take in specific situations?
Policies are not implemented by binders.
Policies are implemented by people.
If the people responsible for carrying out the process cannot explain it, the organization has a problem regardless of how well the policy is written.
Documentation tells the story of daily operations.
If your policy requires treatment plan reviews every thirty days, are they occurring every thirty days?
If your policy requires annual competencies, are they completed and documented?
If your policy requires incident investigations, can you demonstrate that investigations occurred consistently and appropriately?
Documentation either validates the policy or exposes the gap.
Then comes observation.
Surveyors observe medication storage.
They observe staff interactions.
They observe shift handoffs.
They observe emergency preparedness.
They observe leadership engagement.
What they see must align with what your policies describe.
When practice conflicts with policy, practice wins every time.
The Findings I See Most Often
The majority of findings I encounter are not caused by missing policies.
They are caused by organizations believing that having the policy is enough.
I have reviewed facilities with hundreds of policies and procedures that still received findings because the systems behind those policies were not functioning.
Staff training is one of the most common examples.
The policy requires annual education.
The organization has the policy.
The training matrix looks excellent.
Yet training records are incomplete.
Competencies are missing.
Staff cannot explain the procedure.
The policy exists.
Compliance does not.
The same occurs with suicide risk assessments.
The organization has a detailed policy describing screening, assessment, reassessment, and intervention.
Yet documentation is inconsistent.
Different clinicians follow different processes.
Required reassessments are missed.
The issue is not the policy.
The issue is implementation.
Emergency management presents another common example.
The emergency management plan is comprehensive.
The binder is impressive.
The evacuation procedures are clearly outlined.
Then leadership is asked a simple question:
“Where are clients going if you receive a mandatory evacuation order tomorrow?”
Different leaders provide different answers.
Staff are uncertain.
Transportation logistics have not been tested.
Again, this is not a policy problem.
It is an operational problem.
Quality improvement programs often suffer from the same challenge.
The organization has a QAPI plan.
Meetings occur.
Indicators are tracked.
Minutes are documented.
Yet when negative trends are identified, no action is taken.
Data is collected but never used.
The organization has a quality program on paper.
The surveyor is evaluating whether the quality program functions in reality.
Every Finding Starts With a Gap
Over the years, I have noticed a pattern.
Nearly every finding starts with a gap.
A gap between policy and practice.
A gap between leadership expectations and staff understanding.
A gap between training and execution.
A gap between documentation and reality.
A gap between what the organization believes is happening and what is actually occurring.
The larger the gap becomes, the greater the risk.
The most successful organizations are not necessarily the ones with the most policies.
They are the ones with the smallest gaps.
They understand that compliance is not a binder, a policy manual, or a document stored on a shared drive.
Compliance is operational.
It is demonstrated every day through staff actions, documentation, leadership oversight, and accountability.
What Strong Organizations Do Differently
The strongest organizations I work with approach compliance differently.
They do not assume compliance because a policy exists.
They verify it.
They conduct audits.
They perform rounds.
They observe processes.
They review documentation.
They interview staff.
They ask questions.
Most importantly, they understand that compliance is not a project completed before a survey.
It is a daily operational responsibility.
These organizations do not depend on policies to demonstrate compliance.
They depend on systems.
Leadership understands that survey readiness is not something achieved a few weeks before a visit from regulators or accreditation surveyors.
Readiness is created through consistency.
When a surveyor walks through the door, there should be nothing special happening that day.
The same processes being demonstrated during the survey should have been occurring the day before and the month before.
That is what sustainable compliance looks like.
The Question Every Leader Should Ask
The next time someone says:
“We have a policy for that.”
Do not ask where the policy is located.
Do not ask when it was last updated.
Do not ask who approved it.
Ask a different question.
“Show me.”
Show me the training records.
Show me the audit results.
Show me the documentation.
Show me the competency validation.
Show me the evidence that the process is occurring exactly as described.
Because that is what surveyors will ask for.
The organizations that perform best during surveys understand a simple truth:
Policies establish expectations.
Systems create consistency.
People demonstrate compliance.
The goal is not to have a policy.
The goal is to have a process that works whether a surveyor is in the building or not.
Because when a surveyor arrives, the answer that matters most will never be:
“We have a policy for that.”