During periods of disruption, the operational resilience of healthcare institutions faces a test. It could be a government shutdown, system outage, or staffing furloughs, but in a highly regulated sector like healthcare, the general concern is that disruption can create an opportunity for noncompliant behavior. In these moments, compliance functions face a unique dilemma: when official systems are inaccessible, how can staff continue to communicate efficiently and effectively, without falling out of regulatory bounds?
The Risks of Going Off-Channel
The temptation to relax standards when “the regulator is not looking” can be a dangerous one. History has shown that when oversight diminishes, even temporarily, organizations may allow small offenses to slide. For example, in instances where government agencies have locked furloughed employees out of their official devices, small lapses, such as turning to unmonitored messaging apps to communicate with others for work purposes, can quickly escalate into significant compliance breaches.
For healthcare companies, this might look like employees reverting to unsecured channels to continue work communications during a network outage. In this event, healthcare employees may use WhatsApp to coordinate patient care. However, the channel is not natively compliant with rules like the European GDPR and U.S. HIPAA Act. Additionally, if an investigation is opened into events during this time, communications on the native WhatsApp application are not auditable – leading to missing data and investigatory gaps.
Maintaining Compliance During a Shutdown or Outage
For healthcare organizations, the stakes are high. Off-channel communications can obscure critical records tied to patient care, data protection, or clinical decision-making. For government healthcare agencies facing a prolonged shutdown or technology outage, essential public health work at the likes of the CDC, NIH, and FDA is hindered, with risk increasing around fragmented data and communications, delayed regulations and oversight, and cybersecurity threats.
Shutdowns can also open the door to more serious risks, such as off-label marketing, misselling, or bribery and corruption, all of which are areas of increasing regulatory scrutiny for the U.S. Department of Justice. The agency has recently emphasized the importance of maintaining complete and accessible records of business communications, including guidance around modern messaging tools that automatically delete content (i.e. disappearing or “ephemeral” message features).
Capture – Don’t Curb – Communications
A frequent knee-jerk reaction during times of disruption is to ban certain channels like WhatsApp or iMessage. Yet experience from the healthcare sector demonstrates that prohibition alone is not a control measure – it is merely a stopgap that often drives behavior underground.
In contrast, institutions that embrace compliant capture technologies are more able to maintain operations without sacrificing compliance. These tools, which can record and archive communications across instant messaging, voice, and text channels, have proven essential to ensuring business conversations remain transparent, traceable, and secure.
What separates organizations that maintain control during disruption from those that struggle is not just policy, it is preparedness. The strongest compliance programs continuously test recordkeeping systems, ensure Bring Your Own Device policies are properly monitored, and maintain constant alignment between compliance, legal, IT, and operations teams.
Post-Crisis Recovery: When the Lights Turn Back On
Disruption rarely ends when systems come back online. The real challenge often emerges afterward, when organizations must reconcile off-channel communications and inaccurate recordkeeping that occurred during downtime. Without comprehensive archiving and surveillance infrastructure in place, compliance teams are left piecing together conversations from fragmented data sources, which can be costly and inefficient. Recent large-scale tech outages have underscored the potential risks associated with relying on solutions built on large-scale public cloud models that are increasingly liable to disruptive events.
Even if communications were mismanaged during a shutdown, recovery is possible. The DOJ Corporate Enforcement Policy, for example, explicitly incentivizes self-reporting of misconduct by offering reduced penalties for any organization that proactively reports instances of noncompliance. In healthcare, where penalties and reputational damage can have serious implications for a company’s bottom line, proactive reporting is crucial to secure declination or reduce fines.
Putting Words into Action
Technology alone is not a silver bullet. Effective compliance programs require leadership buy-in and cross-department collaboration. Compliance cannot function in isolation—it must be embedded into the organization’s culture. This way, employees understand that monitoring tools exist not to police them, but to protect the organization. Compliance buy-in now becomes part of everyday behavior rather than simply ticking a box.
Employees may feel exempt from compliance requirements during a government shutdown, system outage, or furlough period. However, ungoverned communications will always come back to bite organizations later. Regulators don’t just care about the present moment; they want to see a history of proactive communications governance – and a future of it, too.

Rob Mason
Rob Mason is Director of Regulatory Intelligence for Global Relay.






