Claude Project: Build a Persistent Compliance Operations Assistant

Tools: Claude Pro
Time to build: 1–2 hours
Difficulty: Intermediate-Advanced
Prerequisites: Comfortable using Claude for regulatory analysis and policy drafting — see Level 3 guide: "Use ChatGPT for Regulatory Change Analysis"

What This Builds

Instead of re-explaining your regulatory environment, organizational context, policy framework, and compliance program structure every time you use Claude, you'll build a Claude Project that holds all of that context permanently. Every conversation starts with your regulatory domains, key policies, organizational risk profile, and compliance program documentation pre-loaded. You spend zero time on setup and go straight to the actual work — drafting policies, analyzing regulations, reviewing vendor documents — for your specific organization.

Prerequisites

  • Comfortable using Claude for single-session analysis tasks (Level 3)
  • Claude Pro account ($20/month at claude.ai)
  • Key reference documents to upload: regulatory framework summary, key policy list, common compliance questions, vendor assessment criteria
  • 1–2 hours for initial build; minimal time for ongoing use

The Concept

A Claude Project is like hiring a compliance consultant who has read all your policies, knows your regulatory environment, and remembers everything from your last conversation. You write a set of instructions (the "system prompt") that tells Claude about your organization, your regulatory domains, your compliance program structure, and how you like things done. You upload reference documents as project knowledge. Every conversation in the project starts from this shared understanding — no re-explaining, no context-loading, just work.


Build It Step by Step

Part 1: Set up the Claude Project

  1. Go to claude.ai → click Projects in the left sidebar
  2. Click New Project → name it "Compliance Operations — [Your Organization Name]"
  3. Click Edit Project Instructions → write your system prompt

System prompt template for a Compliance Operations project:

You are an expert compliance advisor for [Organization Name],
a [hospital system / community bank / pharmaceutical manufacturer / insurance company]
operating in [state(s)].

## Regulatory Environment
Primary regulations we comply with:
- [HIPAA Privacy Rule (45 CFR Part 164)] — [brief description of our scope]
- [BSA/AML — Bank Secrecy Act] — [brief description of our scope]
- [OSHA General Industry Standards] — [brief description of our scope]
- [state-specific requirements] — [brief description]

## Organization Profile
- Organization type: [hospital system / bank / manufacturer / etc.]
- Employee count: [approximate]
- Geographic scope: [states we operate in]
- Primary regulator(s): [OCR / FDIC / OSHA / FDA / state DOI / etc.]
- GRC platform: [MetricStream / LogicGate / NAVEX / Workiva / Excel-based]

## My Role
I am the Compliance Manager. I oversee: [list key responsibilities — policy management,
audit program, training, vendor management, regulatory monitoring].
My team includes: [brief team structure description].

## How to Help Me
- Draft policy language and procedure updates when I provide regulatory requirements
- Analyze regulatory text and identify compliance implications for our specific organization
- Review vendor compliance disclosures and identify risk flags
- Write compliance communications for different audiences (staff, leadership, board)
- Generate training scenarios, quiz questions, and knowledge checks
- Draft audit findings with root cause analysis and corrective action plans
- Summarize long regulatory documents into action-oriented briefings

## Communication Standards
- Use standard compliance terminology (BAA, CARC, SAR, SOC 2, gap analysis, etc.)
- When drafting policy language: use precise, legally clear language
- When writing employee communications: plain language at 8th-grade reading level
- When writing board/leadership reports: concise, non-technical, decision-focused
- Always flag when advice may require legal counsel verification

## What Not to Include in Responses
- Never include individual employee names, patient names, or account holder information in outputs
- We work with de-identified aggregate data and policy-level information only
- Flag if a request seems to involve specific individual data that should not be processed through AI

Click Save Instructions.

Part 2: Upload reference documents as project knowledge

Click Add Content → Upload Files → upload your most important reference documents:

High-value uploads:

  1. Regulatory framework summary — A one-page summary of your key regulations, their core requirements, and your organization's compliance approach
  2. Policy inventory — Your list of compliance policies with policy number, title, effective date, and owner
  3. Common compliance Q&A — The top 20 questions you get from employees with your standard answers
  4. Vendor assessment criteria — Your vendor risk tiers and specific requirements for each tier (e.g., Tier 1 vendors with PHI access require SOC 2 Type II + BAA)
  5. Audit finding templates — Your standard finding format with required fields

What you should see: Uploaded documents listed in the project's knowledge section. Claude reads these before every conversation.

Part 3: Test the project with real tasks

Start a new conversation inside the project → test with actual work:

Test 1: Regulatory analysis

Prompt

"Here is a new HHS bulletin about HIPAA security rule updates: [paste excerpt]. What are the compliance implications for our organization, which policies need updating, and what should I brief our Privacy Officer on?"

Check: Does Claude reference your regulatory environment? Does it generate organization-specific implications rather than generic advice?

Test 2: Policy drafting

Prompt

"Draft a new policy section on employee use of AI tools that access patient information. The policy should address: approved AI tools, prohibited uses (no PHI in consumer AI tools), training requirements, and the incident reporting process if an employee inadvertently shares PHI with an AI tool."

Check: Does the draft match your organization type and use appropriate language for your employee audience?

Test 3: Board report narrative

Prompt

"Here are our Q1 compliance metrics: Training: 94% (goal: 95%). Open audit findings: 8 (3 high-risk). Regulatory changes received: 4. Hotline reports: 6 received, 5 closed. Draft a 200-word Q1 compliance program status for our board of directors. Non-technical audience."

Check: Is the language appropriate for a board (non-compliance) audience? Does it identify priority items clearly?

Part 4: Refine based on test results

If outputs aren't right, update the project instructions:

  • Add sector-specific nuances: "Our hospital is a Critical Access Hospital — this affects which CMS Conditions of Participation we must meet"
  • Add style preferences: "Board communications should open with an overall compliance posture statement (Green / Yellow / Red) before any details"
  • Add scope limits: "Only provide policy language for regulations listed in our regulatory environment section — flag when a question is outside our compliance scope"

Real Example: Weekly Compliance Manager Workflow

Setup: You've configured the project with your regulatory framework, policy inventory, and common Q&A.

Monday morning, in your Compliance Operations project:

You: "Here is this week's regulatory monitoring summary: [paste 5 new regulatory items from your monitoring service]. Which of these affect our compliance program? Rank by urgency and tell me what action each requires."

Claude: "Based on your regulatory environment and organization type:

  1. URGENT — HHS HIPAA Security Rule interim final rule (effective April 1): Directly affects your HIPAA security program. You'll need to update your risk assessment procedure and may need to add technical safeguard controls. I can draft the policy update if you share your current security rule policy.
  2. MONITOR — State privacy law amendment ([your state]): Affects your Notice of Privacy Practices. Not urgent for Q1 but schedule a policy review before the effective date in Q3.
  3. NOT APPLICABLE — FinCEN guidance on cryptocurrency: This applies to money services businesses, not hospital systems. No action required.
  4. INFORMATIONAL — OIG Work Plan addition: New focus on telemedicine billing compliance. Worth reviewing your telemedicine program against the new work plan focus, but no immediate action required.
  5. NOT APPLICABLE — FDA drug labeling guidance: Pharmaceutical manufacturer scope; not applicable to your hospital."

Time saved: What was 2–3 hours of manual regulatory screening and analysis becomes a 20-minute AI-assisted triage.


What to Do When It Breaks

  • Claude doesn't reference uploaded documents → Remove and re-upload the documents; check that each file is under 10MB
  • System instructions are being ignored → Move the most critical context to the top of your instructions; Claude weighs earlier instructions more heavily
  • Outputs are too generic → Add more specific organizational context: "We are a Critical Access Hospital with Medicare and Medicaid as our primary payers" or "Our primary banking product is small business lending — most BSA risk comes from cash-intensive commercial customers"

Variations

  • Simpler version: Use Claude's Custom Instructions (Settings → Custom Instructions) to set basic organizational context without managing a full project — less powerful but zero setup time
  • Extended version: Create a separate project for each major regulatory domain — one for HIPAA, one for CMS/billing compliance, one for vendor risk — uploading full regulation text and relevant policies for each

What to Do Next

  • This week: Set up the project with your regulatory framework and top 5 most-referenced policies; run one real regulatory analysis through it
  • This month: Add your policy inventory and vendor assessment criteria; use the project for weekly regulatory monitoring triage
  • Advanced: Combine with your Notion AI knowledge base (Level 3 guide) — use Notion for staff self-service and Claude Project for compliance manager-level analysis and policy drafting

Advanced guide for Compliance Manager professionals. These techniques use more sophisticated AI features that may require paid subscriptions.