

Internal Audit, Risk, Business & Technology Consulting

ILLUMINATING THE TOP GLOBAL RISKS IN 2020

Regulatory Changes and Talent Challenges Are Top Concerns for Healthcare Delivery Organizations

AI, robotics and other rapidly developing digital technologies. Changes in the geopolitical landscape. Shifting customer preferences and demographics. Record lows in unemployment, tightening labor markets and escalating competition for specialized talent. Cyber breaches on a massive scale. A strong U.S. dollar.

These and a host of other significant risk drivers are contributing to the risk dialogue in today’s boardrooms and executive suites. They highlight the influence of the economy and digital disruption on the risk landscape.

The need for greater transparency about the nature and magnitude of risks undertaken in executing an organization’s strategy continues to be high as the expectations of key stakeholders regarding risk management and risk oversight remain strong. Pressures from boards, volatile markets, intensifying competition, demanding and potentially disruptive regulatory requirements, changing workplace dynamics, shifting customer preferences, uncertainty regarding catastrophic events, and other dynamic forces are leading to increasing calls for management to design and implement effective risk management capabilities, as well as response mechanisms to identify, assess and manage the organization’s key risk exposures.

In this eighth annual global survey, Protiviti and North Carolina State University’s ERM Initiative report on the top risks on the minds of boards of directors and executives. Our respondent group, which includes 1,063 board members and C-suite executives from around the world, provided their perspectives about the potential impact over the next 12 months of 30 risk issues across the following three dimensions:

• Macroeconomic risks likely to affect their organization’s growth opportunities

• Strategic risks the organization faces that may affect the validity of its strategy for pursuing growth opportunities

• Operational risks that might affect key operations of the organization in executing its strategy

Protiviti ● 2

Commentary — Healthcare Industry Group

The risk landscape for healthcare delivery organizations (e.g., physician groups, hospitals, post-acute and ancillaries) is significant on numerous fronts, according to views shared by board members and C-suite executives in the industry. In this white paper, we offer our commentary on the 10 risks most often cited by leaders, including implications and strategies for effective risk management. The chart below shows 10 of those top risks.

Top 10 Healthcare Risks for 2020


“As healthcare organizations look forward to 2020, the risk profile has a familiar appearance. The industry not only faces change on the regulatory, privacy and digital fronts, but it also is contending with human capital challenges and internal change resistance. As increased transparency looms on the horizon, healthcare leaders can expect increased competition for services.”

Richard Williams, Managing Director, Healthcare Industry Leader, Protiviti

1. More regulatory changes and heightened scrutiny

In 2020, regulatory changes and heightened scrutiny will continue to shape the Healthcare industry and impact not only how organizations identify, address and manage risks, but more importantly, how they deliver care.

Regulatory compliance will remain a top concern in several areas, including, but not limited to, billing and reimbursement; fraud, waste and abuse; physician compensation; and the opioid crisis. In 2019, the Healthcare industry saw significant regulatory and enforcement actions that will impact healthcare organizations in 2020. Those actions include several Final and Proposed Rules issued by the Centers for Medicare and Medicaid Services (CMS); increased fraud, waste and abuse actions from the Department of Justice (DOJ) and the Office of Inspector General (OIG); and the Health and Human Services (HHS) Office for Civil Rights (OCR) settlements that continue to take penalties past the US$100 million mark. In 2020, new mandates and regulations that were born in 2019, such as President Donald Trump’s executive order mandating hospitals to provide healthcare prices to patients and consumers to improve transparency, will take effect, leaving healthcare providers responsible for mandates entirely new to the industry. The coming year will also bring new areas of risk from trends such as patient care innovation, telehealth and transitions to value-based care.

Finalized changes to the CMS Conditions of Participation (CoPs) will face increased scrutiny from regulators, affecting many different providers by challenging accreditation status through a greater focus on patient rights, complaints, grievances and the overall patient experience. For example, CMS released its Discharge Planning Final Rule, which requires acute and post-acute care providers to focus on patient goals of care, rights to medical records and the discharge planning process as a new CoP.

On the provider-based billing front, hospitals with grandfathered provider-based departments may benefit from potential financial recourse in the coming year, resulting from the U.S. Court of Appeals for the District of Columbia Circuit’s determination that CMS’s 60% reduction in reimbursement of clinical services paid to grandfathered off-campus provider-based departments was improper. Although the effect of the court’s decision is not entirely clear, CMS is expected to resolve both past and future reimbursements furnished at these sites.

Regulatory changes regarding physician compensation and fraud and abuse are expected to take shape as well, as CMS proposed changes to the Anti-Kickback Statute and Stark Law, further supporting care coordination and promoting efforts to improve quality and patient outcomes. If finalized, many of the proposed changes include new exceptions for physician compensation arrangements, such as an exception for physicians to participate in value-based care arrangements and payment models.


The OCR has not demonstrated signs of slowing the pace of its privacy and security enforcement actions, emphasizing equal enforcement actions for both small- and large-scale data breaches. This raises the significance of third-party risk management and the existence of business associate agreements (BAAs) in place, as well as the importance of patient access to information, as the Healthcare industry continues its drive toward the goal of coordinated care.

Other significant government enforcement actions that likely will remain in 2020 include penalties to post-acute care providers, inpatient rehabilitation facilities, drug diversion fraud stemming from the ongoing opioid crisis, violations of the 60-Day Rule governing overpayments, and unauthorized disclosures of protected health information (PHI) on social media.

As the DOJ, OIG and OCR continue to enforce penalties and fines against healthcare organizations for fraud, waste and abuse, and privacy and security violations, overall compliance program design and effectiveness are becoming ever more important for healthcare organizations. In fact, many healthcare organizations are successfully using compliance program effectiveness assessments as a mitigating factor to address and adapt to regulatory change effectively. They are also identifying and addressing noncompliant practices in their early stages by performing risk assessments, implementing appropriate controls, and conducting auditing and monitoring activities. Incorporating compliance risk as part of a greater enterprise risk management (ERM) function is crucial due to the vast number of rapidly emerging and complex compliance changes happening across the Healthcare industry, which are making it increasingly hard for healthcare organizations to manage risks proactively.

2. Succession challenges and the ability to attract and retain top talent

According to the U.S. Bureau of Labor Statistics, U.S. unemployment has reached its lowest rate since 1969. Relatively low unemployment levels prevail in many other regions worldwide as well. While this could be seen as a positive driver for economic performance, low unemployment rates actually create a new set of challenges for healthcare organizations looking to take on ambitious strategic objectives. While establishing a comprehensive retention strategy remains a top priority, healthcare organizations now must take a contemporary approach to organizational development, one that is not focused solely on marketing to and recruiting new talent, but also on developing and retaining existing internal talent.

Cultivating organizational talent is imperative for healthcare organizations looking to escape the current talent shortages unscathed. Instead of only targeting candidates with specific skill sets, healthcare organizations should consider defining and developing talent that will support their future initiatives and goals. This approach enables the business to further develop its overall direction and identify and cultivate existing talent.

Should internal talent cultivation fall short of operational goals, another option is to recruit workers from nontraditional talent pools. For example, companies such as Google and Facebook have loosened their once-stringent recruitment standards to access professionals with valuable, if not necessarily core, skill sets and then provide those hires with additional training. Targeting professional associations, along with hiring based on soft skills that are difficult to teach, opens a pathway to a previously untapped and broader talent pool. This approach to recruitment not only helps to create diverse populations of thought but also lessens instances of employees coming into an organization with “bad habits” that are difficult to change.


Despite the difficulty of attracting and retaining top talent, healthcare organizations will also want to focus on fostering a culture of engagement that involves physicians, nurses, clinical staff, executives, administration and even the associated boards of these organizations. One oft-cited quote by management expert Peter Drucker clearly underscores the importance of having this focus: “Culture eats strategy for breakfast.”

What does an engaged workforce look like in the Healthcare industry? It is an environment where employees (1) have a personal connection to the mission and values of the organization; (2) are empowered to make decisions that best serve patients; (3) feel valued and recognized; and (4) are encouraged and supported in their ongoing development. The resulting benefits include higher retention rates and performance levels. More specifically, highly engaged employees have a positive impact on the patient experience and overall quality of care.

Healthcare organizations must continue to innovate their recruitment and retention practices to ensure they have a steady pool of talent to help them make progress toward achieving strategic objectives. Establishing a culture of continuous learning, ensuring employees are engaged in fostering a positive culture, and embracing nontraditional talent pools can not only reduce challenges surrounding identifying appropriate successors, but also serve as a catalyst to increase employee morale and strengthen the organization’s position as a best place to work.

3. Privacy/identity management and information security

Scrutiny on protecting sensitive information continues to increase, while the seemingly ever-changing threat landscape has the Healthcare industry struggling to keep pace. For the most part, those in the healthcare delivery segment recognize the importance of protecting patients’ health information and just how critical it is to do so — not only because of confidentiality concerns but also the evolving implications to patient safety. However, the plethora of third parties with which healthcare organizations interact do not consistently possess the same understanding and appreciation for their role in helping to protect this information. As healthcare organizations rely more on outsourced technology services and third-party partnerships, many struggle to find a balance among responsibility, accountability and constrained resources. Not only do they have to make sure they are protecting patient information, but also that third-party partners are doing the same.

Given the significant investments that many healthcare organizations have made in recent years to improve their security and privacy posture, it is not surprising that leadership is growing somewhat tired of hearing, “We need to spend more money to protect ourselves properly.” It’s a never-ending battle: The organization takes steps to protect itself, the bad guys change their tactics and the vicious cycle repeats. Healthcare organizations must come to grips with this reality to a degree, but it doesn’t mean surrendering to constant attacks and breaches. Yet the Healthcare industry, as a whole, is struggling mightily with the fact that significant resources are required to continue waging this battle from a people, process and technology perspective.

Further compounding matters, as healthcare moves toward more widespread adoption of true digital transformation initiatives — such as robotic process automation (RPA), advanced analytics, telehealth, artificial intelligence (AI), machine learning and wearables — the threat landscape will also grow. Without question, the industry will face new and emerging risks in the future that will be even more challenging than those of today. Along the way, healthcare organizations will need to assess, and realistically manage, their resource constraints.


4. Resistance to change operations

Clinical and operational performance is also top of mind for healthcare systems and executives. The pressure is growing on healthcare organizations to lower costs, increase market share, improve clinical outcomes and eliminate waste. If it were simply a matter of changing processes to achieve these goals, healthcare organizations could implement best practices and move on. This is why culture matters; it impacts an organization’s ability to make the necessary adjustments to clinical practices and operations.

But change management is difficult, and cultural challenges remain considerable roadblocks in creating the change needed to achieve operational excellence. Changing behavior requires letting go of long-held habits that are familiar and comfortable. That can incite fear among employees that they are at risk of losing something they value. Regardless, healthcare systems must continue to evolve and transform, and that requires changing clinical practices, operations, behaviors and habits. Healthcare organizations need to establish a clear vision of why change is necessary and understand the key components of change management.

Most organizations will set annual goals and roll out key priorities that impact changes to technology, people, processes, habits, beliefs, resources, budgets and cultures. Due to the complex environment of most healthcare organizations, they typically use a top-down approach to implement change. Practices are reviewed based on the literature, solutions are developed, and new practice guidelines are deployed. And many healthcare organizations will adhere to this same process without achieving effective implementation of the desired changes.

Overcoming resistance to change requires alignment of clinical, administrative and economic goals. Creating alignment is dependent on developing a deep understanding of what happens on the front line, where work is performed and delivered. This requires a change in approach, from strategic planning to one of cultural alignment. Using the top-down creation of annual goals with a bottom-up design of solutions is a more effective way to overcome resistance to change. It is this creative design approach that yields positive change and sustains it over time. Leaders develop strategic goals and implement operational improvements. Great leaders engage their teams at the beginning and understand the importance of culture in achieving goals. Healthcare organizations that have led transformation and innovation programs successfully are not confined by traditional approaches; instead, they embrace disruption led by the frontline clinicians and staff.

Before charging ahead with developing solutions that require changes in processes or people, it is essential to gain clarity about the problem that needs to be solved. Healthcare organizations should research the perceived shortcomings and visit locations where work is being performed to gather firsthand knowledge of the current state. They should also set aside assumptions and beliefs to gain a more nuanced understanding of how work is currently being completed — and why. It is also important to gather intelligence from data. Data analytics is the lifeblood of modern healthcare, driving clinical outcomes, reimbursements and effective operations. Achieving change in the Healthcare industry hinges on providing solid evidence that the change is required.

To overcome barriers to change, many healthcare organizations can benefit from employing a new framework for thinking about change management. This framework should include employing an effective change management process using a step-by-step approach that incorporates proven techniques and tools, such as lean management, lean process improvement, design thinking and data analytics.


Of note, one major challenge organizations face in achieving desired changes is how best to influence a highly educated and independent workforce. Engagement in research, involvement in idea generation and participation in solution design are the cornerstones to making change stick. Management must evolve from problem-solver to facilitator and move from trying to create a perfect solution to co-designing solutions using an iterative process. It is useful to have a mindset that is tolerant of failing small and failing fast until a workable solution is developed. Engaging with frontline staff and clinicians to design solutions and create lasting change results in higher employee and provider satisfaction and retention.

In the Healthcare industry, competitive advantage comes from the ability to adapt, transform and innovate — and to do so better than other organizations. The convergence between change management and innovative problem-solving can generate breakthrough ideas and is a proven way to garner buy-in from even the most recalcitrant person to changes the organization needs to make. Healthcare organizations will have a competitive advantage when they leverage their teams to both (1) understand the problem (based on facts and data), and (2) design sustainable solutions with widespread support.

5. Existing operations meeting performance expectations, competing against “born digital” firms

Today’s healthcare landscape is changing rapidly in terms of how and where care is delivered, as well as how the payment for care is rendered. To keep up, healthcare organizations are investing heavily in cutting-edge technology to manage these changes and meet consumer demand and expectations for “connectedness” through digital capabilities. Digital innovation translates to improved business performance through innovative products and services, stronger relationships with customers, and enhanced operational performance and decision-making. One limiting factor for many healthcare organizations is that their existing operations and legacy IT systems and infrastructure can’t support digital innovation in terms of quality, speed to market, and cost in relation to direct competitors and non-Healthcare industry disruptors (e.g., Amazon, Apple, Walmart).

Traditional healthcare organizations must adapt their core business and create new business models to keep pace with emerging, digitally focused companies. As the number of “born digital” companies expands, the competition for customers demanding higher quality and lower costs intensifies. For healthcare organizations, the pressure is on to invest in emerging technology, replace legacy infrastructure and systems, embrace the cloud, create customer-facing websites and apps, and roll out other innovations. At the same time, managing digital transformation comes with risks that healthcare organizations must address to remain in business and achieve their growth and profitability goals for the future. These risks come in the form of data and cybersecurity, legal, regulatory compliance, system interoperability, and reimbursement, to name just a few.

6. Technology advancements to support patient care exponentially increasing cyber threats

Cyber threats are another top concern for the Healthcare industry, beyond the pressure to protect PHI from malicious hackers and other bad actors. These threats are always expanding, especially as healthcare organizations continue to grow and evolve their systems with additional components, including specialty care delivery models; the build-out of more expansive accountable care organizations; the alignment of partnerships or acquisitions; the growing use of new technologies and devices that are connected in a multifaceted approach to the care delivery model; and the collection of information into massive data warehouses. There is also a growing focus on making the patient the center of the delivery model and empowering them to interact with their health information. All of the above initiatives add to an already complex business model when it comes to trying to manage a cyber and information security program effectively.


The complexity and explosion of technology, the need for fast access to vast amounts of sensitive information to provide care and determine potential health outcomes, and the push for interoperability across healthcare organizations are all expanding the potential risk for cyber threat exposure at a rate that is challenging for even the most mature organizations to manage. Applications and devices with known security flaws that cannot be patched, updated, or fully retired are another issue. Many of these apps and devices may be the only technology on the market to meet specific healthcare delivery needs for certain care specialties. Or, they may have involved large capital outlays, where the vendor has failed to provide or allow for ongoing security updates (as is the case with many medical devices).

While the Healthcare industry is dealing with the ever-expanding use of new technologies, along with all the cyber threats and risks that accompany them, organizations are further hindered by a significant shortage of skilled IT resources to help address these issues. As a result, many organizations lack detailed plans for responding to identified cyber incidents.

Many healthcare organizations that are more mature in addressing cyber threats have had success in managing the complexity of technology expansion. They have formal governance and assessment processes that include tight alignment with the information security group in assessing new business initiatives and technologies that include connectivity, control and security aspects. Additionally, these organizations are performing ongoing risk analyses, including regular vulnerability scanning and multifaceted penetration testing efforts to identify new areas of vulnerability. They also have implemented processes and controls to allow for proper incident response and contingency planning should key incidents occur.

7. The influence of culture on risk awareness and effective risk response

Respondents to our global risk survey continue to highlight the need for attention on the overall culture of the organization to ensure it is sufficient to encourage the timely identification and escalation of risk issues. Interestingly, this has been a top 10 concern in our survey since 2015. It highlights the fact that with the speed and complexity of the changing landscape of the Healthcare industry, many organizations feel like they are continually fighting fires instead of proactively managing risks, and therefore struggle to focus their efforts on performance and executing strategy.

Is there a sufficient platform for employees and management to promptly raise awareness of risks or escalate issues that could pose a threat to the achievement of organizational goals and objectives? In many cases, the conventional methods of communicating significant risk do not seem to be a coordinated effort. The traditional platforms for reporting risk are usually risk committees, internal audit, compliance, compliance committees and the catchall — the corporate hotline, which is often seen as a forum to raise concerns related to human resources issues. Among the host of other committees at healthcare organizations, is there alignment of risk issues that should be presented to and be resolved with the board, senior leaders and employees? Is there a platform for committees or department leaders to share risks openly across functional lines? A coordinated, streamlined process for evaluating, exposing and proactively mitigating potential risks in a timely manner means that everyone in the organization understands the concept of risks, shares a common vocabulary, and sees risk assessment, management and mitigation as part of their job. Organizations that can proactively anticipate, adapt and respond to change will be successful in achieving strategic objectives.


One approach to addressing risk is implementing an ERM process. An effective ERM program provides management with relevant information — regarding risks, uncertainties and opportunities — that could influence decision-making during strategy- and objective-setting and performance management. The recently updated COSO (Committee of Sponsoring Organizations of the Treadway Commission) ERM — Integrating with Strategy and Performance Framework emphasizes integrating risk with decision-making, recognizing the important interconnection between risk, strategy and enterprise performance. Whether healthcare organizations have robust ERM programs in place or have yet to create a program, the updated framework serves as a solid foundation for either testing current efforts or providing direction for future efforts.

8. Sustaining customer loyalty and retention increasingly difficult due to evolving customer preferences and/or demographic shifts in existing customer base

A simple principle of customer loyalty and retention across any industry has always been, simply, to be the best at what you do. However, this concept of “best” proves difficult in the Healthcare industry, as it relies heavily on patient perception and does not necessarily follow procedural and/or health-related outcomes to establish this precedent. A 2018 study published in the Journal of Multidisciplinary Healthcare revealed that patients’ perception of care quality was most affected by person-related conditions, such as time with care staff or staff attitudes, and external objective care conditions, such as technology or the cleanliness of facilities. Today’s patient is technologically savvy, expects convenience and demands transparency in all transactions. As demographics continue to shift, along with customer preferences for the delivery of care, understanding the future and ongoing needs and expectations of patients will prove pivotal to ensuring their loyalty.

Retail organizations have mastered practices surrounding customer loyalty and retention, especially in an industry where ongoing battles with competitors are common. While most industries can borrow and mold the majority of these concepts to fit their needs, this is not as easily transferable within healthcare. So, how do healthcare organizations balance concepts such as customer loyalty, customer retention and brand loyalty while continuing to deliver quality outcomes as they relate to patient care? The better question is this: What do organizations stand to lose should they not dedicate the necessary personnel to enforcing these concepts? Multiple studies show that it is more than twice as expensive to acquire new customers as to focus on their ongoing retention.

The Healthcare industry has seen an uptick in acquisitions, mergers and collaborations over the last several years, which also makes brand loyalty another important concept. Ensuring patients can identify additional avenues by which they may access care not only benefits the organization, but also aids in reducing barriers to care. Brand loyalty also addresses how healthcare organizations are perceived within the marketplace. Enhancing the relationship between organizations and patients has perhaps led to the additional focus we have seen within patient experience functions across the United States. According to the Beryl Institute, 82% of healthcare organizations have some focus on patient experience.

The customer’s experience from the very first contact with a healthcare organization will ultimately determine that customer’s loyalty and directly contributes to their retention. Overall, healthcare organizations should take stock of how they are managing their patient populations and curating communications with key segments. Quick wins can typically be found through analyzing patient feedback or looking for ways to streamline processes related to the financial experience, patient wait times and scheduling.

9. Big data and analytics — knowing what’s there and what to do with it

As technological innovation accelerates, there is an expectation that people will work smarter and faster and processes will become more efficient. Another expectation is that organizations will do more with less. The Healthcare industry is no exception, and there is a general perception that healthcare systems have fat to trim. Through various pay-for-performance programs and cost-reduction initiatives, most healthcare systems have cut costs and addressed low-hanging fruit to the fullest extent possible. Now, they are trying to figure out how to run a more efficient operation, with fewer resources, that will result in higher quality that can be definitively measured.

It's no secret that the Healthcare industry is significantly behind other industries when it comes to data analytics. Many health systems are still operating outdated software that does not support innovation and can produce only the most basic reporting. And yet, the data locked within these systems is quite possibly the most valuable data that exists across all industries, as it has the potential to save and enrich many lives. In an era where the overall reimbursement pool is shrinking and payment models are shifting toward rewarding outcomes rather than the provision of services, data is key. Healthcare organizations that realize this and can capitalize on it will be well-positioned to survive and thrive in the future. Those that ignore this reality or remain unable to utilize data in a meaningful way likely will not do as well.

Data in the Healthcare industry is largely siloed (across competing organizations, and across departments within the same organization). That results in many care decisions being based on incomplete information. Thanks to regulatory security and privacy concerns, much of the Healthcare industry has defaulted to building walls around data rather than finding ways to legally share information in a manner that is in the best interest of all involved. The value and overall quality of analytic results rely heavily on the availability and sharing of data so that conclusions can be reached based on a data set that considers the overall population. The more limited the data set is, the greater the chance that poor conclusions will be reached.

“Big data” is a common buzzword in the Healthcare industry, and healthcare professionals recognize the pressing need to make use of data analytics to support and guide improvement initiatives. The challenge is not necessarily the availability of data, though. Rather, it’s how to use the vast amount of data that is available. Nobel Prize winner Herbert Simon aptly stated: “The wealth of information creates a poverty of attention.”

With increased access to powerful data analysis software products, cloud provider services, and the expanded capabilities of Microsoft Access and Excel, the ability exists for people across the entire healthcare organization (not just in finance or decision support) to analyze large amounts of data in ways previously unimaginable. Power BI, Tableau and other data visualization software tools enable data to be aggregated quickly and presented in a visually appealing way. Also, innovative technologies such as process mining, RPA and even AI will play a role in the future of healthcare. However, in the absence of a clear vision and well-conceived plan, efforts to utilize data or extract anything meaningful from it will very quickly become overwhelming. Without the right plan, healthcare organizations are at risk of spending precious time, energy and resources only to end up with shiny new reports or dashboards that have visually enhanced charts and graphs, but no real actionable information.

10. Risk tolerance and acceptance — alignment between third parties and providers

There is a growing need in the Healthcare industry to focus more on improving how vendor and other third-party relationships are managed. Healthcare organizations are engaging a wide range of partners that either provide or support many key functions — from IT solutions to outsourced departments to joint ventures — all of which can have a direct impact on costs and revenues, and the ability to meet overall organizational targets and goals. However, many healthcare organizations overlook the importance of a formal management process for engaging and overseeing these third parties effectively.

The Healthcare industry has seen an explosion in the number of vendors and joint ventures that aim to provide specialty care services, consumer interactions, software, tools, technology, connected devices, web applications, mobile applications and more. Healthcare providers are looking to find the right approach to using these technologies and third parties to provide the best care and service to their patients. Third-party management is ever more important given the significant risk these additional parties can introduce from a reputational, legal and regulatory aspect, as well as their potential to make business models even more complex.

The HHS Breach Portal shows a significant number of cases and associated patients affected by a breach that involved a vendor/third party (business associate). When such a breach occurs, the responsibility for notifying all patients ultimately resides with the covered entity from which the electronic protected health information (ePHI) originated. As a result, it is likely that the covered entity will have its name somehow associated with the breach, such as in headline news. The HHS OCR continues to point to vendors and associated BAAs as key areas of deficiency based on its investigations and associated Health Insurance Portability and Accountability Act (HIPAA) violation settlement agreements.

Ideally, effective third-party management leverages a risk-based approach that takes into consideration many different risk factors of the third party or vendor. Security controls and BAAs are only one aspect. Healthcare organizations should also consider business use and criticality (the impact to the business or on the patient due to being without a service, technology, or another need, and for how long); pervasiveness of the use in the organization; availability, use, and portability of the data; third-party support needs; overall cost, spend and revenue; the expected customer and patient impact; and so on.

Taking these factors into consideration and assigning a risk rating to third parties allows the organization to provide a more focused approach to how it monitors and manages third parties on an ongoing or periodic basis, from the contracting process through to termination. Establishing assigned responsibilities and a defined but flexible process for monitoring these third parties is necessary for healthcare organizations to manage financial, regulatory and reputational risks, as their use of third parties continues to expand.

Closing Thoughts and Looking Ahead

The Healthcare industry is transforming at a rapid pace. Those agile healthcare players that have sound risk management practices in place will likely have a competitive advantage. This will involve the board employing effective risk oversight practices, management continually assessing and deploying risk mitigation efforts, staff who are empowered to both identify and manage risks, and third-party partners that have a strong risk management mindset. 2020 commences a new era for the Healthcare industry, and those organizations taking proactive steps toward this future will be ahead of their peers.

© 2020 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.

About Protiviti

Protiviti is a global consulting firm that delivers deep expertise, objective insights, a tailored approach and unparalleled collaboration to help leaders confidently face the future. Protiviti and our independently owned Member Firms provide consulting solutions in finance, technology, operations, data, analytics, governance, risk and internal audit to our clients through our network of more than 70 offices in over 20 countries.

We have served more than 60% of Fortune 1000® and 35% of Fortune Global 500® companies. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

Contact

Richard Williams, Managing Director, Healthcare Industry Leader, +1.214.395.1662