Top risks for healthcare organizations in 2020

By Scott C. Gerard, CPA; Eric R. Jolly, CPA; and Rebecca M. Welker, CIA | 6/30/2020
Healthcare organizations continually face difficult decisions about how they focus time, energy, and dollars to avoid undue risk exposure. To manage this environment of increasing risks and limited resources, healthcare internal audit departments must align their risk assessments and resulting internal audit plans to the areas most critical to achieving organizations’ strategic goals and business objectives and maintaining compliance with critical regulatory and other requirements. This risk-based approach focuses on the most critical risk areas and suggests less effort, if any, be applied to low-risk areas. The better the alignment between the internal audit plan and the most critical organization risks, the greater return on risk achieved for an organization’s internal audit investment. 

As we entered 2020, healthcare organizations’ internal audit resources already were limited even as the industry has become more complex and the number of significant risks has grown over the past decade. The delicate balance between an increasing number of risks and the level of internal audit resources became even more challenging in early 2020 when the U.S. was hit by the COVID-19 pandemic. Although the industry has been preparing for natural disasters, terror attacks, and other events that could cause a large influx of patients, the COVID-19 pandemic has rapidly caused big shifts in the healthcare industry and has resulted in new and significant risks that previously had not been considered.

Lack of preparation for new risks can cost a healthcare organization money and its reputation at a time when it can least afford to lose either. Thoroughly understanding the organization’s operations and strategic direction and identifying current and emerging risks is the best approach to achieve a return on risk. To help with this, Crowe has identified the top risks facing healthcare organizations in 2020. The list was created using input from executive management and board members from some of the largest health systems in the U.S. as well as data assembled from risk assessments conducted at more than 250 hospital clients in 2019. In addition to risks that were identified as part of the 2019 assessment process, the Crowe article “5 COVID-19 Emerging Risks for Healthcare Organizations” identifies significant risk areas that have emerged due to the COVID-19 pandemic.

With the rapidly increasing use of technology and the formation of complex partnerships and vendor relationships across the healthcare industry, what might be a top risk at one healthcare organization might not be a top risk or even relevant at another; therefore, the risks have not been ranked.


Cybersecurity

As technology-enabled care and communication with patients grows, cybersecurity continues to be a top concern for healthcare executives, audit committees, and boards. Well-established guidance for cybersecurity programs focuses on identifying information assets and related cyberrisks, applying protective controls, detecting and responding to security threats, and recovering from incidents that occur. Regulations and continual breach reports have demonstrated to healthcare organizations the importance of cybersecurity, and many organizations have been taking steps to perform the necessary risk assessment activities and implement robust preventive controls.

While healthcare organizations continue to mature in identifying and protecting physical property, intellectual property, and data assets, a lack of preparedness for detecting and responding to cyberthreats persists. Detecting cyberthreats requires significant investment in personnel and technology to support monitoring of networked systems, which presents challenges to thinly stretched IT and security budgets. To complicate matters, the healthcare industry is unique in the sense that it has to consider security events such as ransomware and distributed denial of service (DDoS) as well as Health Insurance Portability and Accountability Act (HIPAA) regulations, which require healthcare entities to also plan for violations of patient privacy and inappropriate access to sensitive patient information. This combination increases the complexity of the detective capabilities and incident response plans. Preparedness measures such as walk-throughs of response plans, tabletop exercises, and disaster recovery tests require coordination and time from several groups beyond IT. The healthcare industry’s high integration rate of mobile devices, cloud services, and network-connected biomedical devices further hinders even the best efforts to monitor all systems and have proper response plans in place. It is easy to overlook the costs of resources required to develop, maintain, and continually improve security detection and response capabilities. Security incidents are, unfortunately, inevitable, and leadership is seeing the need to shift its focus to developing strong detective and corrective processes and controls to support the protective controls already in place.

Clinical quality

As more payment models shift from volume to value, many commercial payers are reimbursing based on quality, following the lead of government payers. Federal and state regulators have required organizations to publicly report quality measures and have tied quality to reimbursement through incentives, payment reduction, and penalties. Healthcare organizations are facing increased risks related to not having processes in place to provide and improve quality care, adversely affecting patient outcomes, cost of care, reputation, and financial performance through pay-for-performance penalties.

The COVID-19 pandemic has highlighted the importance of strong processes and contingency plans to maintain quality performance through catastrophic times. For example, healthcare organizations need to consider how they will staff quality functions and other administrative responsibilities during an emergency, how they will deliver the consistent application of important nurse-driven protocols (such as Foley removal), and how they will address scope-of-practice issues as staff is redirected to other duties.

Physician alignment

Physician alignment risks have increased over recent years as physicians rapidly opt out of private practice. As healthcare organizations contract with more and more physicians, it is critical that the organizations verify that expectations and contract provisions are appropriate and complied with, without violating federal fraud and abuse statutes (for example, Stark Law and anti-kickback laws). Health systems also increasingly have integrated the operational and compliance risks related to physician practice management, including patient scheduling and registration, patient billing, cash handling, prescription and medication management, coding, human resource management, and information systems administration. Challenges still exist due to the geographic dispersion of physician practices; for example, many are remote from the hospital campuses with which they are associated and, therefore, might not be included within the day-to-day scope of work for all oversight functions, including compliance, IT security, and patient safety.

However, the most critical integration risks are strategic and longer term: physician alignment and engagement. The increased efficiencies and coordination required by healthcare reform and new payment models cannot be contracted into existence. Physician leadership is essential to increasing the quality of patient care, managing health system costs, and successfully competing in the arena of patient consumerism and satisfaction. Clinical champions must be identified and empowered to address emerging clinical risks, including effectively responding to pandemics and combating the national opioid epidemic. The engagement required for such leadership is under constant threat of clinician burnout due to increased workloads, loss of control, and ever-changing administrative requirements.

Patient safety

Failures in patient safety might lead to preventable injuries or illnesses and death, high litigation costs, increased liability, and reputational impact to facilities and health systems. Virtually every clinical process has inherent patient safety risks, including emergency preparedness; medical device cleaning, disinfection, and sterilization; communication of critical lab results; and recognition of behavioral health needs. As reliance on technology and automation in healthcare increases, ineffective implementation of these solutions might compound many patient safety risks. Alarm management, for example, becomes a greater risk as complex algorithms alert healthcare workers to the potential diagnosis of sepsis or infection with varying degrees of accuracy. Effective collaboration and communication between providers, healthcare workers, and patients, as well as strong alignment of clinical processes and technology with evidence-based practices, must be balanced with limited resources and daily priorities of providing care to patients.

Pharmacy
Few areas in healthcare are at the intersection of patient safety, cost management, compliance, and community health risk quite like pharmacy. Pharmacists and providers play an important role in preventing and detecting drug abuse and controlled substance diversion. Managing these risks is a collaborative effort necessitating detailed knowledge of Drug Enforcement Administration and state boards of pharmacy regulations. If physician-prescribing patterns and drug interactions are not monitored, harm might come to patients. An additional area of patient safety and community health risk is the growing resistance of many diseases to antibiotics; this development has occurred through overuse and noncompliance with evidence-based prescribing practices. Health systems should be deploying tools to monitor both drugs provided in hospitals and those prescribed to patients.

From a cost perspective, the 340B Drug Pricing Program is a complex federal program that provides access to affordable drugs to the most vulnerable members of society. This program requires extensive internal monitoring and inventory tracking. Noncompliance with 340B Program requirements can result in financial risks including repayment to manufacturers and elimination from the 340B Program (which could result in the loss of millions of dollars of annual cost savings). Health systems should obtain program assessments and have independent audits to confirm compliance with program rules.

Price transparency

While previous federal and state legislation has addressed healthcare price transparency for consumers, a new Centers for Medicare & Medicaid Services (CMS) rule published Nov. 27, 2019, will make hospital requirements more stringent. The “Price Transparency Requirements for Hospitals to Make Standard Charges Public” final rule (85 Fed. Reg. 65524) will become effective Jan. 1, 2021. Under the final rule, hospitals will be required to capture and publicly disclose significant amounts of information including gross charges, payer-specific negotiated rates, cash prices for the many inpatient and outpatient items and services offered by each hospital, and Healthcare Common Procedure Coding System codes. In addition, the final rule requires shoppable services (that is, services that can be scheduled by a consumer in advance, such as a knee replacement) to be publicly disclosed as well.

Gathering and disseminating this information will be complex and will require diligence and collaboration. Hospitals might need to redesign current data collection processes, as robust data management and retrieval will be vital to timely compliance. According to CMS, lack of price transparency is one cause of escalating healthcare costs, and greater transparency is expected to encourage choice and competition, thereby lowering prices. The final rule provides CMS with the authority to monitor, audit, and mandate corrective action plans. Compliance with price transparency requirements presents a new reputational risk to hospitals, as CMS is authorized to impose – and publicize – civil monetary penalties of $300 per day for noncompliance.

Emergency preparedness

The risk of healthcare providers being unprepared in the event of a natural or human-created disaster that leads to a large influx of patients has been significant in the past but has gained attention as healthcare organizations around the world work to address the COVID-19 pandemic. In March 2020, CMS announced that it was issuing temporary new rules and waivers of federal requirements to make sure that healthcare organizations would have the capacity to absorb and treat surges of COVID-19 patients. Previously, in September 2016, CMS issued an emergency preparedness final rule requiring that healthcare providers have an emergency plan based on a risk assessment, supporting policies and procedures, a communication plan that includes coordination with state and local health departments, and a training and testing program in which drills are conducted at least annually. In addition to not being able to adequately care for existing and new patients or to protect staff, risks to healthcare organizations in being unprepared for emergencies and disasters include deficiencies in meeting CMS Conditions of Participation (which ultimately could result in termination from the CMS program) and fines.

Third-party vendor management

Healthcare organizations routinely rely on third-party vendors to enable mission-critical services, which in turn can increase business exposures. Because third-party vendors often have access to the hospital facility and hospital data as well as direct access to patients, compliance, patient safety, and regulatory risks can be significant. Failure by third parties to comply with federal, state, and local laws can have immediate and devastating negative financial, legal, and reputational results. Risks related to use of third parties for core services must be considered carefully before contracts are signed, and they must be managed throughout the vendor relationship. A thorough vendor management program with ongoing monitoring of third parties (including pricing compliance, quality of service, background checks of vendor employees, and IT security) is critical to mitigate these risks.

Case management

Acute care case management drives safe, cost-effective, patient-centered strategies to deliver the appropriate level of care, from hospital admission to safe transition to a lower level of care, in accordance with Medicare Conditions of Participation (CoP) requirements. Attention to new requirements is important in preventing the risk of noncompliance. Per the recently updated CoP Section 482.43, “Discharge Planning,” for those patients discharged home and referred for home health agency (HHA) services, or for those patients transferred to a skilled nursing facility (SNF), inpatient rehabilitation facility (IRF), or long-term acute care hospital (LTCH), the hospital is required to include in the discharge plan a list of HHAs, SNFs, IRFs, or LTCHs in the geographic area requested by the patient. Additionally, the hospital must provide the patient with quality and resource use measures to aid the patient in selecting the post-acute care (PAC) provider best aligned with his or her care goals and preferences (the detailed information-sharing portion of the CoP). Applicable medical information and goals of care also must be provided to the PAC provider, which can be a challenge if interoperability between the hospital’s and the PAC provider’s computer systems does not exist. A limited number of PAC providers also can affect the hospital’s ability to transition patients in a timely manner for post-acute follow-up.

Although CMS issued a blanket waiver of the detailed information-sharing requirements through the end of the COVID-19 emergency declaration, the waiver does not apply to the requirement to discharge patients to an appropriate setting with the necessary medical information and goals of care. Furthermore, hospitals should plan to implement and monitor compliance with the detailed information-sharing requirements upon return to normal operations.

Joint venture management and oversight

In recent years, health system growth has been defined through partnership and affiliation in the delivery of services. Joint venture relationships commonly are used as financial vehicles to operate across an expanded spectrum of care, obtain access to improved technology, and serve a greater community. While many people look at joint ventures from a financial perspective, risks in this area are not just financial but also related to all aspects of patient care, digital security, compliance, and reputation. Joint venture arrangements have become increasingly complex in sharing of revenues and expenses; achieving performance and return on investment; and complying with a broad spectrum of regulations, including HIPAA, Stark Law, antitrust, and the False Claims Act.

The owners of a joint venture should implement adequate oversight processes at both the owner level and the joint venture level. Additionally, joint ventures should maintain effective monitoring controls such as having a board of directors with broad business, technology, and clinical expertise; a compliance program; and an internal audit function. Without these, healthcare organizations are vulnerable to financial loss, fines and penalties for compliance violations, failure to achieve and sustain growth goals, and significant reputational and legal damages.

Quality payment program

With the first Medicare Quality Payment Program performance year completed in 2019, the risk of negative payment adjustments is now here, increasing, and ever-present. Physicians who avoided the initial unpredictability through participation in Medicare Advanced Alternative Payment Models are now bracing for their own volatility under post-2024 Quality Payment Program adjustments.

All providers face the distinct risk that revenue is being left on the table because of bad data. Electronic health records could be aggregating or submitting data incorrectly, or current documentation practices might not “check the right boxes” to establish credit for quality metrics achieved. Good data also could be accurately reflecting bad or deteriorating performance. However, the financial impact of Medicare payment adjustments could be less significant than the reputation risks if providers are not keeping pace with competitors. Health systems must have strong processes to verify that quality measure reporting is complete and accurate. Even more challenging, health systems must measure, monitor, and improve upon the right measures.

Telehealth
As the threat of COVID-19 expanded, telehealth and telemedicine evolved from an optional convenience to an absolute necessity in the span of a few weeks. This shift resulted in health systems scrambling to rapidly develop existing platforms or build out new ones in order to continue treating patients. In implementing the technologies and processes to support these initiatives, healthcare organizations also must implement strong controls for remote service delivery and supporting technologies. These controls are necessary to address and adhere to clinical standards (such as provider capabilities, credentialing, and standards of care), promote high-quality care, minimize the risk of patient harm, and comply with regulatory requirements for privacy and patient data security.

Revenue cycle improvement

More and more, healthcare organizations are turning to third parties and automated solutions to achieve revenue cycle improvements. However, increased revenue cycle outsourcing and automation can introduce additional risks if transparency in revenue cycle performance is reduced or if poor manual processes are hardwired into automated ones. In addition, hospitals that fully outsource their revenue cycle function might not be getting much of a financial benefit. Organizations cannot adopt a “set it and forget it” mentality. Robust monitoring is crucial for success with outsourced and automated functions, as it will help to identify gaps and risks in workflow processes. Monitoring also provides transparency in end-to-end revenue cycle management and allows communication across the entire revenue cycle. Some areas in which monitoring is especially important include:

  • Clinical documentation improvement, where outsourced and automated processes might not accurately direct resources to the greatest opportunities
  • Utilization management, where ineffective work queue automation might cause patient accounts to fall through the cracks
  • Emergency department (ED) coding, where organizations might not always have visibility into the logic used to assign ED levels

Government and politics

Since the beginning of the COVID-19 pandemic, the regulatory environment has moved faster than ever before, with $175 billion available to healthcare entities under the CARES Act and with fund distribution based on multiple factors including lost revenues, expenses related to COVID-19, net patient revenues, rural location, and low-income populations. At the time of publication, debate continued in Washington, D.C., over additional COVID-19 assistance funds. It is essential for health systems to keep in close contact with federal and state government representatives to be well positioned for COVID-19 reimbursement. Hospitals should assess the accuracy of the Relief Fund Payment attestations and maintain substantial supporting documentation to avoid future need for repayment of these funds.

While the Affordable Care Act (ACA) is considered by many to be established legislation, the U.S. Supreme Court continues to hear challenges that could eliminate provisions beneficial to health systems. Because the Trump administration, including the U.S. attorney general, is in agreement with ACA challengers and because the Supreme Court leans conservative, it is again possible that the ACA will be struck down or significantly changed. At the same time, the current period of economic uncertainty and high unemployment puts health systems at risk from patients without health coverage or with less coverage due to the loss of employer-funded insurance. Hospitals should continue to monitor their methodologies for net patient service revenue calculations and reserve estimates during this time of great upheaval.

Furthermore, searching for additional tax revenues to recover from economic struggles, state and local governments might continue to challenge not-for-profit health systems’ executive pay, community benefit provided, and tax-exempt status.

Legal and regulatory compliance

Compliance with federal and state laws and CMS regulations remains a top concern for healthcare governance and management teams. Healthcare is a highly regulated industry with special rules applicable to transactions between health systems and physicians to avoid referrals of Medicare or Medicaid patients where financial relationships exist (Stark Law); filing of fictitious, miscoded, nonmedically necessary, or otherwise inaccurate claims for Medicare or Medicaid beneficiaries (False Claims Act); and many other compliance matters. Health systems also have been challenged by elements of Americans With Disabilities Act compliance and quality of care requirements.

Possible results of noncompliance with the many regulations faced by healthcare organizations include class-action lawsuits and significant legal, regulatory, and financial consequences. And, even in cases in which the government doesn’t take action, whistleblowers (often from within an organization) might be financially rewarded using “qui tam” lawsuits to take action on the government’s behalf to recoup government funds under the False Claims Act. Other common results of noncompliance include fines, reputational loss, and costly corporate integrity agreements.

To avoid these risks, it is important that healthcare providers understand the federal government’s focus areas relative to combating fraud, waste, and abuse, which can be accomplished through regular review of state and federal regulator websites. For example, the Office of Inspector General’s (OIG) Work Plan is updated monthly and made publicly available on the OIG website. Current OIG focus areas include inpatient hospital billing, CMS oversight of nursing facility staffing levels, compliance with CMS transfer policies, billing of critical care service levels, and use of condition codes. Although lengthy, the OIG Work Plan is organized by the date that each plan item was announced or revised and provides the reader with a condensed, summarized list of current focus areas. Conducting regular monitoring and independent audits based on the OIG Work Plan is a vital strategy in proactively mitigating or detecting regulatory risk.

Health systems also should be proactive and undertake audits of physician transactions, care coordination functions, billing, and claims coding. In addition to these audit areas, health systems should consider periodic reviews of the effectiveness of their compliance programs, which help safeguard against regulatory and “qui tam” legal action through providing means to report and take corrective action internally.

HIPAA privacy and security

Enforcement of HIPAA by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has been picking up speed in recent years. Millions of dollars were recovered from breach incidents in 2018 and 2019,[1] and in late 2019 OCR announced its first settlement under the Right of Access Initiative for failure to respond to a patient’s request for medical records in a timely manner.[2] This settlement sends a clear sign that healthcare entities will be held accountable for not providing access to patients per HIPAA requirements. Additionally, state attorneys general increasingly are taking action against noncompliant health systems and providers.[3] While enforcement has slowed due to the COVID-19 pandemic,[4] there is every reason to believe that regulatory action eventually will resume. Health systems should continue to audit HIPAA compliance and maintain records demonstrating timely response to patient access requests.

Data breaches continue to be a significant risk for healthcare organizations. The healthcare industry again leads all industries in cyberattacks and breaches,[5] particularly with the advancement of internet of things (IoT) technology, personal health monitors, artificial intelligence, and access to large databases of protected health information. Healthcare organizations must begin or take additional steps to evolve and modernize their infrastructure to combat this risk. They also should think of HIPAA compliance as a baseline and work to exceed requirements for better protection. Organizations often think, incorrectly, that insurance will cover a data breach, but this is rarely the case – and, even when cybersecurity coverage is in place, the damage from a breach to a health system’s reputation is immense. Health systems should perform or procure security risk assessments as part of their HIPAA program.

Financial operations

Business processes, such as accounts payable, accounts receivable, payroll, and the financial statement close, are critical to every healthcare organization. Generally, such processes are well managed, but when significant developments occur, such as leadership changes, consolidations, and employee turnover resulting from a merger, regulatory changes, or implementation of new technology, the risk of financial process deterioration greatly increases. When financial processes are no longer adequately controlled, there is a higher risk of a negative financial impact (for example, liquidity is hurt by aged accounts receivable or denials that are not adequately managed), increased risk of fraud, higher likelihood of accounting errors (such as missed or duplicate entries), and increased legal and compliance risk. To minimize these risks, healthcare organizations must thoroughly and proactively plan for and manage change through additional process guidance, increased management oversight, and timely and regular monitoring processes.

Technology company access to data

Third-party companies have been provided access to healthcare organizations’ data more than ever before. Technologies such as IoT devices, blockchain, 5G wireless networks, mobile apps, and partnerships with tech companies are creating excitement for patients and customers who have easy access to their data. But these technologies also are a big concern within the healthcare industry. While more data being made available for enhanced analytics and shared across various organizations offers many benefits, it also introduces an emerging significant risk of patient data exposure that organizations need to control.

Interoperability of systems, technology platforms, and data sharing across the healthcare industry is on the rise. These features exacerbate the data privacy concern related to tech companies having access to protected health information. Healthcare executives should be aware of new data sharing technologies and new regulations, and they need to understand what tech companies are doing to make patient and customer records more electronically available, how they are limiting access, and how they are implementing increased security to protect patient data.

A healthcare organization’s compliance, security, and internal audit functions need to understand if their organization is safeguarding against privacy and security risks that come with data being more widely available and potentially accessible on the cloud. They also should ask these questions:

  • Are third-party companies considered covered entities, and what HIPAA violations do healthcare organizations face in partnering with them?
  • Are there comprehensive, understandable agreements in place between healthcare organizations and third-party technology companies accessing and distributing patient data?
  • What are these third-party companies doing with their patients’ healthcare records and data in addition to the contracted service provided?
  • What is the healthcare organization doing to limit its liability if patient data is exposed and potentially breached?

Although cyberthreats and data access have been significant risks within the healthcare industry for more than a decade, with the increasing complexities introduced by using advanced technologies and sharing large quantities of data with third-party technology companies, these risks continue to grow.

Competition and new market entrants
Healthcare organizations today face competitive challenges from a broader range of entrants than they did just a few years ago. While traditional battles for market share across the continuum of care exist among local, regional, and national health systems, new organizations are entering the healthcare marketplace and adding even more competitive pressures. Some retailers have developed healthcare options including specialized clinics, online pharmacies, and partnerships, thereby providing new access points for primary care, behavioral health, dental, and other needs. Risks posed in this landscape include reduced volumes in hospital emergency departments, urgent care centers, outpatient clinics, and physician offices; market share loss; and reduced financial performance. To mitigate these risks, healthcare organizations should proactively and continuously assess the impact of existing and new entrants in their markets, align and nimbly adjust their operating plans and strategic objectives accordingly, and consider expanding into untapped markets and service lines, pursuing strategic partnerships or acquisitions, seeking ways to innovate their delivery of patient care, and working to drive out cost from their delivery models.

Business continuity and disaster recovery

A healthcare organization’s operations and network can be greatly affected, or even made unavailable, due to a natural disaster or the harmful actions of bad actors. When disaster strikes in an industry as complex as healthcare, the effects can be far-reaching and have a negative impact on patient lives. The consequences of IT failures within a healthcare facility in today’s increasingly electronic, data-reliant environment are great, and clinical, operational, and financial areas all are at risk should critical systems go down.

Healthcare organizations know the importance of having emergency response plans in place to immediately address disasters, whether natural or human-caused. Furthermore, hospitals are required to follow CMS, Joint Commission, and state authority regulations for emergency preparedness. A primary component of an organization’s disaster response is its ability to continue operations as the organization works to recover from a disaster. Business continuity management accomplishes this by preemptively identifying and establishing plans to continue managing critical business functions, processes, and their associated IT- and non-IT-related dependencies to minimize the impact of unexpected events on the organization while trying to maintain seamless, uninterrupted operations. Though they might intersect with emergency management plans that are concerned with keeping patients and staff safe from harm during a disaster, business continuity plans are focused on continuing operations when main systems are down.


The challenges that healthcare organizations are facing in recruiting, hiring, and retaining qualified employees are increasing. The current shortage of nurses and physicians is projected to intensify as the U.S. population ages, the need for care grows, and retirement rates for nurses and physicians increase. Recruiting challenges will further intensify as existing healthcare organizations ramp up expansion plans in an attempt to grab market share and as new competitors enter the marketplace. Retention challenges also will grow as nonhealthcare businesses move into local markets offering higher salaries and better working conditions to traditionally lower-skilled workers. Lack of staff, lack of experienced staff, and stronger competition for workers lead to increased risk within healthcare organizations. Specific risks include financial performance risk due to higher salary and benefit costs, quality and financial risk related to higher readmission and hospital-acquired infection rates, higher patient mortality rates, reduced quality scores, and potentially reduced reimbursement. Healthcare organizations should be proactive and creative in understanding and addressing the recruiting and retention challenges in their local markets. In addition to traditional responses such as increasing salaries, they should consider measures that address working conditions (such as improving staff safety) and educational costs (such as extending loan forgiveness programs beyond the physician ranks).

Leadership succession planning also is becoming a more prominent topic for healthcare organizations as the U.S. population ages and leadership retirements increase. In many organizations, succession planning has not been formally developed or has been limited to a small number of individuals. Risks related to not having an effective succession planning program include unidentified leadership needs, lack of qualified or diverse internal successor candidates, failure to develop and prepare otherwise worthy successor candidates, and exit of significant talent from within the organization. Healthcare organizations also might face reputational risks if leadership ranks do not reflect the markets they serve. In seeking to address succession planning risk, healthcare organizations should consider a formal succession planning program that includes an assessment of current and future leadership demand, identification and preparation of internal successors, a successor transition program, and periodic assessment of the succession program effectiveness.

System implementations

System implementations typically are major projects requiring significant resources and time. Examples of projects include electronic health record applications, ancillary applications, operating systems, databases, individual modules within applications, interfaces, and upgrades, among others. If a comprehensive implementation plan is not completed, approved, and followed, implementations might not be successful or might fall short of clinical, operational, financial, and IT management expectations. Such deficits could lead to inefficient system operations, system disruption, negative impacts to expected production, and ultimately untimely and ineffective patient care. Implementation plans should include requirements for design, testing, training, and support for all user types and departments. Implementation risks include lack of user access controls, inadequate cybersecurity considerations, lack of interface operability, inadequate data privacy controls, poor change management, inadequate backup and recovery, improper segregation of duties, insufficient infrastructure to sustain and optimize systems after implementation, insufficient user training, elevated numbers of administrative users, incomplete policy and procedure updates to reflect new processes, and ineffective user issue management and remediation.

Social determinants of health

Social determinants of health (SDOH) are conditions in places where people live, learn, work, and play (for example, school, church, workplace, neighborhood) that affect a wide range of quality-of-life risks and outcomes. Health experiences are influenced greatly by basic resources including safe and affordable housing, employment with adequate wages, access to education, public safety, availability of healthy foods, local emergency and health services, and environments free of life-threatening toxins. Evidence shows the absence of these resources is related to higher risks for negative health outcomes.

CMS Conditions of Participation Section 482.43, “Discharge Planning,” requires early identification of patients who might suffer negative health outcomes in the absence of discharge planning. The discharge planning process should include an evaluation of SDOH and procedures to address identified health disparities and consider the patient’s capacity for self-care and home environment. Failure to effectively address SDOH can result in negative health outcomes, increased length of stay, and preventable readmissions. Furthermore, as CMS continues initiatives to deliver high-quality healthcare, organizations are held accountable for and must publicly disclose results of healthcare services, with providers contributing quality data for public reporting. While this reporting has increased transparency of outcomes for consumers, it also has resulted in reimbursement penalties for metrics falling outside of prescribed CMS benchmarks.

Organizations’ commitment to prioritizing SDOH assessments and interventions should include educating about organizational requirements; using defined codes to help clinicians capture a patient’s socioeconomic and psychosocial needs; establishing, communicating, and monitoring performance; and collaborating with post-acute providers, public health agencies, social services, other state and community organizations, and CMS-designated Accountable Care Organizations.

Advanced technologies

New technology options offer promising results for healthcare organizations in areas including value-based patient care and the revenue cycle. Although blockchain, robotic process automation, machine learning, and artificial intelligence might not currently be used widely in the healthcare industry, organizations need to be ready for their adoption and be knowledgeable about all of their potential benefits – and risks. Often, risks introduced by new technologies are overlooked in favor of focusing on the rewards they promise. But having a thorough understanding of risks involved and potential impacts to the organization can make for a smoother implementation when an organization takes steps toward new technology adoption. New technologies, when not tested or understood sufficiently by healthcare organizations, can pose risks to data quality, data security and user access, confidence in results, return on investment, and human oversight, among others. A lack of familiarity should not be an excuse to overlook these technologies, but associated risks should be understood and identified so that healthcare organizations can mitigate them before experiencing unforeseen impacts.

Interoperability and future technologies

Many technologies and applications still do not and cannot broadly exchange data across various organizations and technology platforms to make healthcare records easily available to patients, providers, and payers. However, some technology companies are committed to and investing heavily in healthcare interoperability, trying to lead the transition to true interoperability. Agreements between these technology companies and healthcare organizations are increasing, and as a result, mobile applications and other advanced technologies are being developed for patients to view their health records and for healthcare providers to remotely monitor more patients. The Fast Healthcare Interoperability Resources (FHIR) standard and application programming interfaces are not new to the healthcare industry, and they are integral to interoperability, making records available across organizations, electronic health record applications, and other technology platforms. Additionally, as large communication companies roll out 5G wireless networks and industries including healthcare are transformed, the use of medical telemetry and wearables is likely to grow exponentially. With the expansion of bandwidth and internet speed, these medical technologies and devices will be transmitting more data than ever before, which means greater volumes of data available and potentially at risk of exposure.

As new disruptive technologies and interoperability become commonplace within healthcare, a number of emerging and existing risks should remain top of mind for executives, leading to efforts to mitigate potential data exposure and breach. An organization’s financial liability, compliance, and reputation are all potentially at risk.

Staff safety

With incidents of workplace violence on the rise at many healthcare organizations,6 staff safety is an area of growing concern. Threats to staff safety include verbal and physical abuse, bullying, and battery (or worse) and might come from a variety of sources including patients or family members under the influence of drugs or experiencing mental health issues, facility visitors, and current or former staff members. Risks associated with these threats include mental or physical harm to workers, financial losses due to workers’ compensation claims, increased overtime, temporary staffing, litigation, declining staff morale, and increased difficulty in staff recruiting and retention. Healthcare organizations should take steps to combat threats to staff safety, which might include establishing goals, objectives, and resources aimed at workplace violence prevention; implementing programs to proactively identify and analyze potential threats to staff safety; establishing training programs to prevent or de-escalate potential workplace violence situations; and quickly responding to incidents that do occur.

International partnerships

U.S. healthcare organizations are taking more interest in engaging in international partnerships and affiliations to seek additional revenue sources as more traditional revenue streams are being challenged. They can generate revenue by offering their management and clinical expertise to foreign hospital partnerships, providing consulting services focusing on education and training programs related to quality and safety, nursing, research, and leadership development. Depending on the type of engagement, healthcare organizations might face legal and regulatory risks including those related to the Stark Law and anti-kickback statutes, the Foreign Corrupt Practices Act, and the venture’s potential impact on a not-for-profit health system’s tax-exempt status.

1 “HIPAA Violation Cases,” HIPAA Journal,
2 “OCR Settles First Case in HIPAA Right of Access Initiative,” HHS news release, Sept. 9, 2019,
3 Mary Chaput, “State Attorney General HIPAA Enforcement Ramps Up,” Clearwater blog, June 27, 2019,
4 Harris Meyer, “HHS Eases HIPAA Enforcement on Data Releases During COVID-19,” Modern Healthcare, April 2, 2020,
5 Jeff Orr, “Top 8 Industries Reporting Data Breaches in the First Half of 2019,” Cyber Security Hub, Sept. 4, 2019,
6 “Nurses Are Suffering More Violence in the Workplace,” OH&S, Feb. 10, 2020, nurses-are-suffering-more-violence-in-the-workplace.aspx
