Top Risks 2024

Hospital audits reveal risk hot spots hospitals must snuff out in 2025

Dec 10, 2024

Matt Eesley

Market and Business Development Leader, Risk and Compliance

Kodiak Solutions


Louise Garrett

Director, Risk and Compliance

Kodiak Solutions


Last month marked the 25th anniversary of the game-changing report, To Err Is Human: Building a Safer Health System. Released by the Institute of Medicine (now the National Academy of Medicine) on Nov. 29, 1999, the report ignited the modern patient safety movement after estimating that nearly 100,000 people die each year from medical errors.  

Whether care has gotten any safer over the past two-and-a-half decades is for patient safety advocates, healthcare regulators, healthcare policy analysts, health services researchers, the public, the media, and others to decide. What is clear is that each day since (and before) the IOM released its infamous report, internal audit teams at hospitals and health systems across the country have been working tirelessly to identify and mitigate risks that threaten not only the quality and safety of patient care but every aspect of healthcare finance and delivery at their organizations.  

This annual Top Risks report from Kodiak identifies the top four risk domains for 2024, and specific risks within each domain, based on input from: 

  • Executive management teams and board members at many of the largest U.S. hospitals and health systems. 
  • Risk assessments, or risk audits, conducted by Kodiak’s risk and compliance team in 2024 at hundreds of hospitals, health systems, medical practices, and other provider organizations. 

Kodiak defines a risk domain or a specific risk as anything that might impede a healthcare organization’s ability to achieve its goals in critical areas. In 2024, the four top risk domains were: 

  • Financial/operational 
  • Compliance 
  • Clinical 
  • Information technology 

Kodiak’s risk and compliance team compiled the following detailed descriptions of the risk domains, the specific risks within each domain, and audits for internal audit teams to consider to mitigate the risks. 

Financial/operational risks 

1. Generative artificial intelligence 

Generative AI has powerful new abilities. When combined with other forms of AI, machine learning, and other technologies, it can streamline tasks by consolidating a complete array of clinical and financial information sources in real time. It is projected that, through these new capabilities, AI could generate $1 trillion (about $3,100 per person in the U.S.) in improvements across the healthcare industry. Healthcare executives must weigh the benefits and risks of incorporating generative AI tools. Combining clinical and business judgment with clinical and business insights can help develop sustainable and equitable use cases. Using population-level data and broad data sets, generative AI can help tackle systemic issues such as accessibility, affordability, and equitable outcomes. This presents both an opportunity and a responsibility to make meaningful operational and financial improvements.  

Audits for consideration: 
  • Quality and integrity of existing data sets, and strategies to improve them 
  • Cross-functional process development and oversight 
  • Assessing the testing, governance, policies, and legal frameworks critical to overseeing the use and fairness of generative AI 
  • Assessing the training, resources, and support behind AI-driven processes so that adoption is safe and responsible, protects patient safety and security, and preserves trust in the health system 


2. Revenue cycle 

Since the COVID-19 pandemic, healthcare organizations have faced lost revenues due to changes in service delivery models and higher employment and supply costs. The ability to bill and collect for all services provided has become even more important. Inefficiencies in revenue cycle operations and performance could result in delayed or reduced cash flow, unnecessary overhead, a negative patient experience, and a reduction in community benefit. Noncompliance with government billing regulations and payer contract requirements could result in lost reimbursement, fines, and exclusion from participation in governmental programs. These challenges might be magnified for organizations that rely on third-party vendors to provide some or all of their revenue cycle functions on an outsourced basis and, therefore, have less day-to-day oversight and control.  

Similarly, risks increase for healthcare organizations relying on automated claims billing systems into which they have limited visibility or over which they have limited control. Newer electronic medical record systems are incorporating “clinically driven revenue cycle” processes whereby billing functions are triggered by clinicians’ actions and documentation. In addition, commercial payers might aggressively negotiate reimbursement terms or deny reimbursements in markets with little payer competition or where healthcare organizations wield minimal buying power.

Audits for consideration:  
  • Revenue cycle process effectiveness assessment 
  • Clinical documentation, coding, and billing compliance 
  • Payer contracts / expected reimbursement 
  • Chargemaster maintenance 
  • Denials management 
  • Patient access / registration 


3. Accounts payable 

Key business processes such as accounts payable are critical to every healthcare organization. While these processes are highly visible and typically well-managed, fraud risks might increase when significant changes occur within the AP process (e.g., leadership or employee turnover, or staff reductions) or within the overall organization (e.g., changes in operating procedures due to a pandemic, implementation of a new enterprise resource planning system, or organizational consolidation or centralization post-merger), because such changes alter people, processes, or technology, or suspend or eliminate key internal controls.  

Specific risks include fraudulent or unauthorized payments to existing vendors or employees, creation of and payment to fictitious vendors, and inappropriate or unauthorized updates to vendor master data causing payments to be diverted from the correct vendor. 

Audits for consideration: 
  • Analysis of AP transaction data to identify potential unauthorized, fraudulent or duplicate payments 
  • Analysis of corporate purchase card transaction data for nonbusiness uses 
  • AP and vendor master file system access and general IT controls audit 
  • Vendor master file change management process 
  • Procure-to-pay end-to-end process audit 
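The first and fourth audits above, AP transaction analysis and vendor master change management, are both data-driven checks that an internal audit team can script. The following is an added example written for this page, not Kodiak’s tooling; every payment, vendor change record, threshold and field name below is constructed for illustration. It flags the specific risks named in the text: duplicate payments (the same invoice paid twice under a slightly different invoice number, or the same amount paid to one vendor within a short window) and bank account changes in the vendor master that were not independently approved or that were followed quickly by a payment.

```python
"""AP analytics over constructed data (added example; not Kodiak's code)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional
import re


@dataclass(frozen=True)
class Payment:
    payment_id: str
    vendor_id: str
    invoice_no: str
    cents: int          # amounts in cents so equality checks are exact
    paid_on: date


@dataclass(frozen=True)
class VendorChange:
    vendor_id: str
    field: str          # e.g. "bank_account", "address" (constructed field names)
    changed_by: str
    changed_on: date
    approved_by: Optional[str]   # None if nobody approved the change


def invoice_key(invoice_no: str) -> str:
    """Normalize an invoice number so 'INV-00123' and 'inv 123' compare equal."""
    cleaned = re.sub(r"[^A-Z0-9]", "", invoice_no.upper())
    # drop leading zeros of each digit run without touching interior zeros
    return re.sub(r"(?<!\d)0+(?=\d)", "", cleaned)


def find_duplicate_payments(payments, window_days=30):
    """Return ('exact', vendor, ids) for repeated invoices and
    ('near', vendor, ids) for same-vendor, same-amount pairs within the window."""
    findings = []
    by_invoice = defaultdict(list)
    for p in payments:
        by_invoice[(p.vendor_id, invoice_key(p.invoice_no))].append(p)
    for (vendor, _key), group in by_invoice.items():
        if len(group) > 1:
            findings.append(("exact", vendor, tuple(sorted(p.payment_id for p in group))))

    by_vendor_amount = defaultdict(list)
    for p in payments:
        by_vendor_amount[(p.vendor_id, p.cents)].append(p)
    for (vendor, _cents), group in by_vendor_amount.items():
        group.sort(key=lambda p: p.paid_on)
        for i in range(len(group)):
            for j in range(i + 1, len(group)):
                a, b = group[i], group[j]
                if invoice_key(a.invoice_no) == invoice_key(b.invoice_no):
                    continue  # already reported as an exact duplicate
                if (b.paid_on - a.paid_on).days <= window_days:
                    findings.append(("near", vendor, (a.payment_id, b.payment_id)))
    return findings


def find_risky_vendor_changes(changes, payments, lookback_days=14):
    """Flag bank account changes lacking independent approval, and any
    payment to that vendor within lookback_days of the change."""
    findings = []
    for c in changes:
        if c.field != "bank_account":
            continue
        if c.approved_by is None or c.approved_by == c.changed_by:
            findings.append(("unapproved_bank_change", c.vendor_id, c.changed_on))
        for p in payments:
            if p.vendor_id == c.vendor_id and 0 <= (p.paid_on - c.changed_on).days <= lookback_days:
                findings.append(("payment_soon_after_bank_change", c.vendor_id, p.payment_id))
    return findings


# Constructed sample data for illustration only.
PAYMENTS = [
    Payment("P1", "V100", "INV-00123", 125000, date(2024, 10, 2)),
    Payment("P2", "V100", "inv 123", 125000, date(2024, 10, 9)),   # same invoice, re-keyed
    Payment("P3", "V200", "A-7", 5000, date(2024, 11, 1)),
    Payment("P4", "V200", "A-8", 5000, date(2024, 11, 20)),        # same amount, 19 days later
    Payment("P5", "V200", "A-9", 5000, date(2025, 1, 15)),         # outside the 30-day window
    Payment("P6", "V300", "Z1", 9900, date(2024, 12, 5)),          # 4 days after a bank change
]
CHANGES = [
    VendorChange("V300", "bank_account", "jlee", date(2024, 12, 1), None),
    VendorChange("V100", "address", "mkim", date(2024, 9, 1), "rpatel"),
]

if __name__ == "__main__":
    for f in find_duplicate_payments(PAYMENTS) + find_risky_vendor_changes(CHANGES, PAYMENTS):
        print(f)
```

Running the block prints one exact duplicate (P1/P2), one near duplicate (P3/P4), and two vendor master findings for V300. The invoice normalization is deliberately conservative: it only removes punctuation and leading zeros, so different invoices are not collapsed together, while the amount-and-window pass catches duplicates that were re-keyed with a different number.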


4. Human resources and workforce challenges 

The workforce challenges that healthcare organizations face include recruiting, hiring, and retaining qualified employees as demand for healthcare services increases due to the aging U.S. population and the competition for healthcare workers intensifies. Workers leaving the healthcare sector due to pandemic-related burnout and accelerated retirements have only worsened the challenge over the past three years.  

One way healthcare organizations have responded is through increased reliance on travel nurses. Some formed their own travel nurse programs to limit related costs. Others offered increased benefits or incentives to retain workers. Some of those that could not respond with creative solutions reduced or eliminated services or service lines at select sites of care.  

The situation has created several specific risks that hospitals and health systems historically have not had to deal with before on such a scale. These risks include:  

  • Decreased quality and safety of patient care and clinical outcomes, leading to higher readmission rates, higher hospital-acquired infection rates, and higher mortality rates  
  • Lower quality scores leading to lower reimbursement rates  
  • Higher labor costs attributable to higher salary and benefit expenses and travel nurse program expenses resulting in impaired financial performance  
  • Increased difficulty in filling openings in the executive ranks, especially in organizations where the approach to succession planning (that is, identifying and mentoring successors) has not been formalized or well-established 
  • Inefficient benefit plan structure and design, creating excessive costs for both employer and employee, leading to dissatisfaction, potential turnover, and a decreased ability to attract scarce resources  

Audits for consideration:  
  • Travel nurse management and contract compliance  
  • Critical department staffing levels assessment 
  • Recruiting and retention processes 
  • Succession planning program 
  • Premium employee pay levels 
  • Employee benefit plan review, including enrollment criteria and processes 



5. Physician compensation 

Physician contracts continue to be a significant risk area for healthcare organizations due to the high operational, reputational, and financial exposures. Risks include violating federal fraud and abuse statutes (e.g., the Stark Law, the False Claims Act, and the Anti-Kickback Statute) through payments to physicians without a contract, in excess of contractual amounts, and/or above fair market value; physicians using hospital space without a proper lease or compensation to the health system; recruitment arrangements that do not meet regulatory requirements; and failure to monitor compliance with contract and recruitment arrangement terms. 

Audits for consideration:  
  • Physician payment processes  
  • Physician contracting process, including recruitment and leases  
  • Physician compensation models, e.g., RVU, incentive payments, administrative services 

Compliance risks 



1. 340B program compliance 

Compliance with the 340B drug discount program remains a top concern for healthcare organizations. Under the 340B program, eligible entities may take advantage of significant discounts in the cost of outpatient drugs, enabling them to stretch limited funds and provide more comprehensive services to low-income patients and their local communities. The 340B regulatory requirements are numerous and complex, and they often require substantial internal monitoring. Noncompliance can have significant negative financial risks ranging from regulatory penalties and manufacturer repayments to total removal from the 340B program.  

Beginning in 2020, manufacturers began implementing policies refusing to provide or restricting 340B pricing for drugs dispensed through contract pharmacies. Currently, 39 pharmaceutical manufacturers have imposed distribution limitations on covered outpatient drugs dispensed through the 340B program, undermining the 340B drug pricing program. 

Audits for consideration:  
  • 340B program compliance audit  


2. No Surprises Act 

The No Surprises Act protects patients covered under group and individual health insurance plans from receiving surprise medical bills when they obtain emergency services from out-of-network facilities. Noncompliance can result in civil monetary penalties for each violation. Additionally, uninsured or self-pay patients who receive a medical bill at least $400 more than the expected charges on the Good Faith Estimate can initiate the patient provider dispute resolution process, which can result in lost revenue for facilities and providers and negatively impact the reputation of the hospital organization.  

Audits for consideration:  
  • No Surprises Act compliance  



3. Price transparency 

Stricter technical price transparency requirements took effect in 2024, including:  

  • New terms defined 
  • Good faith effort and machine-readable file attestations 
  • Standardizing the MRF format and data elements 
  • Improving access to hospital MRFs 
  • Enhanced enforcement 

Additional federal requirements will go into effect Jan. 1, 2025, as Estimated Allowed Amount, Modifier, Drug Unit of Measurement, and Drug Type of Measurement become required data elements in the MRF.  

Because price transparency files are required to be publicly posted, CMS is able to remotely validate compliance and has begun publicly citing hospitals for noncompliance. Monetary fines can be imposed, and a hospital faces reputational harm from public criticism, if it knowingly does not comply with the requirements or if the charges on its revenue cycle bills do not match the charges posted on its website.  

Audits for consideration:  
  • Compliance with CMS and any applicable state regulations  



4. Advance beneficiary notice 

Medicare provides coverage for a wide variety of medical services, but that coverage is not absolute. There are circumstances where services generally covered by Medicare are denied as either not reasonable or necessary, or as constituting custodial care. Healthcare organizations must notify a beneficiary in advance by providing an Advance Beneficiary Notice when the provider believes that items or services will likely be denied because of the above criteria. If the provider does not deliver a valid ABN to the beneficiary, the beneficiary cannot be billed, resulting in lost revenue to the healthcare organization. 

If an ABN is used inappropriately to collect from a Medicare beneficiary, a refund to the beneficiary may be required. Refunds must be made within specified time limits; healthcare organizations who knowingly fail to make a required refund within these time limits may be subject to civil money penalties and/or exclusion from the Medicare program.  

Audits for consideration:  
  • ABN compliance  

 

5. Credentialing 

A healthcare organization’s medical staff bylaws should require that medical staff are credentialed and privileged upon hire and at least every two years thereafter. Procedures that flag every Licensed Independent Practitioner (i.e., any individual permitted by law and by the organization to provide care, treatment, and services without direction or supervision) who requires credentialing and re-credentialing, and that track credentialing and re-credentialing activities, are critical to making certain the work is done and completed on time. Both CMS and the Joint Commission have developed detailed guidance. Successful credentialing thus requires sound initial assessment procedures, as well as access to comprehensive, reliable, and practitioner-specific performance data.  

Organizations can be at risk of lawsuits alleging negligent credentialing practices if privileges are approved without fully verifying an applicant’s qualifications and proficiency or professional liability insurance coverage or licensing lapses in off years of the biennial credentialing process.  


Audits for consideration:  
  • Practitioner credentialing 

Clinical risks

Clinical Audit

Patient safety is of the utmost importance to healthcare provider organizations. It’s also a continuous journey. With nearly one in four patients admitted to a U.S. hospital experiencing an adverse event, it’s clear there is so much more work to do. To minimize the potential for patient harm, healthcare organizations need every tool at their disposal, and that includes clinical audits. These essential audits support the core aims of an organization’s patient safety efforts by improving the care experience for patients and caregivers, improving the health of the organization’s patient population, and reducing the per capita cost of care. 

Audits for consideration:

  • Sterile processing
  • Device disinfection
  • Surgical safety (universal protocol)
  • Behavioral health
  • Coding optimization and compliance

Information technology 

1. System access management 

Effective system access management is a critical component of a healthcare organization's overall security framework, ensuring that only authorized personnel can access sensitive systems and data. However, when access is not properly managed, it introduces significant risks to both the security of patient information and the integrity of healthcare operations. The risks associated with system access management extend across a variety of areas, including the timeliness of access provisioning and deprovisioning, performance of periodic access reviews, restricting access to the least privilege necessary, managing privileged access, and handling transfers of healthcare professionals between departments or roles. 

Audits for consideration: 
  • Access and privileged management 
  • Role-based access assessment  
  • Third party access  
  • Remote access  
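The paragraph above names the controls an access audit tests: timely deprovisioning, periodic access reviews, least privilege, privileged access oversight, and clean-up after transfers between departments. The block below is an added example written for this page, not Kodiak’s tooling: it reconciles a constructed HR roster against a constructed entitlement export and reports each account that violates one of those controls. The department-to-role policy, the one-day deprovisioning SLA, and the 90-day (privileged) and 365-day (standard) review intervals are assumptions chosen for illustration, not figures from the report.

```python
"""User access review over constructed HR and entitlement data.

Added example for illustration; not Kodiak's code. The roster, entitlement
export, role policy and review intervals are all constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Worker:
    user: str
    status: str                        # "active" or "terminated"
    department: str
    former_department: Optional[str]   # set when the worker transferred
    termination_date: Optional[date]


@dataclass(frozen=True)
class Entitlement:
    user: str
    role: str
    granted: date
    last_reviewed: Optional[date]
    enabled: bool


# Constructed policy: roles each department legitimately needs.
ROLE_POLICY = {
    "pharmacy": {"ehr_clinician", "pharmacy_dispense"},
    "billing": {"ehr_read", "revenue_cycle"},
    "it": {"ehr_read", "domain_admin"},
}
PRIVILEGED_ROLES = {"domain_admin", "pharmacy_dispense"}
DEPROVISION_SLA_DAYS = 1        # assumed SLA after termination
PRIVILEGED_REVIEW_DAYS = 90     # assumed review interval for privileged roles
STANDARD_REVIEW_DAYS = 365      # assumed review interval for everything else


def review_access(workers, entitlements, today):
    """Return (user, role, reason) tuples for each enabled entitlement that
    fails a deprovisioning, least-privilege, transfer, or review check."""
    by_user = {w.user: w for w in workers}
    findings = []
    for e in entitlements:
        if not e.enabled:
            continue
        w = by_user.get(e.user)
        if w is None:
            findings.append((e.user, e.role, "orphaned: no HR record"))
            continue
        if w.status == "terminated":
            if (today - w.termination_date).days > DEPROVISION_SLA_DAYS:
                findings.append((e.user, e.role, "terminated user still enabled past SLA"))
            continue
        allowed = ROLE_POLICY.get(w.department, set())
        if e.role not in allowed:
            if w.former_department and e.role in ROLE_POLICY.get(w.former_department, set()):
                findings.append((e.user, e.role, "retained from former department after transfer"))
            else:
                findings.append((e.user, e.role, "exceeds least privilege for department"))
        limit = PRIVILEGED_REVIEW_DAYS if e.role in PRIVILEGED_ROLES else STANDARD_REVIEW_DAYS
        if e.last_reviewed is None or (today - e.last_reviewed).days > limit:
            findings.append((e.user, e.role, "periodic access review overdue"))
    return findings


# Constructed sample data for illustration only.
WORKERS = [
    Worker("asmith", "active", "pharmacy", None, None),
    Worker("bjones", "active", "billing", "pharmacy", None),          # transferred
    Worker("cdoe", "terminated", "it", None, date(2024, 11, 1)),
]
ENTITLEMENTS = [
    Entitlement("asmith", "ehr_clinician", date(2023, 1, 10), date(2024, 6, 1), True),
    Entitlement("asmith", "pharmacy_dispense", date(2023, 1, 10), date(2024, 6, 1), True),
    Entitlement("bjones", "revenue_cycle", date(2024, 9, 1), date(2024, 9, 1), True),
    Entitlement("bjones", "pharmacy_dispense", date(2022, 3, 1), date(2024, 10, 1), True),
    Entitlement("cdoe", "domain_admin", date(2021, 5, 1), date(2024, 10, 1), True),
    Entitlement("cdoe", "ehr_read", date(2021, 5, 1), date(2024, 10, 1), False),
    Entitlement("ghost", "ehr_read", date(2020, 1, 1), None, True),
]
TODAY = date(2024, 12, 10)

if __name__ == "__main__":
    for user, role, reason in review_access(WORKERS, ENTITLEMENTS, TODAY):
        print(f"{user:8} {role:18} {reason}")
```

Against the sample data the review returns four findings: a privileged role whose last review is older than 90 days, a role carried over from a user’s former department, a terminated user whose admin account is still enabled well past the SLA, and an enabled account with no HR record at all. Disabled entitlements are skipped, and a terminated user generates only the deprovisioning finding so the report is not cluttered with review findings for an account that should simply be removed.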



2. Business continuity  

Business continuity is essential for maintaining operations during and after disruptive events, including system outages, cyberattacks, natural disasters, or vendor failures. For healthcare organizations, where time-sensitive patient care is paramount, effective business continuity planning can mean the difference between a minor disruption and a critical, prolonged downtime that impacts patient outcomes and operational effectiveness. The risks associated with business continuity are particularly relevant in the face of growing cybersecurity threats, such as ransomware, as well as the potential for third-party service disruptions. Without a robust business continuity framework, healthcare organizations risk extended downtime, compromised patient care, and financial loss. 

Key considerations for business continuity in healthcare organizations include the importance of Enterprise Resilience, which is a collaborative effort across departments to recover and continue operations from the onset of a disruption through to the restoration of normal operations. Enterprise Resilience planning ensures the organization can recover and maintain essential business functions, provide safe and quality patient care, and safeguard sensitive data in the event of system downtime.  

Additionally, the organization must prioritize the restoration of applications that are vital to patient care and safety. Not all systems are equally essential, so a clear framework for application recovery prioritization is necessary. Applications such as electronic health records, patient monitoring systems, and other key healthcare tools must be restored first, while less critical systems can be brought online later. Enterprise Resilience also includes risk mitigation strategies such as business impact analyses, downtime procedures, and regular testing and training to ensure staff are prepared to respond effectively to any disruptions. Failure to address these risks could undermine patient safety and hinder the ability to comply with legal, regulatory, and financial obligations.  


Audits for consideration: 
  • Business continuity plan for disruptions and resilience 
  • Third-party risk management audit for vendor resilience 
  • Application recovery priority  

 

3. Biomed device security 

Biomedical devices are increasingly connected to the internet, which exposes them to cyberattacks that can compromise patient safety and disrupt care. Attacks can lead to device malfunctions that harm patients, theft of sensitive data for identity theft or blackmail, and disruptions in treatment. Older medical devices are especially vulnerable due to outdated software, lack of support, and regulatory challenges. Outdated software often contains known vulnerabilities that attackers can exploit, while lack of manufacturer support means these vulnerabilities remain unpatched. The complexity of medical devices and the time-consuming FDA approval process for software updates further complicate security. 

Many healthcare organizations still lack mature governance over medical device procurement, vendor oversight, and risk management. Insufficient security controls like poor access management, weak passwords, and inadequate network segmentation increase risks to patient safety and organizational security. 


Audits for consideration: 
  • Biomedical device governance and procurement  
  • Biomedical device security  
  • Biomedical device maintenance and third-party service-level agreement compliance 



4. Cybersecurity  

Cybersecurity threats continue to evolve rapidly, with third-party incidents increasingly causing significant impacts on healthcare organizations. The lack of mature controls governing cybersecurity remains a top risk, particularly as the likelihood of an attack causing extended downtime has grown significantly in recent years. While layered technology solutions and the information security department form the first line of defense against these threats, the consequences of a cyberattack can span across the entire organization, affecting both IT infrastructure and business operations. Risks include system downtime, which hampers the ability to provide patient care, the exposure of sensitive data, employees falling victim to social engineering tactics, and attacks originating from trusted third parties, such as vendors or software providers. Additionally, healthcare organizations face challenges in quickly recovering from a substantial IT threat, and the risks associated with unauthorized access to systems and data continue to rise. In addition to the direct impact on patient care and operations, cyber threats can lead to significant financial losses, legal liabilities, and reputational damage. 

Audits for consideration:  
  • Cybersecurity risk assessment  
  • Third party security risk management  
  • Cybersecurity controls and technology 
  • Ransomware preparedness and response  
  • Incident response and recovery  
  • Vulnerability management  



5. Data governance 

Data governance refers to the comprehensive management of an organization’s data through well-defined procedures and plans. It ensures that both structured and unstructured data are accessible, accurate, secure, and usable. Effective data governance is considered both high risk and high reward, especially when data can be fully leveraged to enhance decision-making and analytics capabilities. Weak internal controls in data governance can compromise the reliability of data used in decision-making and heighten the risk of unauthorized or inappropriate data disclosure. 

A strong data governance program provides essential safeguards to ensure data security, privacy, accuracy, accessibility, and usability. Common risk areas include the potential for extensive patient data to reside on personal devices, unmanaged network shares, clinical devices, and various third-party platforms. 


Audits for consideration:  
  • Data governance program maturity  
  • Data location and inventory classification   
  • Third-party data handling and security  
  • Data loss prevention  
  • Data retention and disposal  

Conclusion 

Every healthcare organization is different. A top risk domain for one healthcare organization might not be a top risk domain for another organization. That’s why it’s important for a healthcare organization to know its specific risks. In doing so, internal audit teams can focus their efforts on risk domains that give them the biggest return on risk. 

Kodiak offers both proprietary technology and deep industry experience to help organizations do just that. Please contact us today to discuss how our risk and compliance team can use our technology, deep expertise, and experienced resources to support your organization’s 2025 internal audit and compliance work plans and address these top risk areas. 

Kodiak has your back. Visit the risk and compliance section of our website to learn more about how we can work together to increase your return on risk.  
