The Importance of Full Threat Assessments

Author: Mike Manere, CHC, CHSP, Principal

Mar 30, 2023 | CMS-OIG, COVID-19, MIPS, Risk

After surveying thousands of physician practices over the last thirty years, we are still surprised at how many calls we receive about what a Full Threat Assessment looks like. This is especially true of the ones that are required by insurance companies, as well as by federal and state level regulation. The goal of a threat assessment is to determine the facility’s vulnerabilities, both physically and financially, and to ensure the safety of ALL! So, for the record, what is a Full Threat Assessment about?

The assessment begins with a fact-based survey that reviews and evaluates the strength and effectiveness of all policies and procedures that have regulatory implications with an emphasis on reasonably observing and identifying potential areas of risk. This review encompasses all regulatory areas, including full knowledge of a medical facility, its exits, workplace hazards, billing audits, cyber-threats, exclusions, natural disasters, and other dangerous situations, including workplace violence, active shooters, and bomb threats. Once this evaluation is complete, the identified areas are investigated, vulnerabilities identified, and remediation options are reviewed to best manage and address them.

COVID-19 awakened many business owners to the importance of knowing and staying on top of their operations and procedures at their locations and the importance of taking the time to walk through their work sites periodically. The list can be overwhelming — ensuring that the ventilation system is Merv13 compliant, proper location of eye wash stations, PPE, operational fire extinguishers, technology gaps, current emergency operations policies, ensuring the safety and training of employees under OSHA, HIPAA, OIG, etc.

The need to look at all vulnerabilities is a must, especially with the continued scrutiny of the government. The Department of Health and Human Services (HHS)-Office of Inspector General (OIG) projected recovering close to $4 billion as a result of HHS-OIG audits and investigation between October 1, 2021, and September 30, 2022[i]. This means including assessing financial vulnerabilities is an essential component of a full threat assessment.

Many assessments such as Hazard Vulnerability/Risk Assessment (HVA), Security Risk Analysis (SRA), and OSHA’s review are a directive of the government and are a required regulatory obligation. A reputable third-party assessment will include full inspection of areas, including the following areas.

  • Identifying This will include a walk-through of the facility, full company inspection, document review, employee interviews, and training review.
  • Assessing the identified threats and/or vulnerabilities. Examples include open penetrations, such as doors, windows, malfunctioning key-fobs, or buildings that sit near water that floods on an infrequent basis.
  • Developing and implementing controls in response to the identified threats/vulnerabilities. Conducting everyday walkthroughs to let staff know there is continuous checking for doors that should be locked, especially doors that staff tend to leave open for quick access to and from employee parking areas.
  • Evaluating the response and implementation. This will include making adjustments to fill any remaining vulnerability gaps. Implementation should be ongoing and include annual reviews. Employee training is a key component to the long-term success of implementation.

Some areas that should be on the assessment checklist include the following areas.

Cybersecurity threat

  • Having a clear plan for asset management, such as computers, as well as paper files and other hardcopy documents.
  • Checking on Business Associates (BAs) and Business Associate Agreements (BAAs) and making sure they submit a copy of their plan and their training for their staff.
  • Establishing a back-up plan to return to full operations after a cyber-attack.

Safety, OSHA, Department of Labor (DOL)

  • There are 26 safety topics OSHA looks for during an inspection, including:
  • reviewing and updating written company-specific policies and procedures.
  • conducting trainings and education that meet guideline standards.
  • ensuring things such as first aid kits, and eyewash stations are operational.
  • having a hazard protection plan.

CMS/OIG: Billing and Coding

  • Conducting an annual audit of at least 10 charts per provider.
  • Having staff educated on all Fraud, Waste & Abuse (FWA).
  • Checking your communication lines are known and are acted upon.
  • Conducting monthly checks to ensure that no employees or contractors are on the OIG’s exclusion list.

These assessments can feel overwhelming, and implementation can be challenging. But, understanding the vulnerabilities and having the information to properly address them helps to maintain a complete culture of compliance, which keeps a medical practice compliant, running smoothly, and safely. Some additional government resources can be found through these links, Checklist for OSHA Inspectors, HHS Office of Civil Rights Cyber-Attack Checklist, OIG Health Care Compliance Program Tips, and the FEMA Disaster Supplies Checklist, and, of course, we are always here as a resource.

[i]U.S. Department of Health and Human Services Office of Inspector General, Semiannual Report to Congress. June 2022. Retrieved on March 17, 2023,