Based on insights shared during a Clearwater webinar featuring Beth Israel Lahey Health’s Chief Compliance Officer, Lori Dutcher, and Clearwater Board Advisor, Steve Cagle.
Key Takeaways
- The exact documentation that satisfied OCR after a breach and helped one organization avoid penalties.
- How to tackle asset inventory when IT resources are stretched thin and systems are scattered.
- Why starting with 10-100 high-risk systems creates momentum without overwhelming your team.
- Proven language to secure executive buy-in by connecting cyber risk to patient safety and financial exposure.
When OCR investigators show up after a breach or for a routine audit, they’re not interested in your plans – they want proof.
That’s a lesson Beth Israel Lahey Health learned firsthand through its partnership with Clearwater, whose team guided the organization through an OCR-quality risk analysis that ultimately helped it avoid penalties.
As Lori Dutcher, Chief Compliance Officer at Beth Israel Lahey Health, discovered, OCR investigators are relentless about the details.
“They want everything,” Dutcher says of the 900+ pages her team submitted post-breach as part of an OCR review.
About Beth Israel Lahey Health:
Beth Israel Lahey Health is an integrated healthcare system with academic medical centers, hospitals, and physician practices serving communities in Massachusetts and New Hampshire. The healthcare organization employs more than 35,000 people and partnered with Clearwater to strengthen its risk analysis and compliance posture following an OCR review.
But unlike many organizations facing similar scrutiny, Beth Israel Lahey walked away without penalties.
What did OCR find that satisfied them? Here’s what Dutcher learned regulators really expect—and how her organization’s approach to risk analysis made all the difference.
The Resource Reality
When it comes to preparing and completing an OCR-quality risk analysis, it’s all about resources.
“Everybody is competing for limited resources,” Dutcher explained. “You have to make a business case (to senior leadership) as to why the risk is significant enough to invest in this.”
And while Beth Israel Lahey has thousands of electronic systems with ePHI in them, the challenges they face aren’t unique.
“When you go and say, ‘We need to do this in-depth analysis,’ you’ve got the competition for IT resources. For us, we were installing Epic at the time that we felt we wanted to engage in this work. That’s no small feat.”
“It’s not an easy thing to do, and I think there’s a lot of education as well,” Steve Cagle, Clearwater Board Advisor, added in a recent Clearwater webinar about secure and compliant OCR-quality risk management.
Cagle and the Clearwater team worked closely with Dutcher’s compliance leaders to align their risk analysis process with OCR expectations, using Clearwater’s proven frameworks to build internal momentum and executive support.
The Inventory Challenge
With hundreds or even thousands of electronic systems and related devices across most modern healthcare organizations, many struggle to know what's in use, who approved it, and how employees are using it. When ePHI lives in those overlooked or forgotten systems, risk increases significantly.
Dutcher recalled that few of the organizations she’s been with in the past actually have a quality asset inventory.
“When you ask for that right up front, ‘what’s the inventory?’ That in itself is a lot of manpower to pull that together,” she said. “I don’t think it’s something that’s commonly maintained.”
Cagle agreed, saying it’s a common issue across Clearwater clients.
Often, asset inventory is part of the risk analysis process, but Cagle cautioned that OCR sometimes wants to see the inventory before an organization conducts the risk analysis.
In those cases, it’s OK to explain to the auditors or reviewers that your initial inventory may change as you work through the risk analysis process, he explained.
Key here is to understand that there is no one-size-fits-all approach that works for every healthcare organization. But those who approach it from a programmatic perspective often see success.
Getting Started and Setting the Risk Analysis Scope
While every organization may approach an OCR-compliant risk analysis differently, there are some foundational steps Beth Israel Lahey used that are applicable across the industry.
It starts with your IT and IT security teams, Dutcher explained, drawing on her own experience. They are generally the system owners who carry the bulk of work in this process.
For Beth Israel Lahey specifically, the first step was understanding the scope of the risk analysis process.
“We can’t look at everything,” Dutcher clarified.
But, drawing on Clearwater guidance, the organization decided to focus its initial risk analysis on the top 100 systems it wanted to continuously monitor over the next three years.
“The risk factors could be the volume of ePHI included,” she said, explaining that for some, it could be because they’re not where they should be in terms of overall security.
Quick Business Wins
Stepping back after the first of three years in this process, Dutcher says she thinks the biggest business win so far has been that the process is manageable.
“We started this process before we had a breach,” Dutcher said. “We identified this was an area of risk for the organization.”
From that, they quickly understood the value of working closely with other healthcare risk analysis professionals, like Clearwater.
Clearwater’s collaboration helped Beth Israel Lahey demonstrate the work behind its risk analysis efforts—a key factor, Dutcher noted, in the organization’s ability to satisfy OCR reviewers and avoid enforcement action.
Translating the Approach to Your Program
Beth Israel Lahey’s success with OCR didn’t happen by accident. It stemmed from a strategic partnership with Clearwater and a shared commitment to treating risk as a business problem, not just an IT security issue.
That mindset shift is foundational, regardless of your organization’s size.
“I would ask organizations to align their risk practice to recognized frameworks,” Bailey advised. The NIST Cybersecurity Framework is a strong starting point to address risk and elevate it to enterprise risk management.
The more your business understands all types of risk—cyber, operational, and financial—and can manage them from a business perspective, the better off you’ll be in the long run.
OCR Wants Proof, Not Promises
Making the mindset shift about risk is no easy task, but you can pave the way forward by framing risk in terms of the impact that compromised patient data has on patient safety. Not only is that a point that resonates with your employees, it's also directly related to compliance.
Dutcher shares these key takeaways from this experience:
- Talk about risk all the time.
- Never view risk in a silo.
- Get senior leadership and the board involved.
“It didn’t take a lot of education to get senior leadership to say, ‘We’re going to commit the resources’—people, processes, and dollars—because you don’t have to look far every day to see a healthcare entity that’s being impacted by a cyber breach,” Dutcher said.
Clearwater’s collaboration with Beth Israel Lahey Health is one example of how evidence-based compliance transforms OCR expectations into operational confidence.
Clearwater is available to help you with the frameworks, expertise, and operational structure to close that gap before regulators—or attackers—find it first.