For years, healthcare organizations have operated on the assumption that if you fill out the right paperwork, be it a SOC 2 report, a HITRUST (Health Information Trust Alliance) certification, or a signed Business Associate Agreement (BAA), your patient data is safe, and from there, the vendor review process moves forward. That assumption collapsed with the Delve scandal.
For those not familiar with Delve, it’s a well-funded (the company recently raised $32 million at a $300 million valuation) compliance automation platform designed to help startups get compliant 10 times faster and at a fraction of the cost of existing tools. In a world where speed often trumps quality, Delve’s immediate success came as no surprise, and its promises blinded people to what was happening behind the scenes — Delve was recently accused of systematically faking audit reports for hundreds of clients.
This discovery was exposed by a group of former customers dubbed DeepDelver, which published a detailed investigation based on a leaked internal spreadsheet featuring 494 SOC 2 reports. Of these, all but one were nearly identical. They included the same paragraphs, grammatical errors, and incoherent descriptions. There were even pre-written auditor conclusions and test procedures included in the report before clients had the opportunity to provide any evidence. That’s like being given a test where the answers are included before you even start.
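One way a vendor-risk team could surface templated reports of the kind described above, as an added example that is not part of the article or the DeepDelver investigation. It compares a batch of report texts paragraph by paragraph and flags pairs whose overlap is implausibly high; the report texts, vendor names and evidence item numbers are constructed.

```python
import re
from itertools import combinations

# Constructed sample reports (not real Delve or DeepDelver data). Three share
# identical auditor conclusions and test procedures; one is written on its own.
BOILERPLATE_CONCLUSION = ("The auditor reviewed the evidence provided and concluded "
                          "that the controls operated effectively during the period.")
BOILERPLATE_PROCEDURE = ("Test procedure: inspected the access review records and "
                         "observed that quarterly reviews was performed by management.")
SAMPLE_REPORTS = {
    "report_a": "\n\n".join(["Vendor: Acme Billing", BOILERPLATE_CONCLUSION, BOILERPLATE_PROCEDURE]),
    "report_b": "\n\n".join(["Vendor: Beta Analytics", BOILERPLATE_CONCLUSION, BOILERPLATE_PROCEDURE]),
    "report_c": "\n\n".join(["Vendor: Gamma Cloud", BOILERPLATE_CONCLUSION, BOILERPLATE_PROCEDURE]),
    "report_d": "\n\n".join([
        "Vendor: Delta Health",
        "We sampled 25 of 312 terminated users and found two accounts disabled late.",
        "Management remediated both exceptions; see evidence items E-14 and E-15.",
    ]),
}

def paragraphs(text):
    """Split a report into normalized paragraphs, dropping headings and short lines."""
    out = set()
    for para in re.split(r"\n\s*\n", text.strip()):
        para = re.sub(r"\s+", " ", para).strip().lower()
        if len(para) > 40:
            out.add(para)
    return out

def jaccard(a, b):
    """Set overlap in [0, 1]; two empty reports count as unrelated, not identical."""
    return len(a & b) / len(a | b) if (a or b) else 0.0

def flag_templated(reports, threshold=0.8):
    """Return (name1, name2, similarity) for pairs of reports at or above the threshold."""
    paras = {name: paragraphs(text) for name, text in reports.items()}
    return [(n1, n2, round(jaccard(paras[n1], paras[n2]), 2))
            for n1, n2 in combinations(paras, 2)
            if jaccard(paras[n1], paras[n2]) >= threshold]

def shared_paragraphs(reports, min_count=3):
    """Paragraphs that recur verbatim in at least min_count reports (the boilerplate)."""
    counts = {}
    for text in reports.values():
        for para in paragraphs(text):
            counts[para] = counts.get(para, 0) + 1
    return sorted(p for p, c in counts.items() if c >= min_count)

if __name__ == "__main__":
    for n1, n2, sim in flag_templated(SAMPLE_REPORTS):
        print(f"{n1} ~ {n2}: {sim:.2f} paragraph overlap")
    print(f"{len(shared_paragraphs(SAMPLE_REPORTS))} paragraphs recur across 3+ reports")
```

The paragraph set for every flagged pair can then be pulled out with `shared_paragraphs` and checked against the evidence the vendor actually submitted, which is the step that distinguishes a reused template from a genuine assessment.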
For healthcare organizations, the exposure is very real, and the consequences can be significant. Any entity that has relied on fabricated or inadequate vendor compliance documentation can be found liable by federal regulators under HIPAA’s willful neglect penalty, with fines reaching up to $50,000 per violation and organizations facing potential criminal liability.
How did we get here?
Delve is the most visible and recent example of a much larger problem that began with the advent of compliance-automation companies. These businesses promised speed and savings, a trend the market rewarded. But when the goal is the report rather than the security posture behind it, the report no longer reflects reality. In the case of Delve, the reports were an outright fabrication. The incentive structure that enabled it is not unique to one company. It is industry-wide, and healthcare is no exception.
The BAA problem
This problem does not stop at the certification layer. It affects the entire network of vendors that healthcare organizations rely on, starting with the Business Associate Agreement (BAA) and compounding as PHI moves downstream. That’s because the 2013 HIPAA Omnibus Rule extended liability down to every vendor and subcontractor that handles PHI. The issue is that healthcare organizations have near-zero visibility into how data flows beyond their direct vendors.
Here’s how it plays out. A health system signs a BAA with a billing platform that uses a cloud infrastructure vendor, a managed security provider, and a data analytics tool. At each link in the chain, the health system’s visibility diminishes. The BAA says the obligation follows the data, but in reality, most health systems can’t confidently confirm that PHI is being handled securely as required by HIPAA.
HITRUST is facing the same erosion
HITRUST, long considered a more rigorous standard, is experiencing the same issues as SOC 2. Speed pressure, cost competition, and inconsistent quality are eroding the comprehensive work that made the certification meaningful. “HITRUST in 90 days” has become a marketing pitch, a promise to compress a project that could take 6 to 18 months into three months or less. In the process, the thoroughness with which assessors examine the evidence now varies from one firm to the next.
HITRUST has responded by tightening its program and introducing quality assurance reviews. These actions are a clear acknowledgment that the erosion is real. Certification bodies do not overhaul their quality controls unless the quality has degraded.
A broader pattern
The same dynamic shows up across the ecosystem. MSPs compete on price, and that pressure shows up directly in how thoroughly they actually monitor. Compliance consultants sell “HIPAA in a box” packages that produce documentation without building a real program behind it. Clearinghouses handling PHI transactions are under the same margin pressure. When speed and cost become the primary levers of competition, the substantive work that made these intermediaries trustworthy in the first place vanishes altogether.
Change Healthcare and EHR exposure
Change Healthcare is what this looks like at scale. The attack took down claims processing across a huge portion of the U.S. healthcare system, and the vendor had the certifications you’d expect. The paperwork wasn’t the problem. The problem was that nobody downstream had real visibility into whether the controls behind the paperwork were actually working.
EHR and EMR integrations make this worse by design. These vendors have direct, real-time access to live patient data. When the control attestation for one of them is weak or unverified, that isn’t a compliance gap on a spreadsheet. It’s an open door.
What healthcare organizations should do now
SOC 2, HITRUST, and BAAs should be treated as starting points, not trust signals. They tell you what a vendor claims about its controls. They do not tell you whether those controls are actually working today or whether the evidence behind the attestation was real. The only question that matters in vendor risk is whether a vendor actually does what its documentation claims, and whether that can be verified through direct evidence. In healthcare, that is the only standard that tells you whether a vendor is actually safe to trust with patient data.
Clarence Chio is the cofounder and CEO at Coverbase, the leading AI procurement and risk company that recently raised $20m from top investors to automate 90% of vendor management. Prior to this, he cofounded Unit21, a Google-backed company that raised $92m to help top financial institutions combat fraud and money laundering with AI. He has degrees in Computer Science and AI from Stanford, published the book "Machine Learning and Security" with O'Reilly Media, and teaches AI and security at UC Berkeley.
This post appears through the MedCity Influencers program.
