Project Description

HIPAA Audit Risk Management in Onspring

A Healthcare Case Study



With a goal of creating an efficient, consistent, and adaptable HIPAA audit risk management program, the Memorial Hermann Health System’s audit team dropped their legacy software and adopted Onspring.

Now able to manage OCR compliance and HIPAA compliance and report on privacy incidents at the same time—all under the HITRUST and NIST frameworks—the audit team had a HIPAA audit risk management program fully connected to the rest of the business.

“Onspring really helps us understand what our primary risks are and not only in the types of problems but specifically where they exist in our environment.”

Clint Elston, CISSP
Director, HIPAA Audit Services, Memorial Hermann Health System


Memorial Hermann Health System


28,000 employees
6,500 physicians




Reporting across all activities of their HIPAA audit risk management program was a huge pain point for Clint Elston, Director of HIPAA Audit Services at Memorial Hermann Health System. His audit team was spending hours each week pulling information from their legacy software system and then compiling it into graph reports.

  • Data was pulled to show compliance with HIPAA.
  • Data was pulled to evaluate OCR compliance.
  • Data was pulled to assess the organization’s overall risk posture.
  • Data was pulled to measure the status of risk mitigation activities.

Data extraction from the legacy software system to create reports for each of these needs had its own unique process, which meant measuring OCR compliance and the risk associated with a HIPAA audit was never fast, simple, or consistent. In fact, the team described evaluating HIPAA audit risk at Memorial Hermann as one of the most time-consuming and laborious tasks they had to undertake.

Conclusion: Clint realized Memorial Hermann was wasting money on an expensive legacy software system while frustrating everyone on his audit team.

In order to deliver the same level of impeccable service as the physicians and staff in their health system, the HIPAA audit risk management team at Memorial Hermann Health System dropped their legacy software system and chose Onspring for real-time reporting, connected data, automatic workflows, and scalability to accommodate future plans and focus areas. 


Memorial Hermann Health System began using Onspring to view real-time reporting of privacy incidents across their campuses, plus monitor the remediation activities associated with each individual incident. 

In addition, Clint’s HIPAA audit team immediately began using Onspring to review holistic risks and risks directly corresponding to HIPAA audits.

The team finally had a comprehensive view across their HIPAA audit risk management program. Utilizing Onspring delivered immediate reporting for HIPAA audit findings, privacy incidents, OCR compliance, and third-party risk assessments, and also showed the connectivity across each of these data points. 

HIPAA Audit Risk Management in Onspring

Map Controls to HITRUST & NIST Frameworks

Realizing the power of connecting data in Onspring’s relational database, Clint made the smart decision to map controls to the multiple frameworks Memorial Hermann Health System followed, including HITRUST and NIST. 

In doing so, the HIPAA audit risk management team could conduct an audit and report findings against HIPAA and the HITRUST and NIST frameworks simultaneously, saving the audit team hundreds of hours a year and providing a level of visibility it had never had before.

HIPAA Audit Risk Program Mapping to HITRUST and HIPAA controls

Data elements captured in Onspring fed into formulas that automatically calculated scores for Memorial Hermann’s intrinsic risk, business risk, controls risk, and overall compliance risk. To provide transparency and clarity to everyone, the HIPAA audit risk management team documented how intrinsic risk measurements were divided into five categories, each based on financial values (fines) for issues of non-compliance. 
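The page does not publish Memorial Hermann's formulas or category thresholds, so the following is an added illustration (not Onspring's or the health system's code) of how such a scoring model can be expressed: a potential fine is mapped into one of five intrinsic-risk categories, combined with an analyst's business-risk rating and the measured effectiveness of the mapped control, and findings are ranked by the resulting overall compliance risk. All fine bands, ratings, control ids, locations and framework references below are constructed assumptions.

```python
from dataclasses import dataclass, field

# Assumed fine ceilings (USD) for intrinsic-risk categories 1..4; anything at or
# above the last ceiling is category 5. Illustrative values, not the page's.
FINE_BANDS = [(10_000, 1), (50_000, 2), (250_000, 3), (1_000_000, 4)]


def intrinsic_risk(max_fine_usd: float) -> int:
    """Category 1..5 from the largest fine a non-compliance finding could attract."""
    if max_fine_usd < 0:
        raise ValueError("fine must be non-negative")
    for ceiling, category in FINE_BANDS:
        if max_fine_usd < ceiling:
            return category
    return 5


@dataclass
class Finding:
    control_id: str               # hypothetical internal control id
    location: str                 # where in the environment the gap exists
    max_fine_usd: float
    business_risk: int            # 1..5, assumed analyst rating of operational impact
    control_effectiveness: float  # 0.0 (no control) .. 1.0 (fully effective)
    frameworks: dict = field(default_factory=dict)  # placeholder HITRUST/NIST refs


def controls_risk(f: Finding) -> float:
    """Residual risk from weak controls on a 0..5 scale (assumed formula)."""
    if not 0.0 <= f.control_effectiveness <= 1.0:
        raise ValueError("control_effectiveness must be within [0, 1]")
    return round(5 * (1 - f.control_effectiveness), 2)


def overall_compliance_risk(f: Finding) -> float:
    """Assumed formula: inherent severity (mean of intrinsic and business risk)
    scaled by the share of that risk the control leaves unmitigated."""
    if not 1 <= f.business_risk <= 5:
        raise ValueError("business_risk must be 1..5")
    inherent = (intrinsic_risk(f.max_fine_usd) + f.business_risk) / 2
    return round(inherent * (1 - f.control_effectiveness), 2)


def prioritize(findings):
    """Findings ordered highest overall risk first, so location and framework
    mapping travel with the score that puts a finding at the top of the list."""
    return sorted(findings, key=overall_compliance_risk, reverse=True)


# Constructed sample findings with placeholder framework references.
SAMPLE = [
    Finding("CTL-ACC-01", "ED workstation fleet", 1_500_000, 4, 0.0,
            {"HITRUST": "01.b", "NIST": "AC-2"}),
    Finding("CTL-LOG-03", "Billing data warehouse", 40_000, 2, 0.75,
            {"HITRUST": "09.aa", "NIST": "AU-2"}),
    Finding("CTL-ENC-02", "Clinic laptops", 300_000, 4, 0.25,
            {"HITRUST": "06.d", "NIST": "SC-28"}),
]
```

Running `prioritize(SAMPLE)` puts the uncontrolled workstation finding first (overall 4.5), the laptop encryption gap second (3.0) and the well-controlled logging gap last (0.5), which is the "what and where" view the text describes.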

Calculating HIPAA Audit Risk Management

Out-of-the-box Report Templates Feed Real-time Data

Clint’s HIPAA audit team at Memorial Hermann Health System took advantage of the out-of-the-box compliance and audit reporting templates in Onspring. This meant no one had to pull data and then build a report by hand. The reports were already there, populated by data captured in Onspring.

This was a big win. Onspring immediately solved their biggest pain point: data collection and reporting. 

HIPAA audit risk management was suddenly easy to assess because of the availability of real-time data records and formulas calculating risk levels.

HIPAA Audit Risk Management Reporting in Onspring

Out-of-the-box reporting templates also solved Memorial Hermann Health System’s issues around data inconsistency.

In Onspring, data for every report was sourced from the same centralized library, eliminating confusion or skepticism around accuracy. Every report also maintained consistent visuals in both content organization and colors, which made reporting simple to view, understand, and make decisions against. 

Clint’s HIPAA audit team also maximized the automation capabilities in Onspring by setting up automatic emails to distribute up-to-date reports on a schedule. All of this required zero effort from the team, so they continued to reap time savings. These automated email templates also increased system-wide consistency by ensuring communication was sent the same way every time for the same problems.


Onspring significantly helped the HIPAA audit risk management teams at Memorial Hermann Health System understand what their primary risks are, and not only the types of problems they have, but specifically where they exist across their environment.

Biggest Benefits

“Onspring is the only software we’ve used that has actually empowered our business unit and created positive change.”

Clint Elston, CISSP
Director, HIPAA Audit Services, Memorial Hermann Health System