What factors should be included when considering risk?
Several factors should be included when considering risk, such as department size, complexity of the activities conducted, past compliance issues, organization trends, internal perceptions and opinions, and emerging risks. To help focus the risk assessment, consider the answers to questions such as the following, which are adapted from DOJ [1], OIG [2], and Health Care Compliance Association [3] compliance guidance:
- Will the compliance team focus on defined areas of legal compliance risk, or will it address other risk areas?
- Will the risk assessment focus on high-risk operational areas, or will it be organizationwide?
- Has an operational area experienced recent or significant turnover?
- Has a change in management or other restructure occurred in the past 12 months?
- Is an operational function shared with or supported by a vendor, or is the function performed entirely by a vendor?
How should a compliance risk assessment be performed?
To start, compliance staff should gather all relevant internal documents and industry information (for example, litigation history, results of internal monitoring, policies and procedures, excluded provider screening results, scope of new organizational strategic initiatives, information on new industry regulations, patient and employee complaints, external audit reports, and OIG work plans) to better understand the organization’s current compliance environment. In addition, the team should consider any organizational areas where employees might have the capacity or motivation to engage in wrongdoing. Other considerations include where decision-making and delegation authority reside within the organization, whether these areas lack supervision or internal controls, and whether internal pressures, temptations, or incentives for wrongdoing exist.
In addition to conducting interviews with clinical staff, as described earlier, compliance teams should interview members at all levels of management to gather insights. They also should not underestimate the value of data such as claims data, denial information, and quality performance dashboards in analyzing and understanding existing and emerging risks. Data should be ingrained throughout the compliance process, and staff should consider incorporating data-mining tools to help access and analyze data throughout the organization.
All this legwork should help identify risks, which can then be prioritized based on their impact, the degree of vulnerability the organization faces with respect to each risk, and the strength of the controls currently in place to mitigate risks.
Compliance program effectiveness
While compliance regulations are not new to the healthcare industry, they do evolve, just like the risk climate in a dynamic healthcare industry. A healthy compliance program depends on a robust risk assessment process that is performed continually, uses data to identify and monitor risk trends, and involves almost everyone across the organization.
In addition, organizations might want to consider an external assessment of their compliance program. Having a third party conduct an assessment every three to five years can be a good way to bring important issues to light that the compliance team might not notice in the course of day-to-day work. An outside viewpoint can be a valuable tool in keeping a compliance program effective, proactive, and adaptive to the ever-changing healthcare industry.