Adapting your compliance program is now more important than ever

Rebecca Welker, CIA, FHFMA, CHIAP; Nicolle Brooks, CIA; and Amy Uldrick, M.S.N., RN, CPHRM
| 12/14/2021
For the healthcare industry to thrive in challenging times, it has to evolve. The same is true for healthcare compliance programs. To remain successful at monitoring and mitigating risks across the organization, compliance programs need to adapt to the changing environment.

At the foundation of any healthy compliance program is a strong risk assessment process. As industry regulations become more complex and organizations are exposed to increasing risks (operational, financial, or reputational), compliance leaders need to have a better understanding of their risk exposure. To achieve this, they need to improve their risk assessment process. Following are the “why, when, who, what, and how” of an effective risk assessment process.

Why should organizations conduct a risk assessment?

The U.S. Department of Health and Human Services Office of Inspector General (OIG) and the U.S. Department of Justice (DOJ) have set expectations for healthcare entities for conducting compliance risk assessments. Beyond meeting those expectations, however, other benefits of completing a risk assessment include enabling an organization to identify priorities so that compliance resources can be allocated effectively and used more efficiently. A robust risk assessment process also provides a compliance department with a methodical, proactive approach to its compliance efforts. Without a thorough risk assessment process in place, a compliance department might find itself in a reactive position, throwing resources at crises as they come up. In a proactive position, a compliance program is nimble and ready to adapt to new risk, having already identified risk areas and targeted resources to best mitigate them.

When should a risk assessment be performed?

Typically, compliance risk assessments are conducted every year as part of an organization’s annual compliance work plan development. But ideally, compliance risk assessments should be a continual process to keep pace with emerging risks and changing risk levels within the organization. Compliance work plans will need to be evaluated accordingly based on the continual risk assessment results.

Who should be involved in a compliance risk assessment process?

While the compliance department leads and oversees the assessment process, it is important to emphasize across the organization that compliance is everyone’s responsibility, and the risk assessment process should reflect that. The risk assessment should involve stakeholders from every department, such as managers and staff from legal, revenue cycle, administration, risk management, human resources, quality, and clinical areas. Interviewing individuals from these departments can help the compliance team gain insights into the top issues and risks these areas face and the degree to which established controls will mitigate these risks.

Staff members on the front lines have invaluable, in-depth knowledge about how processes actually work versus how policies and procedures state they should work. To get the most benefit out of interviewing staff members in each department, compliance department staff should ask open-ended questions such as:

  • What can go wrong?
  • Where is the organization most vulnerable?
  • What are the issues that concern you the most?

Answers to these types of questions help get to the root causes of identified risks. Asking what resources are available for addressing the top issues will also help determine whether sufficient resources exist. If the top issues that need to be addressed and the resources available to address them are misaligned, the compliance department should recognize that the risk level is unlikely to change until that gap is closed.

A note about clinical compliance: When considering clinical staff to interview, the compliance team should take care not to overlook staff beyond physicians and nurses, including those who work outside the inpatient setting, such as in physician practices or other ambulatory settings. This could include advanced practice providers, laboratory staff, pharmacists, radiology technicians, respiratory therapists, and staff members who don’t have formal medical training, such as assistants and clerical staff. Gathering information from all these different individuals helps create a full picture of compliance risk across the enterprise. It also helps pinpoint where gaps might exist between practice and policies. Hospitals often have formal training programs for staff, but it is important from a compliance perspective that knowledge about policies and procedures is the same for clinicians who work at the hospital and those who work in other settings. Effective risk assessment processes – and effective compliance programs overall – depend on awareness and alignment across the entire organization.

It is not practical to interview the entire organization; however, compliance departments can establish a two- or three-year rotating schedule so that all areas are covered within a longer time span. Organizations might be well aware of compliance concerns and efforts in larger, high-risk areas; however, significant risk can exist in smaller, less mainstream areas of the organization, so don’t leave these areas uncovered.

What factors should be included when considering risk?

Several factors should be included when considering risk, such as department size, complexity of the activities conducted, past compliance issues, organization trends, internal perceptions and opinions, and emerging risks. To help focus the risk assessment, consider the answers to questions such as the following, which are adapted from DOJ,1 OIG,2 and Health Care Compliance Association3 compliance guidance:

  • Will the compliance team focus on defined areas of legal compliance risk, or will it address other risk areas?
  • Will the risk assessment focus on high-risk operational areas, or will it be organizationwide?
  • Has an operational area experienced recent or significant turnover?
  • Has a change in management or other restructure occurred in the past 12 months?
  • Is an operational function shared with or supported by a vendor, or is the function performed entirely by a vendor?

How should a compliance risk assessment be performed?

To start, compliance staff should gather all relevant internal documents and industry information (for example, litigation history, results of internal monitoring, policies and procedures, excluded provider screening results, scope of new organizational strategic initiatives, information on new industry regulations, patient and employee complaints, external audit reports, and OIG work plans) to better understand the organization’s current compliance environment. In addition, the team should consider any organizational areas where employees might have the capacity or motivation to engage in wrongdoing. Other considerations include where decision-making and delegation authority reside within the organization, whether these areas lack supervision or internal controls, and whether internal pressures, temptations, or incentives for wrongdoing exist.

In addition to conducting interviews with clinical staff, as described earlier, compliance teams should interview members at all levels of management to gather insights. They also should not underestimate the value of data such as claims data, denial information, and quality performance dashboards in analyzing and understanding existing and emerging risks. Data should be ingrained throughout the compliance process, and staff should consider incorporating data-mining tools to help access and analyze data throughout the organization.

All this legwork should help identify risks, which can then be prioritized based on their impact, the degree of vulnerability the organization faces with respect to each risk, and the strength of the controls currently in place to mitigate risks.

Compliance program effectiveness

While compliance regulations are not new to the healthcare industry, they do evolve, just like the risk climate in a dynamic healthcare industry. A healthy compliance program depends on a robust risk assessment process that is performed continually, uses data to identify and monitor risk trends, and involves almost everyone across the organization.

In addition, organizations might want to consider an external assessment of their compliance program. Having a third party conduct an assessment every three to five years can be a good way to bring important issues to light that the compliance team might not notice in the course of day-to-day work. An outside viewpoint can be a valuable tool in keeping a compliance program effective, proactive, and adaptive to the ever-changing healthcare industry.

Rebecca M. Welker
Managing Director, Healthcare Consulting
Nicolle Brooks
Amy Uldrick

1 “Evaluation of Corporate Compliance Programs,” U.S. Department of Justice, updated June 2020.
2 “Compliance,” U.S. Department of Health and Human Services Office of Inspector General.
3 Health Care Compliance Association.