Telemedicine
With a significant increase in telemedicine use, risks have increased related to noncompliance with government and payer requirements for documentation and billing of telehealth services (for example, modifiers, place of service, and consents), resulting in denied claims and lost reimbursement. Telemedicine risks also include technology failures and cyberattacks on the telemedicine platform itself, where a resulting outage or disruption can affect quality of care, patient experience, and HIPAA compliance.
Audits for consideration:
- Compliance with documentation and billing requirements for telehealth services
- IT assessment of telehealth platform and devices
- Cybersecurity assessment of network and unified communications supporting telehealth
ESG and DE&I
Organizations are facing increased pressures from key stakeholders, including their boards, executive management, employees, and consumers, to measure, evaluate, and accurately disclose efforts toward environmental, social, and governance (ESG) standards for operations, which include diversity, equity, and inclusion (DE&I). Aligning these initiatives with the organization’s strategic goals and objectives presents internal and external risks.
With current market shifts, stakeholders (such as employees, vendors, and patients) want to be associated with organizations that can demonstrate their ESG focus (on, for example, climate change, pollution, energy, and natural resource consumption) through actions and reporting. Healthcare organizations can experience increased reputational risk if patients and communities feel underrepresented and misunderstood, resulting in decreased quality of care and a widening of healthcare disparities. Additionally, healthcare providers can be viewed as failing to offer services that meet the unique social, cultural, and linguistic needs of patients and communities.
Internal risks include failing to protect worker health and safety and embodying a workplace culture that lacks focus on environmental issues, governance matters, and inclusivity. Additional risks include failing to attract and retain talent, lacking trust from employees, and missing out on emerging opportunities and areas for innovation.
Audits for consideration:
- Assessment of current ESG and DE&I programs (determination of social and financial materiality, goal and metric setting, quantification and reporting of metrics and results, and board oversight)
- Executive and employee pay analysis
New regulations
Regulators are introducing legislation focused on consumer protections. These new regulations affect healthcare organizations in the areas of revenue cycle billing, patient and employee safety, and data privacy and protection. Development and implementation of processes and controls to mitigate the financial, operational, regulatory, and reputational risks associated with noncompliance with these regulations might be affected by the workforce turnover issues healthcare organizations are facing. Internal audit and compliance professionals need to understand the impact of these risks and related controls to limit exposure to the organization.
No Surprises Act compliance. Risks include civil monetary penalties for each violation where a patient receives a surprise medical bill as well as reputational risks resulting in lost revenue for facilities and providers.
Audits for consideration:
- No Surprises Act process effectiveness
- No Surprises Act compliance
Price transparency. Risks include noncompliance with federal and state transparency regulations resulting in monetary fines, reputational risk stemming from public criticism if a hospital knowingly does not comply with requirements, and revenue cycle bills not matching charges posted on a hospital’s website.
Audits for consideration:
- Compliance with CMS and state regulations
- Assessment of pricing accuracy
CMS vaccine mandate. Risks include noncompliance with regulations resulting in civil monetary penalties to the facility, denial of payment, and – as a final measure – termination from the Medicare and Medicaid program.
Audits for consideration:
- Vaccine process assessment
- Regulatory audit preparedness
Coronavirus Aid, Relief, and Economic Security Act (CARES Act) provider relief funds and federal grant compliance. Risks include recoupment of pandemic-related funds due to inadequate support of healthcare-related expenses or lost revenue calculations and noncompliance with terms and conditions for use of the funds.
Audits for consideration:
- Assessment of pandemic reporting
- Special project: Preparation of pandemic fund submission(s)
- Office of Inspector General audit preparedness
State-regulated data privacy. Risks include noncompliance with emerging state-specific privacy regulations and reputational risk stemming from how consumers’ personal data is being used and organizations’ failures to fully deidentify personal information.
Audits for consideration:
- Data governance assessment
- Data privacy compliance
Physician practice clinical operations
Clinical, legal, regulatory, reputational, medical malpractice, and patient safety risks increase when key processes within a physician practice (for example, results management, referral management, medication reconciliations, device sterilization, and medication storage) are not functioning as designed.
Although the risks within a physician practice or other ambulatory site have been known for years, a few trends have caused these risks to increase in recent years. First, many health systems continue to acquire additional physician practices, and the pre-acquisition due diligence is often focused on financial matters such as revenues, collections, and productivity rather than on clinical processes. Second, because of the volume of staff turnover within physician practices and the increase in resignations across the healthcare industry, some clinical processes that once functioned as designed no longer do, as employees with years of process knowledge and experience leave.
Audits for consideration:
- Physician practice (or ambulatory site) clinical assessment
- Physician practice results management assessment
- Ambulatory site device disinfection assessment
Robotic process automation (RPA)
As healthcare organizations implement robotic applications (“bots”) within standardized, rules-based processes (such as billing, collection, cash application, and prior authorization within the revenue cycle management process), it is critical that leadership and board members understand how these technology solutions are controlled. To provide assurance related to RPA, internal audit and compliance professionals need to understand the risks and related controls associated with the accuracy and completeness of data processed by bots, data governance processes, and access controls that prevent unauthorized and untested changes to the RPA programming (scripts and code).
Audits for consideration:
- Review of overall RPA governance process
- Assessment of RPA security controls and disaster recovery
- Assessment of RPA change management