Healthcare organizations continually face difficult decisions about how they focus time, energy, and dollars to avoid undue risk exposure, especially given anticipated changes to the Affordable Care Act with the new administration.
An evaluation of recent risk assessments conducted for healthcare clients of CHAN Healthcare reveals 20 top risk concerns. The data analyzed included nearly 4,000 risks across more than 280 healthcare entities. Results are grouped into the following categories: care transformation, compliance, information technology, healthcare operations, and revenue cycle management.
Quality patient care and patient safety are primary strategic objectives for healthcare systems. Data on quality measures and safety initiatives can be collected and reported through claims, metrics, chart abstraction, electronic health records (EHRs), and disease-specific registries. The advent of electronic medical records and patient care technology has drastically increased the ability to assess care methods and results and to identify areas for improvement in quality of care and patient safety. Quality and patient safety risks include:
- Monitoring implementation of evidence-based practices
- Increasing reliability and sustainability of clinical processes
- Reporting accurately and in a timely manner on publicly available quality initiative measures
Many healthcare organizations are adding clinical expertise to the internal audit function to better address these critical areas.
Accountable Care Organizations
As healthcare systems have become engaged and now have experience with accountable care organizations (ACOs) and clinically integrated networks, healthcare executives increasingly are interested in an assessment of risks and are seeking help in designing or strengthening controls to manage those risks. During risk assessment discussions, management and governance professionals identified the following areas as specific ACO concerns:
- Accuracy of cost allocation, capitation payments, and shared savings
- Meeting cost and quality targets
- Accurate and timely reporting of quality data
- Meeting performance expectations outlined in ACO agreements
- Potential regulatory compliance issues if patient information is not adequately protected
The 340B Drug Discount Program
The 340B drug discount program has been an area of concern for the past several years. Savings and revenue from the program can affect an entity’s bottom line significantly. Having operations in place to validate compliance requires near constant attention, so 340B must be an area of focus for all registered covered entities. Its appearance as a top risk again this year also reflects a continued uncertainty about the complex and changing regulatory requirements. Additionally, it is an indication of the focus on both the performance and compliance risks related to increased numbers of retail and contract pharmacies. Covered entities and drug manufacturers have been anxiously awaiting the finalization of the 340B Drug Pricing Program Omnibus Guidance (mega-guidance), which was expected to have significant operational and control implications and thus affect future program savings and revenue. However, on Jan. 30, 2017, the White House Office of Management and Budget withdrew the pending mega-guidance so that the new administration could determine how best to proceed with program changes. The timeline for updated guidance is unknown at this time.
Physician integration still is a major area of concern for healthcare systems. Increased focus on establishing new physician arrangements and the complexity of the related contracts continue to elevate the risk in this area. Physician contracting risks are centered on the need to execute contracts quickly, without sacrificing a thorough review of contract provisions by all appropriate parties. Without a thorough review, healthcare systems are vulnerable to compliance and performance risks.
Physician compensation remains on the top 20 list this year due to risks related to regulatory restrictions and poorly designed or implemented internal controls. These control gaps could result in noncompliance with IRS tax filing requirements if physicians are not appropriately classified. In addition, contract terms might not be met, resulting in legal issues related to Stark Law and anti-kickback and fraud and abuse statutes and even financial, legal, and reputational consequences.
Health Insurance Portability and Accountability Act (HIPAA) privacy and security compliance is of critical importance to healthcare systems in light of increased security and privacy threats and heightened regulatory focus. The frequency and scope of healthcare breaches has been on the rise in the past several years, resulting in significant financial, regulatory, and reputational issues for victim organizations. In addition, the Department of Health and Human Services Office for Civil Rights (OCR) modified its approach and increased the number of HIPAA compliance audits beginning in 2016. Because the resulting documentation and support burden on subject hospitals has been significant, healthcare systems are looking for early insight into both their readiness to respond to compliance audits and their ability to pass examination.
Understandably, cybersecurity risks are top of mind for healthcare organizations again this year, given the seemingly endless reports of network security breaches, ransomware, and other cyberattacks. Management and governance professionals want insight into potential cyberrisks and their organizations’ threat exposure. Most healthcare organizations have adopted a “not if, but when” point of view. As a result, they are seeking input and advice concerning alternative controls they can implement to strengthen their cybersecurity defenses and minimize the negative impact from an attack.
While most healthcare organizations have now implemented electronic medical records, system implementation risks continue to be an area of significant concern. Organizations have begun to identify necessary changes to EHR systems to address workflow, process, and documentation issues. In addition to focusing on these changes, organizations are implementing new technology to support clinical and business initiatives related to quality of care, data analytics and reporting, and the expansion of service delivery methods such as telemedicine. System implementation projects must meet timeline and budget constraints without sacrificing project management methods or internal controls.
System Access Management
Without strong access management controls, operating systems and business and clinical applications may not be protected from unauthorized access to or theft of sensitive information. Users should have access only to information they need to perform their job functions, and access for users who have been terminated or transferred must be removed on a timely basis. Weak system access management controls also may affect the integrity of information generated from a system, and the system may be vulnerable to loss or failure due to external or internal manipulation.
IT General Controls
IT general controls are the foundation for healthcare systems that strive to conduct ongoing business and clinical operations effectively. Weak controls in program change management, physical and logical security, data and system backup, system interfaces, and data center operations can have a significant impact on the confidentiality, integrity, and availability of systems used to provide safe and effective patient care.
Third-Party Vendor Management
Healthcare systems continue to embrace the use of third-party providers for a variety of crucial operational, clinical, and technology functions, often with the objective of cost savings and efficiency gains. However, use of third parties to provide core services is not without risk. Some of those risks include:
- Failure to meet performance requirements as outlined in the contract
- Failure to meet financial terms in accordance with contract provisions
- Billing for services not provided
- Potential compliance risks and related reputational damage due to weak vendor privacy and security controls
Care (Case) Management
This risk area was added to the top 20 list this year because of expressed concerns over the potential relationship between weak care (case) management controls and identified increases in observations and denials. Management and governance professionals also indicated they want insight into the effectiveness of the utilization process, including validation of medical necessity and patient status. Effective care (case) management monitoring is essential in confirming whether patients are at the right level of care, minimizing readmissions, and promoting compliance with Medicare and the two-midnight rule. Absent strong controls in this area, healthcare systems might over- or underbill for services provided, or they might experience unnecessary denied claims and revenue reductions.
Clinical Documentation Improvement
Clear and accurate documentation of patient care encounters and services is critical from a regulatory, reputational, financial, and patient care perspective. The inclusion of clinical documentation improvement as a top risk area this year demonstrates heightened concern about the ability to rely on clinical documentation for patient care that translates into coded data for quality reporting, billing, and reimbursement and serves as support for physician compensation decisions (pay for performance). The primary risk associated with clinical documentation is insufficient provider documentation to support accurate ICD-10 reporting. In addition, steps taken to obtain additional information (for example, physician queries) require extra resources and might cause delays in the revenue cycle. The potential negative implications from use of the copy-and-paste functionality built into many EHR systems also is an area of concern.
Medication Management and Drug Diversion
Inadequate controls on medication management and controlled substances can have significant financial, compliance, patient care, and reputational impacts. Pharmacists and care providers have a shared responsibility to help ensure the right patient, right medication, right dosage, and right route in order for patients to receive safe and effective care. In addition, they share responsibility to prevent prescription drug abuse and diversion, particularly with regard to controlled substances. This assurance is accomplished through establishing and enforcing strong internal controls over ordering, dispensing, and administering drugs as well as maintaining inventory records and drug diversion monitoring processes. Due to both patient care and compliance risks, healthcare system leaders have continued interest in whether the design of, implementation of, and adherence to internal controls are as intended.
Nonphysician Contract Management
This risk area reflects healthcare system concerns over the potential financial, legal, and compliance issues that might result without strong controls over the execution and management of contracts for nonphysician services. The following risks were specifically noted in risk assessment discussions:
- Databases used to house and maintain contracts might not be secure or complete.
- Parties to a contract might not adhere to agreed-upon terms (resulting in legal or cost implications).
- Standard terms required for all contracts might not be used.
- Contracts might not be executed in a timely manner, resulting in an inability to meet patient or business needs.
Revenue Cycle Management
Billing and Collections
Many healthcare systems struggle to manage billing and collection processes and to promote timely and error-free claims effectively. Strong controls are needed in this area for claims to be quickly adjudicated and paid in order to secure expected revenue streams. Billing and collections had a higher overall perceived risk ranking this year, likely due to organizational, system, and process changes related to the billing and collection functions.
Patient access gets attention during risk assessment discussions due to heightened concerns over the existence and effectiveness of controls over patient scheduling, registration, and admission processes. Weak controls in these critical patient access areas may result in billing and patient accounting issues, lost revenue, and poor patient and physician satisfaction.
Accurate coding of conditions treated and treatment provided is critical to support accurate and timely recognition of revenue and quality reporting initiatives. Risks in this area include noncompliant billing and reporting (including under- and overpayments) due to inaccurate coding as well as denials, penalties, and possible sanctions if regulatory requirements are not met. Inaccurate reporting of healthcare data also might jeopardize quality, administrative, and cost-saving initiatives. Risk discussions demonstrated concern over coder proficiency with ICD-10, application of ever-changing official coding guidelines, and absence of physician documentation to support specific codes. These challenges could result in a higher-than-average number of coding errors and in missed opportunities to report all services provided.
While charge capture remains a significant area of risk for health systems, its overall relative risk is somewhat lower this year. Many of the charge capture challenges anticipated with the advent of EHRs have now been addressed, and ICD-10 has been adopted and implemented. Concerns over the accuracy and completeness of charges were still noted, however, and health systems continue to seek assurance that charge capture processes will support revenue recognition goals.
Physician Practice Coding and Billing
Organizations continue to acquire physician practices, resulting in revenue cycle risks. Controls over physician practice coding and billing help promote the accurate and complete billing for services rendered, which has a direct impact on revenue recognition. Management and governance professionals mentioned the following specific concerns with regard to risks in this area:
- Failure to bill correctly for specialty services
- Observed physician gaps in understanding of coding and billing processes
A Look to the Future
The following is a list of “rising stars” on the risk scene. These are escalated risk areas in which risk ratings were high but not mentioned as frequently as the risks already noted.
- 501(r) compliance. Management, governance, and internal audit groups are more aware of 501(r) compliance risks and the potential impact on an organization’s federal tax-exempt status.
- Revenue cycle outsourcing. More clients have entered into, or are considering, agreements with third-party vendors for revenue cycle services. Risks here are largely related to vendor contract performance and the ability to achieve expected improvements in cost reduction and revenue recognition.
- IT as a service. Healthcare systems increasingly are becoming engaged as providers of IT services. As a result, awareness of risk is rising with regard to the ability to maintain system security and availability and to comply with laws and regulations.
- Cloud computing. Use of cloud computing services is on the rise due to the perceived benefits of reduced costs, improved security, and increased speed of delivery. Cloud computing risks center on vendor performance with regard to security, privacy, and availability.
- Population health management. Population health management requires the aggregation and analysis of patient data in multiple information systems, coming from multiple sources. Risks in this area largely relate to data integrity, security, and privacy but also deal with the ability to successfully use data to achieve population health improvement goals.
If not well managed, all of these risks can have a negative impact on healthcare systems’ business. If an organization is able to control these risks, however, it can be better-positioned to achieve its strategic and business objectives and keep its focus on quality patient care.