Financial and operational risks
Accounts payable processing fraud
Key business processes such as accounts payable (AP) are critical to every healthcare organization. While these processes are highly visible and typically well-managed, when significant changes occur within the AP process (for example, leadership or employee turnover or cutbacks) or within the overall organization (for example, changes in operating procedures due to a pandemic, implementation of a new enterprise resource planning system, or organizational consolidation or centralization post-merger), fraud risks might increase due to changes in people, processes, or technology, or suspension or elimination of key internal controls.
Specific risks include:
- Fraudulent or unauthorized payments to existing vendors or employees
- Creation of, and payment to, fictitious vendors
- Inappropriate or unauthorized updates to vendor master data, causing payments to be diverted from the correct vendor
Audits for consideration to mitigate AP processing fraud risks
- Procure-to-pay process audit
- AP and vendor master file system access and general IT controls audit
- Vendor master file change process
- Corporate purchase card audit
How audit and compliance professionals can use technology to expand AP processing fraud risk coverage
- Analyze AP transactions to identify fraudulent payments to employees.
- Analyze payments made to the same bank account for multiple vendors.
- Analyze vendor payments that lack an associated purchase order.
- Analyze vendor payments issued for amounts just under standard approval levels.
- Analyze instances in which vendors were added and removed from the vendor master file immediately before and after payments were made.
- Analyze corporate purchase card transactions for nonbusiness uses.
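Four of the tests listed above, sketched over constructed records as an added example (not part of the original article). The field names, sample rows, approval limits, and the 2% margin are assumptions; real extracts would come from the AP and payroll systems.

```python
from collections import defaultdict

# Constructed sample data; field names and approval limits are assumptions.
VENDORS = [
    {"vendor_id": "V100", "name": "Acme Medical Supply", "bank_account": "111000-4451"},
    {"vendor_id": "V101", "name": "Acme Med Supply LLC", "bank_account": "111000-4451"},
    {"vendor_id": "V102", "name": "Northside Linen", "bank_account": "222000-9087"},
    {"vendor_id": "V103", "name": "JD Consulting", "bank_account": "333000-1212"},
]
EMPLOYEES = [{"employee_id": "E7", "bank_account": "333000-1212"}]
PAYMENTS = [
    {"payment_id": "P1", "vendor_id": "V100", "amount": 1200.00, "po_number": "PO-881"},
    {"payment_id": "P2", "vendor_id": "V102", "amount": 4975.00, "po_number": "PO-882"},
    {"payment_id": "P3", "vendor_id": "V103", "amount": 24900.00, "po_number": None},
    {"payment_id": "P4", "vendor_id": "V101", "amount": 5000.00, "po_number": "PO-883"},
]
APPROVAL_LIMITS = [5000.00, 25000.00]  # assumed approval levels


def shared_bank_accounts(vendors):
    """Bank accounts that appear on more than one vendor record."""
    by_account = defaultdict(list)
    for v in vendors:
        by_account[v["bank_account"]].append(v["vendor_id"])
    return {acct: sorted(ids) for acct, ids in by_account.items() if len(ids) > 1}


def vendors_paid_to_employee_accounts(vendors, employees):
    """Vendor records whose bank account matches an employee's account."""
    employee_accounts = {e["bank_account"] for e in employees}
    return sorted(v["vendor_id"] for v in vendors
                  if v["bank_account"] in employee_accounts)


def payments_without_po(payments):
    """Payments with no associated purchase order."""
    return [p["payment_id"] for p in payments if not p["po_number"]]


def payments_just_under_limit(payments, limits, margin=0.02):
    """Payments within `margin` (a fraction) below any approval limit."""
    return [p["payment_id"] for p in payments
            if any(limit * (1 - margin) <= p["amount"] < limit for limit in limits)]
```

Each function returns identifiers for follow-up review; a hit is a lead for the auditor, not a finding of fraud.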
Community benefit
Due to increased scrutiny of not-for-profit healthcare organizations, proving that hospitals are deserving of their tax-exempt status is more important than ever. Not-for-profit hospitals are required to demonstrate community benefit in many ways, including meeting the “community benefit standard” under IRS Revenue Ruling 69-545 and meeting certain requirements under Section 501(r) of the Affordable Care Act. But those are simply baseline requirements for not-for-profit hospitals. The real focus is how much they are doing in addition to those baseline requirements.
Unflattering media reports and congressional inquiries of how much community benefit and charity care hospitals provide in exchange for their preferential tax treatment are putting pressure on not-for-profit hospitals to differentiate themselves from their for-profit counterparts.
Risks associated with incomplete and inaccurate community benefit reporting include:
- Public scrutiny
- Inquiries from state charity officials and other local officials
- Challenges to property tax exemption, sales tax exemption, and possibly income tax exemption
Audits for consideration to mitigate community benefit reporting risks
- Community benefit calculation accuracy
- Community benefit reporting with a focus on unreported or underreported community benefit activities
- Community benefit policy and procedures review
- Review of environmental, social, and governance reporting that might incorporate community benefit
Inflationary economy
“Everything Everywhere All at Once” won the 2022 Oscar for best picture. The movie wasn’t about myriad challenges facing hospitals and health systems, but it could have been. Challenges such as labor shortages, wage pressures, declining operating margins, new COVID-19 surges, runaway expenses, rising interest rates, bank failures, investment losses, and more continually buffeted hospitals and health systems from all sides in 2022 and during the first quarter of 2023.
As patient volume slowly returns to pre-COVID rates and state and federal COVID relief funds end, rising inflation presents an additional hurdle to providers’ financial health. Entering 2023, hospital and health system management and governance need a full range of resources to counter the ongoing barrage of operating and financial headwinds.
An inflationary economy presents healthcare organizations with specific financial risks, including:
- Deteriorating liquidity metrics leading to credit downgrades
- Uncertain investment returns contributing to deteriorating liquidity
- Slow and unpredictable patient volume recovery
- Intractable labor issues and wage pressures
- Rising supply, pharmaceutical, and equipment costs
To combat the inflationary economy and strengthen operations, healthcare leaders are using some of the following resources and tactics with a focus on performance and margin enhancement:
- Increasing clinical operation efficiencies
- Clinical excellence and value-based payments
- Clinical efficiencies and outcomes
- Improving revenue cycle management performance
- Billing and collections
- Charge capture and clinical documentation improvement
- Increased digital transformation and creating value
- Labor efficiencies
- Increased risk coverage at lower cost
- Identifying cost saving opportunities
Audits for consideration to mitigate inflationary economy risks
- Denials management
- Revenue charge capture
- Procurement (with focus on spend)
- Timekeeping and payroll (with focus on overtime and premium pay)
How audit and compliance professionals can use technology to expand inflationary economy risk coverage
- Use data from the organization’s enterprise resource planning, EMR, payroll, and other systems to design and roll out automated digital transformation that provides continuous auditing of accounts payable, payroll, general ledger, and supply chain risk areas. This can help reduce risk and identify revenue enhancement and cost saving opportunities.
Pharmaceuticals: Drug diversion and 340B
Drug Enforcement Agency (DEA) regulations can be complex and difficult to understand, and citations involving these regulations can lead to multimillion-dollar settlements for organizations. A DEA audit or inspection also can lead to criminal prosecution and administrative action against a DEA registrant if the agency finds violations of the Controlled Substances Act.
The dispute between safety net hospitals and drug manufacturers over new price limitations by manufacturers on hospitals’ use of the federal 340B Drug Pricing Program is heading into a new phase of legal battles that ensures this fight will remain a dominant issue in the 340B arena for months to come. Furthermore, hospitals’ lack of compliance with 340B Program regulations might result in repayment to drug manufacturers or removal from the program. Also, rapidly rising costs along the pharmaceutical supply chain combined with the complexities of accurately capturing medication charges can contribute to a reduction in revenue and additional compliance risks.
Specific risks for hospitals and health systems include:
- Removal from the 340B Program due to lack of compliance
- DEA monetary penalties and/or criminal prosecution
- Loss of pharmacy revenue
- Patient harm/addiction
Audits for consideration to mitigate drug diversion and 340B Program risks
- 340B Program compliance assessment
- Drug diversion monitoring controls assessment
- Medication billing assessment
How audit and compliance professionals can use technology to expand drug diversion and 340B Program risk coverage
- Test 100% of critical data elements related to 340B Program compliance.
- Test 100% of critical data elements related to drug diversion monitoring controls.
- Test 100% of medication charges to confirm drugs administered and wasted are accurately billed.
Physician practices
Physician practices provide continuing care in the community and are the primary entry and exit points for many health systems. Although acute care facilities are highly regulated and frequently audited, ambulatory care settings, where processes are often manual, face less regulatory oversight of the operations and processes. In acquired physician practices, medical groups, and ambulatory clinics, lack of staff training, staff turnover, temporary staff, staff shortages, and time pressures can easily derail high-touch processes and can introduce additional unknown risks to a hospital or health system acquirer. Hospitals and health systems must establish “closed loop” processes and workflows to prevent patient harm, avoid liability, and improve quality.
Risks related to physician practices include:
- Missed referrals (for example, to cardiology), resulting in avoidable patient injury or death
- Lost screening results leading to a failure to diagnose or a misdiagnosis of a disease like cancer in time to initiate optimal treatment
- Missing or poorly performed medication reconciliation leading to clinicians concurrently prescribing contraindicated medications
- Unidentified temperature variations within a refrigerator resulting in the need to revaccinate patients and increased risk of reputational damage and legal liability
- Failure by hospitals or health systems to notify primary care physicians of patient admissions, discharges, or transfers resulting in gaps in care
Audits for consideration to mitigate physician practice risks
- New acquisition or pre-acquisition clinical practice assessment
- Diagnostic test and referral management
- Medication management (physical controls and reconciliation)
- Device disinfection (sterilization and/or high-level disinfection)
How audit and compliance professionals can use technology to expand physician practice risk coverage
- Identify diagnostic tests or specialist referrals ordered but not completed.
- Analyze medication reconciliation frequency and completion.
Vendors and business associates
Hospitals and health systems increasingly rely on third-party vendors in a variety of clinical, financial, and operational areas to augment staffing levels and achieve cost savings and increased efficiency. As technology has become increasingly critical to healthcare operations, vendors often require access to key information technology systems and networks. Sophisticated cybercriminal attacks are becoming more frequent, with many ransomware and cyberattacks targeting vendors and vendor systems as an entry point into a provider organization’s IT systems.
Strong contracting and oversight processes for these significant vendor relationships are critical for provider organizations to achieve their business goals and objectives. When an essential vendor fails to perform as expected, operational, financial, compliance, and reputational risks can ripple across the entire enterprise.
Common risks associated with vendor relationships include:
- Inadequate vendor screening and selection procedures
- Overcharging or billing for services not provided
- Failure to meet service, performance, or financial terms in accordance with contract requirements
- Failure to comply with facility policies and standards, resulting in compliance and reputational risks
- Weak privacy and IT security controls for vendors that have access to hospitals’ IT systems and data
Audits to consider for mitigating vendor and business associate risks
- Vendor selection and contracting
- Vendor onboarding, management, and monitoring
- Vendor HIPAA privacy and IT risk assessment
- Business continuity planning with focus on critical vendor services
How audit and compliance professionals can use technology to expand vendor and business associate risk coverage
- Analyze the vendor master file to identify duplicate and incorrect entries.
- Analyze accounts payable transactions to identify duplicate and inaccurate payments to vendors as well as vendor payments that could represent conflicts of interest, particularly for physicians (for example, lack of compliance with the Sunshine Act).
- Analyze vendors’ access to systems to identify excess or inappropriate access.
Workforce
Hospital CEOs’ top concern in 2022 was workforce challenges, according to the 2022 survey of hospital CEO challenges conducted by the American College of Healthcare Executives (ACHE).[3] It was the second consecutive year that workforce challenges ranked No. 1 on ACHE’s annual list of hospital CEO worries.
“Hospitals need to take both long- and short-term measures to address critical workforce issues so they can continue to provide safe, high-quality care now and in the future,” said Deborah Bowen, ACHE president and CEO, in a statement accompanying the ranking.
The workforce challenges that healthcare organizations face include recruiting, hiring, and retaining qualified employees as demand for healthcare services increases due to the aging U.S. population and the competition for healthcare workers intensifies. Workers leaving the healthcare sector due to pandemic-related burnout and accelerated retirements have only exacerbated the challenge over the past three years.
One way healthcare organizations have responded is through increased reliance on travel nurses. Some formed their own travel nurse programs in an attempt to limit related costs. Others offered increased benefits or incentives to retain workers. Some of those that couldn’t respond with creative solutions reduced or eliminated services or service lines at select sites of care.
The situation has created a number of specific risks that hospitals and health systems have not historically had to deal with at such scale.
Those risks include:
- Decreased quality and safety of patient care and clinical outcomes, leading to higher readmission rates, higher hospital-acquired infection rates, and higher mortality rates
- Lower quality scores leading to lower reimbursement rates
- Higher labor costs attributable to higher salary and benefit expenses and travel nurse program expenses resulting in impaired financial performance
- Increased difficulty in filling openings in the executive ranks, especially in organizations where the approach to succession planning (that is, identifying and mentoring successors) has not been formalized or well-established
Audits for consideration to mitigate workforce risks
- Travel nurse management and contract compliance
- Critical department staffing levels
- Recruiting and retention processes
- Succession planning
- Premium employee pay levels
How audit and compliance professionals can use technology to expand workforce risk coverage
- Analyze travel nurse timekeeping and billing data to assess propriety of agency billings.
- Use data analytics to identify patient readmissions and assess for staffing-related root cause(s).
- Analyze employee retention expenses and turnover data to assess effectiveness of retention programs.
Workplace violence
Seventy-three percent of healthcare workers in critical care settings around the world said they experienced workplace violence over the past year, according to the Violence Study of Healthcare Workers and Systems survey conducted by researchers with the Global Remote Research Scholars Program.[4] The researchers conducted the survey in 2022 and released the results in January 2023.
The Joint Commission’s new workplace violence prevention accreditation standards for hospitals took effect in January 2022.[5] The standards require hospitals to manage worker safety and security risks, collect information to monitor security incidents, participate in workplace violence prevention education and training, and develop and enforce workplace violence prevention programs.
More recently, ECRI named “physical and verbal violence against healthcare staff” as one of its top 10 patient safety concerns for 2023.[6]
Specific workplace violence risks include:
- Failure to comply with standards of The Joint Commission and other regulatory agencies related to prevention of workplace violence
- Failure to monitor security personnel and outsourced security vendors
- Adverse financial impact and lower quality resulting from employee turnover
- Harm to patients and healthcare provider team members
Audits for consideration to mitigate healthcare workplace violence risks
- Regulatory readiness, including compliance with Joint Commission standards
- Prevention of patient/visitor/family violence to staff audit
- Security event response assessment
How audit and compliance professionals can use technology to expand healthcare workplace violence risk coverage
- Evaluate reporting of violence resulting in staff harm.
- Analyze response time to events based on policy or service agreements with security vendors.
- Evaluate most frequent types of violent events and sources of violence threats.