5 COVID-19 emerging risks for healthcare organizations

By Andrei De Vore; Scott C. Gerard, CPA; and Daniel T. Yunker
| 6/16/2020
5 COVID-19 emerging risks for healthcare organizations

Changes brought on by the COVID-19 pandemic are likely to have a long-term – possibly permanent – impact on how hospitals conduct business and how patients gain access to healthcare. As healthcare organizations anticipate what the new normal will look like in a post-COVID-19 world, they will need to consider necessary short-term and long-term adjustments to their operations. Here are five of the emerging risks that healthcare organizations face.

1. Telemedicine

With the onset of the COVID-19 crisis, many healthcare organizations have either started or increased the use of telemedicine as patients and caregivers seek safer alternatives to traditional delivery models and as states and payers have relaxed previous telehealth billing restrictions. The increase in telehealth brings with it both positive and negative results for healthcare providers as well as several new risks.

From a provider perspective, if the provider implements the right technology, patients have access to adequate broadband internet, and documentation and coding processes are properly established, telemedicine makes it possible for a physician to safely see more patients in a shorter duration of time. Alternatively, to date, telemedicine documentation and coding processes have been more cumbersome, and when combined with technology issues the results often have resulted in a greater burden on healthcare providers, less patient contact, and a generally lower standard of care. Risks include:

  • Because more patients and providers might be “socially distant,” increased telemedicine volumes after the pandemic likely will adversely affect demand for ancillary services and outpatient volumes.
  • Increased telemedicine use might create challenges in appropriately and completely capturing charges for services rendered and could lead to decreased facility fees and increased denials.
  • Some patients are refusing to be seen, because in-person visits that are covered by some health insurance plans no longer are being covered when the patients are “seen” remotely.
  • Increased telehealth volumes also might lead to additional stress on IT infrastructure, exposure to cybersecurity threats, and potential Health Insurance Portability and Accountability Act (HIPAA) breach risk as digital and physical patient information safeguards are relaxed. These risks might be exacerbated as organizations rush to establish or expand telehealth services absent appropriate operational cybersecurity discipline, inadvertently use improperly vetted third-party service providers, and struggle with efficiency and care quality as providers adjust to working from home for the first time.
  • Healthcare organizations might face a higher malpractice risk related to telemedicine services as demand spikes and providers deal with unusually high workloads.

Some lax practices (for example, staff using personal phones and other devices for video calls, medical personnel sending unsecured texts and emails of protected health information and medical information, and hospital departments purchasing and implementing video conferencing and other software and services without IT department approval) allowed during the pandemic should be assessed and remediated as provider organizations experience relief from the crisis.

Sign up to receive updates on the latest healthcare industry trends, developments, and business needs.

2. Supply chain

At the beginning of the pandemic, the U.S. healthcare system experienced supply chain breakdowns in obtaining personal protective equipment (PPE), ventilators, pharmaceuticals, and other critical equipment and supplies. Breakdowns often were due to a pre-pandemic emphasis on lean stocking levels and just-in-time delivery models as well as overreliance on sole-source suppliers and foreign vendors.

In the rush to obtain much-needed supplies, healthcare organizations might have increased their risk in several ways:

  • Bypassing existing procurement processes and controls and therefore increasing the risk of overpayment or vendor fraud
  • Inadvertently engaging fraudulent vendors or suppliers excluded from participating in federally and state-funded healthcare programs including Medicaid and Medicare
  • Entering into unfavorable agreements (price, terms, etc.) while vendor oversight controls were relaxed

As healthcare providers enter the post-COVID-19 world, they should increase focus on supply chains, supplier diversification, and the maintenance of appropriate inventory levels of critical materials and equipment to address a recurrence of the coronavirus or other future pandemics. In addition, they should consider and prepare for potential federal and state regulations that might require minimum PPE and critical supply inventory levels to handle increased capacity. These regulations might require providers to redesign existing supply chain procurement, operations, and structure.

Due to lessons learned during the coronavirus pandemic, providers also are likely to establish emergency processes that require:

  • Real-time checking for excluded providers
  • Verification of the legitimacy of new vendors before disbursing payments in advance of receiving supplies and equipment
  • Physical controls over PPE and supplies at a higher risk for theft or diversion for sale on the black market

3. Liquidity

Healthcare provider viability might be affected by increased spending in response to the pandemic at the same time as the postponement or cancellation of high-margin elective surgeries and declining investment performance. As the impact of the coronavirus has become more visible, many healthcare organizations have quickly reacted by implementing short-term liquidity strategies to closely monitor and conserve cash. In the long term, organizations will need to stay focused on many areas that could affect their liquidity, including these:

  • Healthcare organizations might face increased risk of fraud due to relaxed or ineffective internal controls – especially in organizations that have paused internal audit and other oversight activities. The fraud could relate to:
    • Vendors – price gouging; fictitious vendors
    • Employees – payroll hours abuse
    • Billing – aggressive physician billing to make up for an extended period of lost revenue
  • Relaxed scrutiny of new vendor agreement approval could lead to overspending by entering into inappropriately long-term agreements, agreeing to unfavorable pricing, or purchasing software or services already on hand.
  • The opening of new and temporary facilities absent appropriate attention to underlying compliance requirements could result in fines and penalties. 
  • Lack of knowledge of coding and documentation requirements related to COVID-19 could lead to increased denials and readmissions.
  • As patient visits shift from in-person physician appointments to telemedicine, demand for ancillary services and outpatient volumes might decrease. In addition, accurately capturing and documenting charges for telemedicine services – already a challenge for many organizations – might be especially difficult for those organizations with little or no prior telemedicine experience.
  • Accelerated receipt of Centers for Medicare & Medicaid Services (CMS) reimbursements or currently available loans for payroll tax dollars that must eventually be paid back might create a false sense of security and result in reduced future cash inflows.
  • The increase in joblessness and resulting spike in the number of uninsured patients likely will affect provider liquidity as hospitals experience a meaningful shift in their payer mix away from commercial insurance and a significant increase in the number of self-pay accounts.
  • Government fines and penalties related to a healthcare organization’s inability to adequately support and defend funds received from the Federal Emergency Management Agency (FEMA) or provided as part of the Coronavirus Aid, Relief, and Economic Security Act (CARES Act) also could affect an organization’s liquidity, although the extent of such an impact will not be known until after a government audit has occurred at a later date. Hospitals should make sure they have a clear and well-documented process to calculate the funds requested.

Management also should monitor these areas that could affect future liquidity and, in some instances, bond covenants:

  • Organizations with ownership in senior living facilities might face a risk of future fines or penalties associated with the efficacy of infection prevention and control measures undertaken at those facilities.
  • New federal and state regulations might drive additional PPE investment costs and other costs required to comply with future pandemic preparedness.
  • Pre-pandemic financial valuation models used for hospitals, physician practices, or other healthcare entities might require significant evaluation and change before establishing the fair market value of a potential acquisition or entity offered for sale.
  • Unplanned capital consumption, including expanded bed capacity and medical equipment purchases, might stress cash flow. Organizations should increase their analysis and review of capital expenditures and equipment leasing decisions.

4. Legal and regulatory compliance

Due to their need to act quickly and serve a large influx of infected patients during a crisis, healthcare organizations might see increased legal and regulatory compliance risk across the entire enterprise. These are some possible increased risk areas:

  • Healthcare organizations might experience an uptick in malpractice lawsuits and other legal actions as the large number of unexplained or misunderstood deaths could lead family members seeking to determine if their loved ones were not timely diagnosed or properly cared for.
  • Hospital staff might file lawsuits related to employee safety if they contracted COVID-19 while serving infected patients, regardless of whether the hospital provided adequate PPE.
  • Many hospitals quickly reacted to the COVID-19 pandemic by opening temporary drive-thru testing sites and new treatment locations that might not have addressed all corresponding aspects of HIPAA compliance requirements during a time of crisis. Noncompliant activities could include:
    • Provider use of unsecured personal technology, including video or texts on personal phones or tablets
    • Employee use of unsecured networks while working from home
    • Excessive (more than minimally necessary) access to electronic protected health information
  • Healthcare organizations might have engaged clinicians and suppliers without first making sure they are not providers excluded from participating in federally funded healthcare programs including Medicaid and Medicare.
  • Hospitals must properly account for funds received from CMS as part of the Accelerated Payment Program and the Advance Payment Program as well as for future claims submitted that will not result in payment from CMS.
  • Hospitals and similar healthcare organizations have a legal responsibility to verify providers’ identity, education, work experience, malpractice history, professional sanctions, and license verifications to protect patients from unqualified providers. During the pandemic, some organizations might have hastily privileged and credentialed physicians to shorten the process of bringing them out of retirement to assist in patient treatment.
  • Hospitals likely will be audited and will need to demonstrate clear and well-documented processes for accounting for funds (including unreimbursed expenses and lost revenues) requested through FEMA and CARES Act federal government programs.
  • When COVID-19 blanket waivers granted by the U.S. Department of Health and Human Services have been lifted, healthcare executives might face increased compliance risk as well as fines and penalties if they haven’t developed a path for the organization to return to pre-COVID-19 protocols.
  • In addition to today’s laws and regulations, regulatory compliance risk likely will increase due to new regulations related to pandemic preparedness. Potential future regulations might establish required levels of PPE, other equipment, medical staff, and beds to handle a sudden increase in patient volume.

5. Patient and staff safety

As they operate through the pandemic, hospital organizations might face increasing challenges in protecting patients and staff. Numerous reasons exist:

  • Patients and staff might encounter crowded conditions in the emergency department or other locations where patients are gathering to obtain COVID-19 testing or treatment.
  • Equipment used to treat infected patients might be cleaned improperly.
  • Patient care might be put at risk through workload- or fatigue-related bypassing of safety protocols and reluctance of staff to work where PPE shortages exist. 
  • Because of a concentration of at-risk patients, healthcare organizations with senior living services might face increased patient safety risk in preventing COVID-19 infection and controlling the spread of further infection.
  • Patients previously infected with the virus might encounter pulmonary and other health complications in future months or years resulting from their COVID-19 infection.
  • Patient safety might be further affected by increased incidents of doctors, nurses, and hospital staff experiencing post-traumatic stress disorder (PTSD). The potential impact of PTSD might lead to clinician retirements in late 2020 or in 2021 because of the fear of another wave of COVID-19 before a vaccine or therapy is produced.
  • Hospitals and physicians might experience an influx of more seriously ill patients once the COVID-19 crisis has subsided and patients with chronic conditions begin addressing their conditions that have deteriorated during the pandemic.
Want more insights on addressing coronavirus-related challenges?
Go to the Crowe COVID-19 resource center for more analysis and updates.

Contact us

Learn more about how Crowe can provide industry-specific financial, regulatory, and technology expertise for your healthcare organization.
people
Andrei De Vore
Scott-Gerard-225
Scott Gerard
Partner
people
Daniel Yunker
Healthcare Internal Audit Services Leader