An evaluation of risk assessments conducted by CHAN Healthcare, a subsidiary of Crowe, during the first six months of 2014 provides some valuable information for healthcare organizations. The evaluation analyzed more than 3,200 risks across 13 health systems and 270 entities and computed average risk scores based on two primary factors – strategic and business impact and business environment complexity. Risks 11 through 20, ranked highest to lowest, follow, in the first article of a two-part series.
11. Physician Practice Revenue Cycle
Healthcare organizations continue to acquire physician practices, which leads to revenue cycle risks as a result of a lack of formal process documentation, inadequate staff training, and issues with accountability. In addition, many practices recently have implemented new systems, and these process changes also boost risk. Organizations should review the entire revenue cycle – from pre-appointment insurance verification and payment arrangements to billing and claims submissions – for weaknesses and potential problem areas.
Data breaches are in the headlines regularly, and numerous healthcare organizations have been among the victims. Unlike other types of organizations, though, healthcare providers must comply with the Health Insurance Portability and Accountability Act (HIPAA). Enforcement activities by the Office of Civil Rights have been on the rise, with the number of resolved complaints jumping from about 9,400 in 2012 to 14,300 in 2013 [1]. To avoid fines and penalties, hospitals routinely should audit their administrative, physical, and technical safeguards for vulnerabilities in their security policies, processes, and systems. And, of course, security risk assessments are a requirement of the HIPAA Security Rule and for reimbursement through the meaningful use program.
13. Financial Statement Close Process
The close process consistently has ranked among the top risks facing the healthcare industry. Accurate and timely financial reporting is required of healthcare organizations, and the associated risks of not meeting reporting requirements and standards include misstated financial position, fraud and misappropriation, and lost balances. An organization needs to have in place policies and procedures to guide the staff and management on how to properly close financial statements, addressing, among other things, account reviews, balance sheet and income statement balances, and reconciliations.
14. Billing and Collection
Producing a timely, error-free claim that can be adjudicated and paid quickly is an ongoing challenge for healthcare organizations and remains a burdensome process. An ineffective or inefficient process translates to lost revenue. Many organizations recently have implemented significant changes to their billing and collection functions, including centralization or outsourcing. These shifts can mean greater efficiency but only if they are managed properly. Hospitals should run daily accounts reports to monitor unbilled services and past-due balances and should respond accordingly.
15. Third-Party Vendor Oversight
Vendors that are subject to inadequate oversight can easily inflate charges, bill for services not provided or contracted for, or engage in other fraudulent schemes, sometimes even with an organization’s own employees. Management oversight of contracts is crucial. Management should be involved in negotiations and then reconcile services received against contracts (to confirm the organization is receiving the services contracted for) and invoices (to confirm the organization isn’t being charged for services not received).
16. Charge Capture
Leaking revenue from inadequate charge capture remains an area of concern for a variety of hospital departments, particularly as electronic health record systems are implemented and other systems are updated. Hospitals must reconcile patient schedules and records against the respective billing to verify that charges are passing accurately between systems.
17. Health Insurance Plans
This area is new to the list of top risk areas for healthcare providers, as many health systems are venturing into the health insurance market. The unique risks of insurers are a different consideration for most providers. For example, insurers must maintain adequate risk-based capital reserves. They also must comply with a far-reaching web of federal and state regulations and monitor medical loss ratio limits.
18. IT System Access
Unauthorized access to data or applications is a significant organizational risk. Healthcare organizations often struggle to maintain consistent core controls (for example, passwords, timeouts, and lockouts) around system access, especially given the speed with which they are implementing new systems and Web-based portal applications. Provisioning – or granting the right type of access to the right user – also has come up regularly in healthcare organizations’ risk assessments. Tight deadlines and a lack of oversight and enforcement can’t be allowed to usurp proper controls.
Payroll is the single largest expense for most healthcare organizations. Related payroll risks include timekeeping, pay practices, and the potential for payroll fraud (for example, ghost employees). One of the most powerful controls for payroll risks is segregating payroll duties, so that different employees are responsible for payroll preparation, authorization, check generation, and distribution. Also, access to payroll records should be restricted to those who legitimately require it.
As organizations seek to control rising costs, purchasing continues to be a focus. Purchasing-related risks include the accuracy of pricing compared with contracts as well as processes related to vendor selection. Another common problem arises when multiple suppliers provide different types of the same products (for example, different types of gloves based on individual physician preferences). Healthcare organizations can improve cost efficiency by consolidating suppliers. This also is an area where invoices should be reconciled with contracts to catch price changes and other disparities.
The risks facing the healthcare industry are complex and constantly changing. Organizations need to monitor their risks regularly by conducting a robust risk assessment. Processes should be in place to test controls in high-risk areas, uncover gaps, and take the appropriate actions to mitigate risks. The second article in this series, to be published March 24 in Healthcare Connection, will cover the top 10 risks.