How Can CEOs and Board Members Keep Score on Compliance Risks?

Catie Heindel | January 2010

The U.S. Sentencing Commission and the Office of Inspector General (OIG) gave health care institutions a clear guide to effective compliance programs when they laid out the seven elements. Any hospital that has looked at the effectiveness of its compliance program knows and understands the elements, and in all likelihood the CEO and board members have been exposed to them. These elements have been a solid guide for measuring the structure of the compliance program and how it should be carried out. Effective guidance at the top of the organization, strong policies and procedures, ongoing monitoring and auditing (including yearly risk assessments), effective training, open lines of communication, quick response to deficiencies, and consistent enforcement of disciplinary standards have become recognizable yardsticks for taking stock of the compliance program.

Although the seven elements have been indispensable for judging whether the compliance program is properly up and running, they do not necessarily lay out the specific risks. The elements tell you what the end game should be for the structure and process of the compliance program, but leave the risk content for the health care provider to determine. As a result, CEOs and board members in the hospital environment, who understand the structure and processes required by the seven elements, need to know more. They need to know which risks deserve their attention, and how those risks differ from one another in importance. They need to know which risks can cause them the most headaches. They understand that a solid risk assessment process is required, but they need to know how to assess the outcomes of the risk assessment. They need the answers to questions such as: Are there broad categories of risk? How many are there? What are the risk areas within those categories? Are there key questions I should ask about the categories and risk areas? Is there a way to quantify the risks? In other words, can someone give me a scorecard to keep track of regulatory risks?

I would like to suggest that based on my experience in the Office of Inspector General, my observations of health care clients I have worked with, and discussions with expert colleagues, there are answers to these questions.

To the CEO and board member, I would say there are ten major categories of risk to which you need to pay attention. From an enforcement perspective, these are the categories that have been around the longest and have received the most attention. These are the categories that are still relevant in today’s environment. The ten categories are:

  • Anti-kickback and Stark
  • Emergency Medical Treatment and Active Labor Act (EMTALA)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Research
  • Quality
  • Cost reports
  • Laboratory services
  • Physicians at Teaching Hospitals (PATH)
  • Corporate governance and compliance
  • Claims development and submission

Many hospitals will need to address all ten categories, but some will not. Hospitals that are not teaching hospitals will not need to address PATH. Some hospitals do not conduct research. Certain other hospitals do not have an Emergency Department.

Each of the categories contains key risk areas, which can be expressed through questions asked about the category. To quantify the risks, you can assign values or numbers to the answers to those questions. After answering all the questions, you can add up the numbers and evaluate how well you are doing. You now have a scorecard to inform yourself about your compliance risks. See Chart A below (page 38 of the original publication) for an example scorecard, including risk questions and suggested values.

As you notice in the chart, not all risk categories have the same value. Some, such as anti-kickback and Stark and claims development and submission, are ranked higher due to their inherent risks and strong enforcement by the government. Risk areas within a category can also differ in value due to focused regulations, strong enforcement, or other factors. Every hospital system will have its own unique issues, so the values assigned should be modified based on past and current actual experiences.

Risk areas can change over time, so the scorecard will need to be updated periodically. I suggest updating once a year when the new OIG Work Plan is published, or at a time when significant new legislation is passed.

Over the past ten years or so, compliance programs have established themselves as a vital part of the health care system. CEOs and board members have become more familiar with the structure and process of the compliance program. The compliance scorecard can be used to help the CEO and board members delve a little deeper into the enforcement risks the hospital system is facing. It can provide them with the quantitative data they need to help evaluate and track those risks.

Chart A. Example compliance scorecard (risk questions, points awarded per question, and total points)

Anti-kickback / Stark
  • Are all physician contracts in a single database? (Yes: 3 pts) ___/3
  • How many independent physicians have an administrative contract (teacher, director)? (0-3: 1 pt) ___/1
  • Is there a written need for the administrative function? (Yes: 2 pts) ___/2
  • Is there a written statement why this person is best for the function? (Yes: 2 pts) ___/2
  • Does the contract accurately describe the task? (Yes: 2 pts) ___/2
  • Is the contract actively monitored for performance? (Yes: 2 pts) ___/2
  • Do all independent physician contracts meet the AKS/Stark requirements, including fair market value? (Yes: 4 pts) ___/4
  Category total points: ___/16

EMTALA
  • Are there adequate procedures to ensure every Emergency Department (ED) patient receives a medical exam? (Yes: 1 pt) ___/1
  • Are medical exams given in order of need? (Yes: 1 pt) ___/1
  • Is every ED patient stabilized prior to transfer? (Yes: 2 pts) ___/2
  • Have any physicians not responded when called? (Yes: 0 pts) ___/1
  • Are the required signs posted? (Yes: 1 pt) ___/1
  • Are there any pending complaints or adverse publicity regarding the ED? (Yes: 1 pt) ___/1
  Category total points: ___/7

HIPAA Privacy and Security
  • Do the safeguards to protect personal health information (PHI) comply with federal regulations? (Yes: 3 pts) ___/3
  • Have necessary procedures to comply with the HITECH breach notification rule been implemented? (Yes: 1 pt) ___/1
  • Have necessary procedures to comply with the HITECH Business Associates provisions been implemented? (Yes: 1 pt) ___/1
  • Have necessary procedures to comply with the HITECH limits on use and disclosure provisions been implemented? (Yes: 1 pt) ___/1
  • Have necessary procedures to comply with the HITECH individual rights provisions been implemented? (Yes: 1 pt) ___/1
  • Do the security procedures adequately address the required administrative, physical and technical safeguards? (Yes: 3 pts) ___/3
  Category total points: ___/10

Clinical Research
  • Is there an effective system for time and effort reporting? (Yes: 1 pt) ___/1
  • What is the error rate when billing for a patient enrolled in clinical research? (<3%: 3 pts) ___/3
  • Do patients understand the consent forms? (Yes: 2 pts) ___/2
  • Do we have adequate procedures to ensure against researcher misconduct? (Yes: 2 pts) ___/2
  • What is the percentage of principal investigators who receive money from pharmaceutical, medical device, or other sources? (<25%: 2 pts) ___/2
  Category total points: ___/10

Quality of Care
  • Do procedures exist that ensure accurate data in reporting Quality information? (Yes: 2 pts) ___/2
  • Are any providers ordering medically unnecessary services? (Yes: 0 pts) ___/2
  • Are any providers ordering too few services? (Yes: 0 pts) ___/2
  • How many never events have occurred in the last quarter? (None: 2 pts) ___/2
  • Are there procedures to ensure that providers are properly credentialed and have no sanctions? (Yes: 2 pts) ___/2
  Category total points: ___/10

Cost Reports
  • Are there procedures in place to ensure compliance with bad debts regulations? (Yes: 2 pts) ___/2
  • Are there procedures in place to ensure compliance with credit balances regulations? (Yes: 2 pts) ___/2
  • Are there procedures in place to ensure compliance with wage indices regulations? (Yes: 1 pt) ___/1
  • Are there procedures in place to ensure compliance with Disproportionate Share Hospital regulations? (Yes: 1 pt) ___/1
  • Are there procedures in place to ensure compliance with discounts regulations? (Yes: 1 pt) ___/1
  Category total points: ___/7

Laboratory Services
  • Does billing occur after services are performed? (Yes: 1 pt) ___/1
  • Are the bills for medically necessary services? (Yes: 1 pt) ___/1
  • Are the tests ordered by the physician and provided by the hospital laboratory? (Yes: 1 pt) ___/1
  • Do the CPT and HCPCS codes accurately describe what was ordered? (Yes: 1 pt) ___/1
  • When diagnostic information is obtained after receipt of the request for services, is the information documented and maintained? (Yes: 1 pt) ___/1
  Category total points: ___/5

Physicians at Teaching Hospitals (PATH)
  • Do the physicians who provide or supervise services provide correct documentation of services? (Yes: 1 pt) ___/1
  • Is the appropriate documentation placed in the patient record and signed by the teaching physician? (Yes: 1 pt) ___/1
  • Does the physician document their presence during the key portion of the service? (Yes: 2 pts) ___/2
  • When the physician provides evaluation and management (E&M) services, does the patient’s medical record include the applicable key components of the E&M service provided or supervised? (Yes: 1 pt) ___/1
  Category total points: ___/5

Corporate Governance and Compliance
  • Is the board of directors educated, informed, and active in major compliance issues? (Yes: 2 pts) ___/2
  • Is there an annual risk assessment that is informed by qualitative and quantitative analysis? (Yes: 2 pts) ___/2
  • Are major risks monitored and audited? (Yes: 2 pts) ___/2
  • Are major risks reported to the executives and board of directors? (Yes: 2 pts) ___/2
  • Is there a robust risk remediation process, including new/amended policies and procedures, and solid education and training? (Yes: 2 pts) ___/2
  Category total points: ___/10

Claims Development and Submission
  • What is the error rate determined by the staff? (<3%: 5 pts; 3-5%: 2 pts) ___/5
  • What is the error rate determined by external auditors? (<3%: 4 pts; 3-5%: 2 pts) ___/4
  • What is the number of additional documentation requests from payers per month? (<3/month: 3 pts) ___/3
  • What is the number of denials by payer per month? (<2 and/or <$10K: 4 pts) ___/4
  • What is the number of audit recommendations for claims improvement? (<5/year: 3 pts) ___/4
  Category total points: ___/20

TOTAL SCORECARD POINTS: _____/100

Scorecard guide to points:
  • 90-100 pts = In good shape
  • 80-90 pts = Needs some work
  • 70-80 pts = Need some help
  • 70 and below = Need lots of help

About the Author

Catie Heindel is an attorney who is certified in Healthcare Compliance (CHC), Healthcare Privacy Compliance (CHPC) and Healthcare Privacy and Security (CHPS). She has over 11 years of experience in the health care compliance industry and performs regulatory risk assessment and management services for clients, both general in scope and tailored to specific risk areas.