How Can CEOs and Board Members Keep Score on Compliance Risks?
The U.S. Sentencing Commission and the Office of Inspector General (OIG) gave health care institutions a clear guide to effective compliance programs when they laid out the seven elements. Any hospital that has looked at the effectiveness of its compliance program knows and understands the elements, and in all likelihood the CEO and board members have been exposed to them. These elements have been a solid guide for measuring the structure of the compliance program and how it should be carried out. Effective guidance at the top of the organization, strong policies and procedures, ongoing monitoring and auditing (including yearly risk assessments), effective training, open lines of communication, quick response to deficiencies, and consistent enforcement of disciplinary standards have become recognizable yardsticks for taking stock of the compliance program.
Although the seven elements have been indispensable for judging whether the compliance program is properly up and running, they don't necessarily lay out the specific risks. The elements tell you what the end game should be for the structure and process of the compliance program, but leave the risk content up to the health care provider to determine. As a result, CEOs and board members in the hospital environment, who understand the structure and processes required by the seven elements, need to know more. They need to know which risks they should pay attention to, and the relative differences between them. They need to know which risks can cause them the most headaches. They understand that a solid risk assessment process is required, but they need to know how to assess the outcomes of the risk assessment. They need the answers to questions such as: Are there broad categories of risk? How many are there? What are the risk areas within those categories? Are there key questions I should ask about the categories and risk areas? Is there a way to quantify the risks? In other words, can someone give me a scorecard to keep track of regulatory risks?
I would like to suggest that based on my experience in the Office of Inspector General, my observations of health care clients I have worked with, and discussions with expert colleagues, there are answers to these questions.
To the CEO and board member, I would say there are ten major categories of risk to which you need to pay attention. From an enforcement perspective, these are the categories that have been around for the longest period of time and have received the most attention. These are the categories that are still relevant in today's environment. The ten categories are:
- Anti-kickback and Stark
- Emergency Medical Treatment and Active Labor Act (EMTALA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Research
- Quality
- Cost reports
- Laboratory services
- Physicians at Teaching Hospitals (PATH)
- Corporate governance and compliance
- Claims development and submission
Many hospitals will need to address all ten categories, but some will not. Hospitals that are not teaching hospitals will not need to address PATH. Some hospitals do not conduct research. Certain other hospitals do not have an Emergency Department.
Each of the categories contains key risk areas, which can be expressed through questions asked about the category. To quantify the risks, you can assign values or numbers to the answers to those questions. After answering all the questions, you can add up the numbers and evaluate how well you are doing. You now have a scorecard to inform yourself about your compliance risks. See Chart A below for an example scorecard, including risk questions and suggested values.
As you will notice in the chart, not all risk categories have the same value. Some, such as anti-kickback and Stark and claims development and submission, are ranked higher due to their inherent risks and strong enforcement by the government. Risk areas within the categories can also differ in value due to focused regulations, strong enforcement, or other factors. Every hospital system will have its own unique issues, so the values assigned should be modified based on past and current actual experiences.
Risk areas can change over time, so the scorecard will need to be updated periodically. I suggest updating once a year when the new OIG Work Plan is published, or at a time when significant new legislation is passed.
Over the past ten years or so, compliance programs have established themselves as a vital part of the health care system. CEOs and board members have become more familiar with the structure and process of the compliance program. The compliance scorecard can be used to help the CEO and board members delve a little deeper into the enforcement risks the hospital system is facing. It can provide them with the quantitative data they need to help evaluate and track those risks.
| Category | Questions | Points Awarded Per Question | Total Points |
| --- | --- | --- | --- |
| Anti-kickback/Stark | Are all physician contracts in a single database? | Yes: 3 pts | ___/3 |
| | How many independent physicians have an administrative contract (teacher, director)? | 0-3: 1 pt | ___/1 |
| | Is there a written need for the administrative function? | Yes: 2 pts | ___/2 |
| | Is there a written statement why this person is best for the function? | Yes: 2 pts | ___/2 |
| | Does the contract accurately describe the task? | Yes: 2 pts | ___/2 |
| | Is the contract actively monitored for performance? | Yes: 2 pts | ___/2 |
| | Do all independent physician contracts meet the AKS/Stark requirements, including fair market value? | Yes: 4 pts | ___/4 |
| | TOTAL POINTS | | ___/16 |
| EMTALA | Are there adequate procedures to ensure every Emergency Dept (ED) patient receives a medical exam? | Yes: 1 pt | ___/1 |
| | Are medical exams given in order of need? | Yes: 1 pt | ___/1 |
| | Is every ED patient stabilized prior to transfer? | Yes: 2 pts | ___/2 |
| | Have any physicians not responded when called? | Yes: 0 pts | ___/1 |
| | Are the required signs posted? | Yes: 1 pt | ___/1 |
| | Are there any pending complaints or adverse publicity regarding the ED? | Yes: 1 pt | ___/1 |
| | TOTAL POINTS | | ___/7 |
| HIPAA Privacy and Security | Do the safeguards to protect personal health information (PHI) comply with federal regulations? | Yes: 3 pts | ___/3 |
| | Have necessary procedures to comply with the HITECH breach notification rule been implemented? | Yes: 1 pt | ___/1 |
| | Have necessary procedures to comply with the HITECH Business Associates provisions been implemented? | Yes: 1 pt | ___/1 |
| | Have necessary procedures to comply with the HITECH limits on use and disclosure provisions been implemented? | Yes: 1 pt | ___/1 |
| | Have necessary procedures to comply with the HITECH individual rights provisions been implemented? | Yes: 1 pt | ___/1 |
| | Do the security procedures adequately address the required administrative, physical and technical safeguards? | Yes: 3 pts | ___/3 |
| | TOTAL POINTS | | ___/10 |
| Clinical Research | Is there an effective system for time and effort reporting? | Yes: 1 pt | ___/1 |
| | What is the error rate when billing for a patient enrolled in clinical research? | <3%: 3 pts | ___/3 |
| | Do patients understand the consent forms? | Yes: 2 pts | ___/2 |
| | Do we have adequate procedures to ensure against researcher misconduct? | Yes: 2 pts | ___/2 |
| | What is the percentage of principal investigators who receive money from pharmaceutical, medical device, or other sources? | <25%: 2 pts | ___/2 |
| | TOTAL POINTS | | ___/10 |
| Quality of Care | Do procedures exist that ensure accurate data in reporting Quality information? | Yes: 2 pts | ___/2 |
| | Are any providers ordering medically unnecessary services? | Yes: 0 pts | ___/2 |
| | Are any providers ordering too few services? | Yes: 0 pts | ___/2 |
| | How many never events have occurred in the last quarter? | None: 2 pts | ___/2 |
| | Are there procedures to ensure that providers are properly credentialed and have no sanctions? | Yes: 2 pts | ___/2 |
| | TOTAL POINTS | | ___/10 |
| Cost Reports | Are there procedures in place to ensure compliance with bad debts regulations? | Yes: 2 pts | ___/2 |
| | Are there procedures in place to ensure compliance with credit balances regulations? | Yes: 2 pts | ___/2 |
| | Are there procedures in place to ensure compliance with wage indices regulations? | Yes: 1 pt | ___/1 |
| | Are there procedures in place to ensure compliance with Disproportionate Share Hospital regulations? | Yes: 1 pt | ___/1 |
| | Are there procedures in place to ensure compliance with discounts regulations? | Yes: 1 pt | ___/1 |
| | TOTAL POINTS | | ___/7 |
| Laboratory Services | Does billing occur after services are performed? | Yes: 1 pt | ___/1 |
| | Are the bills for medically necessary services? | Yes: 1 pt | ___/1 |
| | Are the tests ordered by the physician and provided by the hospital laboratory? | Yes: 1 pt | ___/1 |
| | Do the CPT and HCPCS codes accurately describe what was ordered? | Yes: 1 pt | ___/1 |
| | When diagnostic information is obtained after receipt of the request for services, is the information documented and maintained? | Yes: 1 pt | ___/1 |
| | TOTAL POINTS | | ___/5 |
| Physicians at Teaching Hospitals (PATH) | Do the physicians who provide or supervise services provide correct documentation of services? | Yes: 1 pt | ___/1 |
| | Is the appropriate documentation placed in the patient record and signed by the teaching physician? | Yes: 1 pt | ___/1 |
| | Does the physician document their presence during the key portion of the service? | Yes: 2 pts | ___/2 |
| | When the physician provides evaluation and management (E&M) services, does the patient's medical record include the applicable key components of the E&M service provided or supervised? | Yes: 1 pt | ___/1 |
| | TOTAL POINTS | | ___/5 |
| Corporate Governance and Compliance | Is the board of directors educated, informed, and active in major compliance issues? | Yes: 2 pts | ___/2 |
| | Is there an annual risk assessment that is informed by qualitative and quantitative analysis? | Yes: 2 pts | ___/2 |
| | Are major risks monitored and audited? | Yes: 2 pts | ___/2 |
| | Are major risks reported to the executives and board of directors? | Yes: 2 pts | ___/2 |
| | Is there a robust risk remediation process, including new/amended policies and procedures, and solid education and training? | Yes: 2 pts | ___/2 |
| | TOTAL POINTS | | ___/10 |
| Claims Development and Submission | What is the error rate determined by the staff? | <3%: 5 pts; 3-5%: 2 pts | ___/5 |
| | What is the error rate determined by external auditors? | <3%: 4 pts; 3-5%: 2 pts | ___/4 |
| | What is the number of additional documentation requests from payers per month? | <3/month: 3 pts | ___/3 |
| | What is the number of denials by payer per month? | <2 and/or <$10K: 4 pts | ___/4 |
| | What is the number of audit recommendations for claims improvement? | <5/year: 3 pts | ___/4 |
| | TOTAL POINTS | | ___/20 |
| TOTAL SCORECARD POINTS | | | _____/100 |

SCORECARD GUIDE to POINTS:
- 90-100 pts = In good shape
- 80-90 pts = Needs some work
- 70-80 pts = Need some help
- 70 and below = Need lots of help