Healthcare Risk Management: Ten Risk Categories for the Four-Step Process

From cybersecurity and regulatory changes to workforce shortages that make it harder for hospitals to fulfil their staffing needs, the healthcare industry faces a wide range of threats. This helps explain why the average organization reportedly spends nearly $200,000 each year on risk management operations.

It also explains why so many healthcare organizations responded to our Compliance Today article outlining the four key steps in an effective compliance process: risk assessment, risk remediation, risk auditing, and risk response and reporting. If conducted properly, these four steps can help provide logic and order in attaining the outcomes desired in the seven elements of an effective hospital risk management program for your company.

But many have asked for further details on the process: what is the content in the four steps? What risks do we have to consider and examine? What risks do we need to take to the CEO and the board? How do we keep track of all the risks while proceeding with the four steps in the compliance plan?

The purpose of this article is to address those questions and help healthcare organizations elevate their risk management programs in 2024 and beyond.

The Basics of Healthcare Risk Management

Keeping track of all the regulatory risks in a hospital setting is a daunting task. In addition to the myriad of laws passed by Congress, agencies such as the Centers for Medicare and Medicaid Services (CMS), the Food and Drug Administration (FDA), and the National Institutes of Health (NIH) promulgate lengthy regulations and frequent transmittals to administer those laws.

The Office of Inspector General (OIG) also issues guidance to warn about certain risks in laws and regulations that are especially prone to vigorous enforcement. The Department of Justice (DoJ) issues press releases about health care providers who have been convicted of crimes. The DoJ also announces, along with OIG, penalties, fines, and Corporate Integrity Agreements (CIAs) imposed on health care providers and related institutions.

How should a hospital keep track of the hundreds of risks prevalent in the regulatory and enforcement environment? What compliance tools should they use? How should they be organized? Are they all equally important? Having worked in OIG and at a consulting firm that has had contact with thousands of health care clients over the past 15 years, we have a suggested solution.

Analyzing Risk Management

Because tracking hundreds of risks by lining them up in alphabetical or chronological order is not efficient, we first analyzed the risks to determine if they could be grouped in broader categories. These groupings were based on OIG Guidances; the subjects of investigations and CIAs; the areas of overpayments identified by Program Safeguard Contractors (PSCs), and more recently, Recovery Audit Contractors (RACs); and Congressional testimony given by OIG, CMS, FDA, NIH, and others.

We also examined the time periods covered by risks to determine if the risks presented short-term or longer-term vulnerabilities. In addition, we wanted the categories to be broad enough to encompass all the appropriate risks, but not be so broad that any one category would be overwhelming. We felt that the categories should be manageable enough to take to a board meeting and be understood by the vast majority of the board members.

As a result, we have settled on ten broad categories that we think represent all major risk areas, have long-term implications, and are concise enough to present to CEOs and board members. We realize that not all ten categories will be applicable to all facilities. In particular, the Research and Physicians at Teaching Hospitals categories will not apply to all hospitals.

However, they earned their own risk categories due to the many administrative agencies and regulations to which they are subjected. In addition, each category should be tailored to the needs of your specific facility by adding subcategories as exemplified below.

Ten Healthcare Risk Management Program Categories

1. Quality of care

In recent years, CMS, OIG, and DoJ have stated very clearly that they consider quality of care to be a top priority item for evaluation, investigation, and enforcement. OIG may exclude health care entities from participation in federal health care programs if the entity provides unnecessary or substandard items or services.

Hospitals must develop and implement a quality assessment and performance improvement program that will identify patient safety issues and reduce medical errors in hospitals. Subcategories may include: medical necessity, deficient care, practitioner qualifications, and accuracy of quality-reporting data.

2. Anti-kickback and Stark

The Anti-kickback Statute and Stark Law have been consistently and vigorously enforced by OIG and DoJ. A review of CIAs over the years demonstrates the strong presence of these laws in enforcement actions. More recently, physician arrangements have been a prime focus for enforcement.

Violations of the Anti-kickback or Stark Law may lead to a denial or refund of payment, criminal liability, exclusion from federal health care programs, and/or civil monetary penalties. Subcategories may include: physician arrangements, joint ventures, leasing arrangements, physician recruitment, professional courtesy, and safe harbors.

3. Emergency Medical Treatment and Active Labor Act (EMTALA)

OIG reports every 6 months to Congress on actions it has taken to resolve allegations that hospitals have violated EMTALA, also known as the anti-dumping statute. Recently, OIG assessed fines against hospitals for failure to provide an on-call specialist, for failure to provide adequate screening and stabilization, and for failure to provide an appropriate transfer of a patient. Both the hospital and physician may be subject to a civil monetary penalty of up to $50,000 per violation and may be excluded from participation in the Medicare program.

Subcategories may include: stabilization, signage, physician on-call response, transfer, medical screening exam, and medical emergency response to areas outside the hospital buildings and non-clinical areas within the hospital.

4. Cost reports

Cost reports are reviewed to determine the adequacy, completeness, accuracy, and reasonableness of the data recorded.

In its ongoing auditing of hospital cost reports, OIG has identified numerous instances where unallowable costs were included on hospital cost reports. Misrepresentation or falsification of any information in a cost report is punishable by criminal, civil, and administrative actions, fines and/or imprisonment. Subcategories may include: bad debts, credit balances, wage indices, discounts, and disproportionate share hospital.

5. Claims development and submission

Perhaps the single biggest risk area for hospitals is the preparation and submission of claims or other requests for payment from the federal health care programs.

Specific areas of concern to OIG include: inaccurate or incorrect coding; duplicate billing; incorrect procedure coding; improper billing for observation services; incorrect claims due to outdated Charge Description Masters; abuse of partial hospitalization payments; abuse of Diagnosis-Related Group (DRG) outlier payments; improper claims for clinical trials; and improper claims for cardiac rehabilitation services.

These are just a few of the many vulnerabilities that, if not properly addressed, can result in fines, penalties, and Corporate Integrity Agreements. General subcategories may include: billing, coding, admissions and discharges, Charge Description Master, Advanced Beneficiary Notice, and medical records. Specific subcategories may include: evaluation and management; outpatient observation services; three-day stays; and incident-to services.

6. Laboratory services

Laboratory services could be included in the Claims development and submission category, but they earned their own risk category due to the many different regulatory agencies to which they are subject. In addition to OIG and CMS, a laboratory must comply with FDA, CDC, and OSHA regulations.

Claims submission, particularly unbundling, is only one part of the risks encountered in the laboratory environment. Subcategories may include: documentation, lab requisition forms, standing orders, physician notification, customized profiles, and lab administration.

7. HIPAA privacy and security

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) addresses two areas of protection for individuals' health information: privacy and security. These are vital areas to be addressed in a myriad of daily actions occurring in a health facility.

The movement to electronic health records (EHR) has helped to mitigate some HIPAA risks, but it has also presented new problems. Recent actions by federal regulators indicate that HIPAA will be enforced more actively in the days to come. Subcategories may include: privacy, security, information technology, and documentation.

8. Physicians at Teaching Hospitals

The Physicians at Teaching Hospitals (PATH) initiative focuses on compliance with federal regulations that govern reimbursement to physicians at teaching hospitals. The specific objectives of the PATH audit initiative are to verify compliance with the Medicare rules that govern payment for physician services provided by residents and interns, and to ensure that all claims for physician services accurately reflect the level of service provided to the patient.

Submitting claims to government health care programs for resident and intern services that were not properly supervised can lead to criminal and/or civil penalties under the False Claims Act. Subcategories may include: billing, documentation, education, and oversight.

9. Research

Medicare covers the routine costs of qualified clinical trials as well as reasonable and necessary items, tools, and services used to diagnose and treat complications arising from participation in clinical trials.

Hospitals that participate in clinical trials should review the requirements for submitting claims for patients who participate in clinical trials. In addition, informed consent regulations require clinical investigators to obtain legally effective informed consent in an appropriate manner from the subject or the subject's legally authorized representative before initiating a clinical trial using human research subjects. Time and effort reporting, financial conflict of interest, researcher misconduct, and proper cost allocation are some of the other risk areas in research activities.

Subcategories may include: time and effort reporting; financial support from other sources; principal investigator conflict of interests; patent, trademark, and copyright under federal funds; human subjects research; and animal subjects research.

10. Compliance program effectiveness

Hospitals with an organizational culture that values compliance are more likely to have effective compliance programs and will be able to better prevent, detect, and correct fraud, waste, and abuse, while at the same time furthering the fundamental mission of all hospitals: providing quality care to the patients.

Compliance programs should effectively articulate and demonstrate the organization's commitment to the compliance process. The annual risk assessment should include an assessment of the compliance program itself. Subcategories may include: compliance officer, corporate compliance, and board oversight; written standards of conduct; policies and procedures; training; enforcement; auditing and monitoring; and investigation and remediation. It is critical to establish a functional and inclusive yet simple framework to successfully manage the hundreds of risk areas prevalent in the current compliance environment.

Conclusion: Using the Ten Categories to Improve Healthcare Risk Management

With an ever-growing digital attack surface and growing regulatory scrutiny, many healthcare organizations feel overwhelmed trying to manage their risk exposure. But the ten categories outlined here provide a clear and reliable framework to work through your most urgent threats.

Whether you are preparing for a government audit by a RAC, Medicare-affiliated contractor (MAC), or Zone Program Integrity Contractor (ZPIC), or conducting your annual internal assessment, the correct use of these ten categories and their respective subcategories should guide you through:

  • Risk assessment
  • Risk remediation
  • Risk monitoring and auditing
  • Risk response and reporting

These steps will ensure you are across all aspects of risk, and keep both your patients and organization safe.