What is Risk Management in Healthcare: Strategies, Importance, and Challenges

The average healthcare organization spends nearly $200,000 each year on risk management[1], but what exactly is that spending trying to achieve? From reducing compliance risks to protecting patients, the concept of "risk" can appear extremely broad, making it difficult to understand what "risk management" really means in a healthcare context.

This article addresses that confusion and provides a comprehensive overview of the subject, along with a clear breakdown of the most important risk management categories.

What is Risk Management in Healthcare? 

Risk management is an approach that seeks to identify, assess, and mitigate risks that may impact an organization, ranging from threats to operational integrity to financial security. Rather than responding to incidents as they occur, essentially "putting out fires", a risk management function seeks to understand and remediate vulnerabilities so that incidents are less likely and the organization is better prepared when they do happen.

Why is Risk Management in Healthcare Important? 

While risk management is essential for a wide range of organizations, it has a deeper resonance for healthcare companies: 

  • Heightened Risk: Healthcare is unusually vulnerable to a range of risks. It is the most common target for cybersecurity attacks and faces far more severe repercussions if a vulnerability is exploited. For example, all companies are damaged by operational downtime, but for a healthcare organization, downtime can put patients' lives and safety at risk.
  • Heavy Regulation: Healthcare is among the most heavily regulated industries in the US, placing greater pressure on leaders to manage and mitigate compliance risks.
  • Complex Systems: Healthcare organizations are often far more complex than other companies, with larger vendor networks and complicated IT systems that present a wide range of risks.

These factors make risk management a core part of any effective healthcare organization, and essential to mitigating the wide range of risks it faces.

Types of Risk in Healthcare 

There are numerous forms of risk healthcare leaders should consider in their risk management program. A few of the most common include: 

  • Operational Risks: Vulnerabilities that could lead to core systems being disrupted, potentially causing downtime or delay to patient care. For example, outdated machines may present a risk of sudden failure, which would significantly reduce a hospital's capacity to deliver care.
  • Financial Risks: Threats to the financial security of an organization, including sudden costs or legal fines. For example, poor documentation during billing could create a significant risk that insurance reimbursements will be delayed or even denied, hitting the organization's bottom line.
  • Compliance Risk: Oversight or vulnerability that could lead to non-compliance, such as a failure to implement vital HIPAA safeguards. This could lead to fines, reputational damage, and even jail time, depending on the severity of the error.
  • Cybersecurity Risk: Weaknesses within the IT system that make it easier for a criminal to infiltrate the system and extract patient data. Given that employee errors are responsible for a large proportion of data breaches, a common risk here is a lack of proper security or compliance training.

Given the range of risks covered, it's easy to see how healthcare leaders may struggle to navigate the challenge, especially given the volume of complex advice they receive from official bodies.

How Should Healthcare Organizations Assess Their Risk Levels? 

Keeping track of all the regulatory risks in a healthcare setting is a daunting task. In addition to the myriad laws passed by Congress, agencies such as the Centers for Medicare and Medicaid Services (CMS), the Food and Drug Administration (FDA), and the National Institutes of Health (NIH) promulgate lengthy regulations and frequent transmittals to administer those laws.

The Office of Inspector General (OIG) also issues guidance to warn about certain risks in laws and regulations that are especially prone to vigorous enforcement. The Department of Justice (DoJ) issues press releases about health care providers who have been convicted of crimes. The DoJ also announces, along with OIG, penalties, fines, and Corporate Integrity Agreements (CIAs) imposed on health care providers and related institutions.

All this can be overwhelming, which explains why so many healthcare organizations responded to our Compliance Today article outlining the four key steps in an effective compliance process: risk assessment, risk remediation, risk auditing, and risk response and reporting. If conducted properly, these four steps help provide logic and order in attaining the outcomes desired in the seven elements of an effective hospital risk management program for your company.

How should a healthcare organization keep track of the hundreds of risks prevalent in the regulatory and enforcement environment? What compliance tools should they use? How should they be organized? Are they all equally important? Having worked in OIG and at a consulting firm that has had contact with thousands of health care clients over the past 15 years, we have a suggested solution. 

Analyzing Risk Management

Because tracking hundreds of risks by lining them up in alphabetical or chronological order is not efficient, we first analyzed the risks to determine if they could be grouped in broader categories. These groupings were based on OIG Guidances; the subjects of investigations and CIAs; the areas of overpayments identified by Program Safeguard Contractors (PSCs), and more recently, Recovery Audit Contractors (RACs); and Congressional testimony given by OIG, CMS, FDA, NIH, and others.

We also examined the time periods covered by risks to determine if the risks presented short-term or longer-term vulnerabilities. In addition, we wanted the categories to be broad enough to encompass all the appropriate risks, but not be so broad that any one category would be overwhelming. We felt that the categories should be manageable enough to take to a board meeting and be understood by the vast majority of the board members.

As a result, we have settled on ten broad categories that we think represent all major risk areas, have long-term implications, and are concise enough to present to CEOs and board members. We realize that not all ten categories will be applicable to all facilities. In particular, the Research and Physicians at Teaching Hospitals categories will not apply to all hospitals.

However, they earned their own risk categories due to the many administrative agencies and regulations to which they are subjected. In addition, each category should be tailored to the needs of your specific facility by adding subcategories as exemplified below.

Ten Healthcare Risk Management Program Categories

1. Quality of care

In recent years, CMS, OIG, and DoJ have stated very clearly that they consider quality of care to be a top priority item for evaluation, investigation, and enforcement. OIG may exclude health care entities from participation in federal health care programs if the entity provides unnecessary or substandard items or services.

Hospitals must develop and implement a quality assessment and performance improvement program that will identify patient safety issues and reduce medical errors in hospitals. Subcategories may include: medical necessity, deficient care, practitioner qualifications, and accuracy of quality-reporting data.

2. Anti-kickback and Stark

The Anti-kickback Statute and Stark Law have been consistently and vigorously enforced by OIG and DoJ. A review of CIAs over the years demonstrates the strong presence of these laws in enforcement actions. More recently, physician arrangements have been a prime focus for enforcement.

Violations of the Anti-kickback or Stark Law may lead to a denial or refund of payment, criminal liability, exclusion from federal health care programs, and/or civil monetary penalties. Subcategories may include: physician arrangements, joint ventures, leasing arrangements, physician recruitment, professional courtesy, and safe harbors.

3. Emergency Medical Treatment and Active Labor Act (EMTALA)

OIG reports every 6 months to Congress on actions it has taken to resolve allegations that hospitals have violated EMTALA, also known as the anti-dumping statute. Recently, OIG assessed fines against hospitals for failure to provide an on-call specialist, for failure to provide adequate screening and stabilization, and for failure to provide an appropriate transfer of a patient. Both the hospital and physician may be subject to a civil monetary penalty of up to $50,000 per violation and may be excluded from participation in the Medicare program.

Subcategories may include: stabilization, signage, physician on-call response, transfer, medical screening exam, and medical emergency response to areas outside the hospital buildings and non-clinical areas within the hospital.

4. Cost reports

Cost reports are reviewed to determine the adequacy and completeness, and the accuracy and reasonableness of the data recorded.

In its ongoing auditing of healthcare cost reports, OIG has identified numerous instances where unallowable costs were included on hospital cost reports. Misrepresentation or falsification of any information in a cost report is punishable by criminal, civil, and administrative actions, fines and/or imprisonment. Subcategories may include: bad debts, credit balances, wage indices, discounts, and disproportionate share hospital.

5. Claims development and submission

Perhaps the single biggest risk area for many healthcare organizations is the preparation and submission of claims or other requests for payment from the federal healthcare programs.

Specific areas of concern to OIG include: inaccurate or incorrect coding; duplicate billing; incorrect procedure coding; improper billing for observation services; incorrect claims due to outdated Charge Description Masters; abuse of partial hospitalization payments; abuse of Diagnosis-Related Group (DRG) outlier payments; improper claims for clinical trials; and improper claims for cardiac rehabilitation services.

These are just a few of the many vulnerabilities that, if not properly addressed, can result in fines, penalties, and Corporate Integrity Agreements. General subcategories may include: billing, coding, admissions and discharges, Charge Description Master, Advanced Beneficiary Notice, and medical records. Specific subcategories may include: evaluation and management; outpatient observation services; three-day stays; and incident-to services.

6. Laboratory services

Laboratory services could be included in the Claims development and submission category, but they earned their own risk category due to the many different regulatory agencies to which they are subject. In addition to OIG and CMS, a laboratory must comply with FDA, CDC, and OSHA regulations.

Claims submission, particularly unbundling, is only one part of the risks encountered in the laboratory environment. Subcategories may include: documentation, lab requisition forms, standing orders, physician notification, customized profiles, and lab administration.

7. HIPAA privacy and security

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) addresses two areas of protection for individuals' health information: privacy and security. These are vital areas to be addressed in a myriad of daily actions occurring in a health facility.

The movement to electronic health records (EHR) has helped to mitigate some HIPAA risks, but it also presented new problems. Recent actions by federal regulators indicate that HIPAA will be enforced more actively in the days to come. Subcategories may include: privacy, security, information technology, and documentation.

8. Physicians at Teaching Hospitals

The Physicians at Teaching Hospitals (PATH) initiative focuses on compliance with federal regulations that govern reimbursement to physicians at teaching hospitals. The specific objectives of the PATH audit initiative are to verify compliance with the Medicare rules that govern payment for physician services provided by residents and interns, and to ensure that all claims for physician services accurately reflect the level of service provided to the patient.

Submitting claims to government health care programs for resident and intern services that were not properly supervised can lead to criminal and/or civil penalties under the False Claims Act. Subcategories may include: billing, documentation, education, and oversight.

9. Research

Medicare covers the routine costs of qualified clinical trials as well as reasonable and necessary items, tools, and services used to diagnose and treat complications arising from participation in clinical trials.

Hospitals that participate in clinical trials should review the requirements for submitting claims for patients who participate in clinical trials. In addition, informed consent regulations require clinical investigators to obtain legally effective informed consent in an appropriate manner from the subject or the subject's legally authorized representative before initiating a clinical trial using human research subjects. Time and effort reporting, financial conflict of interest, researcher misconduct, and proper cost allocation are some of the other risk areas in research activities.

Subcategories may include: time and effort reporting; financial support from other sources; principal investigator conflict of interests; patent, trademark, and copyright under federal funds; human subjects research; and animal subjects research.

10. Compliance program effectiveness

Hospitals with an organizational culture that values compliance are more likely to have effective compliance programs and will be able to better prevent, detect, and correct fraud, waste, and abuse, while at the same time furthering the fundamental mission of all hospitals: providing quality care to the patients.

Compliance programs should effectively articulate and demonstrate the organization's commitment to the compliance process. The annual risk assessment should include an assessment of the compliance program itself. Subcategories may include: compliance officer, corporate compliance, and board oversight; written standards of conduct; policies and procedures; training; enforcement; auditing and monitoring; and investigation and remediation. It is critical to establish a functional and inclusive yet simple framework to successfully manage the hundreds of risk areas prevalent in the current compliance environment.

Conclusion: Using the Ten Categories to Improve Healthcare Risk Management 

With an ever-growing digital attack surface and growing regulatory scrutiny, many healthcare organizations feel overwhelmed trying to manage their risk exposure. But the ten categories outlined here provide a clear and reliable framework to work through your most urgent threats.

Whether you are preparing for a government audit by a RAC, Medicare-affiliated contractor (MAC), or Zone Program Integrity Contractor (ZPIC), or conducting your annual internal assessment, these ten categories and their respective subcategories, used correctly, should guide you through:

  • Risk assessment
  • Risk remediation
  • Risk monitoring and auditing
  • Risk response and reporting

These steps will ensure you have covered all aspects of risk, keeping both your patients and your organization safe.