The Top Risk Areas for Healthcare Organizations in 2019 - November 2018 An article by Sarah A. Cole, CPA, and Scott C. Gerard, CPA - Crowe LLP
The growing complexity of healthcare delivery and financing is creating new risks for hospitals, health systems, physician practices, and other types of provider organizations. Each innovation – whether it’s a new medical technology, a new setting of care, or a new value-based payment mechanism – brings with it unforeseen threats for which traditional internal audit and compliance programs may not be prepared.

Lack of preparation for new risks can cost a healthcare organization money and its reputation at a time when it can least afford to lose either. In a value-based reimbursement environment, every dollar is at risk. If an organization loses that dollar to a compliance problem, it can’t make it up simply by adding a dollar of revenue elsewhere.

Early identification is the best strategy to mitigate those risks. To help with identification, based on what was learned in 2018, Crowe has named the top risk areas facing healthcare organizations in 2019.
Methodology
The determination of top risk areas for healthcare organizations in 2019 is based on the results of risk assessments performed in 2018 for more than 250 Crowe healthcare clients, including hospitals, health systems, physician practices, and other provider organizations.

A “risk area” is defined as anything that might impede the organization’s ability to achieve its goals in critical areas such as patient care, regulatory compliance, operations, strategic growth, and financial performance. A risk area was considered a “top risk area” based on its frequency of inclusion in client risk assessments as well as its perceived potential impact to strategic goal achievement. Twenty-three risk areas met the criteria.

What may be a top risk at one healthcare organization may not be a risk at another, so the top risk areas are not ranked. Instead, they are grouped into five categories in alphabetical order:

• Compliance
• Information technology
• Operations
• Patient care
• Revenue cycle

It is important to note that many of these top risks are multifaceted and may be relevant to more than one of the five categories.
Compliance
340B

Compliance with the 340B Drug Pricing Program remains a top concern for healthcare governance and management. Under the 340B program, eligible entities may take advantage of significant discounts in the cost of outpatient drugs, enabling them to stretch limited funds and provide more comprehensive services to low-income patients and their local communities. The 340B regulatory requirements are numerous and complex, and they often require substantial internal monitoring. Noncompliance can have significant negative financial risks ranging from regulatory penalties and manufacturer repayments to total removal from the 340B program. The numbers of audits by the Health Resources and Services Administration (HRSA) and by drug manufacturers are likely to increase again in the coming year for healthcare organizations. As a result, demand is rising for 340B program assessments and independent audits to proactively identify and resolve potential compliance concerns before an external or regulatory review.

Health Insurance Portability and Accountability Act (HIPAA)

Protected health information may be communicated or stored via paper, oral, or electronic methods. Safeguarding of protected health information in all of its forms is critical to manage regulatory, legal, reputational, and financial risks related to internal and external security threats. Failure to do so could result in civil and criminal penalties on an organizational and individual level. To minimize vulnerability to cyberattacks and privacy breaches, healthcare organizations must implement stringent controls, including risk assessments, state-of-the-art password and authentication methods, activity logging and monitoring, and “minimum necessary” access to electronic protected health information (ePHI) for IT-managed systems and for systems that are managed outside of IT (shadow IT). Healthcare organizations also must design and implement strong HIPAA privacy and security policies and processes to promote compliance and support successful completion of an Office for Civil Rights or other regulatory agency compliance audit.
The top risk areas are presented in alphabetical order first by category and then within each category. They are not ranked.
Nonphysician contracts

Healthcare systems also may face financial, legal, and compliance implications without strong controls over the execution and management of contracts for nonphysician services. Common problem areas in nonphysician contracts include the need for a single, complete, accurate, and secure database of contracts; failure to monitor contract performance and compliance against terms (resulting in legal liability and unnecessary expenses); failure to incorporate preapproved, standardized contract terms within all contracts to safeguard corporate interests; and inefficiencies in the contract negotiation and execution processes that inhibit patient care and business operations.

Pharmacy

Inadequate controls in the area of pharmacy and controlled substances can introduce significant financial, compliance, patient care, and reputational risks. Pharmacists and other healthcare providers share accountability to help prevent and detect prescription drug abuse and diversion, particularly with regard to controlled substances. To help manage the risks in this area and to support national efforts to stem the opioid epidemic, organizations must establish and enforce policies, procedures, standards of practice, and protocols in pharmaceutical prescribing, ordering, dispensing, and administration. In addition, robust inventory methodologies and routine monitoring processes are critical to help detect and address potential diversion activities.

Physician contracts and compensation

Physician contracting and compensation continue to be significant risk areas for healthcare organizations due to the complexity of contracts and compensation models and because of the regulatory risks when relationships and contracts are not carefully negotiated, reviewed, executed, and monitored. Contract review processes are vital to establish relationships and contract provisions that do not violate the Stark Law, anti-kickback laws, or other federal fraud and abuse statutes. Physician performance monitoring is also critical to identify areas where expectations and contract provisions are not being met, and careful review of compensation and bonuses is needed to reduce the potential for overpayments or underpayments and violations of federal statutes.
Information technology
Business continuity and disaster recovery

IT systems must be available and working at all times. To promote continuous availability of systems and the related data, healthcare organizations must have primary and secondary data centers for redundant operations in the event of a disaster or downtime. Each of these primary and alternative processing sites should be ready for use and must have appropriate physical, environmental, and operational controls to promote secure and continued operation when needed. Patient safety, productivity, and revenue could be severely affected if systems and data are not always available.

Cybersecurity

Cybersecurity continues to be a high priority for executive leadership, boards, and audit committees. They want to know how ePHI and other sensitive data are protected and whether system security is strong enough to withstand an internal or external attempt at unauthorized access. A robust cybersecurity program requires strong controls to prevent or minimize computer system security vulnerabilities. This includes user authentication and access controls, data loss prevention programs, network security controls, and data encryption. Also included in the cybersecurity risk area is network-connected biomedical device and internet of things (IoT) risk, which includes aspects of patient safety, HIPAA privacy, and network security risk.

IT governance

IT governance is an important component of corporate governance and is focused on delivering technology services to support business initiatives in a manner that mitigates risk. IT governance is critical to ensuring that the provision of information services is strategically aligned with the business and that adequate resources are made available to support achievement of technology and business goals. In addition, a strong IT governance program must include promoting and monitoring IT compliance with technology-oriented laws and regulations such as HIPAA, the Health Information Technology for Economic and Clinical Health Act, and meaningful use.

Systems access management

A well-designed systems access program and associated user provisioning processes are crucial to secure an organization’s information systems and meet fiduciary and regulatory requirements. Strong controls in this area protect data and systems availability, confidentiality, and integrity by limiting access to information and resources based on the concepts of least privilege and need to know. If systems access processes are poorly designed or incorrectly implemented, ePHI and other sensitive information will be put at risk for inappropriate disclosure or manipulation, potentially resulting in fines and penalties for regulatory noncompliance and damage to the organization’s brand. In addition, without strong access management controls, operating systems and business and clinical applications may be vulnerable to loss or failure due to external or internal manipulation.
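The following is an added example, not code from the Crowe article or from any vendor's product. It shows, in Python, what a minimal access decision point for ePHI looks like when it applies the least-privilege and need-to-know principles from the systems access management passage above together with the "minimum necessary" access and activity logging and monitoring called for in the HIPAA section: each role is limited to the actions its job function needs, clinical access additionally requires an assigned treatment relationship, every decision is logged, and repeated denials can be surfaced for review. The roles, permitted actions, user and patient identifiers, and the denial threshold are constructed assumptions for illustration.

```python
"""Illustrative ePHI access decision point (added example, not the article's code).

Principles demonstrated:
  * least privilege   - each role gets only the actions its job needs
  * need to know      - clinical actions also require a treatment relationship
  * fail closed       - unknown roles or actions are denied
  * activity logging  - every decision is recorded and can be monitored
All roles, users and patient IDs below are constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Tuple

# Role -> permitted actions on ePHI (assumed role model, not a real system's).
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "attending_physician": frozenset({"read_chart", "write_note", "order_medication"}),
    "nurse": frozenset({"read_chart", "write_note"}),
    "billing_clerk": frozenset({"read_demographics"}),
    "it_admin": frozenset(),  # administers infrastructure, no clinical data access
}


@dataclass(frozen=True)
class User:
    user_id: str
    role: str
    assigned_patients: FrozenSet[str]  # patients/accounts this user is assigned to


@dataclass(frozen=True)
class AuditEvent:
    timestamp: str
    user_id: str
    patient_id: str
    action: str
    decision: str  # "ALLOW" or "DENY"
    reason: str


@dataclass
class AccessDecisionPoint:
    audit_log: List[AuditEvent] = field(default_factory=list)

    def authorize(self, user: User, patient_id: str, action: str) -> bool:
        """Evaluate the request, record the decision, and return it."""
        allowed, reason = self._evaluate(user, patient_id, action)
        self.audit_log.append(AuditEvent(
            timestamp=datetime.now(timezone.utc).isoformat(),
            user_id=user.user_id, patient_id=patient_id, action=action,
            decision="ALLOW" if allowed else "DENY", reason=reason))
        return allowed

    @staticmethod
    def _evaluate(user: User, patient_id: str, action: str) -> Tuple[bool, str]:
        permitted = ROLE_PERMISSIONS.get(user.role)
        if permitted is None:
            return False, "unknown role (fail closed)"
        if action not in permitted:  # least privilege
            return False, f"role '{user.role}' is not permitted to '{action}'"
        if patient_id not in user.assigned_patients:  # need to know
            return False, "no assigned relationship with this patient"
        return True, "role permits action and user is assigned to patient"

    def denied_events(self) -> List[AuditEvent]:
        return [e for e in self.audit_log if e.decision == "DENY"]

    def users_with_repeated_denials(self, threshold: int = 3) -> Dict[str, int]:
        """Monitoring hook: users whose denied attempts reach the threshold.

        The threshold is an assumed tuning value; a real program would feed
        these events to its SIEM or review workflow."""
        counts = Counter(e.user_id for e in self.denied_events())
        return {uid: n for uid, n in counts.items() if n >= threshold}


def demo() -> AccessDecisionPoint:
    """Run a few constructed requests and return the populated decision point."""
    pdp = AccessDecisionPoint()
    physician = User("dr_lee", "attending_physician", frozenset({"P100"}))
    nurse = User("rn_kim", "nurse", frozenset({"P100", "P200"}))
    admin = User("admin_oz", "it_admin", frozenset())
    pdp.authorize(physician, "P100", "order_medication")  # allowed
    pdp.authorize(physician, "P200", "read_chart")        # denied: not assigned
    pdp.authorize(nurse, "P200", "order_medication")      # denied: role lacks action
    for _ in range(3):                                    # repeated denials get flagged
        pdp.authorize(admin, "P100", "read_chart")
    return pdp


if __name__ == "__main__":
    for event in demo().audit_log:
        print(event.decision, event.user_id, event.patient_id, event.action, "-", event.reason)
```

Two design choices matter here: the decision point denies when the role or action is unknown rather than falling through to allow, and the log records the reason for every decision, so a reviewer can distinguish a role-design problem (many denials for an action a role legitimately needs) from an access attempt that warrants follow-up.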
Systems implementation

The implementation of electronic health record (EHR) and other critical clinical and business systems poses a significant risk to healthcare organizations. Many operational, clinical, financial, and IT risks can result when systems are not implemented on time, within budget, and using industry standards for design, testing, training, and support. IT risks include lack of security, poor change management, inadequate backup and recovery, improper segregation of duties, insufficient infrastructure to sustain and optimize the EHR systems after implementation, and lack of proper interfaces with other systems.
Operations
Case management

Case management, often referred to as care management, is intended to help patients reach their optimum level of wellness while promoting cost-effective, high-quality outcomes. As such, it affects both clinical and financial aspects of a healthcare organization. Absent strong controls in this area, organizations may see increased readmissions, regulatory noncompliance, and increased denials and billing problems. To minimize these risks, governance and management functions continue to seek insights into ways to optimize processes related to discharge planning, utilization management, validation of medical necessity, and patient status.

Financial performance

Business processes such as accounts payable, accounts receivable, payroll, and financial statement close are a standard part of day-to-day operations for healthcare organizations and generally are well-controlled. However, when significant changes occur in the organization or environment – such as leadership changes, regulatory changes, mergers, or acquisitions – or when new technologies supporting these processes are introduced, financial, fraud, and legal risks may increase. To minimize these risks, healthcare organizations must proactively plan for and manage change through additional process guidance as well as through increased management oversight and timely and regular monitoring processes.
Health information management

Health information management (HIM) is critical to managing compliance and coding risks. To maximize healthcare reimbursement, clinician documentation of patient encounters and services delivered must be timely, complete, and accurate. Effective HIM also is needed to support patient privacy, quality reporting, quality process improvement, and pay-for-performance decisions. EHR systems play an important role as the origination point, secure repository, and vehicle for diagnoses and care documentation. To promote accurate and complete documentation and billing, clinicians must be trained to use EHR functionality to meet documentation requirements. System access must be managed in accordance with job function, and use of copy-and-paste functionality in the EHR must be limited and managed to promote clinical documentation integrity.

Joint ventures

In the healthcare industry, joint ventures (JVs) commonly are leveraged for ambulatory surgery centers, imaging centers, radiation therapy offices, urgent care centers, and real estate investments. Collaborating with insurance payers also is on the rise as healthcare organizations seek to reduce time, cost, and regulatory burdens. JV agreements often result in complex arrangements, including the sharing of revenues and expenses between the entities. This sharing (or splitting) can be difficult to monitor if appropriate processes are not established. In addition, as there is no direct transfer of ownership, organizations typically have varying degrees of oversight for JVs. Risks related to these arrangements center around whether the parties are meeting the terms of contractual agreements and achieving performance and return on investment expectations. In addition, regulatory, IT, and compliance risks must be considered, including compliance with the Stark Law, anti-kickback laws, the False Claims Act, HIPAA, antitrust laws, state insurance regulations, and medical tort liability regulations. Without oversight and monitoring of operational, compliance, and IT controls in these areas, healthcare organizations may be vulnerable to fines and penalties for compliance violations and could suffer reputational and legal damages.

Physician practices

Physician integration continues to be a major area of focus as healthcare organizations work to realize the increased efficiencies and coordination required by healthcare reform. Organizations must develop processes and monitoring to effectively manage physician relationships and contracts. In addition, strong controls need to be implemented and enforced in day-to-day operations such as patient scheduling and registration, patient billing, cash handling, and prescription and medication management. Robust controls in each of these areas are critical to accomplish strategic goals in the areas of quality patient care, patient satisfaction, regulatory compliance, and revenue recognition.
Third-party vendor management

Healthcare organizations routinely use third-party vendors in a variety of important operational, clinical, and technology capacities, usually with the intention of reaping cost savings and operational efficiencies. Third-party vendors often have access to the hospital facility and hospital data as well as direct access to patients. Risks related to use of third parties for core services must be considered carefully before contracts are signed, and they must be managed throughout the vendor relationship. These risks include failure to meet contracted performance requirements, failure to meet the financial terms of the contract, and billing for services not provided. Compliance, patient safety, and regulatory risks are also significant, and failure by third parties to comply with federal, state, and local laws can have immediate and devastating negative financial, legal, and reputational results. This is especially true with regard to weak information systems controls where vendor vulnerabilities may result in a privacy or security breach. A thorough vendor management program with ongoing monitoring of third-party entities is critical to mitigate this risk area.
Patient care
Quality and safety

Ensuring the quality and safety of patient care is inherent to the mission of healthcare providers. Diligent and continuous focus is needed to manage the countless new and evolving patient safety, quality improvement, and reporting initiatives. Healthcare organizations must balance funding and support for these initiatives with other organizational needs and goals. This is particularly difficult in light of the increasing shortage of skilled nursing staff and limited monetary resources, both of which affect quality of care and patient safety outcomes. Management is challenged to aggregate, secure, and use the influx of care data from a wide variety of EHRs, patient care technologies, and care delivery platforms. Failure to do so can have immediate and profound impacts not only on the health and well-being of patients but on the financial, regulatory, and reputational strength of the organization.

Telehealth and telemedicine

Healthcare organizations are rapidly embracing telehealth and telemedicine as a means to improve patient access to healthcare services, reduce or contain the cost of healthcare services, and improve the quality of services provided. In implementing the technologies and processes to support these initiatives, healthcare organizations also must implement strong controls for remote service delivery and supporting technologies. These controls are necessary to address and adhere to clinical standards (provider capabilities, credentialing, standards of care), promote high-quality care, minimize the risk of patient harm, and comply with regulatory requirements for privacy and patient data security.
Revenue cycle
Billing and collections

Management of billing and collections, including accounts receivable, is a core function required to keep revenue streams flowing to fund healthcare operations and initiatives. Healthcare organizations must produce error-free claims that are transmitted in a timely manner to clearinghouses and payers. Failure to produce bills that meet payer requirements can result in costly rework, increased denials, and lost reimbursement. To help manage these risks, many healthcare organizations have outsourced billing and collections functions. While outsourcing can help with standardization of processes, careful management and oversight of third-party provider performance are required to ensure that strategic objectives are being addressed. Risks are related to the completeness and accuracy of billing, lost revenue, inadequate denials management, and lack of visibility into controls at third-party billing and collections providers.

Charge capture

Managing the charge capture process and maintaining a complete and accurate charge description master (CDM) are essential but complex processes for most healthcare organizations. EHRs and other patient care subsystems are the genesis for charge records, which then interface with hospital billing systems and coding systems to create the patient bill. Healthcare providers must establish charges, code medical records, and bill claims in accordance with charging and billing guidance provided by Medicare and other payers. Pricing for services provided must be accurately and completely loaded, and the CDM must be updated periodically, in a controlled manner, for correct pricing. Clinicians must be trained in how to accurately code and document services provided, and management must monitor charge metrics to enable prompt identification and correction of charge issues. Risks of significance relate to the accuracy and completeness of charges, especially where new technology is in use and where high-dollar procedures and services are involved, such as surgery and cardiology.

Coding

Healthcare systems and providers face growing scrutiny of coding and billing in a quickly changing and increasingly complex regulatory environment. The effective evaluation of ICD-10-CM (clinical modification), ICD-10-PCS (procedure coding system), and Current Procedural Terminology/Healthcare Common Procedure Coding System (CPT/HCPCS) coding and billing compliance is a challenge that has significant ramifications from a regulatory standpoint as well as for the bottom line of a healthcare system or provider. Common coding challenges include lack of adequate physician documentation and increased workloads due to the complexity of coding guidelines. In addition, third-party coding vendors require regular monitoring for performance and effectiveness.
Denials management

Denied claims result in expensive rework and often lead to lost reimbursement. Healthcare organizations must have procedures for effective denials management and third-party payer follow-up. These procedures should be interdisciplinary, as denials can be caused by numerous processes in multiple departments. Organizations should have an established process to quantify denials by dollar amount, by number of denials, by root cause, and by entity. Additionally, a payment variance process typically is needed to compare amounts received to expected amounts and to identify and correct errors in payments received from contracted payers. Reports summarizing denials activity should be prepared and reviewed periodically by a denials work group that is focused on prevention and root cause analysis.

Patient access

Controls over patient access functions such as patient scheduling, registration, and admission processes must be rigorous to minimize the risk of billing and patient accounting issues, lost revenue, and poor patient and physician satisfaction. Information gathered during the scheduling, preregistration, and registration processes must be complete and accurate, and processes should include checking medical necessity for outpatient services and providing estimates of cost and patient liability. Third-party payers may require certain services to be authorized in advance or precertified, and failure to obtain required authorizations from payers may result in denial of the claim. In addition, insurance benefits should be verified prior to the date of service or soon after to prevent billing delays, and copayments and coinsurance funds should be collected in advance. Finally, financial counselors should visit all uninsured inpatients prior to discharge to discuss patient liabilities, and they should assist patients in identifying and applying for Medicaid and other assistance programs.
What can be done about the risks?
Healthcare organizations’ resources are limited even as the number of potential risks grows. To cope with the situation, internal audit departments should take the following steps:
• Review the 23 risk areas identified here.
• Discuss which risk areas apply to their organization.
• Prioritize specific risk areas from highest to lowest risk.
• Channel resources to the top 10 risk areas on the list.
By targeting top risk areas, healthcare organizations can reduce unnecessary expenses that eat away at profitability and financial sustainability.
Learn more
Sarah Cole
Partner
+1 314 802 2049
sarah.cole@crowehrc.com
Scott Gerard
Partner
+1 818 325 8457
scott.gerard@crowehrc.com
crowe.com
“Crowe” is the brand name under which the member firms of Crowe Global operate and provide professional services, and those firms together form the Crowe
Global network of independent audit, tax, and consulting firms. “Crowe” may be used to refer to individual firms, to several such firms, or to all firms within
the Crowe Global network. The Crowe Horwath Global Risk Consulting entities, Crowe Healthcare Risk Consulting LLC, and our affiliate in Grand Cayman are
subsidiaries of Crowe LLP. Crowe LLP is an Indiana limited liability partnership and the U.S. member firm of Crowe Global. Services to clients are provided by the
individual member firms of Crowe Global, but Crowe Global itself is a Swiss entity that does not provide services to clients. Each member firm is a separate legal
entity responsible only for its own acts and omissions and not those of any other Crowe Global network firm or other party. Visit www.crowe.com/disclosure for
more information about Crowe LLP, its subsidiaries, and Crowe Global.
The information in this document is not – and is not intended to be – audit, tax, accounting, advisory, risk, performance, consulting, business, financial, investment,
legal, or other professional advice. Some firm services may not be available to attest clients. The information is general in nature, based on existing authorities,
and is subject to change. The information is not a substitute for professional advice or services, and you should consult a qualified professional adviser before
taking any action based on the information. Crowe is not responsible for any loss incurred by any person who relies on the information discussed in this document.
© 2018 Crowe LLP.
HC-19005-017A