Healthcare organizations are constantly faced with difficult decisions about how to prioritize their time, energy, and resources in order to avoid unnecessary risk exposure. To manage this environment of increasing risks and limited resources, healthcare internal audit departments must align their risk assessments and subsequent internal audit plans to the areas most critical to achieving organizations’ strategic goals and business objectives, as well as maintaining compliance with critical regulatory and other requirements. This risk-based approach prioritizes the most critical risk areas while recommending that less effort, if any, be applied to low-risk areas. The greater the alignment between an organization’s internal audit plan and its most critical risks, the greater the return on risk achieved for its internal audit investment.
Even as we approached 2020, healthcare organizations’ internal audit resources were already stretched thin, despite the fact that the industry had grown more complex and the number of significant risks had increased over the previous decade. When the United States was hit by the COVID-19 pandemic in early 2020, the delicate balance between an increasing number of risks and the level of internal audit resources became even more difficult. Although the industry had been preparing for natural disasters, terrorist attacks, and other events that could result in a large influx of patients, the COVID-19 pandemic has quickly caused major shifts in the healthcare industry, resulting in new and significant risks that had not previously been considered.
A healthcare organization’s failure to prepare for new risks can cost it money and its reputation at a time when it can least afford to lose either. The best way to achieve a return on risk is to thoroughly understand the organization’s operations and strategic direction, as well as identify current and emerging risks. Crowe has identified the top risks confronting healthcare organizations in 2020 to assist with this. The list was compiled with the help of executive management and board members from some of the country’s largest health systems, as well as data compiled from risk assessments conducted at more than 250 hospital clients in 2019. The Crowe article “5 COVID-19 Emerging Risks for Healthcare Organizations” identifies significant risk areas that have emerged as a result of the COVID-19 pandemic, in addition to risks identified as part of the 2019 assessment process.
Because of the rapidly increasing use of technology and the formation of complex partnerships and vendor relationships throughout the healthcare industry, what is a top risk at one healthcare organization may not be a top risk or even relevant at another; thus, the risks have not been ranked.
Cybersecurity
As the use of technology in patient care and communication grows, cybersecurity remains a top priority for healthcare executives, audit committees, and boards. Well-established cybersecurity program guidance (the NIST Cybersecurity Framework's identify, protect, detect, respond, and recover functions are the usual reference point) focuses on identifying information assets and the cyber risks to them, implementing protective controls, detecting and responding to security threats, and recovering from incidents. Regulations and a steady stream of breach reports have demonstrated the importance of cybersecurity to healthcare organizations, and many have performed the necessary risk assessment activities and implemented robust preventive controls.
While healthcare organizations continue to improve their ability to identify and protect physical, intellectual, and data assets, a lack of preparedness for detecting and responding to cyberthreats persists. Detection requires sustained investment in people and tooling to monitor networked systems, which strains IT and security budgets that are already stretched thin. The healthcare industry also has to plan for two overlapping kinds of event: security incidents such as ransomware and distributed denial of service (DDoS), and the privacy violations and unauthorized access to protected health information that the Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to investigate and, where they amount to a breach, report. Detection logic and incident response plans have to cover both. Walk-throughs of response plans, tabletop exercises, and disaster recovery tests require coordination and time from clinical, legal, communications, and other groups outside IT. The heavy use of mobile devices, cloud services, and network-connected biomedical devices in healthcare makes it hard to monitor every system, and many biomedical devices cannot run an endpoint agent at all, so their monitoring has to rely on network telemetry. The cost of building, maintaining, and continually improving detection and response capabilities is easy to underestimate. Security incidents are unavoidable, and leadership increasingly recognizes that strong detective and corrective processes and controls must supplement the protective controls already in place.
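The paragraph above calls for detective controls without describing one. As an added example (not from the Crowe article and not a product of any vendor it names), the script below runs a simple ransomware-behaviour rule over constructed file-activity log lines: a single process on a host writing or renaming more than a threshold of files to an extension outside an assumed allowlist, across more than one directory, within a short sliding window. The log format, hostnames, paths, the `.lockd` extension, the allowlist, and the thresholds are all assumptions chosen for illustration; real EDR or file-audit telemetry has its own schema and would feed the same logic.

```python
"""Ransomware mass-rename detector over constructed file-activity logs.

Added example, not part of the Crowe article. Log format, hostnames, paths,
the ".lockd" extension, the extension allowlist and the thresholds are all
assumptions chosen for illustration.
"""
import ntpath
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed allowlist: extensions this environment legitimately produces.
KNOWN_EXTENSIONS = {".dcm", ".docx", ".xlsx", ".pdf", ".txt", ".hl7", ".csv",
                    ".jpg", ".tmp", ".bak", ".log"}

# Assumed line format: "<ISO time> host=<h> proc=<exe> action=<write|rename> path=<p>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) "
    r"action=(?P<action>\S+) path=(?P<path>.+)$"
)

# Constructed sample log (not real telemetry): a benign imaging backup batch,
# a normal document save, then a burst of renames to ".lockd" on a nurse
# workstation and a mapped share, followed by one straggler 30 minutes later.
SAMPLE_LOG = r"""
2020-04-01T02:10:00 host=WS-RAD-07 proc=backup.exe action=write path=D:\backup\img001.dcm
2020-04-01T02:10:01 host=WS-RAD-07 proc=backup.exe action=write path=D:\backup\img002.dcm
2020-04-01T02:10:02 host=WS-RAD-07 proc=backup.exe action=write path=D:\backup\img003.dcm
2020-04-01T02:10:03 host=WS-RAD-07 proc=backup.exe action=write path=D:\backup\img004.dcm
2020-04-01T02:10:04 host=WS-RAD-07 proc=backup.exe action=write path=D:\backup\img005.dcm
2020-04-01T02:15:30 host=WS-NURSE-03 proc=winword.exe action=write path=C:\Users\rn\Documents\shift.docx
2020-04-01T02:31:00 host=WS-NURSE-03 proc=svchost.exe action=rename path=C:\Users\rn\Documents\shift.docx.lockd
2020-04-01T02:31:02 host=WS-NURSE-03 proc=svchost.exe action=rename path=C:\Users\rn\Documents\meds.xlsx.lockd
2020-04-01T02:31:04 host=WS-NURSE-03 proc=svchost.exe action=rename path=C:\Users\rn\Desktop\handoff.pdf.lockd
2020-04-01T02:31:05 host=WS-NURSE-03 proc=svchost.exe action=rename path=S:\Unit4\census.csv.lockd
2020-04-01T02:31:07 host=WS-NURSE-03 proc=svchost.exe action=rename path=S:\Unit4\labs\cbc.hl7.lockd
2020-04-01T02:31:09 host=WS-NURSE-03 proc=svchost.exe action=rename path=S:\Unit4\labs\bmp.hl7.lockd
2020-04-01T03:02:00 host=WS-NURSE-03 proc=svchost.exe action=rename path=S:\Unit4\labs\late.hl7.lockd
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for blank/malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = m["path"]
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "host": m["host"],
        "proc": m["proc"],
        "action": m["action"],
        "ext": ntpath.splitext(path)[1].lower(),
        "dir": ntpath.dirname(path).lower(),
    }


def detect_mass_rename(lines, window_seconds=60, min_files=5, min_dirs=2):
    """Return one alert per (host, process, extension) that writes or renames
    at least `min_files` files to an extension outside KNOWN_EXTENSIONS, in at
    least `min_dirs` directories, within a sliding `window_seconds` window."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # (host, proc, ext) -> deque of (ts, dir)
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["action"] not in ("write", "rename"):
            continue
        if ev["ext"] in KNOWN_EXTENSIONS:
            continue  # expected file type; not the behaviour we are hunting
        key = (ev["host"], ev["proc"], ev["ext"])
        q = recent[key]
        q.append((ev["ts"], ev["dir"]))
        while ev["ts"] - q[0][0] > window:  # drop events outside the window
            q.popleft()
        dirs = {d for _, d in q}
        if len(q) >= min_files and len(dirs) >= min_dirs and key not in alerted:
            alerted.add(key)
            alerts.append({
                "host": ev["host"], "proc": ev["proc"], "ext": ev["ext"],
                "files": len(q), "dirs": len(dirs),
                "first_seen": q[0][0].isoformat(), "last_seen": ev["ts"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_mass_rename(SAMPLE_LOG.splitlines()):
        print(f"ALERT {a['host']} {a['proc']} -> {a['ext']}: "
              f"{a['files']} files in {a['dirs']} dirs, {a['first_seen']}..{a['last_seen']}")
```

The benign backup batch never fires because `.dcm` is on the allowlist, which is also the main tuning point: a new clinical application that writes an unfamiliar extension will show up as noise until it is added. The straggler at 03:02 falls outside the window and is ignored, so the rule is deliberately blind to slow, low-volume encryption; pairing it with a per-host file-entropy check or canary files is the usual next step. An alert from a rule like this is only the detective half of what the text asks for; the corrective half is the response plan it triggers (isolating the host, revoking its access to the mapped share), which is what the tabletop exercises are meant to rehearse.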
Quality
Many commercial payers are following the lead of government payers and reimbursing based on quality, as more payment models shift from volume to value. Federal and state regulators have mandated that organizations publicly report quality metrics and have linked quality to reimbursement through incentives, payment reductions, and penalties. Healthcare organizations that lack processes to provide and improve quality care face worse patient outcomes, higher cost of care, reputational harm, and weaker financial performance through pay-for-performance penalties.
The COVID-19 pandemic has highlighted the importance of having strong processes and contingency plans in place to maintain quality performance during disasters. Healthcare organizations, for example, must consider how they will staff quality functions and other administrative responsibilities during an emergency, how they will deliver consistent application of important nurse-driven protocols (such as Foley catheter removal), and how they will address scope-of-practice issues as staff is redirected to other duties.
Physician alignment and integration
Physician alignment risks have risen in recent years as more physicians leave private practice. As healthcare organizations contract with an increasing number of physicians, it is critical that they ensure that expectations and contract provisions are appropriate and are being followed without violating federal fraud and abuse statutes (for example, the Stark Law and the Anti-Kickback Statute). In addition, health systems are increasingly absorbing the operational and compliance risks associated with physician practice management, such as patient scheduling and registration, patient billing, cash handling, prescription and medication management, coding, human resource management, and information systems administration. The geographic dispersion of physician practices adds to the challenge; many are remote from the hospital campuses with which they are associated and, as a result, may fall outside the day-to-day scope of oversight functions such as compliance, IT security, and patient safety.
The most critical integration risks, on the other hand, are strategic and long-term: physician alignment and engagement. Healthcare reform and new payment models require increased efficiencies and coordination, which cannot be contracted into existence. Physician leadership is critical for improving patient care, managing health-care costs, and competing successfully in the arena of patient consumerism and satisfaction. Clinical champions must be identified and empowered to respond to emerging clinical risks, such as pandemics and the national opioid epidemic. Due to increased workloads, loss of control, and ever-changing administrative requirements, the engagement required for such leadership is constantly threatened by clinician burnout.
Patient safety
Failures in patient safety may result in preventable injury, illness, or death, as well as high litigation costs, increased liability, and reputational damage for facilities and health systems. Patient safety risks are inherent in almost every clinical process, including emergency preparedness; medical device cleaning, disinfection, and sterilization; communication of critical lab results; and recognition of behavioral health needs. As healthcare's reliance on technology and automation grows, ineffective implementation of these solutions may exacerbate many patient safety risks. Alarm management, for example, becomes a greater risk as complex algorithms alert healthcare workers, with varying degrees of accuracy, to the possibility of sepsis or infection. Effective collaboration and communication among providers, healthcare workers, and patients, as well as strong alignment of clinical processes and technology with evidence-based practices, must be balanced against limited resources and day-to-day patient care priorities.
Pharmacy
Few areas of healthcare are more closely linked to patient safety, cost management, compliance, and community health risk than pharmacy. Pharmacists and providers play an important role in preventing and detecting drug abuse and the diversion of controlled substances. Managing these risks is a collaborative effort that requires a thorough understanding of Drug Enforcement Administration and state pharmacy board regulations. Patients may be harmed if physician prescribing patterns and drug interactions are not monitored. The growing resistance of many diseases to antibiotics is another area of patient safety and community health risk; it has developed as a result of overuse and noncompliance with evidence-based prescribing practices. Health systems should deploy tools to monitor both hospital-administered drugs and those prescribed to patients.
The 340B Drug Pricing Program is a complex federal program that provides access to affordable drugs to society’s most vulnerable members. Internal monitoring and inventory tracking are essential for this program. Noncompliance with 340B Program requirements can result in financial risks such as manufacturer repayment and exclusion from the 340B Program (which could result in the loss of millions of dollars of annual cost savings). To ensure that program rules are followed, health systems should obtain program assessments and have independent audits performed.
Transparency in pricing
While previous federal and state legislation addressed consumer healthcare price transparency, a new Centers for Medicare & Medicaid Services (CMS) rule published on November 27, 2019, makes hospital requirements more stringent. The final rule "Price Transparency Requirements for Hospitals to Make Standard Charges Public" (84 Fed. Reg. 65524) takes effect on January 1, 2021. Under the final rule, hospitals must capture and publicly disclose significant amounts of information, including gross charges, payer-specific negotiated rates, and cash prices for the many inpatient and outpatient items and services offered by each hospital, along with the corresponding Healthcare Common Procedure Coding System codes. Furthermore, the final rule requires a consumer-friendly display of shoppable services (services that a consumer can schedule in advance, such as a knee replacement).
Obtaining and disseminating this information will be difficult and will necessitate diligence and collaboration. Hospitals may need to redesign their current data collection processes, as effective data management and retrieval will be critical to meeting deadlines. According to CMS, one cause of rising healthcare costs is a lack of price transparency, and greater transparency is expected to encourage choice and competition, lowering prices. CMS now has the authority to monitor, audit, and mandate corrective action plans under the final rule. Compliance with price transparency requirements poses a new reputational risk to hospitals, as CMS has the authority to levy – and publicize – civil monetary penalties of $300 per day for noncompliance.
Preparedness for an emergency
The risk of healthcare providers being unprepared in the event of a natural or man-made disaster resulting in a large influx of patients has previously been significant, but it has gained attention as healthcare organizations around the world work to address the COVID-19 pandemic. CMS announced in March 2020 that it would be issuing temporary new rules and waivers of federal requirements to ensure that healthcare organizations would be able to absorb and treat surges of COVID-19 patients. Previously, CMS issued an emergency preparedness final rule in September 2016, requiring healthcare providers to have an emergency plan based on a risk assessment, supporting policies and procedures, a communication plan that includes coordination with state and local health departments, and a training and testing program that includes drills at least once a year. In addition to not being able to adequately care for existing and new patients or protect staff, the risks to healthcare organizations of being unprepared for emergencies and disasters include deficiencies in meeting CMS Conditions of Participation (which could eventually result in program termination) and fines.
Management of third-party vendors
Healthcare organizations frequently rely on third-party vendors to enable mission-critical services, which exposes them to additional risks. Because third-party vendors frequently have access to hospital facilities and data, as well as direct access to patients, the risks to patient safety, privacy and security, and regulatory compliance can be significant. A third party's failure to comply with federal, state, and local laws can have immediate and devastating financial, legal, and reputational consequences for the organization that engaged it. Risks associated with using third-party vendors for core services must be carefully considered before contracts are signed, and they must be managed throughout the vendor relationship. Mitigating these risks requires a thorough vendor management program with ongoing monitoring of third parties, including pricing compliance, quality of service, background checks on vendor employees, and IT security.
Case management
Acute care case management promotes safe, cost-effective, patient-centered strategies to deliver the appropriate level of care, from hospital admission to safe transition to a lower level of care, in accordance with the Medicare Conditions of Participation (CoP). Attention to new requirements is critical to avoid the risk of noncompliance. Under the recently updated CoP at 42 CFR 482.43, "Discharge Planning," for patients discharged home and referred for home health agency (HHA) services, or for patients transferred to a skilled nursing facility (SNF), inpatient rehabilitation facility (IRF), or long-term acute care hospital (LTCH), the hospital must include in the discharge plan a list of HHAs, SNFs, IRFs, or LTCHs in the geographic area requested by the patient. Furthermore, the hospital must provide the patient with quality and resource use measures to help the patient choose the post-acute care (PAC) provider best suited to his or her care goals and preferences (the detailed information-sharing portion of the CoP). Relevant medical information and treatment goals must also be provided to the PAC provider, which can be difficult when the hospital's and the PAC provider's systems are not interoperable. A shortage of PAC providers can also hamper the hospital's ability to transition patients for post-acute follow-up.
Although CMS issued a blanket waiver of the detailed information-sharing requirements through the end of the COVID-19 emergency declaration, the waiver does not apply to the requirement to discharge patients to an appropriate setting with the necessary medical information and goals of care. Furthermore, hospitals should plan to implement and monitor compliance with the detailed information-sharing requirements upon return to normal operations.
Joint venture management and oversight
In recent years, health system growth has been defined through partnership and affiliation in the delivery of services. Joint venture relationships commonly are used as financial vehicles to operate across an expanded spectrum of care, obtain access to improved technology, and serve a greater community. While many people look at joint ventures from a financial perspective, risks in this area are not just financial but also related to all aspects of patient care, digital security, compliance, and reputation. Joint venture arrangements have become increasingly complex in sharing of revenues and expenses; achieving performance and return on investment; and complying with a broad spectrum of regulations, including HIPAA, Stark Law, antitrust, and the False Claims Act.
The owners of a joint venture should implement adequate oversight processes at both the owner level and the joint venture level. Additionally, joint ventures should maintain effective monitoring controls such as having a board of directors with broad business, technology, and clinical expertise; a compliance program; and an internal audit function. Without these, healthcare organizations are vulnerable to financial loss, fines and penalties for compliance violations, failure to achieve and sustain growth goals, and significant reputational and legal damages.
Quality payment program
With payment adjustments from the first Medicare Quality Payment Program performance year having taken effect in 2019, the risk of negative payment adjustments is now real, growing, and ongoing. Physicians who avoided the initial unpredictability by participating in Medicare Advanced Alternative Payment Models are now bracing for their own volatility under post-2024 Quality Payment Program adjustments.
All providers face the distinct risk that revenue is being left on the table because of bad data. Electronic health records could be aggregating or submitting data incorrectly, or current documentation practices might not “check the right boxes” to establish credit for quality metrics achieved. Good data also could be accurately reflecting bad or deteriorating performance. However, the financial impact of Medicare payment adjustments could be less significant than the reputation risks if providers are not keeping pace with competitors. Health systems must have strong processes to verify that quality measure reporting is complete and accurate. Even more challenging, health systems must measure, monitor, and improve upon the right measures.
Telemedicine
As the threat of COVID-19 expanded, telehealth and telemedicine evolved from an optional convenience to an absolute necessity in the span of a few weeks. This shift left health systems scrambling to rapidly expand existing platforms or build out new ones in order to continue treating patients. In implementing the technologies and processes to support these initiatives, healthcare organizations also must implement strong controls for remote service delivery and the supporting technologies. These controls are necessary to adhere to clinical standards (such as provider capabilities, credentialing, and standards of care), promote high-quality care, minimize the risk of patient harm, and comply with regulatory requirements for privacy and patient data security.
Revenue cycle improvement
More and more, healthcare organizations are turning to third parties and automated solutions to achieve revenue cycle improvements. However, increased revenue cycle outsourcing and automation can introduce additional risks if transparency in revenue cycle performance is reduced or if poor manual processes are hardwired into automated ones. In addition, hospitals that fully outsource their revenue cycle function might not be getting much of a financial benefit. Organizations cannot adopt a “set it and forget it” mentality. Robust monitoring is crucial for success with outsourced and automated functions, as it will help to identify gaps and risks in workflow processes. Monitoring also provides transparency in end-to-end revenue cycle management and allows communication across the entire revenue cycle. Some areas in which monitoring is especially important include:
Clinical documentation improvement, where outsourced and automated processes might not accurately direct resources to the greatest opportunities
Utilization management, where ineffective work queue automation might cause patient accounts to fall through the cracks
Emergency department (ED) coding, where organizations might not always have visibility into the logic used to assign ED levels
Government and politics
Since the beginning of the COVID-19 pandemic, the regulatory environment has moved faster than ever before, with $175 billion available to healthcare entities under the CARES Act and subsequent legislation, and with fund distribution based on multiple factors including lost revenues, expenses related to COVID-19, net patient revenues, rural location, and low-income populations. At the time of publication, debate continued in Washington, D.C., over additional COVID-19 assistance funds. It is essential for health systems to keep in close contact with federal and state government representatives to be well positioned for COVID-19 reimbursement. Hospitals should assess the accuracy of their Provider Relief Fund payment attestations and maintain substantial supporting documentation to avoid a future need to repay these funds.
While the Affordable Care Act (ACA) is considered by many to be established legislation, the U.S. Supreme Court continues to hear challenges that could eliminate provisions beneficial to health systems. Because the Trump administration, including the U.S. attorney general, is in agreement with ACA challengers and because the Supreme Court leans conservative, it is again possible that the ACA will be struck down or significantly changed. At the same time, the current period of economic uncertainty and high unemployment puts health systems at risk from patients without health coverage or with less coverage due to the loss of employer-funded insurance. Hospitals should continue to monitor their methodologies for net patient service revenue calculations and reserve estimates during this time of great upheaval.
Furthermore, searching for additional tax revenues to recover from economic struggles, state and local governments might continue to challenge not-for-profit health systems’ executive pay, community benefit provided, and tax-exempt status.
Legal and regulatory compliance
Compliance with federal and state laws and CMS regulations remains a top concern for healthcare governance and management teams. Healthcare is a highly regulated industry with special rules applicable to transactions between health systems and physicians, to prevent referrals of Medicare or Medicaid patients where financial relationships exist (Stark Law); to the filing of fictitious, miscoded, non-medically-necessary, or otherwise inaccurate claims for Medicare or Medicaid beneficiaries (False Claims Act); and to many other compliance matters. Health systems also have been challenged by elements of Americans with Disabilities Act compliance and quality-of-care requirements.
Possible results of noncompliance with the many regulations faced by healthcare organizations include class-action lawsuits and significant legal, regulatory, and financial consequences. And, even in cases in which the government doesn’t take action, whistleblowers (often from within an organization) might be financially rewarded using “qui tam” lawsuits to take action on the government’s behalf to recoup government funds under the False Claims Act. Other common results of noncompliance include fines, reputational loss, and costly corporate integrity agreements.
To avoid these risks, it is important that healthcare providers understand the federal government’s focus areas relative to combating fraud, waste, and abuse, which can be accomplished through regular review of state and federal regulator websites. For example, the Office of Inspector General’s (OIG) Work Plan is updated monthly and made publicly available on the OIG website. Current OIG focus areas include inpatient hospital billing, CMS oversight of nursing facility staffing levels, compliance with CMS transfer policies, billing of critical care service levels, and use of condition codes. Although lengthy, the OIG Work Plan is organized by the date that each plan item was announced or revised and provides the reader with a condensed, summarized list of current focus areas. Conducting regular monitoring and independent audits based on the OIG Work Plan is a vital strategy in proactively mitigating or detecting regulatory risk.
Health systems also should be proactive and undertake audits of physician transactions, care coordination functions, billing, and claims coding. In addition to these audit areas, health systems should consider periodic reviews of the effectiveness of their compliance programs, which help safeguard against regulatory and “qui tam” legal action through providing means to report and take corrective action internally.
HIPAA privacy and security
Enforcement of HIPAA by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has picked up speed in recent years. After recovering millions of dollars in breach-related settlements in 2018 and 2019 [1], OCR announced in late 2019 its first settlement under the Right of Access Initiative, for failure to respond to a patient's request for medical records in a timely manner [2]. This settlement sends a clear signal that healthcare entities will be held accountable for not providing patients access to their records as HIPAA requires. Additionally, state attorneys general are increasingly taking action against noncompliant health systems and providers [3]. While enforcement has slowed due to the COVID-19 pandemic [4], there is every reason to believe that regulatory action eventually will resume. Health systems should continue to audit HIPAA compliance and maintain records demonstrating timely response to patient access requests.
Data breaches continue to be a significant risk for healthcare organizations. The healthcare industry again leads all industries in cyberattacks and breaches [5], and the attack surface keeps growing with internet of things (IoT) technology, personal health monitors, artificial intelligence, and access to large databases of protected health information. Healthcare organizations must begin, or continue, modernizing their infrastructure to counter this risk, and they should treat HIPAA compliance as a baseline and work to exceed its requirements. Organizations often assume, incorrectly, that insurance will cover a data breach; cyber policies commonly cap or exclude much of the cost, and even when coverage is in place, the damage a breach does to a health system's reputation is immense. Health systems should perform or procure security risk assessments as part of their HIPAA program; a periodic risk analysis is itself a requirement of the HIPAA Security Rule.
Financial processes
Business processes such as accounts payable, accounts receivable, payroll, and the financial statement close are critical to every healthcare organization. Generally, such processes are well managed, but when significant developments occur, such as leadership changes, consolidations and employee turnover resulting from a merger, regulatory changes, or implementation of new technology, the risk of financial process deterioration greatly increases. When financial processes are no longer adequately controlled, there is a higher risk of negative financial impact (for example, liquidity hurt by aged accounts receivable or denials that are not adequately managed), increased risk of fraud, a higher likelihood of accounting errors (such as missed or duplicate entries), and increased legal and compliance risk. To minimize these risks, healthcare organizations must thoroughly and proactively plan for and manage change through additional process guidance, increased management oversight, and timely and regular monitoring.
Technology company access to data
Third-party companies have been provided access to healthcare organizations’ data more than ever before. Technologies such as IoT devices, blockchain, 5G wireless networks, mobile apps, and partnerships with tech companies are creating excitement for patients and customers who have easy access to their data. But these technologies also are a big concern within the healthcare industry. While more data being made available for enhanced analytics and shared across various organizations offers many benefits, it also introduces an emerging significant risk of patient data exposure that organizations need to control.
Interoperability of systems, technology platforms, and data sharing across the healthcare industry is on the rise. These features exacerbate the data privacy concern related to tech companies having access to protected health information. Healthcare executives should be aware of new data sharing technologies and new regulations, and they need to understand what tech companies are doing to make patient and customer records more electronically available, how they are limiting access, and how they are implementing increased security to protect patient data.
A healthcare organization’s compliance, security, and internal audit functions need to understand if their organization is safeguarding against privacy and security risks that come with data being more widely available and potentially accessible on the cloud. They also should ask these questions:
Are these third-party companies covered entities or business associates under HIPAA, and what exposure does the healthcare organization have if they mishandle protected health information?
Are there comprehensive, understandable agreements (including business associate agreements where required) in place between the healthcare organization and the third-party technology companies that access and distribute patient data?
What are these third-party companies doing with the organization's patient records and data beyond the contracted service, and do the agreements restrict secondary use?
What is the healthcare organization doing to limit its liability if patient data held by a third party is exposed and potentially breached?
Although cyberthreats and data access have been significant risks within the healthcare industry for more than a decade, with the increasing complexities introduced by using advanced technologies and sharing large quantities of data with third-party technology companies, these risks continue to grow.
Competition
Healthcare organizations today face competitive challenges from a broader range of entrants than they did just a few years ago. While traditional battles for market share across the continuum of care continue among local, regional, and national health systems, new organizations are entering the healthcare marketplace and adding competitive pressure. Some retailers have developed healthcare offerings including specialized clinics, online pharmacies, and partnerships, creating new access points for primary care, behavioral health, dental, and other needs. Risks in this landscape include reduced volumes in hospital emergency departments, urgent care centers, outpatient clinics, and physician offices; loss of market share; and reduced financial performance. To mitigate these risks, healthcare organizations should proactively and continuously assess the impact of existing and new entrants in their markets, and align and nimbly adjust their operating plans and strategic objectives accordingly. They should also consider expanding into untapped markets and service lines, pursuing strategic partnerships or acquisitions, seeking ways to innovate their delivery of patient care, and working to drive cost out of their delivery models.
Business continuity and disaster recovery
A healthcare organization’s operations and network can be greatly affected, or even made unavailable, due to a natural disaster or the harmful actions of bad actors. When disaster strikes in an industry as complex as healthcare, the effects can be far-reaching and have a negative impact on patient lives. The consequences of IT failures within a healthcare facility in today’s increasingly electronic, data-reliant environment are great, and clinical, operational, and financial areas all are at risk should critical systems go down.
Healthcare organizations know the importance of having emergency response plans in place to immediately address disasters, whether natural or human-caused. Furthermore, hospitals are required to follow CMS, Joint Commission, and state authority regulations for emergency preparedness. A primary component of an organization’s disaster response is its ability to continue operations as the organization works to recover from a disaster. Business continuity management accomplishes this by preemptively identifying and establishing plans to continue managing critical business functions, processes, and their associated IT- and non-IT-related dependencies to minimize the impact of unexpected events on the organization while trying to maintain seamless, uninterrupted operations. Though they might intersect with emergency management plans that are concerned with keeping patients and staff safe from harm during a disaster, business continuity plans are focused on continuing operations when main systems are down.
The challenges that healthcare organizations are facing in recruiting, hiring, and retaining qualified employees are increasing. The current shortage of nurses and physicians is projected to intensify as the U.S. population ages, the need for care grows, and retirement rates for nurses and physicians increase. Recruiting challenges will further intensify as existing healthcare organizations ramp up expansion plans in an attempt to grab market share and as new competitors enter the marketplace. Retention of healthcare workers also will become harder as nonhealthcare businesses move into local markets offering higher salaries and better working conditions to traditionally lower-skilled workers. Lack of staff, lack of experienced staff, and stronger competition for workers lead to increased risk within healthcare organizations. Specific risks include financial performance risk due to higher salary and benefit costs, quality and financial risk related to higher readmission and hospital-acquired infection rates, higher patient mortality rates, reduced quality scores, and potentially reduced reimbursement. Healthcare organizations should be proactive and creative in understanding and addressing the recruiting and retention challenges in their local markets. In addition to traditional responses such as increasing salaries, they should consider measures that address working conditions (such as improving staff safety) and educational costs (such as extending loan forgiveness programs beyond the physician ranks).
Leadership succession planning also is becoming a more prominent topic for healthcare organizations as the U.S. population ages and leadership retirements increase. In many organizations, succession planning has not been formally developed or has been limited to a small number of individuals. Risks related to not having an effective succession planning program include unidentified leadership needs, lack of qualified or diverse internal successor candidates, failure to develop and prepare otherwise worthy successor candidates, and exit of significant talent from within the organization. Healthcare organizations also might face reputational risks if leadership ranks do not reflect the markets they serve. In seeking to address succession planning risk, healthcare organizations should consider a formal succession planning program that includes an assessment of current and future leadership demand, identification and preparation of internal successors, a successor transition program, and periodic assessment of the succession program effectiveness.
System implementations typically are major projects requiring significant resources and time. Examples of projects include electronic health record applications, ancillary applications, operating systems, databases, individual modules within applications, interfaces, and upgrades, among others. If a comprehensive implementation plan is not completed, approved, and followed, implementations might not be successful or might fall short of clinical, operational, financial, and IT management expectations. Such deficits could lead to inefficient system operations, system disruption, negative impacts to expected production, and ultimately untimely and ineffective patient care. Implementation plans should include requirements for design, testing, training, and support for all user types and departments. Implementation risks include lack of user access controls, inadequate cybersecurity considerations, lack of interface operability, inadequate data privacy controls, poor change management, inadequate backup and recovery, improper segregation of duties, insufficient infrastructure to sustain and optimize systems after implementation, insufficient user training, elevated numbers of administrative users, incomplete policy and procedure updates to reflect new processes, and ineffective user issue management and remediation.
Social determinants of health
Social determinants of health (SDOH) are conditions in places where people live, learn, work, and play (for example, school, church, workplace, neighborhood) that affect a wide range of quality-of-life risks and outcomes. Health experiences are influenced greatly by basic resources including safe and affordable housing, employment with adequate wages, access to education, public safety, availability of healthy foods, local emergency and health services, and environments free of life-threatening toxins. Evidence shows the absence of these resources is related to higher risks for negative health outcomes.
CMS Conditions of Participation Section 482.43, “Discharge Planning,” requires early identification of patients who might suffer negative health outcomes in the absence of discharge planning. The discharge planning process should include an evaluation of SDOH and procedures to address identified health disparities and consider the patient’s capacity for self-care and home environment. Failure to effectively address SDOH can result in negative health outcomes, increased length of stay, and preventable readmissions. Furthermore, as CMS continues initiatives to deliver high-quality healthcare, organizations are held accountable for and must publicly disclose results of healthcare services, with providers contributing quality data for public reporting. While this reporting has increased transparency of outcomes for consumers, it also has resulted in reimbursement penalties for metrics falling outside of prescribed CMS benchmarks.
Organizations’ commitment to prioritizing SDOH assessments and interventions should include educating about organizational requirements; using defined codes to help clinicians capture a patient’s socioeconomic and psychosocial needs; establishing, communicating, and monitoring performance; and collaborating with post-acute providers, public health agencies, social services, other state and community organizations, and CMS-designated Accountable Care Organizations.
New technology options offer promising results for healthcare organizations in areas including value-based patient care and the revenue cycle. Although blockchain, robotic process automation, machine learning, and artificial intelligence might not currently be used widely in the healthcare industry, organizations need to be ready for their adoption and be knowledgeable about all of their potential benefits – and risks. Often, risks introduced by new technologies are overlooked in favor of focusing on the rewards they promise. But having a thorough understanding of risks involved and potential impacts to the organization can make for a smoother implementation when an organization takes steps toward new technology adoption. New technologies, when not tested or understood sufficiently by healthcare organizations, can pose risks to data quality, data security and user access, confidence in results, return on investment, and human oversight, among others. A lack of familiarity should not be an excuse to overlook these technologies, but associated risks should be understood and identified so that healthcare organizations can mitigate them before experiencing unforeseen impacts.
Interoperability and future technologies
Many technologies and applications still do not and cannot broadly exchange data across various organizations and technology platforms to make healthcare records easily available to patients, providers, and payers. However, some technology companies are committed to and investing heavily in healthcare interoperability, trying to lead the transition to true interoperability. Agreements between these technology companies and healthcare organizations are increasing, and as a result, mobile applications and other advanced technologies are being developed for patients to view their health records and for healthcare providers to remotely monitor more patients. The Fast Healthcare Interoperability Resources (FHIR) standard and application programming interfaces are not new to the healthcare industry, and they are integral to interoperability, making records available across organizations, electronic health record applications, and other technology platforms. Additionally, as large communication companies roll out 5G wireless networks and industries including healthcare are transformed, the use of medical telemetry and wearables is likely to grow exponentially. With the expansion of bandwidth and internet speed, these medical technologies and devices will be transmitting more data than ever before, and that means larger volumes of data available and potentially at risk of exposure.
As new disruptive technologies and interoperability become commonplace within healthcare, a number of emerging and existing risks should remain top of mind for executives, leading to efforts to mitigate potential data exposure and breach. An organization’s financial liability, compliance, and reputation are all potentially at risk.
With incidents of workplace violence on the rise at many healthcare organizations, staff safety is an area of growing concern. Threats to staff safety include verbal and physical abuse, bullying, and battery (or worse) and might come from a variety of sources including patients or family members under the influence of drugs or experiencing mental health issues, facility visitors, and current or former staff members. Risks associated with these threats include mental or physical harm to workers, financial losses due to workers’ compensation claims, increased overtime, temporary staffing, litigation, declining staff morale, and increased difficulty in staff recruiting and retention. Healthcare organizations should take steps to combat threats to staff safety, which might include establishing goals, objectives, and resources aimed at workplace violence prevention; implementing programs to proactively identify and analyze potential threats to staff safety; establishing training programs to prevent or de-escalate potential workplace violence situations; and quickly responding to incidents that do occur.
U.S. healthcare organizations are taking more interest in engaging in international partnerships and affiliations to seek additional revenue sources as more traditional revenue streams are being challenged. They can generate revenue by offering their management and clinical expertise to foreign hospital partnerships, providing consulting services focusing on education and training programs related to quality and safety, nursing, research, and leadership development. Depending on the type of engagement, healthcare organizations might face legal and regulatory risks including those related to the Stark Law and anti-kickback statutes, the Foreign Corrupt Practices Act, and the venture’s potential impact on a not-for-profit health system’s tax-exempt status.
Identify a potential risk within a healthcare organization and provide the rationale for choosing this issue.