Map Your 2019 Risk Management Priorities

December 26, 2018

As the year draws to a close, it is definitely not too soon for healthcare providers to start thinking about how they can marshal their resources to mitigate risk and reduce unnecessary expenses in 2019.

Based on the results of work with more than 250 hospitals, health systems, physician practices and other healthcare entities, consulting firm Crowe LLP has identified some of the major risk areas healthcare organizations are likely to face in 2019. These areas fall into five broad categories:  compliance, information technology, operations, patient care and revenue cycle, although there may be some overlap among the groups.

To make sense of the plethora of competing priorities, we recommend using the following list as a framework. Crowe suggests ranking the areas from highest to lowest risk and channeling resources to the top 10 areas. Where is your organization in developing and implementing programs that address each of the following?

Compliance

340B:  Audits of compliance with 340B regulations by the Health Resources and Services Administration (HRSA) and drug manufacturers are likely to increase in 2019.  Providers should monitor compliance and identify and remedy compliance concerns before a review takes place.

HIPAA:  Failure to protect patient health information can lead to civil and criminal penalties for organizations and individuals. Organizations must implement strong privacy and security policies and processes to minimize the risk of a cyberattack or privacy breach, including risk assessments, leading-edge password and authentication methods and other safeguards.

Physician contracts and compensation:  Relationships with physicians must be carefully negotiated, reviewed, executed and monitored to ensure compliance with all federal and state statutes, including the Stark Law and the Anti-Kickback Statute.

Nonphysician contracts:  Establish a single secure database of contracts for nonphysician services, monitor performance against contract terms, and use standardized terms in all contracts to safeguard your organization’s interests.

Pharmacy:  Create and enforce policies, procedures, standards and protocols in prescribing, ordering, dispensing and administering opioids, and deploy robust inventory and monitoring processes to detect potential diversion of controlled substances.

Information Technology

Business continuity and disaster recovery:  Healthcare organizations must have primary and alternative processing sites that are equipped with physical, environmental and operational controls to ensure secure and continued operation in the event of a disaster or downtime.

Cybersecurity:  How strong are your organization’s information system controls against unauthorized access to protected health information and other sensitive data?  Do these security measures include user authentication and access controls, data loss prevention programs and network security controls, as well as protection for network-connected biomedical devices?

IT governance:  Do your organization’s information systems support strategic business goals in a manner that minimizes risk and protects the organization? Among other things, a solid IT governance program should monitor compliance with HIPAA, meaningful use and other IT laws and regulations.

Systems access management:  Protect data and systems availability, confidentiality and integrity by limiting access to information and resources based on the principles of least privilege and need to know.

Systems implementation:  Problems can arise when electronic health records and other systems are not implemented on time, within budget and in compliance with industry standards. Risks include poor security, inadequate backup and recovery, and lack of proper interfaces with other systems.

Operations

Case management:  Hospitals and health systems that lack strong care coordination to help patients achieve favorable outcomes can experience unnecessary readmissions and increases in claims denials and billing problems. Effective discharge planning, utilization management, documentation of medical necessity and other processes can help address weaknesses in this area.

Financial performance:  Leadership changes, regulatory changes, mergers or acquisitions, and new system rollouts can increase financial, legal and other risks. Change management that includes heightened oversight and monitoring can help protect organizations during these vulnerable times.

Health information management:  Train clinicians to make optimal use of EHR functionality in order to meet documentation requirements and minimize unnecessary revenue loss. Manage and limit system access and EHR copy-and-paste functionality to help ensure the integrity of clinical documentation.

Joint ventures:  Joint venture agreements entail the complex sharing of revenues and expenses between entities. Organizations must establish operational, regulatory and IT controls to avoid compliance violations and other problems that could lead to reputational damage and legal risk.

Physician practices:  Organizations must develop effective processes to manage their relationships and contracts with physicians. In addition, robust processes related to patient scheduling and registration, billing, cash handling, and prescription and medication management are needed to foster quality care, patient satisfaction and regulatory compliance.

Third-party vendor management:  Failure by third-party vendors to meet contract requirements and comply with federal, state and local laws can have significant financial, legal and reputational consequences for hospitals and health systems, particularly as they relate to privacy and security breaches.

Patient Care

Quality and safety:  Failure to meet standards for the quality and safety of patient care can have immediate and profound effects on patients as well as on the financial and reputational well-being of hospitals and health systems.

Telehealth and telemedicine:  As reimbursement for telehealth and telemedicine services expands, organizations must acquire the technologies and implement the processes required to support these services, including strong controls related to remote service delivery.

Revenue Cycle

Billing and collections:  Error-free claims transmitted to payers in a timely manner can reduce costly rework, denials and revenue losses. Providers must pay careful attention to billing completeness and accuracy, denials management and revenue integrity.

Charge capture:  The charge description master (CDM) must be updated periodically for correct pricing, which means clinicians must also be trained in proper documentation and the organization must monitor metrics to pinpoint inaccuracies. Areas of special vulnerability include the introduction of new technologies and high-cost services, such as surgery and cardiology.

Coding:  In an increasingly complex regulatory environment, providers must contend with growing coding and billing scrutiny. Issues with inaccuracy and completeness due to inadequate documentation can pose compliance and financial problems.

Denials management:  Claims denials can be costly. Quality control procedures spanning all of the departments involved in a claim should identify denials by dollar amount, number of denials by root cause and denials by entity. Also needed are a process to compare amounts received to amounts expected and periodic reviews of summary reports.

Patient access:  Controls related to patient access functions, including checking medical necessity for outpatient services, verification of insurance benefits, and estimates of cost and patient liability, should be monitored as part of a comprehensive effort to prevent denials.

The current climate of heightened scrutiny in which a growing number of important issues compete for providers’ attention can make it hard for organizations to decide where to focus first. Hopefully, the analysis summarized here offers a framework for finding that focus in the coming year.