The Top Risk Areas for Healthcare Organizations in 2019
November 2018
An article by Sarah A. Cole, CPA, and Scott C. Gerard, CPA - Crowe LLP

The growing complexity of healthcare delivery and financing is creating new risks for hospitals, health systems, physician practices, and other types of provider organizations. Each innovation – whether it’s a new medical technology, a new setting of care, or a new value-based payment mechanism – brings with it unforeseen threats for which traditional internal audit and compliance programs may not be prepared.

Lack of preparation for new risks can cost a healthcare organization money and its reputation at a time when it can least afford to lose either. In a value-based reimbursement environment, every dollar is at risk. If an organization loses that dollar to a compliance problem, it can’t make it up simply by adding a dollar of revenue elsewhere.

Early identification is the best strategy to mitigate those risks. To help with identification, based on what was learned in 2018, Crowe has named the top risk areas facing healthcare organizations in 2019.
The determination of top risk areas for healthcare organizations in 2019 is based on the results of risk assessments performed in 2018 for more than 250 Crowe healthcare clients, including hospitals, health systems, physician practices, and other provider organizations.

A “risk area” is defined as anything that might impede the organization’s ability to achieve its goals in critical areas such as patient care, regulatory compliance, operations, strategic growth, and financial performance. A risk area was considered a “top risk area” based on its frequency of inclusion in client risk assessments as well as its perceived potential impact on strategic goal achievement. Twenty-three risk areas met the criteria.

What may be a top risk at one healthcare organization may not be a risk at another, so the top risk areas are not ranked. Instead, they are grouped into five categories in alphabetical order:

•   Compliance
•   Information technology
•   Operations
•   Patient care
•   Revenue cycle

It is important to note that many of these top risks are multifaceted and may be relevant to more than one of the five categories.
Compliance

340B
Compliance with the 340B Drug Pricing Program remains a top concern for healthcare governance and management. Under the 340B program, eligible entities may take advantage of significant discounts in the cost of outpatient drugs, enabling them to stretch limited funds and provide more comprehensive services to low-income patients and their local communities. The 340B regulatory requirements are numerous and complex, and they often require substantial internal monitoring. Noncompliance carries significant financial consequences, ranging from regulatory penalties and manufacturer repayments to total removal from the 340B program. The numbers of audits by the Health Resources and Services Administration (HRSA) and by drug manufacturers are likely to increase again in the coming year. As a result, demand is rising for 340B program assessments and independent audits to proactively identify and resolve potential compliance concerns before an external or regulatory review.

Health Insurance Portability and Accountability Act (HIPAA)
Protected health information may be communicated or stored on paper, orally, or electronically. Safeguarding protected health information in all of its forms is critical to managing the regulatory, legal, reputational, and financial risks posed by internal and external security threats. Failure to do so could result in civil and criminal penalties at both the organizational and the individual level. To minimize vulnerability to cyberattacks and privacy breaches, healthcare organizations must implement stringent controls, including risk assessments, strong password and authentication methods (multifactor authentication where available), activity logging and monitoring, and “minimum necessary” access to electronic protected health information (ePHI), applied both to IT-managed systems and to systems that are managed outside of IT (shadow IT). Healthcare organizations also must design and implement strong HIPAA privacy and security policies and processes to promote compliance and support successful completion of an Office for Civil Rights or other regulatory agency compliance audit.
The top risk areas are presented in alphabetical order first by category and then within each category. They are not ranked.

Nonphysician contracts
Healthcare systems also may face financial, legal, and compliance consequences without strong controls over the execution and management of contracts for nonphysician services. Common problem areas in nonphysician contracts include the lack of a single, complete, accurate, and secure database of contracts; failure to monitor contract performance and compliance against terms (resulting in legal liability and unnecessary expenses); failure to incorporate preapproved, standardized contract terms within all contracts to safeguard corporate interests; and inefficiencies in the contract negotiation and execution processes that inhibit patient care and business operations.

Pharmacy
Inadequate controls in the area of pharmacy and controlled substances can introduce significant financial, compliance, patient care, and reputational risks. Pharmacists and other healthcare providers share accountability to help prevent and detect prescription drug abuse and diversion, particularly with regard to controlled substances. To help manage the risks in this area and to support national efforts to stem the opioid epidemic, organizations must establish and enforce policies, procedures, standards of practice, and protocols in pharmaceutical prescribing, ordering, dispensing, and administration. In addition, robust inventory methodologies and routine monitoring processes are critical to help detect and address potential diversion activities.

Physician contracts and compensation
Physician contracting and compensation continue to be significant risk areas for healthcare organizations due to the complexity of contracts and compensation models and because of the regulatory risks when relationships and contracts are not carefully negotiated, reviewed, executed, and monitored. Contract review processes are vital to establish relationships and contract provisions that do not violate the Stark Law, anti-kickback laws, or other federal fraud and abuse statutes. Physician performance monitoring is also critical to identify areas where expectations and contract provisions are not being met, and careful review of compensation and bonuses is needed to reduce the potential for overpayments or underpayments and violations of federal statutes.
Information technology

Business continuity and disaster recovery
IT systems must be available and working at all times. To promote continuous availability of systems and the related data, healthcare organizations must have primary and secondary data centers for redundant operations in the event of a disaster or downtime. Each of these primary and alternative processing sites should be ready for use and must have appropriate physical, environmental, and operational controls to promote secure and continued operation when needed; that readiness should be confirmed through periodic recovery testing rather than assumed. Patient safety, productivity, and revenue could be severely affected if systems and data are not always available.

Cybersecurity
Cybersecurity continues to be a high priority for executive leadership, boards, and audit committees. They want to know how ePHI and other sensitive data are protected and whether system security is strong enough to withstand an internal or external attempt at unauthorized access. A robust cybersecurity program requires strong controls to prevent or minimize computer system security vulnerabilities. This includes user authentication and access controls, data loss prevention programs, network security controls, and data encryption. Also included in the cybersecurity risk area is network-connected biomedical device and internet of things (IoT) risk, which includes aspects of patient safety, HIPAA privacy, and network security risk.

IT governance
IT governance is an important component of corporate governance and is focused on delivering technology services to support business initiatives in a manner that mitigates risk. IT governance is critical to ensuring that the provision of information services is strategically aligned with the business and that adequate resources are made available to support achievement of technology and business goals. In addition, a strong IT governance program must include promoting and monitoring IT compliance with technology-oriented laws and regulations such as HIPAA, the Health Information Technology for Economic and Clinical Health (HITECH) Act, and meaningful use.

Systems access management
A well-designed systems access program and associated user provisioning processes are crucial to secure an organization’s information systems and meet fiduciary and regulatory requirements. Strong controls in this area protect data and systems availability, confidentiality, and integrity by limiting access to information and resources based on the concepts of least privilege and need to know. If systems access processes are poorly designed or incorrectly implemented, ePHI and other sensitive information will be put at risk of inappropriate disclosure or manipulation, potentially resulting in fines and penalties for regulatory noncompliance and damage to the organization’s brand. In addition, without strong access management controls, operating systems and business and clinical applications may be vulnerable to loss or failure due to external or internal manipulation.
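Two of the risk areas above, the HIPAA “minimum necessary” standard backed by activity logging and monitoring, and the least-privilege and need-to-know provisioning described under systems access management, reduce in practice to the same periodic check: compare what each account can do, and has actually done, against what its job function requires. The Python below is an added example written for this page, not code from the article or from Crowe. The role names, entitlement names, account records, access-log format and the 90-day dormancy threshold are all constructed assumptions; a real review would read them from the identity system and the application audit logs.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List

# Hypothetical role baseline (constructed): the minimum entitlements each job
# function needs. Anything an account holds beyond its role's set is excess.
ROLE_BASELINE: Dict[str, frozenset] = {
    "nurse": frozenset({"ehr_clinical_read", "ehr_clinical_write", "medication_admin"}),
    "coder": frozenset({"ehr_clinical_read", "billing_coding"}),
    "it_admin": frozenset({"ad_domain_admin", "ehr_server_console"}),
}
PHI_READ = "ehr_clinical_read"  # the entitlement that permits reading ePHI
DORMANT_DAYS = 90               # constructed threshold for unused accounts


@dataclass(frozen=True)
class Account:
    user: str
    role: str
    status: str              # "active" or "terminated"
    entitlements: frozenset  # what is currently provisioned

@dataclass(frozen=True)
class Finding:
    user: str
    issue: str
    detail: str


def parse_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse constructed 'YYYY-MM-DD key=value ...' audit lines into dicts."""
    events = []
    for line in lines:
        parts = line.split()
        if not parts:
            continue
        event = {"date": parts[0]}
        for kv in parts[1:]:
            key, _, value = kv.partition("=")
            event[key] = value
        events.append(event)
    return events


def review_access(accounts: Iterable[Account], events: List[Dict[str, str]],
                  as_of: date) -> List[Finding]:
    """Compare provisioned access and logged activity against role baselines."""
    accounts = list(accounts)
    by_user = {a.user: a for a in accounts}
    last_login: Dict[str, date] = {}
    for ev in events:
        if ev.get("event") == "login":
            d = date.fromisoformat(ev["date"])
            last_login[ev["user"]] = max(d, last_login.get(ev["user"], d))
    findings: List[Finding] = []
    for a in accounts:
        baseline = ROLE_BASELINE.get(a.role, frozenset())
        if a.status == "terminated":
            if a.entitlements:  # leavers must hold nothing at all
                findings.append(Finding(a.user, "terminated_with_access",
                                        ", ".join(sorted(a.entitlements))))
            continue
        excess = a.entitlements - baseline  # least privilege: grants beyond the role
        if excess:
            findings.append(Finding(a.user, "excess_entitlement", ", ".join(sorted(excess))))
        last = last_login.get(a.user)  # standing access that nobody is using
        if last is None or (as_of - last).days > DORMANT_DAYS:
            findings.append(Finding(a.user, "dormant_account", f"last login {last or 'never'}"))
    # Minimum necessary: ePHI reads by a role with no business reading it,
    # or by an account that is terminated or unknown to the provisioning system.
    for ev in events:
        if ev.get("event") != "phi_access":
            continue
        a = by_user.get(ev["user"])
        allowed = (a is not None and a.status == "active"
                   and PHI_READ in ROLE_BASELINE.get(a.role, frozenset()))
        if not allowed:
            findings.append(Finding(ev["user"], "phi_access_outside_role",
                                    f"{ev.get('record', '?')} on {ev['date']}"))
    return findings


# Constructed sample data, not taken from any real system.
SAMPLE_ACCOUNTS = [
    Account("alice", "nurse", "active", frozenset({"ehr_clinical_read", "ehr_clinical_write", "medication_admin"})),
    Account("bob", "coder", "active", frozenset({"ehr_clinical_read", "billing_coding", "ad_domain_admin"})),
    Account("carol", "nurse", "active", frozenset({"ehr_clinical_read"})),
    Account("dave", "coder", "terminated", frozenset({"billing_coding"})),
    Account("erin", "it_admin", "active", frozenset({"ad_domain_admin", "ehr_server_console", "ehr_clinical_read"})),
]
SAMPLE_LOG = """\
2019-01-14 user=alice event=login
2019-01-14 user=alice event=phi_access record=MRN-1001
2019-01-15 user=bob event=login
2018-10-02 user=carol event=login
2019-01-15 user=dave event=phi_access record=MRN-2002
2019-01-15 user=erin event=login
2019-01-15 user=erin event=phi_access record=MRN-3003
""".splitlines()


def run_sample() -> List[Finding]:
    return review_access(SAMPLE_ACCOUNTS, parse_log(SAMPLE_LOG), date(2019, 1, 16))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.user:6} {f.issue:26} {f.detail}")
```

The review deliberately judges ePHI access against the role baseline rather than against the entitlement the account happens to hold: erin’s clinical read right is itself the excess grant, so her PHI access is flagged even though the system technically permitted it. Running the same checks against shadow-IT systems requires only that they produce a comparable login and record-access log.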


Systems implementation
The implementation of electronic health record (EHR) and other critical clinical and business systems poses a significant risk to healthcare organizations. Many operational, clinical, financial, and IT risks can result when systems are not implemented on time, within budget, and using industry standards for design, testing, training, and support. IT risks include lack of security, poor change management, inadequate backup and recovery, improper segregation of duties, insufficient infrastructure to sustain and optimize the EHR systems after implementation, and lack of proper interfaces with other systems.

Operations

Case management
Case management, often referred to as care management, is intended to help patients reach their optimum level of wellness while promoting cost-effective, high-quality outcomes. As such, it affects both clinical and financial aspects of a healthcare organization. Absent strong controls in this area, organizations may see increased readmissions, regulatory noncompliance, and increased denials and billing problems. To minimize these risks, governance and management functions continue to seek insights into ways to optimize processes related to discharge planning, utilization management, validation of medical necessity, and patient status.

Financial performance
Business processes such as accounts payable, accounts receivable, payroll, and financial statement close are a standard part of day-to-day operations for healthcare organizations and generally are well-controlled. However, when significant changes occur in the organization or environment – such as leadership changes, regulatory changes, mergers, or acquisitions – or when new technologies supporting these processes are introduced, financial, fraud, and legal risks may increase. To minimize these risks, healthcare organizations must proactively plan for and manage change through additional process guidance as well as through increased management oversight and timely and regular monitoring processes.
Health information management
Health information management (HIM) is critical to managing compliance and coding risks. To maximize healthcare reimbursement, clinician documentation of patient encounters and services delivered must be timely, complete, and accurate. Effective HIM also is needed to support patient privacy, quality reporting, quality process improvement, and pay-for-performance decisions. EHR systems play an important role as the origination point, secure repository, and vehicle for diagnoses and care documentation. To promote accurate and complete documentation and billing, clinicians must be trained to use EHR functionality to meet documentation requirements. System access must be managed in accordance with job function, and use of copy-and-paste functionality in the EHR must be limited and managed to promote clinical documentation integrity.

Joint ventures
In the healthcare industry, joint ventures (JVs) commonly are leveraged for ambulatory surgery centers, imaging centers, radiation therapy offices, urgent care centers, and real estate investments. Collaborating with insurance payers also is on the rise as healthcare organizations seek to reduce time, cost, and regulatory burdens. JV agreements often result in complex arrangements, including the sharing of revenues and expenses between the entities. This sharing (or splitting) can be difficult to monitor if appropriate processes are not established. In addition, as there is no direct transfer of ownership, organizations typically have varying degrees of oversight for JVs. Risks related to these arrangements center around whether the parties are meeting the terms of contractual agreements and achieving performance and return on investment expectations. In addition, regulatory, IT, and compliance risks must be considered, including compliance with the Stark Law, anti-kickback laws, the False Claims Act, HIPAA, antitrust laws, state insurance regulations, and medical tort liability regulations. Without oversight and monitoring of operational, compliance, and IT controls in these areas, healthcare organizations may be vulnerable to fines and penalties for compliance violations and could suffer reputational and legal damages.

Physician practices
Physician integration continues to be a major area of focus as healthcare organizations work to realize the increased efficiencies and coordination required by healthcare reform. Organizations must develop processes and monitoring to effectively manage physician relationships and contracts. In addition, strong controls need to be implemented and enforced in day-to-day operations such as patient scheduling and registration, patient billing, cash handling, and prescription and medication management. Robust controls in each of these areas are critical to accomplish strategic goals in the areas of quality patient care, patient satisfaction, regulatory compliance, and revenue recognition.

Third-party vendor
Healthcare organizations routinely use third-party vendors in a variety of important operational, clinical, and technology capacities, usually with the intention of reaping cost savings and operational efficiencies. Third-party vendors often have access to the hospital facility and hospital data as well as direct access to patients. Risks related to use of third parties for core services must be considered carefully before contracts are signed, and they must be managed throughout the vendor relationship. These risks include failure to meet contracted performance requirements, failure to meet the financial terms of the contract, and billing for services not provided. Compliance, patient safety, and regulatory risks are also significant, and failure by third parties to comply with federal, state, and local laws can have immediate and devastating negative financial, legal, and reputational results. This is especially true with regard to weak information systems controls, where vendor vulnerabilities may result in a privacy or security breach. Under HIPAA, a vendor that creates, receives, maintains, or transmits protected health information on the organization’s behalf is a business associate and must be bound by a business associate agreement; that agreement does not relieve the organization of the need to monitor the vendor’s controls. A thorough vendor management program with ongoing monitoring of third-party entities is critical to mitigate this risk area.

Patient care

Quality and safety
Ensuring the quality and safety of patient care is inherent to the mission of healthcare providers. Diligent and continuous focus is needed to manage the countless new and evolving patient safety, quality improvement, and reporting initiatives. Healthcare organizations must balance funding and support for these initiatives with other organizational needs and goals. This is particularly difficult in light of the increasing shortage of skilled nursing staff and limited monetary resources, both of which affect quality of care and patient safety outcomes. Management is challenged to aggregate, secure, and use the influx of care data from a wide variety of EHRs, patient care technologies, and care delivery platforms. Failure to do so can have immediate and profound impacts not only on the health and well-being of patients but on the financial, regulatory, and reputational strength of the organization.

Telehealth and telemedicine
Healthcare organizations are rapidly embracing telehealth and telemedicine as a means to improve access to healthcare services, reduce or contain the cost of healthcare services, and improve the quality of services provided. In implementing the technologies and processes to support these initiatives, healthcare organizations also must implement strong controls for remote service delivery and supporting technologies. These controls are necessary to address and adhere to clinical standards (provider capabilities, credentialing, standards of care), promote high-quality care, minimize the risk of patient harm, and comply with regulatory requirements for privacy and patient data security.

                        Revenue cycle
                                   Billing and collections               records, and bill claims in accordance with
                                                                         charging and billing guidance provided
                                   Management of billing and
                                                                         by Medicare and other payers. Pricing for
                                   collections, including accounts
                                                                         services provided must be accurately and
                        receivable, is a core function required
                                                                         completely loaded, and the CDM must
                        to keep revenue streams flowing to fund
                                                                         be updated periodically, in a controlled
                        healthcare operations and initiatives.
                                                                         manner, for correct pricing. Clinicians
                        Healthcare organizations must produce
                                                                         must be trained in how to accurately
                        error-free claims that are transmitted
                                                                         code and document services provided,
                        in a timely manner to clearinghouses
                                                                         and management must monitor charge
                        and payers. Failure to produce bills that
                                                                         metrics to enable prompt identification
                        meet payer requirements can result in
                                                                         and correction of charge issues. Risks
                        costly rework, increased denials, and lost
reimbursement. To help manage these risks, many healthcare organizations have outsourced billing and collections functions. While outsourcing can help with standardization of processes, careful management and oversight of third-party provider performance are required to ensure that strategic objectives are being addressed. Risks are related to the completeness and accuracy of billing, lost revenue, inadequate denials management, and lack of visibility into controls at third-party billing and collections providers.

Charge capture
Managing the charge capture process and maintaining a complete and accurate charge description master (CDM) are essential but complex processes for most healthcare organizations. EHRs and other patient care subsystems are the genesis for charge records, which then interface with hospital billing systems and coding systems to create the patient bill. Healthcare providers must establish charges, code medical
of significance relate to the accuracy and completeness of charges, especially where new technology is in use and where high-dollar procedures and services are involved, such as surgery and cardiology.

Coding
Healthcare systems and providers face growing scrutiny of coding and billing in a quickly changing and increasingly complex regulatory environment. The effective evaluation of ICD-10-CM (clinical modification), ICD-10-PCS (procedure coding system), and Current Procedural Terminology/Healthcare Common Procedure Coding System (CPT/HCPCS) coding and billing compliance is a challenge that has significant ramifications from a regulatory standpoint as well as for the bottom line of a healthcare system or provider. Common coding challenges include lack of adequate physician documentation and increased workloads due to the complexity of coding guidelines. In addition, third-party coding vendors require regular monitoring for performance and effectiveness.

The top risk areas are presented in alphabetical order first by category and then within each category. They are not ranked.

Denials management
Denied claims result in expensive rework and often lead to lost reimbursement. Healthcare organizations must have procedures for effective denials management and third-party payer follow-up. These procedures should be interdisciplinary, as denials can be caused by numerous processes in multiple departments. Organizations should have an established process to quantify denials by dollar amount, by number of denials, by root cause, and by entity. Additionally, a payment variance process typically is needed to compare amounts received to expected amounts and to identify and correct errors in payments received from contracted payers. Reports summarizing denials activity should be prepared and reviewed periodically by a denials work group that is focused on prevention and root cause analysis.

Patient access
Controls over patient access functions such as patient scheduling, registration, and admission processes must be rigorous to minimize the risk of billing and patient accounting issues, lost revenue, and poor patient and physician satisfaction. Information gathered during the scheduling, preregistration, and registration processes must be complete and accurate, and processes should include checking medical necessity for outpatient services and providing estimates of cost and patient liability. Third-party payers may require certain services to be authorized in advance or precertified, and failure to obtain required authorizations from payers may result in denial of the claim. In addition, insurance benefits should be verified prior to the date of service or soon after to prevent billing delays, and copayments and coinsurance funds should be collected in advance. Finally, financial counselors should visit all uninsured inpatients prior to discharge to discuss patient liabilities, and they should assist patients in identifying and applying for Medicaid and other assistance programs.

What can be done about the risks?
Healthcare organizations’ resources are limited even as the number of potential risks grows. To cope with the situation, internal audit departments should take the following steps:

• Review the 23 risk areas identified here.
• Discuss which risk areas apply to their organization.
• Prioritize specific risk areas from highest to lowest risk.
• Channel resources to the top 10 risk areas on the list.

By targeting top risk areas, healthcare organizations can reduce unnecessary expenses that eat away at profitability and financial sustainability.
Learn more
Sarah Cole
+1 314 802 2049

Scott Gerard
+1 818 325 8457

“Crowe” is the brand name under which the member firms of Crowe Global operate and provide professional services, and those firms together form the Crowe
Global network of independent audit, tax, and consulting firms. “Crowe” may be used to refer to individual firms, to several such firms, or to all firms within
the Crowe Global network. The Crowe Horwath Global Risk Consulting entities, Crowe Healthcare Risk Consulting LLC, and our affiliate in Grand Cayman are
subsidiaries of Crowe LLP. Crowe LLP is an Indiana limited liability partnership and the U.S. member firm of Crowe Global. Services to clients are provided by the
individual member firms of Crowe Global, but Crowe Global itself is a Swiss entity that does not provide services to clients. Each member firm is a separate legal
entity responsible only for its own acts and omissions and not those of any other Crowe Global network firm or other party. Visit for
more information about Crowe LLP, its subsidiaries, and Crowe Global.
The information in this document is not – and is not intended to be – audit, tax, accounting, advisory, risk, performance, consulting, business, financial, investment,
legal, or other professional advice. Some firm services may not be available to attest clients. The information is general in nature, based on existing authorities,
and is subject to change. The information is not a substitute for professional advice or services, and you should consult a qualified professional adviser before
taking any action based on the information. Crowe is not responsible for any loss incurred by any person who relies on the information discussed in this document.
© 2018 Crowe LLP.