From risk management to risk mastery

An internal audit guide for navigating health care’s emerging and future risks

May 22, 2024
Regulatory compliance
Risk consulting Business risk consulting Internal audit Health care

The health care industry is a dynamic landscape, constantly evolving and introducing new risks and opportunities that disrupt the market.

In addition to common internal audit challenges and conventional health care risks (such as revenue cycle, human capital management, cybersecurity, contract compliance), modern health care internal audit teams must be prepared with the resources and knowledge to dive deep into emerging risk areas. Left unchecked, these risks could present substantial threats to a health care organization’s already tight margins, operational efficiencies, compliance and most importantly, patient safety

Is your organization effectively managing key risks?

Click on the following areas to learn about specific risk obstacles as well as understand the resulting positive outcomes once you apply transformative strategy.

Pharmacy operations and 340B

Managing pharmacy operations and compliance with CMS' 340B rule requires meticulous oversight. Through thorough audits and robust risk mitigation strategies, organizations can ensure compliance and financial stability.

How confident are you in navigating the intricacies of pharmacy operations and 340B compliance within your organization?

  • Repayment obligations on unmet eligibility criteria
  • Financial penalties, duplicating 340B program and Medicaid drug rebate discounts
  • Financial losses associated with improperly segregating 340B and non-340B eligible patients
  • Drug diversion or misuse the as result of weak controls over 340B purchased inventory
  • Assess compliance with 340B eligibility criteria
  • Verify eligibility status on a regular basis
  • Implement tracking and reconciliation processes to prevent duplication of claims
  • Implement an effective split billing software
  • Provide staff training to accurately identify 340B and non-340B drug usage
  • Develop robust processes to track drug utilization and prevent diversion

Third-party risk management

Strong vendor risk management is more than the practice of evaluating and mitigating just the security- and privacy-related risks introduced by vendors. Internal audit and risk management functions are essential in mitigating the diverse risks posed by third-party relationships. By implementing comprehensive risk assessment frameworks and due diligence processes, organizations can enhance resilience in their third-party engagements.

How effective is your third-party risk management process?

  • Financial losses incurred when third-party vendors fail to meet contractual obligations or deliver products or services that do not meet expectations
  • Financial penalties incurred from regulators if a third-party vendor violates compliance regulations
  • Operational or clinical disruptions associated with third-party vendors failing to meet service level agreements, experiencing data breaches or cyberattacks, or failing to comply with regulatory requirements
  • Risk of reputational damage if associated with a third-party vendor that engages in unethical activities
  • Implement a performance monitoring system to track key performance indicators and contract compliance
  • Assess the performance and identify improvement opportunities for all third-party vendors on a periodic basis
  • Diversify vendors for critical services and develop a business continuity plan to mitigate service disruptions and ensure minimal impact on operations
  • Develop a comprehensive due diligence process that evaluates the financial and reputational health of prospective third-party vendors
  • Identify a strategy for exiting a third-party vendor relationship and planning succession

No Surprises Act

The No Surprises Act (NSA) represents a significant regulatory framework aimed at protecting consumers from unexpected medical bills, with penalties to providers of up to $10,000 per violation. In addition to financial penalties, failure to adhere to the NSA can result in administrative burdens, reputational damage and more.

Is your organization up to date with the various elements of the NSA and do your policies, processes and technologies support adherence to the requirements?

  • Fines and penalties for noncompliance
  • Administrative burden to develop policies, implement systems and train staff on new requirements
  • Challenges negotiating rates with insurance companies for out-of-network costs
  • Reputational risk and patient dissatisfaction as a result of noncompliance or inaccuracy with information or estimates provided
  • Develop hospital’s governance framework and establish new policies where appropriate
  • Assess your organization’s billing practice by collaborating with stakeholders within key areas such as revenue cycle, legal, compliance and patient experience
  • Implement cost-estimation tools to accurately predict the costs of medical procedures and services
  • Establish dispute resolution process
  • Strategize how to reduce the out-of-network gap

Price transparency

Hospital price and health plan transparency is a critical regulatory requirement aimed at providing patients with accurate and accessible information about the cost of health care services. Compliance with price transparency regulations is essential for health care organizations, necessitating the implementation of robust processes, controls and technologies to ensure adherence. Failure to comply with price transparency requirements can result in significant financial penalties, administrative burdens and reputational damage.

How confident are you that the processes, internal controls and technologies in place to ensure adherence to the requirements are operating effectively and as intended?

  • Lack of governance structure to plan for and oversee compliance
  • Lack of resources within the organization to help with compliance
  • Lack of clarity and understanding of regulations.
  • Possible corrective action plan from CMS for noncompliance or violation
  • Potential civil monetary penalties
  • Implement effective program governance to establish efficient processes, controls, and materials
  • Implement key program-level internal controls to ensure regulatory compliance
  • Detect errors or irregularities
  • Monitor and report appropriately
  • Leverage price transparency as a strategic growth opportunity

Nursing utilization

Nursing utilization is a critical aspect of health care operations, aimed at aligning clinical capabilities with patient needs to ensure that nurses are scheduled and operating at the highest level of their clinical resume. Effective nursing utilization can improve patient outcomes, enhance job satisfaction and increase cost-efficiency.

Do your internal controls and processes promote the alignment of clinical capabilities with patient needs to ensure nurses are scheduled and operating at the highest level?

  • Financial costs associated with utilizing skilled/registered nurses for tasks outside of their job description and experience level
  • Increase in nurses’ workloads due to system factors and expectations (e.g., nonprofessional tasks such as delivering and retrieving food trays; performing housekeeping duties; transporting patients; and ordering, coordinating or performing ancillary services)
  • Lack of sufficient time to perform tasks that can have a direct effect on patient safety
  • Reduced time spent by nurses collaborating and communicating with physicians, therefore affecting the quality of nurse-physician collaboration
  • Poor nurse-patient communication
  • Lack of defined job descriptions and clinical ladders, affecting staff retention, productivity and job satisfaction
  • Open dialogue with nursing teams to assess staff levels, staff qualifications and patient needs
  • Provide ongoing training and education to help nurses develop new skills and to learn emerging health care practices
  • Perform analytics/benchmarking by location, specialty, surgeon and more to identify outliers and remediate issues
  • Use clinical ladders to effectively staff nurses

Generative artificial intelligence (AI)

Generative AI is an exciting innovation that presents both opportunities and risks for health care organizations. Effective risk management is essential to ensure that the use of generative AI is aligned with clinical quality, privacy and security, regulatory compliance, and third-party relationships. Risk management must consider multiple factors to ensure robust AI governance without serving as an anchor to the exciting innovation of generative AI.

Does your organization have the needed governance structure in place to manage the risks around clinical quality, privacy and security, regulatory compliance, and third-party relationships for AI implementation?

  • Potential fines due to patient privacy violations or HIPAA violations as a result of AI misuse
  • Unreliable and false claims and estimates due to improper AI monitoring and governance
  • Outputs in which AI can reflect the biases in the underlying data which can lead to incorrect recommendations, negatively affecting patients
  • Security and privacy risks such as the potential for data breaches
  • Lack of understanding among key stakeholders, leading to mistrust in the AI tool
  • Bias in outputs that negatively affect patient outcomes, ethics and health care equity
  • Potential generation of false claims, incorrect health care cost estimates and inappropriate/duplicative/surprise billing, which may compromise fraud, waste and abuse compliance, price transparency and NSA billing compliance
  • Establish organizational AI strategy and governance frameworks and periodically reassess
  • Implement internal controls to ensure data leveraged for AI systems are equitable and unbiased
  • Integrate data privacy rules and regulations into the design and implementation of AI model(s)
  • Establish cybersecurity controls to ensure AI systems/model(s) are protected
  • Understand input and output processes of the AI model(s)

Laboratory operations

Lab operations are an essential component of any health care organization. In the current environment, payors are reducing reimbursements for lab tests, driving hospitals to focus on operating their labs efficiently and effectively. While improvement efforts related to lab operations may result in cost reduction and streamlined processes, internal audit can play an important role in evaluating potential risks and unintended consequences of the changes to people, process and or technology.

Have you reviewed internal controls related to lab operations to effectively balance reduction of costs and effective processes?

  • Lack of qualified staff and high turnover
  • Challenges associated with finding the right balance of centralized/standardized vs. localized/customized processes
  • Lack of robust data analytics capabilities to review financial performance evaluating cost of staffing, supplies contracts
  • Establish standardized reporting, key performance indicators, policy and process
  • Leverage analytics to identify root causes and operational inefficiencies
  • Identify automation opportunities
  • Document cost savings
  • Enhance quality metrics and patient experience
  • Establish governance leading to process improvements

Discharge and transition of care

With the increasing complexity of health care delivery and the growing emphasis on patient outcomes, discharge and transition of care processes are under scrutiny. Factors such as prolonged hospital admissions, high readmission rates and inadequate discharge planning can result in inefficiencies and financial costs. Effective discharge planning and transition of care processes, on the other hand, can improve patient outcomes, reduce readmissions and increase cost-efficiency.

Does your organization have well-controlled and efficient discharge planning and transition of care process? What is your confidence level that care coordination, both internally and with external facilities, is operating effectively?

  • Financial costs associated with prolonged hospital admissions; CMS penalties for high readmission rates
  • Increase in utilization of nurses for patients with prolonged hospital admissions
  • Risk of inadequate discharge with fewer facilities for patients to transition into
  • Need for recertification for continued hospitalization if the physician does not find available beds in participating long-term facilities to transition the patient into
  • Poor communication between staff, teams, hospital and external providers negatively affecting documentation, discharge delays, follow-up care and health outcomes
  • Noncompliance with CMS transition care management services requirements
  • Achieve discharge planning/assessment within 24 hours of admission
  • Achieve separation of duties between clinical care and discharge,
  • Achieve appropriate staffing ratio of patients to providers and case managers
  • Reduce delays in discharge
  • Ensure adherence to multiple requirements
  • Encourage continuous relationship-building efforts with external long-term care facilities
  • Provide efficient case management, owned by case manager/care coordinator/social worker

Clinical labor pay practices

Health care organizations have experienced a significant increase in clinical labor costs. These increased costs are largely related to the rise in shift bonus and shift differential expenses for employed staff as well as increased expenditures for contracted clinical resources needed to maintain the staffing levels required to meet surging patient care needs.

How strong are your processes and internal controls to forecast demand and monitor the accuracy and appropriateness of clinical labor costs?

  • Inconsistent, time-consuming, manual processes
  • Inaccurate reimbursement rates that do not reflect increasing costs
  • Insufficient nurse-patient ratios affecting quality of care
  • Cost of alternative staffing models creating strain across the system
  • Emerging nursing shortages caused by inadequate staffing, heavy workloads, increased use of overtime, a lack of sufficient support staff, and adequate wages
  • Modernize clinical labor pricing to help recruit and retain clinical labor staff
  • Implement competitive compensation packages that recognize sustainable rate increases
  • Leverage productivity enabling technology to free up capacity and alleviate pressures caused by labor shortages
  • Implement an accurate payroll system and regularly conduct audits to identify and correct any payroll errors
  • Review employee classifications to ensure staff qualifications align with job roles
  • Establish effective communication channels with staff and union representatives

Supply management

Poor supply management results in a system that is wasteful, costly, ineffective and prone to fraud/abuse, and can negatively influence clinical quality. While improvement efforts related to supply management may result in cost reduction and streamlined processes, an internal audit can play an important role in evaluating potential risks and unintended consequences of the changes to people, process and technology.

How efficient is the supply management in your organization?

  • Poor inventory management, physician preferences, lack of good data, lack of standardization and inefficient practices contributing to a system that is costly, ineffective, prone to fraud/abuse and influences clinical quality
  • Multiple operating rooms that utilize single supply room
  • Unclear roles and responsibilities of vendors across the inventory life cycle, especially for high-dollar implants and orthopedic supplies
  • Varying inventory control considerations, requirements, expiration dates creating an opportunity for human error, manual workarounds, waste/loss/theft
  • Leverage supply chain data to identify operational gaps
  • Monitor how much was paid, what patient was charged and how much was reimbursed by the payor
  • Identify supplies that are purchased across multiple locations for greater purchasing power or standardization
  • Leverage dashboarding opportunities to track and discard items that have expired or been recalled
  • Prevent fraud or optimization by identifying mismatches in use vs. charges

Staying informed of and keeping pace with traditional and emerging risks, and preparing accordingly, is critical for organizations seeking to maintain their competitive edge and provide exceptional patient care in the new reality of health care.

Have you ever struggled to define internal audit?

Join our team for Episode 1 of Material Observations: Insights on Internal Audit. The premiere episode of our new podcast, “Material Observations: Insights on Internal Audit,” dives right in with a broad discussion of what internal audit means in today’s marketplace, the impact internal audit is having, and why these internal audit professionals love what they do.

Subscribe to Health Care Leader Insights

Actionable insights to help health care industry leaders successfully navigate challenges and take advantage of opportunity.