Risk Assessment at Your Healthcare Organization
Originally published on January 25, 2022
Updated on November 14th, 2024
In an increasingly complex and competitive industry, demands placed on healthcare administration can lead to risks around every corner. And when you’re keeping track of legislation, regulations, and operational and financial concerns, it can be hard to see new risks while keeping your organization focused on strategy and patient care. Pile on the impact of COVID-19, and things get even more complicated.
So how can you identify, prioritize and evaluate risks to your healthcare organization? Through an internal audit and robust risk assessment process.
A Holistic View of Risk Assessment
A risk assessment looks at your entire organization, making it easier to understand issues with objectives, goals, processes and structure. It allows you to systematically identify all auditable aspects of your healthcare organization and the risks those areas pose. By reducing risk as much as possible, you’re lowering the chances that something can go wrong.
Start by choosing a smaller number of risks that can be audited and are relevant to your organization. This can include operations, compliance, finance, environment, clinical and reputation.
After you’ve identified these areas, perform a risk assessment and set up internal controls. Doing so helps apply a uniform level of risk across the entire organization. Depending on the complexity of the risks identified, they can be handled in a one-, three- or five-year audit plan, allowing all areas of the organization to eventually be audited.
Common Risks to Consider
Though healthcare organizations vary greatly, several areas are common to almost all. These are only a small sample, but you can ask similar questions about other areas of your organization when performing a risk assessment.
Labs – Is your lab complying with Office of Inspector General Guidelines? Do your reference forms include all necessary diagnostic details? Do you have a maximum time for standing orders? How are lab charges created (on test or on result)?
The Charge Description Master – Are you correctly capturing charges? Does one person coordinate the process to make sure it happens? Because codes and charge data change frequently, an incorrectly recorded procedure can result in improper reimbursements.
Pharmacy – How are your pharmacy medications controlled? What system does your organization use? Who orders for the pharmacy? Is there separation between pharmacy and receiving inventory? How do you charge patient accounts? How are unused or returned medications credited?
Admitting and Registering Patients – How are patients registered when a procedure is scheduled in advance? Are insurance details taken by phone, online portal/email or fax? Does admissions get identification and insurance details upon arrival? Are co-pays or deductibles discussed prior to the procedure? How are payments collected?
Charity Care – Is there a process for charity applications? Are there logs? Who approves your charitable write-offs? Who reviews the write-off codes to stay in compliance with HCAP and Medicaid UB 92 revenue codes for hospital-level services? Who monitors collections accounts to verify if the patient qualifies for charity later? How do you record charity care on general ledger and financial statements?
Other areas of risk can include brand and industry reputation, shared services such as human resources, your revenue cycle, tech support or supply chain logistics. If the health system doesn’t have an audit process, it must be decided whether to accept all risk identified, develop an internal audit team or bring in outside auditors.
The Role of the Internal Audit in Risk Assessment
Internal audits are independent appraisals to ensure the organization’s financial and operational controls are appropriate. They compare organizational procedures against compliance requirements. Auditors do not execute organizational activities but provide advice to management to improve operations.
Annual Audit Plan Development
After you’ve finished a risk assessment, the auditors, managers and oversight boards create and agree on a yearly audit plan. This plan includes brief overviews of areas being reviewed and how quickly the audit should be completed. Prior to the start of the audit, management will develop and review the scope and objectives.
Findings and Recommendations
The audit then moves into practice, including management interviews and testing, based on the audit’s scope. It will evaluate the organization’s current controls, consider current risk and compliance needs and conclude whether updates to those controls are necessary. A final report of audit findings is provided to the organization so corrective actions can be developed. Once the finalized report is approved by management, it’s presented to the audit committee.
The risk assessment process might seem complicated at first. Once you’ve developed an initial annual audit plan, however, you can move through the process more easily year after year. It helps you keep your healthcare organization’s risks the lowest they can be without putting a stranglehold on your operations. A healthcare CPA well versed in healthcare operations can help you start a risk assessment and audit plan.
Taking the time to put a solid risk assessment and annual audit plan in place can help take your business to the next level—allowing for strong growth and options for new opportunities.
All content provided in this article is for informational purposes only. Matters discussed in this article are subject to change. For up-to-date information on this subject please contact a James Moore professional. James Moore will not be held responsible for any claim, loss, damage or inconvenience caused as a result of any information within these pages or any information accessed through this site.