Risk Assessment Survey and Potential Risk Areas

By Nina Youngstrom

Here’s an example of a risk assessment survey, with a list of risk areas “inherent to health care organizations,” said Shelly Denham, senior vice president of compliance, risk and audit services at UofLHealth in Louisville, Kentucky. Contact her at shelly.denham@uoflhealth.org.

Annual Risk Survey

Background

Please help us plan our audit and compliance activities by providing your input on our enterprise risk assessment. (See survey on page below.) We need to know, in your opinion, which clinical, regulatory and financial processes have the highest risk and should be considered for an audit or compliance project.

Below are some areas of potential risks to help you generate your own ideas.

General Compliance Risks

General Compliance

  • 501r

  • Clinical research

  • Community benefit

  • Conflicts of interest

  • HIPAA privacy

  • Meaningful use

  • Medicare three-day payment window

  • Medication reconciliation

  • Social media

  • Joint commission readiness

  • Two-Midnight rule

Legal and Regulatory Compliance Risks

Pharmaceuticals

Physician Financial Transactions

  • Drug diversion

  • 340B compliance assessment

  • Opioid prescribing analysis and monitoring assessment

  • Physician payments

  • Physician contract compliance

  • Stark Law / False Claims Act / Anti-Kickback Statute

Emergency Medical Treatment and Labor Act (EMTALA)

Advanced Practice Providers (APP)

  • Compliance with EMTALA guidelines with the emergency department

  • Compliance with EMTALA guidelines for patients presenting outside the emergency department

  • EMTALA transfer and receiving processes (antidumping)

  • Scope-of-practice alignment with state-specific practice authority

  • Compliance with supervision requirements

  • APP services documentation and billing compliance

Clinical Risks

Patient Safety

Behavioral Health

  • Surgical safety and surgical suite disinfection

  • Device sterilization and disinfection

  • Hospital-acquired conditions, including infections, falls and pressure injuries

  • Environmental and ligature risk assessment

  • Mental health assessment and suicide risk screening

  • Access to mental health services

Case Management and Utilization Management

Physician Practice Clinical Operations

  • Compliance with Medicare conditions of participation

  • Status assignment (inpatient versus observation)

  • Discharge planning and transition of care

  • Physician practice or ambulatory clinical assessment

  • Physician practice results management assessment

Emerging Risks

Telemedicine

Environmental, Social and Governance (ESG) and Diversity, Equity and Inclusion (DEI)

  • Compliance with documentation and billing requirements

  • IT assessment of telehealth platform and devices

  • Cybersecurity assessment of network and unified communications supporting telehealth

  • Assessment of current ESG and DEI programs

  • Executive and employee pay analysis

New Regulations

Robotic Process Automation (RPA)

  • No Surprises Act process effectiveness

  • Hospital price transparency compliance and accuracy

  • CMS vaccine mandate process assessment and compliance

  • CARES Act reporting compliance

  • Review of overall RPA governance process

  • Assessment of RPA security, controls and disaster recovery

  • Assessment of RPA change management

Financial and Operational Risks

Workforce/Executive Retirement and Succession Planning

Vendor Management

  • Recruitment and retention effectiveness

  • Critical department staffing levels

  • Succession planning

  • Business continuity

  • Vendor selection, management and monitoring

  • Vendor IT security assessment

Staff Safety and Security

Revenue Cycle

  • Staff protection—personal protective equipment safety and environmental safety

  • Workplace violence and management of aggressive behavior

  • Physical security

  • Revenue cycle process effectiveness

  • Clinical documentation improvement

  • Expected reimbursement

  • Denials management

  • Patient access

  • Billing and claims submission

  • Credit balances

  • Collections

  • Charge capture

Financial Reporting

Supply Chain

  • Financial statement close process

  • Accounts payable—duplicate payments

  • Journal entry integrity

  • Fraud awareness

  • Payroll

  • Construction accounting

  • Purchasing agreements

  • Materials management/inventory

  • Medical device credits

Technology Risk

Cybersecurity and Ransomware Preparedness

Biomedical Devices

  • Ransomware preparedness and response

  • Cybersecurity risk assessment

  • Business continuity management

  • Biomedical device governance and procurement

  • Biomedical device security

  • Biomedical device maintenance and third-party, service-level agreement compliance

This document is only available to subscribers. Please log in or purchase access.
Purchase Login


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field

First name field cannot be blank!
Last name field cannot be blank!
We will send you an email that will give you access to this entire article.
Email field cannot be blank!
Enter a valid email!
Company field cannot be blank!
Enter a valid company!
Title field cannot be blank!

We're committed to your privacy. The Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA) uses the information you provide us to contact you about our relevant content, products, and services. For more information, check out our Privacy Policy.


About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings