Risk Assessment Policy and Process
In accordance with Office of Inspector General (OIG) compliance program guidance, the U.S. Federal Sentencing Guidelines and in support of the eighth element of an effective compliance program, [insert name of company] has developed and implemented a centralized risk assessment and internal review process to identify and address risks associated with the company’s participation in federal health care programs, including, but not limited to, the risks associated with the submission of claims for items and services furnished to Medicare and Medicaid program beneficiaries. Annually, compliance, internal audit, legal, and operations conduct a risk assessment and internal review process that:
- Identifies and prioritizes risks,
- Develops internal audit and compliance monitoring work plans related to the identified risk areas,
- Implements the internal audit and compliance monitoring work plans,
- Develops corrective action plans in response to the results of any internal audits or compliance monitoring performed, and
- Tracks the implementation of the corrective action plans in order to assess the effectiveness of such plans.
The risk assessment process is conducted during the fourth quarter of the fiscal year and includes:
- Reviewing the OIG Work Plan and its updates for audit areas that are applicable to [insert name of company].
- Reviewing OIG audit results, corporate integrity agreements, Department of Justice settlement agreements, advisory opinions, fraud alerts, and other government publications for risk areas that may be applicable to [insert name of company].
- Reviewing Program for Evaluating Payment Patterns Electronic Report (PEPPER) reports, internal risk scorecards, prior audit results, government audit results, exit interviews, hotline call trends, investigation trends, risk management cases, and Quality Assurance and Performance Improvement (QAPI) for potential areas to review or follow up.
- Reviewing regulatory changes and emerging legislation/regulations, such as changes in government payment models or implementation of new regulations, that could affect the organization.
- Presenting a summary of government audit focus areas to senior leadership and operations for consideration during development of the annual internal audit plan and compliance monitoring plan.
- Conducting a survey of the company’s entities to identify gaps in compliance.
- Conducting interviews with senior leadership and operations to assess risk concerns.
- Incorporating areas for consideration such as bad debt; billing and coding; clinical; cost reports; credit balances; clinical research; documentation; excluded providers; quality; finance; privacy and security; information technology; marketing; physician transactions (Stark Law); licensure; record retention; reimbursement; regulatory; medical necessity; environmental; facilities; policies; procedures; staffing; education; and mergers, acquisitions, and divestitures, among others.
- Compiling results of the reviews and interviews and prioritizing or ranking the risks for the next fiscal year using the approach in the Compliance Risk Assessment Scoring Matrix, Exhibit A, and tabulating a score using the Risk Prioritization Scorecard, Exhibit B.
- Using the results to determine the organization’s appetite for compliance risk and finally prioritizing the risks.
- Developing the annual internal audit plan and compliance monitoring plan and presenting to the high-risk team, executive management compliance committee (EMCC), and board of managers for approval.
- Implementing the annual internal audit plan and compliance monitoring plan, assessing results, and working with leadership to implement corrective action plans.
- Reporting results from the annual internal audit plan and compliance monitoring plan a minimum of quarterly to the high-risk team, EMCC, and the board.
- Following up to ensure the corrective action plans resolved any issues identified.