Over the past two months, business headlines have covered the fall of FTX, a large cryptocurrency exchange. If you haven't followed the story, in summary: FTX, once valued as a several-billion-dollar company, filed for bankruptcy in November. This valuation was attributed to its holdings and, in particular, the value of its crypto token, FTT. FTX's crypto tokens (FTT) were used to finance an affiliated company, Alameda Research, a hedge fund that leveraged the value of these tokens and other funds to make investments with money investors used for purchases through FTX. In November, it surfaced that the financials across the organizations were mismanaged, mostly because of highly leveraged investments made by Alameda Research. The money supplied by several investors had essentially vanished.

OK, so what does this have to do with healthcare? Crypto itself is unrelated; however, there are lessons that healthcare organizations can learn from the demise of FTX and Alameda Research. One of the biggest reasons for this downfall was the lack of compliance, governance, and controls to ensure the business functions were appropriately monitored through oversight. To date, crypto is arguably unregulated and lacks some of the integrity that we experience in the healthcare space. Because our industry is governed by federal and state requirements, our organizations are required to deliver on compliance fundamentals.

No business wants to be negatively highlighted on the front page of any publication, and neither does your healthcare organization. If you haven't reviewed your oversight model recently, FTX's downfall may be a reminder to review your current plan and its effectiveness. Consider it a New Year's resolution.

Risk Assessment and Work Plan

Have you performed an annual risk assessment and developed a work plan, and have they been effectively communicated?

It is important to ensure that functional areas across your organization are aligned with potential areas of risk such as federal and state regulatory requirements, financial management, and audit protocols. An assessment of these areas of risk, and the methods your organization will use to mitigate these challenges, should be developed and implemented. It is also important that this is effectively communicated across your organization to ensure that there is cross-functional awareness, along with efforts to educate the organization about the areas and topics that need to be considered in the upcoming year. Communication should not only occur across the organization; its depth should also be considered. The message should reach all employees, not just executives and department leaders. Comprehensive awareness will help the organization operate towards a common goal and understand the risks it has identified for the upcoming year.

Documentation

Is your organization's documentation comprehensive and up to date?

Policies and procedures, job aids, and training are fundamental documents that demonstrate how an organization administers key functions. Documentation enables employees to reference materials to perform their jobs in an effective and compliant manner. When these documents are ineffective or absent, the result is often poor performance and points of failure. Therefore, it is important that these documents are current and that adequate training has been administered to support your processes.

During a regulator audit, documentation is often the first impression your organization will make on an auditor. This makes it important that documentation is thorough, accurate, and up to date. The adage "You never get a second chance to make a first impression" should be taken seriously, as poor documentation can lead an auditor to potential areas of weakness and give them a focus for their audit.

Although it may be a corporate policy for policies and procedures to be reviewed annually, many leaders in organizations simply "rubber stamp" their approval because they are consumed with multiple conflicting priorities. Unfortunately, they lose sight of changes that need to be considered, such as regulatory updates, internal system modifications, or new vendors who perform delegated services affecting these references. This leads to inaccurate documentation, operational risks, and audit risks.

Monitoring and Auditing

Is your monitoring and auditing program effective?

Monitoring and auditing are key to ensuring that your organization is operating in a state of compliance. It is important that your organization facilitates methods to measure performance based on the risk assessment and comprehensively across all operations. Data-centric controls, dashboards, and ongoing reporting are tools commonly used by organizations for monitoring. These tools measure areas such as medical claims processing times and accuracy; whether patients are receiving care according to their benefits (e.g., utilization management, claim denials); whether financial subsidies are being applied accurately to patient-specific premiums and cost-sharing; whether delegated entities are performing in alignment with contracted parameters (and, as we saw in the case of FTX, related entities should also be overseen); whether prescription benefits are managed according to formulary parameters; and the timely delivery of care coordination. These are all worthwhile topics to consider for monitoring.

Auditing is also key to operational soundness. Audits should closely mimic known regulatory audit standards and use targeted sample methodology rather than random sampling, and past corrective actions should be reviewed to ensure these issues have been rectified. When performing audits, it is important to select a valid sample size to help ensure that an appropriate number of samples are evaluated. Don't just perform audits for the sake of performing audits; audits should have a goal of discovering flaws in operations. After all, that is what regulatory auditors are tasked to do.

Conclusion

We can learn a lot from organizations that fail to administer effective compliance, governance, and controls. These fundamentals are agnostic to industry. In healthcare we are not managing the assets of millions of people as we saw with FTX; however, we are responsible for managing the delivery of healthcare for millions of people, and mismanaging it can result in organizational financial risk through sanctions and fines from regulators. It is never too soon to review your oversight model and consider how today's headlines can impact your organization's future.
