As featured in Compliance Today, September 2022
A compliance program can only be truly effective at accomplishing its goal of preventing and detecting fraud, waste, and abuse when the program, its infrastructure (i.e., the seven elements), and the work the program does (i.e., the compliance work plan) are oriented around the organization's compliance risk profile.1 To best prevent fraud, waste, and abuse, it's logical to focus on those issues where fraud, waste, and abuse are most likely and where the consequences of noncompliance are the most significant. Why would a compliance program spend its, oftentimes, small number of resources on issues that are not as crucial to get right? Nevertheless, compliance programs have not always understood, nor prioritized, risk assessment, leading to ineffective and inefficient efforts not oriented around the organization's most significant compliance risks.
Implementing an effective compliance risk assessment approach is beneficial in multiple ways. It is the most efficient and effective way to ensure that the compliance program spends its time and resources on the appropriate issues (to best prevent and detect fraud, waste, and abuse). It also helps ensure that operations leaders and managers understand compliance risk and the importance of operations' responsibility for compliance. Effective compliance risk assessment, management, and mitigation promote an engaged and aware culture throughout an organization and is a best practice that has become a requirement in recent corporate integrity agreements (CIAs). Risk-based compliance programs promote the highest level of service for employees and patients and help ensure proactive compliance programs. Perhaps the most compelling reason to provide an exceptional risk assessment approach is that it can be protective in cases of wrongdoing. The Department of Justice Evaluation of Corporate Compliance Programs states, "Prosecutors may credit the quality and effectiveness of a risk-based compliance program that devotes appropriate attention and resources to high-risk transactions, even if it fails to prevent an infraction."2
While every organization's risk profile is unique, there are certain common healthcare-specific industry risks, especially when narrowed to healthcare providers, that these organizations have in common. These shared industry risks include, but are not limited to, state and federal statutes and regulations, matters seen in recent enforcement actions, Department of Health & Human Services Office of Inspector General (OIG) reports and work plan items, government audit priorities, changing regulatory priorities, and certain broader state and national issues such as "the great resignation" and pandemic-related concerns, among others. An organization's risk profile becomes further customized when adding internal risks or those particularly applicable to the organization. These may include, but are not limited to, organizational structure and legal relationships, the control environment, the culture of compliance and accountability, operations' engagement with compliance, specific issues reported to management or compliance, specific investigation outcomes, and specific audit findings.
Essential Concepts in Compliance Risk Assessment
There are several essential concepts to consider when developing an approach for compliance risk assessment.
Maintenance of an Ongoing, Dynamic Compliance Risk Profile
For practical and logistical purposes, it is essential to designate a specific time during the year to perform the risk assessment (see further discussion later). However, it is also necessary to establish processes to ensure the risk assessment is kept up to date throughout the year. Both the regulatory landscape and healthcare organizations themselves are dynamic, constantly changing, and need to adapt to those changes when needed. Therefore, risk assessments must be able to reflect changes in the risks themselves and their prioritization. This can be accomplished ...
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.