Fulfilling the hospital's charitable, community-based mission is critical to maintaining the hospital's tax-exempt status and building community trust, confidence and support. But that trust can be shattered by poor risk management. Hospital trustees, senior leaders and employees serve the community with the best of intentions, but in today's high-scrutiny environment, the best intentions are not enough.
Hospitals are responsible for growing areas of compliance and risk, from billing and coding, referral relationships, and quality and patient safety to privacy breaches and natural disasters. As hospitals and health systems merge, affiliate, innovate and grow in today's population-health environment, they are experiencing new complexities to their risk exposure.
Most organizations and caregivers are just beginning to navigate population health and increased clinical care coordination, collaboration and communication. This requires a steep learning curve in both clinical competencies and coordination. Understanding risk and having a clear compliance plan in place is essential. Organizations without a robust risk management plan will likely face noncompliance and unintended lack of adherence to rules and regulations.
In April 2015, the Office of Inspector General, U.S. Department of Health and Human Services, American Health Lawyers Association, Association of Healthcare Internal Auditors and the Health Care Compliance Association issued the publication Practical Guidance for Health Care Governing Boards on Compliance Oversight. The publication was developed to provide boards with practical tips and guidance as they carry out their responsibilities for oversight of the organization's compliance with the laws and regulations governing health care.
According to the OIG report, a critical component of oversight is the process of asking the right questions of management. The introduction to the OIG guidance states that boards must 1) determine the adequacy and effectiveness of the hospital or health system's compliance program, 2) understand the performance of those who develop and execute that program, and 3) make compliance a responsibility for all levels of management.
Key Board Responsibilities
Boards of trustees must act in good faith in their oversight of the organization's compliance program. The OIG explains this basic board responsibility as ensuring that: 1) a corporate information and reporting system exists, and 2) the reporting system is adequate to assure the board of the organization's compliance.
Benchmarks for Evaluating Compliance Plans. The OIG encourages boards to use Federal Sentencing Guidelines, OIG voluntary compliance program guidance documents and OIG Corporate Integrity Agreements as "baseline assessment tools" in developing and evaluating compliance programs. The OIG report states that "boards are expected to put forth a meaningful effort to review the adequacy of existing compliance systems and functions. Ensuring that management is aware of the guidelines, compliance program guidance, and relevant CIAs is a good first step."
The OIG recognizes that every organization's compliance program will be different, due in part to size, resources and complexity of the organization. Larger, more complex hospitals and health systems may need to have more extensive plans and resources. While smaller organizations may be able to meet compliance requirements with existing staff and greater reliance on board involvement, they are still required to demonstrate the same high level of commitment to ethics and compliance.
Ongoing Education. Ongoing education is important for all boards of trustees, particularly in today’s evolving health care environment; however, outside education, articles, resources and a consistent relationship with a regulatory expert are essential for boards of smaller hospitals that may be more closely involved in compliance and ethics.
Defining Roles and Responsibilities. The OIG report describes typical compliance functions including compliance, legal, internal audit, human resources and quality improvement. Organizational functions must be executed independently, but the board must ensure management has a plan for functions to communicate and work together to identify, address and correct risks.
Maximizing Board Reports and Executive Sessions. The board should regularly receive compliance and risk-related reports and must understand management's approach to resolving compliance concerns. Dashboards and standardized processes help boards to more easily monitor key metrics and identify areas that might need investigating. The OIG recommends that boards hold regular executive sessions without senior management, in order to hear from experts in compliance, legal, audit and quality, and to promote open communication. Regular executive sessions are healthy and can help avoid any confusion or suspicion that may arise if an executive session is called unexpectedly.
Cybersecurity at Risk
While billing problems, referral relationships, and quality and patient safety are better-known challenges in health care, cybersecurity cannot be overlooked and must be well understood by the board.
Many have argued that health care's technology implementation has lagged behind other industries. As hospitals and health systems try to catch up, the risk of cyber-attacks is increasing. The most notable increase has been in the last year. According to IBM Managed Security Services, health care accounted for less than one percent of records compromised across all industries from January 2011 to December 2014. But in 2015, health care security breaches skyrocketed: thirty-three percent of records compromised across all industries came from health care between January and October of 2015.
According to the American Hospital Association's report Cybersecurity and Hospitals, risks include loss of personal data, destruction or corruption of records, disruption to the revenue cycle, and theft of financial and intellectual property. Hospitals and health systems also face potential vulnerabilities related to functional interference with medical devices and attacks on critical infrastructure.
Boards of trustees must ensure that the hospital has a cybersecurity plan in place and identify the executive with responsibility for it. The board also should review the hospital's insurance policy to ensure coverage for cybersecurity incidents. In addition, trustees need to have confidence in the hospital's planned response and resources, including a plan for notifying the board of a breach, consistent with the hospital's escalation policy. More resources on this topic are available at www.aha.org/cybersecurity.
The Board Sets the Tone
Compliance is not a plan that sits on a shelf. It is an organization-wide responsibility that requires accountability from all leaders and employees to be successful. The board's job is to set expectations for full compliance.
Trustees should continually ask management about compliance issues and self-disclosure of those issues. The OIG report recommends that boards evaluate whether internal processes encourage communication across the hospital or health system, including encouraging employees to raise compliance concerns or questions without fear of retaliation.
Boards should be committed to their own ongoing education about regulatory and compliance issues and should ensure a trustee succession plan that includes access to risk and compliance expertise.
Making a commitment to understanding, identifying and minimizing risk is at the core of trustees' fiduciary responsibility. An effective compliance plan, led by the board, will be rewarded with an ethically centered organization, strong employee and community trust, and ultimately successful fulfillment of the hospital's community-centered mission.
Special thanks to The Walker Company for use of: New Complexities to Risk Exposure Require Increased Board Vigilance. Additional trustee resources from KHA are available in the Trustee Section of the KHA website. Additional resources from Larry Walker can be found at: www.walkercompany.com.