Modern Health Care Risk Management

The second most important function an executive and/or a governance board conducts (second only to planning) is risk management.  This key leadership function is evolving rapidly primarily due to the evolutionary movement around compliance (ACA, CMS, etc.) and the payer focal shift from episodic, procedural care to outcome or evidenced based care, pay-for-performance, etc.  Similarly, as government policy shifts so does commercial market dynamics with like movements toward pay-for-performance and disease management.  While the core concept of “enterprise” protection remains the same, the scope today is different, the breadth wider and the responsibilities and tasks more structured than say, ten plus years ago.

Risk management is the term that encompasses a series of activities, programs, policies, etc. that work (ideally) together to protect and secure the overall enterprise/organizational identity, value, market share, legal structure and by downstream relationship, the stakeholders/shareholders.  Its activities, etc. are passive and active.  Passive activities (examples) include the purchase of insurance  and implementation of firewalls and data security systems.  Active activities include audits, training of staff, QA/QI activities, customer/patient engagement programs, etc. The purpose of this post is to focus on the “active” elements and in particular, the most important elements today given the evolving environment and the new risks emerging.  The purpose is to frame a model of risk prevention culture rather than an environment fraught with rule deontology and protectionism.  The latter tends to breed its own kind of risk(s) in addition to the risk(s) it seeks mitigate.

I like to think of effective risk management plans today as having six key elements.  Importantly, the plan is not operative while the elements are.  The plan is what the organization uses to monitor the completion (activities), ongoing improvement (identification and address of organizational weakness and vulnerability), and accountability of management in identifying and managing risk. Remember, these elements are the “active” side.  I, for sake of the theme of this article, will assume that providers acquire adequate insurance policies utilizing industry professionals in their development plus that they maintain modern IT infrastructure to secure patient data, etc.

1. Organizational Focus on Patient Care Quality and Service: This isn’t about slogans or marketing rather, it is about having an overall and deeply integrated culture around patient care outcomes and satisfaction. In a pay-for-performance, competitive, ACO world, this element is key.
   • Executive and Board involvement in QA/QI, especially at the highest organizational levels.
   • Compensation for management and executives incorporating (heavily) patient outcomes and satisfaction to the degree that all other elements are dwarfed by the weight given to this measure.
   • Monitoring in-place of key patient outcome data and benchmarking of the same.
   • Monitoring of response and wait times.  This element is key as the goal is to create response times as near as possible/practical to immediate or to minimize wait times wherever possible.
   • A program of patient/family engagement that includes surveys, focus groups, etc.
   • A grievance resolution system that is open, accessible and seeks to address concerns as instantaneous as possible.  The approach must be around resolving concerns without delay and bureaucracy.
   • Staff training focused on customer service, QA/QI, communication and dealing with patient/family stress, trauma, etc.
   • Engagement of staff in a “bottom-up” program or approach whereby lower level line staff are engaged in all training, QA/QI processes, mentoring, etc.
2. Audit Contractors and Sub-Contractors: The use of contractors such as physician intensivists (hospitalists) and therapy companies, imaging companies, lab providers, environmental service providers (laundry, housekeeping, etc.) is on the rise as organizations seek to control costs and improve efficiency.  Contractors, etc. yield new risk as their conduct, care, service, etc. create a risk transferable directly to the parent organization.  The risk of course, is multi-fold.  First, as applicable, is care risk (outcomes, service, competence, qualifications, insurance, etc.).  Second, is labor risk (legal status, background checks, etc.). Third, is billing risk and compliance risk.  If the contractor is involved in any element of care that is billable to a payer (Medicare, Medicaid, commercial insurance), the organization must assure complete compliance with billing and care provision rules in order to negate billing fraud or inappropriate claims risk (risk of non-payment or worse).  Summarized, organizations must monitor and audit, externally, the work of contractors.  Immunization clauses within contracts cannot supplant audits of risk areas proportional to the scope of the service agreement.  For example, the organization must audit its medical staff, the care provided, documentation, billing as applicable, patient contact and satisfaction, response times, etc.  The same is true for any care service contractor.
3. Billing Audits: This element is particularly crucial for government programs such as Medicare and Medicaid.  Providers today must get in the habit of reviewing their claims submitted to payer sources, particularly the government.  Two huge risk areas are present today.  First, focused fraud actions against providers under the False Claims Act.  Audits here are all about making sure that what was billed was actually provided, documented, necessary and compliant. Second, billing accuracy such that claim submissions are “clean” and “accurate”.  Denials for inaccuracy, etc. can lead to imbalances in error rates and thus, probes and claims held for review.  The latter negatively impacts cash flow and staff productivity as extra work to justify payment is required. I also recommend that organizations be very, very careful about compensation programs tied to revenues and claims, especially without counter-balancing elements and a strong audit program.  I like billing audits that are third-party conducted, benchmarked against regional and national data (our business should look like others in the region and nationally) and occur episodically and randomly as frequent as monthly and certainly, no less than quarterly.
4. Organizational Transparency and Staff Engagement: A huge risk area providers continue to face is the mixed message and incongruent messages sent to staff from leadership and at the highest levels of the organization.  The impetus behind so many False Claims investigations and actions undertaken by the DOJ (Department of Justice) isn’t smart federal auditors – its disgruntled staff.  Whistleblowers are the fundamental impetus behind False Claims allegations and actions. Mitigating this risk is simple (beyond doing the right things of course).  Organizations, especially leadership, must be transparent and as open and candid as possible.  The point here is that there really is no reason to not share goals, plans, operating data, etc. with staff.  When I was a CEO, my office was never locked and thus, work and files on my desk and credenza.  My compensation was open and I did not hide what I made or how I made it.  Not too surprising, across decades of running large healthcare organizations, I never had a fraud allegation or an allegation of any impropriety.  Staff knew what the corporate plans were, how they achieved compensation and bonuses, etc.  We gain-shared so staff had opportunities to reap reward as the organization grew and performed.  Staff engagement means at the planning and implementation levels.  It also means active programs of training and a large amount of dialogue regarding why the organization does what it does and where the right and wrong lie.  The same Whistleblower mentality is also fundamentally sound when it is used to police bad internal behavior, including that of management.
5. Focus on Competence: A simple thing but rarely do I see this element boldly, prominently emphasized.  Competence is about the ability to do what is required at the professional, validated level.  It is about validation of core skills and abilities within a framework of education and testing.  Organizations that focus on developing and maintaining staff and managerial competence limit risk inherently.  All together, risk is often a byproduct of incompetence and protection of a weak, status quo.  If excellence and competence is demanded and the systems engaged and in-place to assure it, then there is little room for marginal, sub-standard and incompetent to remain.  How does an organization focus on competence?  First, eliminate old, worn out HR policies and job descriptions and performance evaluations and replace the same with competency and behavioral standards.  Competency standards are the elements one must demonstrate and perform as part of the job at a repetitive, proficient level.  Behavior standards are the elements of personal conduct and accountability that the organization demands (uniforms, attendance, inservice attendance, etc.). Evaluate standards routinely, move in new skills, refine old skills, educate and test.  Require ongoing passage and demonstration and be intolerant of employees and managers that can’t/won’t meet the competency and behavioral requirements.  Competency standards are required for ongoing employment; reward for performance thus can only and should only occur when the base standard is consistently exceeded.
6. Be Public: By employing all of your constituents in oversight, the likelihood of getting surprised or being caught off guard is minimized.  Be public as possible with standards, expectations, contact information, grievance steps, etc.  Be open to all criticism and frankly, demand (as much possible) feedback regarding just about anything in the business.  No reason that business goals can’t be public and yes, even margin goals.  Heck, explain why margins are necessary.  Engage the broader universe and community and ask for input and reactions.  People will tell you the good, the bad and the ugly – the latter being where potential risk lies.  Force the conversation and the accountability and in doing so, limit a large area where risk can fulminate.