The second most important function an executive and/or a governance board conducts (second only to planning) is risk management. This key leadership function is evolving rapidly primarily due to the evolutionary movement around compliance (ACA, CMS, etc.) and the payer focal shift from episodic, procedural care to outcome or evidenced based care, pay-for-performance, etc. Similarly, as government policy shifts so does commercial market dynamics with like movements toward pay-for-performance and disease management. While the core concept of “enterprise” protection remains the same, the scope today is different, the breadth wider and the responsibilities and tasks more structured than say, ten plus years ago.
Risk management is the term that encompasses a series of activities, programs, policies, etc. that work (ideally) together to protect and secure the overall enterprise/organizational identity, value, market share, legal structure and by downstream relationship, the stakeholders/shareholders. Its activities, etc. are passive and active. Passive activities (examples) include the purchase of insurance and implementation of firewalls and data security systems. Active activities include audits, training of staff, QA/QI activities, customer/patient engagement programs, etc. The purpose of this post is to focus on the “active” elements and in particular, the most important elements today given the evolving environment and the new risks emerging. The purpose is to frame a model of risk prevention culture rather than an environment fraught with rule deontology and protectionism. The latter tends to breed its own kind of risk(s) in addition to the risk(s) it seeks mitigate.
I like to think of effective risk management plans today as having six key elements. Importantly, the plan is not operative while the elements are. The plan is what the organization uses to monitor the completion (activities), ongoing improvement (identification and address of organizational weakness and vulnerability), and accountability of management in identifying and managing risk. Remember, these elements are the “active” side. I, for sake of the theme of this article, will assume that providers acquire adequate insurance policies utilizing industry professionals in their development plus that they maintain modern IT infrastructure to secure patient data, etc.
- Organizational Focus on Patient Care Quality and Service: This isn’t about slogans or marketing rather, it is about having an overall and deeply integrated culture around patient care outcomes and satisfaction. In a pay-for-performance, competitive, ACO world, this element is key.
- Executive and Board involvement in QA/QI, especially at the highest organizational levels.
- Compensation for management and executives incorporating (heavily) patient outcomes and satisfaction to the degree that all other elements are dwarfed by the weight given to this measure.
- Monitoring in-place of key patient outcome data and benchmarking of the same.
- Monitoring of response and wait times. This element is key as the goal is to create response times as near as possible/practical to immediate or to minimize wait times wherever possible.
- A program of patient/family engagement that includes surveys, focus groups, etc.
- A grievance resolution system that is open, accessible and seeks to address concerns as instantaneous as possible. The approach must be around resolving concerns without delay and bureaucracy.
- Staff training focused on customer service, QA/QI, communication and dealing with patient/family stress, trauma, etc.
- Engagement of staff in a “bottom-up” program or approach whereby lower level line staff are engaged in all training, QA/QI processes, mentoring, etc.
- Audit Contractors and Sub-Contractors: The use of contractors such as physician intensivists (hospitalists) and therapy companies, imaging companies, lab providers, environmental service providers (laundry, housekeeping, etc.) is on the rise as organizations seek to control costs and improve efficiency. Contractors, etc. yield new risk as their conduct, care, service, etc. create a risk transferable directly to the parent organization. The risk of course, is multi-fold. First, as applicable, is care risk (outcomes, service, competence, qualifications, insurance, etc.). Second, is labor risk (legal status, background checks, etc.). Third, is billing risk and compliance risk. If the contractor is involved in any element of care that is billable to a payer (Medicare, Medicaid, commercial insurance), the organization must assure complete compliance with billing and care provision rules in order to negate billing fraud or inappropriate claims risk (risk of non-payment or worse). Summarized, organizations must monitor and audit, externally, the work of contractors. Immunization clauses within contracts cannot supplant audits of risk areas proportional to the scope of the service agreement. For example, the organization must audit its medical staff, the care provided, documentation, billing as applicable, patient contact and satisfaction, response times, etc. The same is true for any care service contractor.
- Billing Audits: This element is particularly crucial for government programs such as Medicare and Medicaid. Providers today must get in the habit of reviewing their claims submitted to payer sources, particularly the government. Two huge risk areas are present today. First, focused fraud actions against providers under the False Claims Act. Audits here are all about making sure that what was billed was actually provided, documented, necessary and compliant. Second, billing accuracy such that claim submissions are “clean” and “accurate”. Denials for inaccuracy, etc. can lead to imbalances in error rates and thus, probes and claims held for review. The latter negatively impacts cash flow and staff productivity as extra work to justify payment is required. I also recommend that organizations be very, very careful about compensation programs tied to revenues and claims, especially without counter-balancing elements and a strong audit program. I like billing audits that are third-party conducted, benchmarked against regional and national data (our business should look like others in the region and nationally) and occur episodically and randomly as frequent as monthly and certainly, no less than quarterly.
- Organizational Transparency and Staff Engagement: A huge risk area providers continue to face is the mixed message and incongruent messages sent to staff from leadership and at the highest levels of the organization. The impetus behind so many False Claims investigations and actions undertaken by the DOJ (Department of Justice) isn’t smart federal auditors – its disgruntled staff. Whistleblowers are the fundamental impetus behind False Claims allegations and actions. Mitigating this risk is simple (beyond doing the right things of course). Organizations, especially leadership, must be transparent and as open and candid as possible. The point here is that there really is no reason to not share goals, plans, operating data, etc. with staff. When I was a CEO, my office was never locked and thus, work and files on my desk and credenza. My compensation was open and I did not hide what I made or how I made it. Not too surprising, across decades of running large healthcare organizations, I never had a fraud allegation or an allegation of any impropriety. Staff knew what the corporate plans were, how they achieved compensation and bonuses, etc. We gain-shared so staff had opportunities to reap reward as the organization grew and performed. Staff engagement means at the planning and implementation levels. It also means active programs of training and a large amount of dialogue regarding why the organization does what it does and where the right and wrong lie. The same Whistleblower mentality is also fundamentally sound when it is used to police bad internal behavior, including that of management.
- Focus on Competence: A simple thing but rarely do I see this element boldly, prominently emphasized. Competence is about the ability to do what is required at the professional, validated level. It is about validation of core skills and abilities within a framework of education and testing. Organizations that focus on developing and maintaining staff and managerial competence limit risk inherently. All together, risk is often a byproduct of incompetence and protection of a weak, status quo. If excellence and competence is demanded and the systems engaged and in-place to assure it, then there is little room for marginal, sub-standard and incompetent to remain. How does an organization focus on competence? First, eliminate old, worn out HR policies and job descriptions and performance evaluations and replace the same with competency and behavioral standards. Competency standards are the elements one must demonstrate and perform as part of the job at a repetitive, proficient level. Behavior standards are the elements of personal conduct and accountability that the organization demands (uniforms, attendance, inservice attendance, etc.). Evaluate standards routinely, move in new skills, refine old skills, educate and test. Require ongoing passage and demonstration and be intolerant of employees and managers that can’t/won’t meet the competency and behavioral requirements. Competency standards are required for ongoing employment; reward for performance thus can only and should only occur when the base standard is consistently exceeded.
- Be Public: By employing all of your constituents in oversight, the likelihood of getting surprised or being caught off guard is minimized. Be public as possible with standards, expectations, contact information, grievance steps, etc. Be open to all criticism and frankly, demand (as much possible) feedback regarding just about anything in the business. No reason that business goals can’t be public and yes, even margin goals. Heck, explain why margins are necessary. Engage the broader universe and community and ask for input and reactions. People will tell you the good, the bad and the ugly – the latter being where potential risk lies. Force the conversation and the accountability and in doing so, limit a large area where risk can fulminate.
I had a phone conversation earlier today with a friend and colleague (he’s part owner of a rehab consulting and management company) and as we talked, the conversation reminded me about the host of issues facing health care administrators. Our conversation flowed to long-term care and specifically, SNFs (he spends a lot of his time with SNFs) and the work his firm is involved with. We kicked around some ideas and as our conversation concluded (hopefully with a golf date soon to be set), I did some thinking.
My friend always tries to get me to do “more” speaking engagements, particularly at conferences and trade association meetings and in this case, he was trying to convince me that the discussion we had was great information that “everyone should know”. Oddly enough, I agree but as time doesn’t always permit me to head out on the speaker’s circuit, it made sense to “boil down” our conversation into a quick written summary.
Health care administration, like any leadership discipline, should be (about) one-third current operations focused and two-thirds future operations focused. I realize, having done the job myself for over twenty years, that some days or even weeks bend this ratio but over the long-haul, in order for an Administrator to lead (regardless of title), he/she must be willing to step a good distance forward to lay the ground work and strategies for “what will be”. In other words, effective administration is about understanding what is going on in the industry, how events or policies, etc. not yet in effect will alter the business, and developing plans and strategies to move the “current” toward the “future’. In simpler language: Effective health care administration is principally about planning. Effective leaders have a running gap analysis in their heads; inherently understanding the current status of operations and matching that with what is yet to transpire. Leaders with tenure have a bit of advantage as they should innately understand historically, how change roles out with new government policies, changes to reimbursement, etc. The experience of having been through numerous changes in the business can’t help, if matched with effective planning abilities, but provide a clearer understanding of how to migrate current operations to the next required level of operations.
Synthesizing from my view, what has and is happening in health care today and what I see and hear about long-term care administration and the organizations in the industry, I hashed out five things (issues, concepts, etc.) that every Administrator (senior leader, etc.) should focus on. Obviously, the list could be expanded but in reality, focus on the key or critical five below will produce the kind of results administrators desire and organizations require.
- Medicare and Reimbursement: Regardless of any white-noise concerning possible delays or advances in the implementation of RUGs IV, MDS 3.0, etc., the path is laid and the dates will occur sooner rather than later. Getting clinical and billing functions up-to-speed, educated, and ready to roll is an absolute necessity. During this process, I’d analyze a whole series of issues and begin to lay the ground-work for any related changes to the present course of business, such as;
- What is the potential impact on my Medicare revenues?
- How is the revenue impact related to my current case-mix?
- Should I begin to adjust my case-mix via different marketing strategies or the implementation of some new clinical programs?
- Does my software/IT systems support new forms, new charting/documentation requirements, assessments, and billing documentation? If not, what is my vendor doing to get us there and when will they be ready?
- Big changes are about to occur in therapies particularly and what, if I am using an outside vendor for therapy, are they doing to be ready? Does this impact our contract and our overall care delivery in any way? Is now a time to consider transitioning to an in-house therapy service?
- Are we, as an organization, actively engaged in communicating what is happening to outside vendors, referral sources, etc.?
- Do we have a fully integrate project plan, budget for change implementation (training, software, etc., costs), and a methodology in-place to review, change and update policies, procedures, forms, etc.? (Names need to be involved, dates set, milestones identified, time set aside for review, time set aside for meetings, etc.)
- Compliance: This is a huge issue today and it continues to grow as health care reform upped the ante once again. There are at least a dozen or more key concerns every organization should have in this area and very recent policy and legislative activities have added to the list. Below is a sample of what should be at the forefront of every administrator’s compliance focus.
- Billing compliance, particularly Medicare. Health care reform and the focus on the part of Medicare to save money via reduction of fraud, waste, and overpayment is a hot topic now. I routinely encounter way too many administrators and organizations that have pushed the revenue per diem issue far too much under Medicare, leaving enormous areas of exposure for recovery actions to occur. In other words, I’ve seen way too much routine high level rehab coding, length of stay elongation, etc. than what the clinical documentation supports. Too often, I encounter MDS coding to substantiate rates of payment and then when the resident’s chart/record is reviewed, the documentation is far different than what appears on the MDS. Administrators need to be wary, even though the revenue numbers look good (perhaps too good), of questionable billing activity under Medicare.
- To the point above and addressed in a recent post here, all organizations should have a compliance plan and now, under health care reform, SNFs are required to have one in place this fall. Compliance is about not just being “compliant” with survey and certification rules but also with other federal laws such as Stark and the False Claims Act. There is no reason that any organization participating in Medicare and Medicaid today does not have a fully developed compliance program and a process for routine audits to preemptively identify,correct, and disclose potentially illegal activity – the ramifications under the law for providers are far too severe. For more information, see my post titled “Stark, Health Care Reform, and Updated Compliance Requirements”.
- There are new privacy and security requirements under HIPAA that organizations need to have in-place. For more information, see my post titled “New HIPAA Provision Now in Effect”.
- Survey and certification requirements such as the QIS are here and the government is in the process of revamping the Five Star rating system. As much as I think the survey and certification process is onerous and unrelated to true care quality, administrators need to understand the peril of poor performance and sub-standard quality. Keeping an up-to-date and clean survey history is vitally important in order to avoid fines, public relations problems, rising liability insurance costs and potential litigation problems.
- Patient/Resident satisfaction is an area that too many administrators believe is unrelated to compliance activity; think again. I see way too many facilities that end-up in compliance problems as a result of resident and family complaints. Dealing with satisfaction across the board is an “ounce of prevention” compared to the “ten pounds of cure” that are required when unsatisfied customers complain to the regulatory authorities.
- Transparency and disclosure are two new buzz words that every administrator should incorporate into operations. In today’s arena, disclosure of ownership, governance, staffing, etc. are the new rules of the road and there is no reason any longer not to publicly embrace a plan of transparency and disclosure of all this information and more.
- Labor Relations: The largest allocation of resources in health care is for staff via wages and benefits, etc. yet I still see too many antiquated labor relations approaches that produce high levels of turnover and poor productivity. To me, it is time for health care to adopt labor relations strategies found in other industries and in companies that have world-class employee productivity, retention, and commitment. Administrators can immediately and positively impact the bottom-line by simply focusing on improving retention, hiring practices (avoiding panic hiring and using better matching strategies), improving supervisor training, removing antiquated pay structures and reward systems, and adopting programs and policies that incorporate employees into the overall strategy and direction of the organization. Stable staff equals better compliance, higher customer satisfaction, higher productivity and lower labor costs (less turnover, less recruiting costs, etc.).
- Risk Management: Leading an organization forward is about identifying “risks” that are inherent in the business and developing plans, strategies and processes to mitigate the impact of risk on the organization’s performance. Though of another way and using a phrase I like and used to use frequently, it is about avoiding the expenditure of “stupid money”. Stupid money is money spent unnecessarily on litigation defense, turnover, higher levels of insurance costs such as liability and worker’s compensation, on agency staff or outside pool staff, on fines and forfeitures, etc. These are all expenses associated with identifiable and known risks and risks that can and should be mitigated by appropriate planning and system implementation. Extremely effective risk management tools and practices don’t require large amounts of investment or even, elaborate policies and procedures.
- The best defense is knowledge – knowledgeable and well-trained staff, active and capable management. Risk management is practice best by management being where the “risk” is, not tucked in an office or tied up in too many meetings with limited purpose, no real agenda, and no specific outcome.
- Using patient/resident satisfaction systems is simple and highly effective at identifying areas of potential problems or risks.
- Using benchmarks available from various industry sources to review facility or organization specific indicators against industry norms.
- Using programs of “gain-sharing” and other incentive compensation practices, tied to compliance, tied to satisfaction, tied to workplace accidents, absenteeism, etc.
- Keeping employees informed regarding organizational policies, standards, plans, etc. Employees involvement and input is a very simple and effective way to mitigate a whole series of risks.
- Using periodic audits to check documentation against billing, patient results and outcomes against set standards (infections, wounds, falls, etc.) and compliance with company policies and procedures.
- Education which can occur via very cost-effective means such as webinars, books, staff to staff training, trade association meetings, etc.
- Purposeful Activity: The famed educational philosopher John Dewey wrote a great deal about “purposeful activity” or the time spent engaged in seeking a desired outcome. For Dewey, this involved the application of the scientific method; the search for answers and insights via a systematic and “purposeful” approach. Health care is a bureaucracy and I watch administrators create additional bureaucracy within their own organizations either in defense of the existing bureaucracy or as a symptom of the bigger bureaucratic problem. I’ve never frankly, understood why health care is so fond of so many committees and meetings that accomplish virtually nothing and consume layers of management staff ad nauseum. Purposeful activity for an administrator is about simplifying as much of the operations and business processes as possible and sticking to some real tried and true managerial and leadership approaches.
- Every meeting must have a purpose, an outcome including a “next step”. No meetings or committees should ever be held or created without a purpose and an outcome and the outcome is never to “meet again”.
- Every manager must have enough authority and be charged with making and held accountable for decisions. Managers that are not accountable for “things” and don’t make decisions are enormous wastes of money and enormous sources of risk. Organizations that allow managers the cover of committees and meetings are wasting enormous amounts of productive energy and time.
- Formal meetings and committees should be entirely focused on two things and only two things; compliance (required reporting and information sharing) and addressing what is “new” or going to be “new”. The latter is about change and developing new strategies or learning, etc.
- Meetings must be brief and have requirements for preparation prior to the meeting and work or tasks to accomplish post the meeting. Discussions don’t require a “meeting”.
- Limit communication via voice mail and e-mail and require people to present their issues in person. Voice mail and e-mail have become the bane of office productivity as they produce “cover”, allowing people not to address what needed or needs to be done. (The famous, “I sent you an e-mail on that”).
- For an administrator, the most purposeful activity is planning and strategizing; taking in information, developing plans and strategies, and assessing the same in light of current operations. All activity, or at least as much as possible, should be focused on improving what exists today, matching future industry trends and requirements with current operations and a strategy to address the future requirements, and communicating what is happening via plans, performance indicators, etc. The test is whether the staff under the administrator can answer, “what happens next and why”.