Important Content Note:

This technical assistance resource was developed prior to the

August 2017 release of the Health Center Compliance Manual by

the Health Resources and Services Administration’s (HRSA) Bu-

reau of Primary Health Care (BPHC). The BPHC Compliance Man-

ual, issued August 2017, indicates where PINS, PALs and other

program guidance are now superseded or subsumed by the

BPHC Compliance Manual.

See: https://bphc.hrsa.gov/programrequirements/pdf/

healthcentercompliancemanual.pdf

Information Bulletin #1 Updated January 2016 RM

Note that in all Information Bulletins:

The term “health center” refers to public or private nonprofit entities that: (1) receive grants under Section 330 of the Public Health Service Act (Section 330), including Sections 330(e), 330(f), 330(g) and 330(h) (collectively “Health Center Program Grant-ees”); and (2) entities that have been deter-mined by the Department of Health and Human Services (DHHS) to meet the Sec-tion 330-Related Requirements to receive funding without actually receiving a grant (“health center look-alikes”).

The term “Section 330-Related Require-ments” refers to requirements set forth in:

• HealthCenterProgramStatute:Section 330 of the Public Health Service Act (42 U.S.C. §254b),

• ProgramRegulations:42 CFR Part 51c and 42 CFR Parts 56.201-56.604

• HealthCenterProgramRequirements:http://www.bphc.hrsa.gov/programrequirements/index.html

The term “Grant Requirements” refers to Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Fed-eral Awards: 2 CFR Part 200, as adopted by DHHS at 45 CFR Part 75.

This publication was supported by Cooperative Agreement No. U30CS16089 from the Health Resources and Services Administration, Bureau of Primary Health Care (HRSA/BPHC). Its contents are solely the responsibility of the authors and do not necessarily represent the official views of HRSA/BPHC.

RISK MANAGEMENT SERIES

This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is published with the understanding that the publisher is not engaged in rendering le-gal, financial or other professional service. If legal advice or other expert assistance is required, the services of a competent pro-fessional should be sought.

Risk Management, Risk Management Programs, and Your Health Center

This Information Bulletin addresses the importance of risk management and the reasons that health centers need risk management programs. We will discuss how health centers can

assess risk and develop and implement appropriate risk management programs. Special focus is placed on implementing a risk management program and conducting a health center risk assessment. Types of questions that health centers need to ask themselves as they develop risk management programs and high risk issues areas are also addressed.

WHAT IS RISK MANAGEMENT?Risk management can be described as creating and applying a system and procedures designed to reduce liability exposures by applying “structured common sense.”

This approach to risk management can apply to everything a health center does, from its daily clinical operations to more elaborate matters, such as purchasing an accounting system or managing medical malpractice exposures. When it comes to delivering quality care, the stakes are high; if health centers do not manage and mitigate their risks successfully, they have the potential to incur significant liabilities, which, in turn, could impact (and/or impede) a health center’s ability to provide services to its patients.

Health center liability exposures — Liabilities can stem from a long list of risk areas across health center operations, including medical malpractice, noncompliance with Federal and state statutes and regulations regarding fraud and abuse in billing and payment, safety of clients and employees,

1

January 2016 National Association of Community Health Centers,

employment practices, and procurement of goods and services.

Risk management or corporate compliance1 — While developing and implementing a corporate compliance program is an integral part of an effective risk management program, risk management encompasses a much broader scope than compliance with laws and regulations. For example, a health center could be compliant with required life and safety codes, but have exposure to liability due to faulty facility maintenance. A corporate compliance program cannot be the only risk management technique employed by the health center. Instead, a compliance program represents one of essential pieces of a robust risk management program.

WHY HEALTH CENTERS NEED RISK MANAGEMENT PROGRAMSHealth centers are exposed to a myriad of risks on a daily basis. In order to manage risks across the organization on an ongoing basis, a health center should consider putting a comprehensive risk management program in place, as recommended by the Department of Health and Human Services Office of the Inspector General’s final report Risk Management at Health Centers2. A comprehensive risk management program will help to reduce the health center’s exposure to loss, both financial and otherwise. Not only is a risk management program a good business practice for health centers, but also it is required by Health Resources and Services Administration/ Bureau of Primary Health Care (HRSA/BPHC).3

♦ Under the Federal laws and regulations that apply to health centers (Section 330 of the Public Health Service Act, 42 C.F.R. § 51c.304 and §56.304), the health center’s governing board must ensure that the health center is operated in compliance with applicable Federal, state, and local laws and regulations.

♦ The Federally Supported Health Centers Assistance Act requires that health centers that intend to be deemed pursuant the Federal Tort Claims Act (FTCA) program have implemented appropriate policies and procedures to reduce the risk of malpractice and the risk of lawsuits arising out of any health or health-related functions performed by the entity.4 Implementing a risk management program to minimize exposures to risks constitutes an integral part of assuring such compliance.

♦ BPHC expects all health centers to develop and implement appropriate risk management policies and procedures. According to the Health Center Program Site Visit Guide, under Program Requirement 8, Quality Improvement /Assurance Plan, reviewers are instructed to review policies related to and/or supporting the QI/QA Plan, including “risk management policies.”5

1 Corporate compliance is the development and implementation of policies and procedures to avoid violations of laws, regulations, rules and ethical standards by employees, contractors, agents and others.

2 OIG Final Report: Risk Management at Health Centers (OEI-10-03-00050) Department of Health & Human Services, Office of Inspector General, Washington, D.C., February 17, 2005.

3 See Health Center Program Site Visit Guide for Health Center Program Grantees and Look-Alikes, November 2014/Fiscal Year 2015 at http://bphc.hrsa.gov under Health Center Program Requirements and Federal Tort Claims Act Health Center Policy Manual at http://bphc.hrsa.gov under Federal Tort Claims Act

4 42 USC §233(h) (1).

5 See Health Center Program Site Visit Guide for Health Center Program Grantees and Look-Alikes, November 2014/Fiscal Year 2015 at page 15.

Risk Management Information Bulletin #1

2

National Association of Community Health Centers January 2016

♦ The FTCA deeming (and redeeming) application also requires health centers to demonstrate various aspects of the implementation of a comprehensive risk management program.6 Additionally, in the past several years FTCA deeming application guidance has reminded health centers that “HRSA may conduct a site visit at any point during the application review process and/or as part of its oversight responsibilities relative to the FTCA program to ensure that risk management, QI/QA policies and procedures, and credentialing have been appropriately implemented.” “Site visit reviewers will assess whether the grantee has … “implemented appropriate policies and procedures to reduce the risk of malpractice and the risk of lawsuits arising out of any health or health-related functions performed by the entity”.

While the Operational Site Visit Guide and the FTCA deeming application discuss some of the areas to be covered by a risk management program, the ECRI Institute provides a clinical risk management program on behalf of HRSA.7 Remember to consider these recommendations alongside other operational areas that necessitate risk management policies such as disaster management protocols, transportation protocols, financial controls and clinical requirements. This Information Bulletin suggests a general framework for a design and implementation from which to begin.

IMPLEMENTATION OF A RISK MANAGEMENT PROGRAMOur discussion of risk management program implementation is divided into three steps, the 1) WHO? 2) WHAT? 3) HOW of implementation.

WHO Should Have Input into Risk Management Implementation?

As noted above, in any complex organization risk and the potential for loss abound in and around health centers. It may therefore be difficult to know where to begin in establishing a program.

♦ As a first step, the health center should charge a point person (the Risk Manager) with the responsibility of developing and coordinating the program. Ideally, the Risk Manager should be an individual familiar with all functional areas of the health center, possibly the corporate compliance officer or someone who works closely with that person. For the purposes of this Information Bulletin, we will call this point person the Risk Manager, although he or she does not have to go by that title, and risk management may not be his or her sole function within the health center.

♦ A committee with representatives from different functional areas of the health center should be established to support the Risk Manager’s efforts. Such a committee will help ensure that each aspect of the health center’s operations is considered and will assist in promoting a comprehensive, yet realistic, risk management program. The Risk Manager, with input from the committee, should define individual and team responsibilities and assignments (i.e., analyzing existing health center policies in each functional area, drafting

6 See current Program Assistance Letter for Calendar Year Requirements for FTCA Medical Malpractice Coverage for Health Centers (e.g., PAL #2015-03).

7 See ECRI Institute Clinical Risk Management Services at https;//www/ecri.org

Risk Management Information Bulletin #1

3

January 2016 National Association of Community Health Centers

policies, etc.) and set a realistic schedule for implementation.

♦ Cooperation and participation of the health center’s management and staff at all levels is essential for a successful risk management program. It is important to involve appropriate directors, officers, employees, contractors, and volunteers in the risk management program in order to ensure that there is comprehensive and meaningful input. Moreover, without support from all of these individuals, the outcomes of the risk management program may be less successful. Implementing any change can be difficult in most organizations, and health centers are no exceptions.

♦ Finally, the health center’s board must play an important role in overseeing the implementation of the health center’s risk management program. The board may choose to have the Risk Manager report to a particular committee, such as a quality assurance committee, or to the board as a whole at board meetings. The Risk Manager and the board will have to work together to develop a process by which the board’s expectations concerning risk management are communicated to the Risk Manager and to the health center as a whole. The Risk Manager must also effectively communicate the key aspects of the risk management program and progress to the board in order to allow them to perform their necessary oversight functions.

WHAT Areas of Risk Exist? – The Risk Assessment

The risk assessment is a critical component of a health center’s overall risk management program. The assessment includes risk identification and risk analysis.

Risk Identification

The Risk Manager with input from the committee should begin the risk assessment process, by identifying areas of the health center’s operations that are at risk or may present risk. Risk identification should focus on all areas of the health center’s operations to consider what might cause a loss (“loss” refers to not only financial resources, but also other resources such as employee time). Risks can be identified using a variety of techniques including interviewing, checklist analysis, facilitated workshops, and scenario analysis. One way to begin the risk identification process is to review insurance claims histories and incident/occurrence reports; however, past history will not adequately identify all risks.

Risk Analysis

Once risks are identified, there may be so many as to be overwhelming and unmanageable. It is helpful to categorize risks such as whether the risk is controllable or non-controllable and external or internal. This step should include an analysis of what the health center does or does not do that might cause loss. The key questions to ask are:

1. What can go wrong?

2. What has gone wrong in the past?

Risk Management Information Bulletin #1

4

National Association of Community Health Centers January 2016

The analysis should include an assessment of various types of risk, including clinical, operational, legal, regulatory, human resources-related, technology, and financial risk.8

♦ Clinical — is the possibility of an adverse outcome resulting from clinical investigation, treatment or patient care. Clinical risk can include medical staff credentialing, misdiagnosis, surgical procedures, administration of medication, treatment, research issues, experimental procedures, informed consent issues, HIV testing and disclosure, medical records, other areas that affect patient care and service.

♦ Operational — possibility of loss or damage to buildings, office equipment (including management information systems), personal property, and vehicles, machinery malfunctions, harm to staff and patients, as well as the possibility of theft or dishonesty.

♦ Legal — quality of care issues, statutory responsibilities of employers to employees (state workers’ compensation), liabilities pursuant to contract, and tort liabilities under which the health center can be sued for alleged injuries to patients, employees, and others.

♦ Regulatory — Federal, state, and local regulations; compliance issues.9 Note: An effective corporate compliance program designed to satisfy Office of Inspector General guidelines is a critical risk management tool.

♦ Human Resources — risks that relate to the health center’s workforce throughout the lifecycle of the employment relationship, from recruitment and retention to termination.

♦ Technology — risk associated with the use of technology throughout the organization, from vulnerabilities to the confidentiality, integrity, and availability of data to risk related to the

organization not keeping up with technological advancements in the health care industry.

♦ Financial — maintaining solvency, grants management issues, maintaining appropriate documentation of cost reasonableness, allocability, and allowability, appropriate fiscal management standards and cash drawdown policies, officer and employee bonding, reserves, and investments.

Getting input from a variety of levels and functional areas will be important at this step to ensure that possible material risks are identified — it is wise to be more inclusive, rather than less. For example, maintenance staff may best be able to address important facilities management and safety issues and, as such, should be consulted when assessing risks in those areas. By intentionally focusing the risk assessment through the full gamut of health center operations and activities, the health center will be better able to protect itself in the future.

The frequency with which a health center conducts a risk assessment will vary based on resources available and the amount of support that staff contributes to the process. We recommend that health centers endeavor to conduct a comprehensive risk assessment at least every two years. Certain high risk areas should

8 Although this list of risk areas does not include every conceivable risk that a health center may encounter, it is broad enough to help the health center identify a wide variety of risks.

9 Some regulations specifically require that entities conduct risk assessments. For example, the Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires that health centers conduct a risk assessment to ensure compliance with HIPAA’s administrative, physical, and technical safeguard, as well as reveals areas where protected health information (PHI) could be at risk. Because this Information Bulletin is intended to provide general guidance on risk management design and implementation, it does not address the specific requirements of the risk assessment required by the HIPAA Security Rule.

Risk Management Information Bulletin #1

5

January 2016 National Association of Community Health Centers

be assessed more frequently. For example, the OIG recommends that an audit of claims submission, one part of a comprehensive risk assessment, should be conducted on an annual basis.10

The following pages are a checklist that the Risk Manager can use to assist in getting started with the risk assessment phase. This checklist is by no means an exhaustive list of risk management areas and should be tailored to each health center’s specific requirements and activities.

How to Implement a Risk Management Program?

The key point in risk management is staying in control of the risk. Once the Risk Manager and committee have developed a comprehensive list of areas of potential risk, they should strategize about the health center’s “process of risk control.” By working their way down the list of identified risks from the greatest risk of loss to the smallest, the risk management team can discuss and determine which risks must be eliminated, reduced, or avoided. Some questions to ask at this step are:

♦ What are the most important areas in which the health center cannot afford to have anything go wrong?

♦ What mistakes, errors and wrongdoings can the health center eliminate entirely?

♦ What risks can be avoided?

♦ What risks can be reduced?

♦ How should these changes be made?

The method of risk control should be commensurate with the likelihood of risk that was determined during the risk assessment phase. In other words, the key

at this stage is to ensure that the risk management method selected (mitigation or avoidance, for example) fits the nature of the risk being considered. It is not effective risk control to simply say that a particular area of risk will be avoided when such a conclusion would be completely unrealistic. For example, it would be unrealistic for the health center to determine that it will avoid all risks related to transportation and vehicle use by eliminating transportation services; however, mitigation of risk could take place by instituting driver safety training program, or eliminating a particularly risky travel route and substituting a safer or less traveled route in its place. Mitigation can also take place by ensuring that routine maintenance on vehicles is scheduled and performed.

Methods of Risk Control

For effective risk management, begin with health center’s top priority risks and work your way down the list. Select suitable methods for controlling or avoiding risks. These methods include:

♦ Risk Avoidance – Risk avoidance eliminates the source of a risk by discontinuing a certain practice or service. Risks deemed too hazardous for the health center to assume should be eliminated or contracted out. Explore other options that do not involve retaining the risk. The “down- side” to risk avoidance is that discontinuation of certain services may not always be feasible or desired. Examples: discontinuing a health center’s evening hours of operations because of security concerns and the expenses associated with hiring a security guard; eliminating the direct provision of certain non-mandatory services.

10 OIG Compliance Program Guidance for Individual and Small Group Physician Practices, 65 Fed. Reg. 59,434 (Oct. 5, 2000). Although health centers are not specifically identified in the Guidance as a type of small group physician practice, of the Guidance documents issued by OIG, this Guidance is probably the most pertinent to health centers.

Risk Management Information Bulletin #1

6

National Association of Community Health Centers January 2016

♦ Risk Reduction – This method minimizes the potential for risk through a reduction in frequency of exposure to risk or a reduction in its severity. Determine what risks are susceptible to being reduced through instruction and training. Examples: Developing a program of equipment inspection, testing, and maintenance may serve to reduce the risk associated with equipment failure; instituting a process for promptly addressing building code violations; training medical staff to recognize and respond to allergic reactions to medication.

♦ Separation – Risk separation reduces losses of irreplaceable items, such as donor lists, by making copies and keeping items stored in separate locations and keeping items such as important computer files and software in safe, locked locations.

♦ Retention – Risk retention involves a strategic decision to bear a risk. With risk retention, a health center is making an informed decision to “gamble” by retaining a risk because of little opportunity for a downside or because the downside itself is bearable. Example: A health center uses an old van to run errands or transport volunteers. The van may be worth only $500, but runs well. Instead of purchasing collision insurance, the organization could decide to retain the risk of collision loss and accept the potential loss of a $500 van. (Note: while the health center may wish to assume the risk with respect to collision loss in such a situation, it should still obtain sufficient insurance with respect to bodily harm and injury.)

♦ Transfer of risk – A health center may be able to transfer certain risks to another party by insurance or by contract to a subsidiary or related organization. With the other entity taking on the risky activity, the risk may be transferred away from the original source. Example: where appropriate, the use of contracted physicians for highly specialized (high risk) services rather than employees; contracting for janitorial staff as opposed to directly hiring such staff in order to

Risk Financing

Despite planning to control risks, it is important to remember that even the best-laid plans sometimes go awry. Some form of loss is bound to occur even when all foreseeable areas of exposure are considered. Therefore, after establishing how the health center should plan to control its risks, it is imperative that the Risk Manager together with the committee focus on “risk financing,” and determine how the health center will pay for the eventual costs of any losses that it incurs. Determining the exact method by which to finance risk depends on the specific budget constraints and finance mechanisms any given health center has in place. Common examples, however, include establishing a defined contingency reserve from which to draw against for losses incurred, and/or obtaining appropriate insurance to cover such losses.11

11 See Risk Management Information Bulletin #11, “Beyond FTCA: Purchasing Insurance Coverage to Protect Your Health Center from Liabilities” for a discussion of health center insurance needs at http://www.nachc.com Search in MyNACHC.

Risk Management Information Bulletin #1

7

January 2016 National Association of Community Health Centers

Going Live

The risk management program should be incorporated into the health center’s operational policies and procedures and should apply to every activity performed by the health center. The Risk Manager and the committee should make certain that all potential risks scenarios have been evaluated and focus on filling gaps that exist in the existing health center policies. When the point person/committee has completed drafting risk management policies and procedures, the proposed policies and procedures should be brought before the Board for approval. Once the Board has approved the risk management procedures and policies, the risk management team and health center administrators should begin to implement them. If the Board vetoes certain risk management policies or procedures, an attempt should be made to understand the Board’s reasoning and determine if (and how) the policy should be modified. Any substantial amendments will need Board approval as well.

Risk Monitoring and Training

The final step of the risk management process brings it full circle. This is the monitoring stage, in which the risk management techniques that have been approved by the board and implemented by management are reviewed and evaluated to determine whether and how well they are working. If modifications are necessary, they should be implemented in an efficient and effective manner. It is critically important that the Risk Manager and the committee seek to educate all health center employees and contractors about the details of the risk management program so they understand its importance, its urgency, and its substance.

Modifications of risk management techniques may occur for a variety of reasons. For example, the health center could discover that a certain implemented technique does not prevent an adequate amount of loss, as anticipated. More frequently, regulatory standards may change and the health center’s risk management program will need to be changed with them to ensure that the appropriate risks and losses are being prevented or minimized. Because the nature of risk management is non-static, such change should be considered an essential part of the process. Beyond identifying necessary changes through the means noted above, the health center should periodically assess the health center’s risk and the effectiveness of the program, policies and procedures currently in place.

Success of the risk management program is dependent on staff understanding of the program and its importance. The Risk Manager and the committee must educate all health center employees and contractors about the details of the risk management program so they understand its importance, its urgency, and its substance. Presentations should be made to employees to explain the overall purpose and goals and how the risk management program will affect their jobs and functional areas. Such education programs should occur at least annually, but may occur more often if changes are made to the program or if otherwise necessary. Additionally, newsletters, bulletin board notices, and email may be useful tools for reminding program staff about the importance of risk management.

Remember, risk management is never “complete”—there is always more to do. Ensuring that the risk management activities of the Center are faithfully adhered to will make future program adjustments easier on all employees whose jobs the changes will affect.

Risk Management Information Bulletin #1

8

National Association of Community Health Centers January 2016

CHECKLIST OF CATEGORIES TO INCLUDE WHEN DESIGNING AND IMPLEMENTING RISK MANAGEMENT POLICIES AND PROCEDURES

Risk Assessment of Organizational/Corporate Activities

F Does the health center have policies and procedures regarding compliance with all state and federal tax and other corporate filing requirements?

F Does the health center have policies and procedures that protect its status as a tax- exempt organization? In particular, does the health center have policies and procedures with respect to:

♦ The determination of “reasonable compensation,” including consideration of all compensation (e.g., fringe benefits, life insurance, incentive compensation)?

♦ Limitations on lobbying activities, as well as appropriate registration and disclosure of lobbying activities?

♦ Prohibition on participation in political campaign activities?

♦ Fundraising and the rules regarding deduction of contributions to the health center (i.e., written and contemporaneous acknowledgement by the health center of any contribution over $250, and a statement that, if the donor receives something of value, he or she can only deduct the amount of the donation above such value)?

♦ Classification of staff as either employees or independent contractors, based upon IRS Revenue Ruling 87-41 that sets forth criteria for such determination?

F Does the health center have policies and procedures concerning the review of contractual obligations, as well as the monitoring of its collaborations and affiliations with external providers, vendors, and other organizations serving the same or similar populations?

F Does the health center have policies and procedures regarding the establishment and maintenance of accurate financial records and systems, in accordance with applicable federal and state statutory and regulatory requirements?

F Does the health center have policies and procedures regarding authorization to sign checks and contracts, use of letterhead and the health center’s name and related administrative concerns? In particular:

♦ Does the health center keep the corporate checkbook in a locked area and limit signature authority on checks and other precautionary methods to ensure the safety of checks (i.e., clearly marking checks as “VOID” or “FOR DEPOSIT ONLY”, as applicable)?

♦ Has the health center installed a system of “checks and balances,” wherein each financial responsibility is divided among more than one person, so that one person authorizes action, another performs the action and a third reviews the action?

♦ Does the health center maintain an accounting calendar that, at a minimum, includes deadlines to prepare and, as necessary, submit important employment-related and financial documents (e.g., time sheets; payroll tax payments; checks to vendors)?

F Has the health center bonded all employees handling money (and any other appropriate employees)?

F Does the health center have policies and procedures concerning record retention and destruction?

F Does the health center have in place information management systems and processes to meet internal and external needs? Does the health center have a system that will promote and maintain information security, including data integrity?

Risk Management Information Bulletin #1

9

January 2016 National Association of Community Health Centers

F Does the health center have policies and procedures calling for periodic review and modification (as necessary) of the organization’s procedures, programs, systems, and activities for compliance with all applicable federal, state, and local laws and regulations, as well as the health center’s Articles of Incorporation, Bylaws, and operational policies?

Risk Assessment of Human Resources Matters

F Does the health center have policies and procedures concerning personnel?

F Are all personnel files complete and stored in a secure location?

F Does the health center employ an adequate number of qualified staff?

F Does the health center have in place mechanisms by which the competence of all staff is continually and consistently assessed, maintained, demonstrated and improved?

F Does the health center provide for new staff orientation that provides initial job training and information, and assesses capability to perform job responsibilities/?

F Does the health center have policies and procedures to supervise and monitor PAs, APNs, RNs and other staff?

Risk Assessment of Patient and Employee Safety

F Has the health center established a Safety Committee/designated a Safety Officer or designated staff members to maintain an organized health and safety program, including the scheduling of regular safety meetings and periodic training sessions?

F Does the health center provide the staff, volunteers, trainees/interns and others, as appropriate, orientation and ongoing training regarding current health and safety techniques, based on job duties, applicable law and regulation, the identified needs of the clients and the services provided?

F Does the health center have a policy regarding off-site safety of employees, including required check-in with the health center and the employee’s option not to proceed with off-site activities if he or she is believes that his or her safety is threatened or compromised?

F Has the health center developed a coordinated process to reduce and control infection in patients and health care workers? Does the process include, as appropriate, the reporting of infections within the health center to public health agencies?

F Has the health center developed procedures by which incidents can be analyzed and tracked, and, in the event of recurring incidents, corrective action can be taken?

F Does the health center have a plan for managing its equipment (including, but not limited to, medical equipment) and supplies? Does the health center have in place a system for maintenance, testing, and inspection of equipment and supplies?

F Has the health center developed written emergency plans for a wide range of potential events, including procedures to test emergency plans on a regular or rotating basis and to develop and document necessary corrective action? Does the health center conduct emergency drills to test emergency preparedness?

F Does the health center have fire suppression equipment and adequate first aid supplies placed in accessible locations, and does it inspect such equipment and supplies at least annually?

Risk Management Information Bulletin #1

10

National Association of Community Health Centers January 2016

F Does the health center verify at least annually the safety of the facility(s), grounds, and parking areas, and, if necessary, has the health center installed adequate security equipment and developed controlled access policies?

F Does the health center have a plan for managing hazardous waste and materials?

F Has the health center developed appropriate procedures for transportation-related risks, including procedures to ensure that:

♦ Drivers and vehicles satisfy all applicable legal requirements?

♦ Vehicles have adequate first aid supplies and other emergency supplies and equipment?

♦ Drivers have been sufficiently trained in emergency procedures, accident reporting requirements and proper techniques to assist persons with disabilities?

Clinical Risk Management

F Does the health center have a risk manager and does that person have at least one year of clinical risk management experience.

F Does the health center have written medical record policies and procedures that address privacy, completeness of documentation and archiving and the health center conducts reviews to ensure these policies are being met?

F Does the health center have implemented policies that address triage, walk-in patients, telephone triage, no-show appointments, referral tracking hospitalization tracking, and diagnostic tracking?

F Does the health center have a quality assurance/quality improvement program that meets HRSA requirements?

F Has the health center developed procedures by which incidents/potential risks are reported and tracked?

F Are incidents analyzed, patterns observed and improvements made to reduce future risks?

F Does the health center have a peer review program where the results are incorporated into the evaluation of clinical staff performance?

F Does the health center have a credentialing and privileging program that meets, at a minimum, all HRSA requirements?

F Does the health center conduct documented periodic assessments to identify, prevent and monitor medical malpractice risk?

F Does the health center have a system to monitor and manage all malpractice claims?

F Is there any pending litigation under FTCA?

F Does the health center have all clinical tracking systems required by HRSA? Does the health center monitor the performance of those systems?

F Does the health center meet the requirements to be deemed eligible for FTCA professional liability coverage?

Risk Assessment of Insurance and Indemnification

F Has the health center secured and maintained appropriate insurance including:

♦ General liability

♦ Property, including fire and theft

♦ Workers compensation

♦ Professional liability (including FTCA coverage if applicable and “gap” policies)

♦ Employment practices Liability insurance (EPLI) to cover a wide range employment practices and employment-related claims

♦ Data breach insurance

♦ Directors and officers liability insurance (D&O)

♦ Business interruption/revenue loss?

♦ Automobile/vehicle?

Risk Management Information Bulletin #1

11

January 2016 National Association of Community Health Centers

F Does the health center’s D & O insurance cover the costs of legal defense for:

♦ Indemnification for loss (i.e., reimbursing the insured person for defense costs incurred by the insured during the course of his or her defense of claims)?

♦ Duty to defend (i.e., imposing on the insurer the right and duty to defend the insured person and to pay directly the costs of such defense at the time they are incurred)?

F Does the health center provide discretionary indemnification of directors and officers under conditions not mandated (but permitted) under state law?

When Implementing a Risk Management Program, A Health Center Should Remember to:

F Keep the process simple and straightforward:

♦ Clearly define individual and team responsibilities and assignments.

♦ Establish a schedule for implementation.

♦ Make a broad-based effort to inform or involve appropriate directors, officers, employees, contractors, and volunteers.

F Bring major program and policy ideas to the Board for approval.

This Information Bulletin was written for NACHC by:

Molly S. Evans, Esq.

Martin J. Bree, Esq.

Feldesman Tucker Leifer Fidell LLP

Washington, D.C.

For information about these bulletins, contact:

Betsy Vieth at NACHC at bvieth@nachc.com

F Include education for employees and contractors about the program’s importance and its application to their jobs.

F Reward effective performance and, as appropriate, sanction inappropriate performance or high risk conduct.

F Institute necessary changes and updates in a timely manner.

CONCLUSIONHealth centers have many incentives to minimize risk and prevent loss, including conserving resources (both financial and other), practicing sound management, and operating as efficiently as possible in order to foster their missions. The implementation process, however, should not be complicated or taxing just because it is important. If the risk management team can work with the board to gain approval for major risk management program policies and procedures, as well as work with staff to ensure they understand how to use and abide by the program, the implementation process will likely progress reasonably smoothly.

Risk Management Information Bulletin #1

12

National Association of Community Health Centers January 2016

7501 Wisconsin Avenue, Suite 1100W

Bethesda, MD 20814

Telephone: 301-347-0400

Fax: 301/347-0459

Website: www.nachc.com

Risk Management Information Bulletin #1

13

January 2016 National Association of Community Health Centers