Ppt for Healthcare Risks
HEALTH CONTINUUM
Governments
Public health organizations
Agencies
Patients
Others
Healthcare providers
a KONNECTORS presentation
MAJOR CATEGORIES OF RISK IN HEALTHCARE
• Project risks
• Legal & Regulatory risks
• Reputation risks
• Corporate Governance risks
• Business continuity risks
• People risks
• Supply chain risks
• Technology risks
• Economic risks
• Social risks
A list of audit universe areas where applications are present to better assess the IT risks of health-care providers. Risk areas identified* include:
• Accounts payable.
• Admissions, discharges, and transfers.
• Ancillaries.
• Billing and accounts receivable.
• Cardiology.
• Core clinical activities.
• Cost accounting.
• Decision support.
• Emergency department.
• General ledger.
• Health information management.
• Human resources.
• Laboratory.
• Materials management.
• Payroll.
• Pharmacy.
• Physician practice management.
• Radiology.
• Scheduling.
• Surgery.
The audit universe also identified general control areas that should be examined during the assessment. These areas include:
• Application change controls.
• Backup and recovery processes.
• Compliance initiatives.
• Disaster recovery planning efforts.
• Infrastructure configuration management activities.
• IT management processes.
• Network infrastructure, security administration, and server infrastructure activities.
• System development and acquisition life cycle initiatives.
• Third-party services.
• Data center environmental controls.
Finally, besides identifying general control areas, the audit universe pinpoints a number of common IT security high-risk areas, including Web applications, medical devices connected to the network, wireless networks, and application interfaces. Below is a description of each high risk and its associated audit universe area.
Risk assessment of IT risks in Healthcare
Assessing IT Risks in the Healthcare Industry
While the adoption of new technology offers a number of benefits and gives health-care providers the opportunity to gain a competitive advantage, it also introduces new risks into the environment that must be managed appropriately. Health-care providers are rapidly deploying IT systems to dramatically change business processes, create new opportunities, and reduce costs. Because failures in health-care technology can be life threatening, internal auditors need to become aware of the different technology-related risks in the health-care field and learn about potential audit approaches to address identified problem areas.
As part of their work, health-care providers collect and maintain non-clinical personal information that could be used for identity theft purposes, such as Social Security numbers and credit card and insurance account information. In addition, many organizations are adopting automated health information systems, thus highlighting the importance of continuous system availability and decreased downtime. Hence, data integrity remains a critical factor that is necessary to ensure better patient care and is an area that is regulated more and more through different national and industry-specific regulations.
Considering the different IT security risks that are affecting organizations and the technologies used in the health-care field, where should internal auditors and organizations focus their audit activities? A good starting point is to conduct an IT enterprise risk assessment. Ideally, this risk assessment should be revisited and updated as necessary on a continuous basis. The Health Information and Management System Society's (HIMSS's) 18th Annual Leadership Survey provided insight into the priorities of CIOs in the health-care sector, their areas of perceived risks, and the tools used to mitigate those risks (refer to the 3 charts below).
Revenue Assurance in a Hospital
Charge Description Master (CDM): Is the hospital reviewing this area on a regular basis to make sure they capture charges correctly? Coding and charge information can change frequently and if a procedure is recorded incorrectly, a hospital may not receive the correct reimbursement amount.
Pharmacy: What system does the hospital use for medications? How are medications controlled? How are patient accounts charged?
One day stays: What are the criteria for admissions? How are the criteria applied for medical observation? Is the billing corrected if the criteria are not met?
Managing cash activities: How is cash accounted for? How are receipts given out? What types of receipts are utilized? How is this information recorded into a patient’s account? Is a lock box used to hold onto cash until deposited to a central location? How often is cash collected and deposited? What controls are in place for cash handling and who handles the cash?
Admitting and registration of patients: When a procedure has been scheduled in advance, how does the hospital register the patient? Does the admitting area ask for identification and insurance information upon arrival at the hospital? Are any co-payments and deductibles discussed prior to the procedure taking place? How are co-payments and deductibles collected?
Laboratory: Is the laboratory in compliance with OIG guidelines? Do reference forms contain all needed diagnostic information? Is there a maximum time limit for standing orders? How does the laboratory charge? On result only?
Charity care: Is there a process in place to maintain charity applications? Are logs maintained? Who approves charity write-offs? Who reviews write-off codes for compliance with hospital-level services defined by HCAP?
Miscellaneous: Are the discounts (in case of multiple services availed by a patient and available at that time under Hospital’s policy) properly adjusted at the time of billing?
On average, companies lost seven percent of revenue to fraud in 2008, according to the Association of Certified Fraud Examiners (ACFE) 2008 Report to the Nation on Occupational Fraud and Abuse.
PRIORITY A
Processes with risks that are both significant and likely. Unless risks are well managed, they should be a key focus of the audit plan.
PRIORITY B
Processes with significant but less likely risks will receive audit focus if they relate to or can be efficiently audited with other 'A' processes.
PRIORITY C
Processes with likely but low-significance risks. Minimal audit focus.
PRIORITY D
Minimal or no audit focus.
Human Resources; Patient Satisfaction
Legal & Regulatory; Contracts;
Information Systems; Treasury
Patient Services; Revenue Cycle
Supply Chain Management
Grant Administration
For the evolving hospital industry, managing risk is a high-stakes business issue.
Some associated risks
Healthcare providers & Others, and sample risk(s) associated with each:
Hospitals (Private/ Government): Not enough beds to accommodate all patients; whether proper billing charged to the patients.
Nursing Homes: Running without license; either short on some medicines/ injections or a doctor not available on duty (for any reason, in an emergency).
Testing Laboratories: Personnel not available to do the testing & hence further delay in patients’ treatment.
Pharmaceutical Companies: Some medicines’ supply not frequently available or very highly priced; regulation risks.
Diagnostic Centers: Some machines not working properly.
Medical Equipment (X-ray machines, BP testing machines, CT scan machines, etc) Manufacturers: Not able to meet the demand for the various machines from all the customers (including hospitals/ R&D centres, etc).
Health Insurance companies/ Third Party Administrators (TPAs): Claim settlements; forged documents; hospitals charging higher rates (where mediclaim is applicable).
Colleges/ Universities/ Institutes teaching medicine: Not able to meet the demand of the medical professionals as required.
Specialised R&D centres: Breach of agreement vis-à-vis technology transfer; failure of research resulting in writing off of expenditure incurred.
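Top 10 Risks 2010 * (5 risks were present earlier too)
Risks that were identified in 2010 were present in surveys of 2005 & 2007 too.
• Payment increases consistently below medical inflation: potential for precipitous reductions in reimbursement as a result of state and federal regulatory changes
  Level of risk in 2007: Top-Level. Level of risk in 2005: Top-Level. Percent of respondents who believe that passage of healthcare reform will increase this risk: 92%. Estimate of an organization’s ability to control this risk: Limited or none.
• Physician relationships: ability to control the direction and level of alignment of physicians and institutions
  Level of risk in 2007: Top-Level. Level of risk in 2005: Top-Level. Percent of respondents who believe that passage of healthcare reform will increase this risk: 96%. Estimate of an organization’s ability to control this risk: Reasonable.
• Increased enforcement initiatives and governmental challenge of overpayment for services (e.g. RAC, MIC, and ZPIC audits, Stark anti-kickback statutes, false claims laws, antitrust, etc.)
  Level of risk in 2007: Low-Level. Level of risk in 2005: Mid-Level. Percent of respondents who believe that passage of healthcare reform will increase this risk: 89%. Estimate of an organization’s ability to control this risk: Some.
• Unfunded mandates for the provision of healthcare services
  Level of risk in 2007: Top-Level. Level of risk in 2005: Top-Level. Percent of respondents who believe that passage of healthcare reform will increase this risk: 66%. Estimate of an organization’s ability to control this risk: Limited or none.
• Increasing cost of capital and significant gap between capital needs and capital available from all sources
  Level of risk in 2007: Low-Level. Level of risk in 2005: Low-Level. Percent of respondents who believe that passage of healthcare reform will increase this risk: 66%. Estimate of an organization’s ability to control this risk: Some.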
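Top 10 Risks 2010 * (5 new risks in 2010)
Risks that were identified as new in 2010.
• Preparedness for clinical automation: inadequate information technology requiring investment in more sophisticated information systems
  Percent of respondents who believe that passage of healthcare reform will increase this risk: 83%. Estimate of an organization’s ability to control this risk: Reasonable.
• An extended economic recovery or a return to a significant recessionary environment; unemployment increases and continues to remain high
  Percent of respondents who believe that passage of healthcare reform will increase this risk: No additional impact. Estimate of an organization’s ability to control this risk: None.
• Improving performance in the midst of accelerating regulatory and marketplace change
  Percent of respondents who believe that passage of healthcare reform will increase this risk: 85%. Estimate of an organization’s ability to control this risk: Reasonable.
• Rebuilding the organization’s balance sheet
  Percent of respondents who believe that passage of healthcare reform will increase this risk: 73%. Estimate of an organization’s ability to control this risk: Reasonable.
• Significant reduction in employer-based insurance
  Percent of respondents who believe that passage of healthcare reform will increase this risk: 77%. Estimate of an organization’s ability to control this risk: None.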
Important auditable functions/ areas from a Hospital’s perspective:
SERVICE DELIVERY: Medical strategy & service excellence; Patient reception & admission; Diagnosis & Patient treatment; Patient discharge & rehabilitation services; Medical record maintenance
Stakeholder perspective: Corporate Governance; Business Planning; M & As and Projects; Marketing & Sales
Cost perspective: Procurement - Medical supplies; Procurement - Capex; HR & Payroll
Some other enablers: Insurance including TPA; Housekeeping; Operating systems & IT
Miscellaneous: Blood Bank management; Waste & Energy management; F&B; Legal & Taxation; Inventory management; Customer service
Process/ sub-process with High risk criticality
Functional audit areas of focus (High risk)
i Hospital Governance
ii Medical & Quality Audit
iii Operations Support Audit
iv People Audit
v Finance & Accounts
vi Compliance Management
Hospital Governance
• Mergers & Acquisition – Internal Control DDR
• Medical Strategy & Quality
• Capacity Management
• Quality Compliance Management – NABH/ JCI
• New Projects
• Corporate Governance
• Marketing
Compliance Management
• Medical Records
• Secretarial
• EHS
• Other enactments
• JCI standards
• NABH standards
Medical & Quality Audit
• Stress Care Centres
• Operation Theatres
• ICU, MICU, ICCU & PICU
• Imaging Centres & Laboratories
• Vascular Rooms
• Cardiac Recovery rooms
• Preparatory room
• Recovery room
• Ambulance services
• Surgical Services
• Blood bank management
Operations Support Audit
• Admissions
• Procurement including CPC
• Inventory Management
• Discharge & Billing
• Patient Safety – Incident Management
• Insurance including TPA
• Bio / Non Bio Medical equipment
• IT Support – FOS, ITGC, ERP, Business Continuity & DRP
People Audit
• HR Planning & Recruitment
• Employee training
• Roster management
• Leadership Development Initiatives
• Performance Appraisal process
• Employee Satisfaction Survey
Finance & Accounts
• Budgeting
• Accounts Receivable
• Accounts Payable
• Fixed Assets Management
• Capital Expenditure
• Taxation
• Financial Reporting
• Share Capital And Funds Utilization
Process/ sub-process with Medium risk criticality
Medical & Quality Audit
• Allied Health operations
• Medical Psych Units
• Progressive Care Unit
• Nurse/ Doctors bay
• Pediatrics/ Ortho/ Neuro Unit
Operations Support Audit
• Foods & Beverages
• Laundry & Housekeeping
• Centre for Community Service
• Autopsy & Mortuary management
• Pharmacy
• Energy & Water consumption
People Audit
• Hospital and clinician relationship management
• Employee Records
• Payroll end to end
• Salary benchmarking
Finance & Accounts
• Cash & Bank Management
• Treasury
• Stock Options
• Foreign Exchange
• Investments
• Share Capital And Funds Utilization
Risk Levels*
1. Top-Level Enterprise Risks
These risks were identified by all or virtually all of the respondents and are seen as meeting the following parameters:
a. A current risk or one that is on the short-term horizon
b. A risk that has a high likelihood of occurring
c. A risk that is seen as having a significant impact on the healthcare system.
2. Mid-Level Enterprise Risks
These are essentially “around the corner” risks as identified by the executives. They are generally viewed as having a lower likelihood of happening or a longer lead time. However, if the risk becomes a reality, it is viewed as having a significant impact on the organization.
3. Lower-Level Enterprise Risks
These risks meet one or more of the following parameters:
a. Much lower likelihood of occurring or a longer timeframe for a healthcare organization to adjust
b. Less impact on the system and/or a more manageable level of risk
It may happen that low-level risks of today might become/ shift to medium or high category of risks, if left uncontrolled. So, risk management has to be a continuous & all-pervasive exercise.
How do you view risk management capabilities?
1. Does increasing volatility and growing complexity make risk management central and strategic to your entity?
2. Do you see the risk management capabilities as important to future profitability and long-term growth?
3. Are you implementing comprehensive enterprise risk management programs?
4. Executives expect their investments in risk management to increase over the next two years.
Handling of primary concerns for a healthcare entity
1. How active is your company in influencing risk regulation in your industry or geography (e.g. establishing direction for future industry reform)?
2. How is healthcare reform addressed within your risk management program?
3. How are pricing issues addressed within the risk management program?
4. How is capital adequacy or the risk-bearing capacity of the balance sheet addressed within your risk management program?
Action to achieve risk mastery
1. Balance risk appetite with risk capacity.
2. Focus on supply chain risk.
3. Improve governance of risk & compliance.
4. Use a more holistic approach.
“With more hospitals now hiring physicians and acquiring physician groups, they need to rethink both the duration and magnitude of their risk exposures.”
A. Look to create shareholder value from risk management.
B. Involve the risk organization in key decision-making processes.
C. Improve the sophistication of measurement, modeling and analytics to anticipate risks in an increasingly complex environment.
D. Go beyond a compliance mindset of risk management to deliver more complete business solutions that drive competitive differentiation.
E. Integrate risk management capabilities across business units and organizational structures.
F. Establish a dedicated, C-level risk executive with oversight and visibility across the business.
G. Infuse risk awareness across the organizational culture.
H. Invest in continuous improvement.
Critical Success Factors for Effective Strategic Risk Management
• Align your strategy with the risks most relevant to your ability to achieve your near- and long-term strategic objectives.
• Create an efficient organizational structure with clear roles and responsibilities for everyone on the team. Leverage existing functions and teams, rather than creating more bureaucracy or overburdening leadership with decisions and tasks that can be handled by the rest of the team.
• Put a transparent, repeatable process in place. Where possible, make use of existing processes to ensure minimal disruption, and provide clear direction and well-defined deliverables. Where new approaches are needed, deploy strong change management disciplines to optimize workforce involvement and acceptance.
• Determine appropriate risk metrics and meaningful reporting formats, and establish a process for monitoring risk metrics to make sure information is relevant, reliable and provided on a regular, established basis.
• Develop and implement those tools and templates needed to efficiently standardize and sustain the risk management process, emphasizing practicality and cost/benefit optimization.
Internal audit is a 5-step process @ KONNECTORS.
Step 1: Risk Assessment
Step 2: Annual Internal Audit Plan Development
Step 3: Audit Program Development & Execution
Step 4: Findings & Recommendations
Step 5: Monitoring of Implementations
Some businesses manage risks in the following ways today:
1. We don’t have any risks.
2. Hopefully nothing bad happens today.
3. Everybody needs to be careful all the time.
4. If you make a mistake, we’ll fine/discipline/fire you!
5. We had a meeting and discussed the chance that if a particular risk could happen, we would communicate to everyone.
6. We brainstormed what could happen, and we took some actions to minimize the chance.
7. We developed a risk assessment of our process, and have an ongoing action plan and cadence to address the highest prioritized risks.
Please Contact:
Founder Adarsh Saxena, CA @ KONNECTORS RMT
+91-9873016166
New Delhi - 110018, India.