Ppt for Healthcare Risks

a KONNECTORS presentation R I S K


HEALTH CONTINUUM

• Governments
• Public health organizations
• Agencies
• Patients
• Others
• Healthcare providers


MAJOR CATEGORIES OF RISK IN HEALTHCARE

• Project risks
• Legal & Regulatory risks
• Reputation risks
• Corporate Governance risks
• Business continuity risks
• People risks
• Supply chain risks
• Technology risks
• Economic risks
• Social risks


A list of audit universe areas where applications are present to better assess the IT risks of health-care providers. Risk areas identified* include:

• Accounts payable.
• Admissions, discharges, and transfers.
• Ancillaries.
• Billing and accounts receivable.
• Cardiology.
• Core clinical activities.
• Cost accounting.
• Decision support.
• Emergency department.
• General ledger.
• Health information management.
• Human resources.
• Laboratory.
• Materials management.
• Payroll.
• Pharmacy.
• Physician practice management.
• Radiology.
• Scheduling.
• Surgery.

The audit universe also identified general control areas that should be examined during the assessment. These areas include:

• Application change controls.
• Backup and recovery processes.
• Compliance initiatives.
• Disaster recovery planning efforts.
• Infrastructure configuration management activities.
• IT management processes.
• Network infrastructure, security administration, and server infrastructure activities.
• System development and acquisition lifecycle initiatives.
• Third-party services.
• Data center environmental controls.

Finally, besides identifying general control areas, the audit universe pinpoints a number of common IT security high-risk areas, including Web applications, medical devices connected to the network, wireless networks, and application interfaces. Below is a description of each high risk and its associated audit universe area.

Risk assessment of IT risks in Healthcare

Assessing IT Risks in the Healthcare Industry

While the adoption of new technology offers a number of benefits and gives health-care providers the opportunity to gain a competitive advantage, it also introduces new risks into the environment that must be managed appropriately. Health-care providers are rapidly deploying IT systems to dramatically change business processes, create new opportunities, and reduce costs. Because failures in health-care technology can be life threatening, internal auditors need to become aware of the different technology-related risks in the health-care field and learn about potential audit approaches to address identified problem areas.

As part of their work, health-care providers collect and maintain non-clinical personal information that could be used for identity theft purposes, such as Social Security numbers and credit card and insurance account information. In addition, many organizations are adopting automated health information systems, thus highlighting the importance of continuous system availability and decreased downtime. Hence, data integrity remains a critical factor that is necessary to ensure better patient care and is an area that is regulated more and more through different national and industry-specific regulations.

Considering the different IT security risks that are affecting organizations and the technologies used in the health-care field, where should internal auditors and organizations focus their audit activities? A good starting point is to conduct an IT enterprise risk assessment. Ideally, this risk assessment should be revisited and updated as necessary on a continuous basis. The Health Information and Management System Society's (HIMSS's) 18th Annual Leadership Survey provided insight into the priorities of CIOs in the health-care sector, their areas of perceived risks, and the tools used to mitigate those risks (refer to the 3 charts below).


Revenue Assurance in a Hospital

Charge Description Master (CDM): Is the hospital reviewing this area on a regular basis to make sure they capture charges correctly? Coding and charge information can change frequently and if a procedure is recorded incorrectly, a hospital may not receive the correct reimbursement amount.

Pharmacy: What system does the hospital use for medications? How are medications controlled? How are patient accounts charged?

One day stays: What are the criteria for admissions? How are the criteria applied for medical observation? Is the billing corrected if the criteria are not met?

Managing cash activities: How is cash accounted for? How are receipts given out? What types of receipts are utilized? How is this information recorded into a patient’s account? Is a lock box used to hold onto cash until deposited to a central location? How often is cash collected and deposited? What controls are in place for cash handling and who handles the cash?

Admitting and registration of patients: When a procedure has been scheduled in advance, how does the hospital register the patient? Does the admitting area ask for identification and insurance information upon arrival at the hospital? Are any co-payments and deductibles discussed prior to the procedure taking place? How are co-payments and deductibles collected?

Laboratory: Is the laboratory in compliance with OIG guidelines? Do reference forms contain all needed diagnostic information? Is there a maximum time limit for standing orders? How does the laboratory charge? On result only?

Charity care: Is there a process in place to maintain charity applications? Are logs maintained? Who approves charity write-offs? Who reviews write-off codes for compliance with hospital-level services defined by HCAP?

Miscellaneous: Are the discounts (in case of multiple services availed by a patient and available at that time under the Hospital’s policy) properly adjusted at the time of billing?


On average, companies lost seven percent of revenue to fraud in 2008, according to the Association of Certified Fraud Examiners (ACFE) 2008 Report to the Nation on Occupational Fraud and Abuse.

PRIORITY A

Processes with risks that are both significant and likely. Unless risks are well managed, they should be a key focus of the audit plan.

PRIORITY B

Processes with significant but less likely risks will receive audit focus if they relate to or can be efficiently audited with other 'A' processes.

PRIORITY C

Processes with likely but low-significance risks. Minimal audit focus.

PRIORITY D

Minimal or no audit focus.

Human Resources; Patient Satisfaction

Legal & Regulatory; Contracts

Information Systems; Treasury

Patient Services; Revenue Cycle

Supply Chain Management

Grant Administration


For the evolving hospital industry, managing risk is a high-stakes business issue.

Some associated risks

Healthcare providers & Others consists of: Sample risk(s) associated with the healthcare provider & Others

Hospitals (Private/ Government): Not enough beds to accommodate all patients; whether proper billing charged to the patients.

Nursing Homes: Running without license; either short on some medicines/ injections or a doctor not available on duty (for any reason, in an emergency).

Testing Laboratories: Personnel not available to do the testing & hence further delay in patients’ treatment.

Pharmaceutical Companies: Some medicines’ supply not frequently available or very highly priced; regulation risks.

Diagnostic Centers: Some machines not working properly.

Medical Equipment (X-ray machines, BP testing machines, CT scan machines, etc) Manufacturers: Not able to meet the demand for the various machines from all the customers (including hospitals/ R&D centres, etc).

Health Insurance companies/ Third Party Administrators (TPAs): Claim settlements; forged documents; Hospitals charging higher rates (where mediclaim is applicable).

Colleges/ Universities/ Institutes teaching medicine: Not able to meet the demand of the medical professionals as required.

Specialised R&D centres: Breach of agreement vis-à-vis technology transfer; failure of research resulting in writing off of expenditure incurred.


Top 10 Risks 2010 * (5 risks were present earlier too)

Risks that were identified in 2010 and were present in the surveys of 2005 & 2007 too

Risk | Level of risk in 2007 | Level of risk in 2005 | Percent of respondents who believe that passage of healthcare reform will increase this risk | Estimate of an organization’s ability to control this risk

Payment increases consistently below medical inflation: potential for precipitous reductions in reimbursement as a result of state and federal regulatory changes | Top-Level | Top-Level | 92% | Limited or none

Physician relationships: ability to control the direction and level of alignment of physicians and institutions | Top-Level | Top-Level | 96% | Reasonable

Increased enforcement initiatives and governmental challenge of overpayment for services (e.g. RAC, MIC, and ZPIC audits, Stark anti-kickback statutes, false claims laws, antitrust, etc.) | Low-Level | Mid-Level | 89% | Some

Unfunded mandates for the provision of healthcare services | Top-Level | Top-Level | 66% | Limited or none

Increasing cost of capital and significant gap between capital needs and capital available from all sources | Low-Level | Low-Level | 66% | Some

Top 10 Risks 2010 * (5 new risks in 2010)

Risks that were identified as new in 2010

Risk | Percent of respondents who believe that passage of healthcare reform will increase this risk | Estimate of an organization’s ability to control this risk

Preparedness for clinical automation: inadequate information technology requiring investment in more sophisticated information systems | 83% | Reasonable

An extended economic recovery or a return to a significant recessionary environment; unemployment increases and continues to remain high | No additional impact | None

Improving performance in the midst of accelerating regulatory and marketplace change | 85% | Reasonable

Rebuilding the organization’s balance sheet | 73% | Reasonable

Significant reduction in employer-based insurance | 77% | None


Important auditable functions/ areas from a Hospital’s perspective:

SERVICE DELIVERY: Medical strategy & service excellence; Patient reception & admission; Diagnosis & Patient treatment; Patient discharge & rehabilitation services; Medical record maintenance

Corporate Governance; Business Planning; M & As and Projects; Marketing & Sales

Stakeholder perspective

Cost perspective: Procurement - Medical supplies; Procurement - Capex; HR & Payroll

Some other enablers: Insurance including TPA; Housekeeping; Operating systems & IT

Miscellaneous: Blood Bank management; Waste & Energy management; F&B; Legal & Taxation; Inventory management; Customer service


Process/ sub-process with High risk criticality

Functional audit areas of focus (High risk)

i Hospital Governance
ii Medical & Quality Audit
iii Operations Support Audit
iv People Audit
v Finance & Accounts
vi Compliance Management

Hospital Governance

• Mergers & Acquisition – Internal Control DDR
• Medical Strategy & Quality
• Capacity Management
• Quality Compliance Management – NABH/ JCI
• New Projects
• Corporate Governance
• Marketing

Compliance Management

• Medical Records
• Secretarial
• EHS
• Other enactments
• JCI standards
• NABH standards

Medical & Quality Audit

• Stress Care Centres
• Operation Theatres
• ICU, MICU, ICCU & PICU
• Imaging Centres & Laboratories
• Vascular Rooms
• Cardiac Recovery rooms
• Preparatory room
• Recovery room
• Ambulance services
• Surgical Services
• Blood bank management

Operations Support Audit

• Admissions
• Procurement including CPC
• Inventory Management
• Discharge & Billing
• Patient Safety – Incident Management
• Insurance including TPA
• Bio / Non Bio Medical equipment
• IT Support – FOS, ITGC, ERP, Business Continuity & DRP

People Audit

• HR Planning & Recruitment
• Employee training
• Roster management
• Leadership Development Initiatives
• Performance Appraisal process
• Employee Satisfaction Survey

Finance & Accounts

• Budgeting
• Accounts Receivable
• Accounts Payable
• Fixed Assets Management
• Capital Expenditure
• Taxation
• Financial Reporting
• Share Capital And Funds Utilization


Process/ sub-process with Medium risk criticality

Medical & Quality Audit

• Allied Health operations
• Medical Psych Units
• Progressive Care Unit
• Nurse/ Doctors bay
• Pediatrics/ Ortho/ Neuro Unit

Operations Support Audit

• Foods & Beverages
• Laundry & Housekeeping
• Centre for Community Service
• Autopsy & Mortuary management
• Pharmacy
• Energy & Water consumption

People Audit

• Hospital and clinician relationship management
• Employee Records
• Payroll end to end
• Salary benchmarking

Finance & Accounts

• Cash & Bank Management
• Treasury
• Stock Options
• Foreign Exchange
• Investments
• Share Capital And Funds Utilization


Risk Levels*

1. Top-Level Enterprise Risks
These risks were identified by all or virtually all of the respondents and are seen as meeting the following parameters:
a. A current risk or one that is on the short-term horizon
b. A risk that has a high likelihood of occurring
c. A risk that is seen as having a significant impact on the healthcare system.

2. Mid-Level Enterprise Risks
These are essentially “around the corner” risks as identified by the executives. They are generally viewed as having a lower likelihood of happening or a longer lead time. However, if the risk becomes a reality, it is viewed as having a significant impact on the organization.

3. Lower-Level Enterprise Risks
These risks meet one or more of the following parameters:
a. Much lower likelihood of occurring or a longer timeframe for a healthcare organization to adjust
b. Less impact on the system and/or a more manageable level of risk

It may happen that low-level risks of today might become/ shift to medium or high category of risks, if left uncontrolled. So, risk management has to be a continuous & all-pervasive exercise.

How do you view risk management capabilities?

1. Does increasing volatility and growing complexity make risk management central and strategic to your entity?

2. Do you see the risk management capabilities as important to future profitability and long-term growth?

3. Are you implementing comprehensive enterprise risk management programs?

4. Executives expect their investments in risk management to increase over the next two years.

Handling of primary concerns for a healthcare entity

1. How active is your company in influencing risk regulation in your industry or geography (e.g. establishing direction for future industry reform)?

2. How is healthcare reform addressed within your risk management program?

3. How are pricing issues addressed within the risk management program?

4. How is capital adequacy or the risk-bearing capacity of the balance sheet addressed within your risk management program?

Action to achieve risk mastery

1. Balance risk appetite with risk capacity.

2. Focus on supply chain risk.

3. Improve governance of risk & compliance.

4. Use a more holistic approach.


“With more hospitals now hiring physicians and acquiring physician groups, they need to rethink both the duration and magnitude of their risk exposures.”

A. Look to create shareholder value from risk management.
B. Involve the risk organization in key decision-making processes.
C. Improve the sophistication of measurement, modeling and analytics to anticipate risks in an increasingly complex environment.
D. Go beyond a compliance mindset of risk management to deliver more complete business solutions that drive competitive differentiation.
E. Integrate risk management capabilities across business units and organizational structures.
F. Establish a dedicated, C-level risk executive with oversight and visibility across the business.
G. Infuse risk awareness across the organizational culture.
H. Invest in continuous improvement.


Critical Success Factors for Effective Strategic Risk Management

• Align your strategy with the risks most relevant to your ability to achieve your near- and long-term strategic objectives.
• Create an efficient organizational structure with clear roles and responsibilities for everyone on the team. Leverage existing functions and teams, rather than creating more bureaucracy or overburdening leadership with decisions and tasks that can be handled by the rest of the team.
• Put a transparent, repeatable process in place. Where possible, make use of existing processes to ensure minimal disruption, and provide clear direction and well-defined deliverables. Where new approaches are needed, deploy strong change management disciplines to optimize workforce involvement and acceptance.
• Determine appropriate risk metrics and meaningful reporting formats, and establish a process for monitoring risk metrics to make sure information is relevant, reliable and provided on a regular, established basis.
• Develop and implement those tools and templates needed to efficiently standardize and sustain the risk management process, emphasizing practicality and cost/benefit optimization.

Internal audit is a 5-step process @ KONNECTORS.

Step 1: Risk Assessment

Step 2: Annual Internal Audit Plan Development

Step 3: Audit Program Development & Execution

Step 4: Findings & Recommendations

Step 5: Monitoring of Implementations


Some businesses manage risks in the following ways today:

1. We don’t have any risks.

2. Hopefully nothing bad happens today.

3. Everybody needs to be careful all the time.

4. If you make a mistake, we’ll fine/discipline/fire you!

5. We had a meeting and discussed the chance that if a particular risk could happen, we would communicate to everyone.

6. We brainstormed what could happen, and we took some actions to minimize the chance.

7. We developed a risk assessment of our process, and have an ongoing action plan and cadence to address the highest prioritized risks.


Please Contact:

Founder Adarsh Saxena, CA @ KONNECTORS RMT
[email protected]
+91-9873016166.
New Delhi - 110018. India.
