What is “Risk Management” in the Healthcare Setting?
Working in healthcare inherently presents several types of risk. Risks such as those associated with treating patients, storing confidential patient records, maintaining a safe work environment, and maintaining emergency response capabilities are front-and-center for many providers and facility administrators, but the reality is that these only represent one subset of the risks that doctors’ offices, clinics, and hospitals face on a daily basis.
This raises an important question: What is “risk management” in the healthcare setting? More specifically, what is necessary in order to effectively manage the risks of operating a medical practice or healthcare facility?
As with patient care, there is no single “right” answer when it comes to healthcare risk management. Instead, providers and facilities need to take a comprehensive and custom-tailored approach—not unlike providing a patient with a differential diagnosis. A healthcare risk management program must touch on all aspects of patient care and legal compliance, including the likes of pharmacy compliance. This must be designed in such a way that it can be implemented effectively across all aspects of a practice’s or facility’s operations.
Risk Management in Healthcare: Patient-Related Considerations
In healthcare, the patient comes first, so it stands to reason that this is where we should start our discussion as well. With regard to patient care and patient safety, risk management must address several aspects of a provider’s practice or a facility’s operations. This includes (but is not limited to):
- Patient intake and triage
- Patient recordkeeping and storage (hardcopy and electronic)
- Testing and diagnostic procedures
- Communication between and among individual providers
- Proper prescription and administration of medications
- Scheduling and room availability
- Provider drug testing
- Adverse event and emergency response
- Cleaning and sanitation of rooms, beds, equipment, and tools
- Patient follow-up (including follow-up regarding test results and missed appointments)
Of course, while patient safety is the primary focus of these aspects of risk management in healthcare, the risk of facing malpractice litigation and other civil liability claims cannot be ignored—nor should they. While healthcare providers need to focus on providing appropriate patient care, they must also acknowledge the near certainty that mistakes will be made.
With this in mind, for healthcare providers, maintaining adequate insurance is an essential component of a comprehensive risk management strategy. Providers and facilities alike should purchase insurance that is specific to their needs – not a generic off-the-shelf policy – and they should review their insurance coverage needs both (i) on an annual basis, and (ii) when changes in circumstances create an increased risk of liability exposure. Additionally, both individual providers and corporate entities should implement asset protection strategies that specifically address the risk of facing judgment liability due to a malpractice lawsuit or other negligence-based claim.
Risk Management in Healthcare: Legal and Regulatory Compliance
As we mentioned in the introduction, patient safety and patient care are just two of the numerous aspects of effective risk management for healthcare providers and facilities. As an entirely separate – though not entirely unrelated – matter, providers and facilities must thoroughly address their risks in the area of legal and regulatory compliance as well.
While legal and regulatory compliance are often addressed as a single aspect of risk management, this is an extraordinarily broad area in which healthcare providers and facilities face a multitude of obligations. Developing and implementing a comprehensive legal and regulatory compliance program is essential for any medical practice or healthcare facility, and even seemingly minor oversights can potentially lead to drastic consequences.
What does it take for a medical practice or healthcare facility to be “compliant”? The following is a non-exclusive list of the types of compliance issues that need to be addressed in order to effectively manage legal and regulatory risk in the healthcare setting:
Billing and Coding Compliance
All healthcare providers must comply with strict billing and coding requirements regardless of whether they are billing Medicare, Medicaid, Tricare, another healthcare benefit program, or a private insurer. Each federal program has its own rules and regulations; and, while insurance companies use standardized billing codes, each insurer has its own rules and requirements as well. Under federal law, billing and coding violations can lead to civil or criminal penalties—and this is true for both public payors (under the False Claims Act and the federal healthcare fraud statute) and private insurers (under the federal insurance fraud statute).
Prescription Drug Compliance
Prescription drug compliance is another major compliance area for healthcare providers. Registration with the Drug Enforcement Administration (DEA) carries with it a host of responsibilities under the Controlled Substances Act (CSA), the Drug Supply Chain Security Act (DSCSA), and associated regulations, and providers and facilities must maintain strict compliance at all times. Electronic prescription compliance is an extraordinarily complex area as well, and this is becoming increasingly important in the modern healthcare setting.
Anti-Kickback Statute and Stark Law Compliance
One area of risk for healthcare providers and facilities that often gets overlooked is anti-kickback compliance. Under the Anti-Kickback Statute and Stark Law, providers and facilities are prohibited from offering, paying, accepting, and receiving bribes, kickbacks, and other forms of remuneration in exchange for patient referrals and certain other benefits. While there are several “safe harbors” and exceptions that authorize a broad range of transactions, providers and facilities must specifically structure their transactions to fall within these safe harbors and exceptions to avoid liability.
Data Security Compliance
While most healthcare providers and facilities are familiar with the Health Insurance Portability and Accountability Act (HIPAA) and work with vendors to satisfy their HIPAA compliance obligations, there is much more to data security compliance. State and federal laws impose various data security obligations for entities of different sizes; and, generally speaking, entities must adopt data security protocols that are appropriate to the size and extent of their operations. For healthcare providers, it is necessary to protect the privacy and security of both patient records and employee records, and both sets of records carry equal importance.
Telemedicine and Telehealth Compliance
Similar to electronic prescriptions, telemedicine and telehealth are continuing to play an increased role in many healthcare providers’ and facilities’ practices. While some standards have been relaxed specifically in relation to the COVID-19 crisis, as a general rule, telemedicine and telehealth compliance both entail a host of legal responsibilities. This includes, but is not limited to, compliance obligations in the areas of billing, method of delivery, patient location, documentation of medical necessity, out-of-state medical practice, and referral relationships.
Risk Management in Healthcare: Avoiding Risks and Shifting Liability
A third aspect of risk management in healthcare involves the mitigation of liability exposure through effective contracting policies and protocols. Virtually all aspects of healthcare practice involve contracts in one way or another, and the effective use of contractual protections can greatly minimize individual providers’ and healthcare facilities’ liability risk. For example:
- Patient Waivers and Other Agreements – While there are limitations on what is enforceable in terms of waivers of patients’ rights, waivers and other agreements can still be effective tools for mitigating liability risk in the provider-patient relationship.
- Contractor and Employee Relationships and Contracts – Medical practices and healthcare facilities should have written agreements with all contractors, and they should have contracts with appropriate employees. These, of course, are in addition to the practice’s or facility’s employment policies and procedures.
- Contracts with Other Healthcare Providers and Facilities – Contracts with other healthcare providers and facilities should be drafted with both liability protection and anti-kickback compliance in mind.
- Third–Party Service Provider Contracts – When contracting with third-party billing administrators, telehealth companies, and others, providers and facilities should ensure that their agreements appropriately shift liability for these third parties’ errors and omissions.
What Does it Take to Manage Risk Effectively in the Healthcare Setting?
Given all of these concerns, what does it take to manage risk effectively in the healthcare setting? While there are many aspects to healthcare risk management, developing an effective risk management program is ultimately a matter of applying general principles to your practice’s or facility’s specific circumstances and needs. Effective risk management is certainly an obtainable goal, and it is a goal that can be achieved relatively efficiently with the advice and representation of experienced healthcare compliance counsel.
At Oberheiden P.C., we offer comprehensive risk management and compliance services for healthcare providers and facilities throughout the United States. Our services include:
- Conducting risk assessments in order to identify areas of need and the strategies that can be used to address them
- Developing custom-tailored risk mitigation and compliance programs that address providers’ and facilities’ unique risks in a practical and cost-effective manner
- Assisting with training and implementation in order to ensure that providers’ and facilities’ risk management and compliance programs are maximally effective
- Conducting periodic audits to assess new risks, and conducting targeted internal investigations when risks or compliance concerns arise
- Drafting and negotiating contracts with contractors, employees, other providers and facilities, and third-party vendors
- Advising providers and facilities regarding federal law enforcement risks and providing legal representation for federal audits and investigations
Speak with a Federal Healthcare Compliance Lawyer at Oberheiden P.C.
Do you have concerns about the effectiveness of your healthcare practice’s or facility’s current risk management efforts? If so, we encourage you to get in touch. To speak with one of our senior federal healthcare compliance lawyers in confidence, call Oberheiden P.C. at 888-680-1745 or tell us how we can help online today.
Dr. Nick Oberheiden, founder of Oberheiden P.C., focuses his litigation practice on white-collar criminal defense, government investigations, SEC & FCPA enforcement, and commercial litigation.