Risk Assessing HIM’s Effectiveness in the Revenue Cycle Elizabeth (Liz) Johnson, The Christ Hospital Health Network, Cincinnati, OH


Post on 20-Apr-2020


  • Risk Assessing HIM’s Effectiveness in the Revenue Cycle

    Elizabeth (Liz) Johnson, The Christ Hospital Health Network, Cincinnati, OH

  • Objectives

    • Understand principles of risk assessment and importance in today’s risk environment
    • Identify effective controls--and how to deploy
    • Learn how to report on your control effectiveness and Key Risk Indicators
    • Understand that HIM effectiveness is a Key Risk Indicator within the revenue cycle

  • Managing an organization’s risks in individual silos is like trying to pick up a six-pack without the little plastic thingy that holds them all together; you can do it, but it is far harder than it would be if the cans were connected to each other.--Andrew Bent

  • Risk and Risk Assessment Principles and Procedures

  • Enterprise Risk Management*

    “…a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

    Source: COSO* Enterprise Risk Management – Integrated Framework. 2004. COSO.

    *COSO-The Committee of Sponsoring Organizations of the Treadway Commission: American Accounting Association, American Institute of Certified Public Accountants, Financial Executives International, Institute of Management Accountants, The Institute of Internal Auditors

    • This principle also applies to subunits: Revenue Cycle HIM

  • The Underlying Principle is Universal

    Value is created, preserved, or eroded by management decisions in all activities, from setting strategy to operating the enterprise (or department) day-to-day

    Risk Assessment and Mitigation of Risks supports value creation by assisting management to:

    o Deal effectively with potential future events that create uncertainty.
    o Respond in a manner that reduces the likelihood of downside outcomes and increases the upside.
    o Take a view of risk and risk mitigation within the business portfolio

    Strategic, Operations, Financial (Reporting), Regulatory (Compliance), Reputation

  • Risk Defined

    • Risk is the likelihood that a threat (or a threat agent) will exploit a given vulnerability, multiplied by the business impact of that exploit.
    • Inherent Risk is risk that exists before controls
    • Residual Risk is risk that exists after controls

    • Risk can be:
      o Avoided (Do not Accept) or Transferred (Insurance)
      o Accepted and Mitigated – Managed (Controls), or Accepted and Not Mitigated (No Controls)
      o Or a combination of the above

    • Impact is the implication to the organization in terms of materiality should the risk event occur

    • Likelihood is the probability the risk may occur

    • Sensitivity: implicating factors such as velocity, high priority, scrutiny

    • Complexity: implicating factors such as interdependence, detectability, human behavior

  • Sample HIM Portfolio Subject to Risk

    HIM Role in Revenue Cycle: Mission-Charter-Scope

    • Timely-Accurate Coding Hospital-Professional
    • Controlled, secure and relevant ‘distribution of’ and ‘access to’ records
    • Accurate, timely, complete records maintained efficiently-centrally
    • IT, Software, Data Analytics, Security, Backup and Recovery, Storage
    • Coding capture, Provider competency, Provider records, CDI hospital and professional
    • Legal-Regulatory Compliance, Payor Rules, Downcodes-Denials, External Requests
    • Oversight, Coder Competency, Resources, Education
    • Operations-Advisory Support, Indicator Reporting, Business Continuity, Change Management

    Functions subject to risk assessment - risk mitigation and monitors of effectiveness

    The COSO domains apply to all profile components

  • How do I assess?

    • Compile your portfolio subject to risk

    • Survey the external and internal environments for risk factors and controls (are they present; are they effective).

    • External examples
      • State Medicaid Changes
        • New bundling for outpatient
      • Payor policy changes-federal, managed care, commercial
        • LCD-NCD coding and documentation changes
        • Payor down coding: ED E/M, DRG changes not in comportment with convention
      • Regulatory
        • Copy Paste, CDI, storage requirements, security, business continuity, CoP’s
      • Records requests and access to systems
        • Quantity, relevant content to defend claims, access with need to know

    • Internal Examples
      • Coder proficiency and concordance
      • Provider documentation completeness-timeliness
      • Monitors and reporting of key indicators – or lack of

  • Survey Excerpt

    Risk | Survey Question Examples

    Coder Competency -Coding accuracy

    Are competency reviews performed quarterly on 10% of work product? Is intervention effective? Education -resource program in place and comprehensive? Is coding validated every six months?

    Data storage-back up Are all medical records consolidated, including scanned documents? Are legacy systems tested periodically for retrieval? Is MR-transcription data backed up?

    Performance Analytics and Monitor Reporting

    Does information extraction and/or the utilization of information effectively facilitate performance improvement? Monitors in place for Key Risk controls? Does HIM deploy internal algorithm tools for monitoring?

    Coding Capture and Clinical Documentation Improvement

    Does the CDI program (Hospital and Physician) effectively capture coding opportunity? Is documentation sufficient and reflective of services provided? Is there a structured education and review program to validate CDI effectiveness and assure providers receive standardized education?

    Regulatory Compliance

    Is coding reviewed for concordance with LCD-NCD-Payor policies before release from queue? Is coding forced through the queue when edit prevents processing-are monitors in place to evaluate daily? Are encoders and edits up to date for State Medicaid rules? Are external audit record requests abstracted for MN compliance prior to release-return to requestor? Are professional claims monitored for accurate coding levels and modifier use, signatures? Are records timely authenticated?

    Denials

    Does HIM monitor coding denial rates by reason/ code, and report monthly on rates and actions? Does HIM Log and track all external audit requests, along with results? Report back to management for action planning? Are payors increasingly changing codes by down coding or using their internal standards in lieu of conventional stds?

  • Rate the Risks and Controls

    # | Key Risk Domain 2018 | Risk Domain | Impact | Likelihood | Inherent Risk | Goal Profile | Risk Tolerance | Controls (Improve / Assess / Monitor / Optimize)
    1 | Coder Competency | O,F,C | 4.4 | 3.8 | 4.1 | C | L | 2.8
    1a | Coding Accuracy | O,F,C | 4.7 | 3.8 | 4.3 | C | L | 2.4
    2 | Data Storage-Backup | S,F,O | 3.7 | 3.9 | 3.8 | R | L | 4.1
    3 | Performance Analytics-Data Monitors | S,O,F,C | 4.4 | 4.4 | 4.4 | C,R,A | M | 4.2
    4 | Coding Capture-CDI Hospital | F,C | 4.0 | 4.0 | 4.0 | C,R | L | 3.2
    4a | Coding Capture-CDI Professional-Other | F,C | 4.5 | 4.5 | 4.5 | C,R | M | 4.3
    5 | Regulatory Compliance | C,F | 4.5 | 3.4 | 4.0 | C,R,A | L | 2.4
    6 | Denials | F,O,C | 3.0 | 4.4 | 3.7 | C,R,A | L | 4.7
    7 | Data Recovery Backup | O,C | 2.0 | 2.0 | 2.0 | R | M | 1.5
    8 | Payors policies-downcoding | F,O,C | 3.7 | 4.1 | 3.9 | C | M | 3.8
    9 | Disaster Recovery Planning | O,C | 4.0 | 3.7 | 3.9 | R | L | 3.8
    10 | External Records Requests-data bases | O,C,F | 5.0 | 3.8 | 4.4 | A | L | 2.8
    11 | IT-Software Support-Utility | O,S | 2.8 | 2.1 | 2.5 | C,R,A | M | 2.1
    12 | Risk Identification-Change Management* | O,F,C | 4.0 | 4.0 | 4.0 | C,R,A | M | 3.8
    13 | Talent Mngmnt -Recruitment-Retention | S,O | 4.8 | 1.5 | 3.2 | C | M | 2.4

    Impact Financial Key | Impact Key | Likelihood Key | Goal Key | Risk Domain Key
    >$500,000 | 4 to 5 High Risk | 4 to 5 High Likely | C=Coding | Strategic-S; Operational-O; Financial-F
    $100,000 to $500,000 | 3 to 4 Mod Risk | 3 to 4 Likely | R=Records | Regulatory-R
    $10,000 to $100,000 | 2 to 3 Low Risk | 2 to 3 Not Likely | A=Growth |

    Controls: 5-ineffective, 0-effective

    Risk Tolerance Key: Low-L, Med.-M, High-H
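    Added example (not part of the original slides): in the 2018 table above, every Inherent Risk value equals the mean of Impact and Likelihood rounded half up to one decimal. This Python check confirms that for each row and sorts the risks into the four action-plot quadrants. The quadrant cut point of 3.0 on both axes, the inclusive lower bounds in `band`, and all function names are assumptions; the slides do not state where the quadrants divide.

```python
from decimal import Decimal, ROUND_HALF_UP

# 2018 ratings transcribed from the slide's table:
# (number, domain, impact, likelihood, reported inherent risk, controls score).
# Controls scale per the slide's key: 0 = effective, 5 = ineffective.
RATINGS = [
    ("1", "Coder Competency", "4.4", "3.8", "4.1", "2.8"),
    ("1a", "Coding Accuracy", "4.7", "3.8", "4.3", "2.4"),
    ("2", "Data Storage-Backup", "3.7", "3.9", "3.8", "4.1"),
    ("3", "Performance Analytics-Data Monitors", "4.4", "4.4", "4.4", "4.2"),
    ("4", "Coding Capture-CDI Hospital", "4.0", "4.0", "4.0", "3.2"),
    ("4a", "Coding Capture-CDI Professional-Other", "4.5", "4.5", "4.5", "4.3"),
    ("5", "Regulatory Compliance", "4.5", "3.4", "4.0", "2.4"),
    ("6", "Denials", "3.0", "4.4", "3.7", "4.7"),
    ("7", "Data Recovery Backup", "2.0", "2.0", "2.0", "1.5"),
    ("8", "Payors policies-downcoding", "3.7", "4.1", "3.9", "3.8"),
    ("9", "Disaster Recovery Planning", "4.0", "3.7", "3.9", "3.8"),
    ("10", "External Records Requests-data bases", "5.0", "3.8", "4.4", "2.8"),
    ("11", "IT-Software Support-Utility", "2.8", "2.1", "2.5", "2.1"),
    ("12", "Risk Identification-Change Management", "4.0", "4.0", "4.0", "3.8"),
    ("13", "Talent Mngmnt -Recruitment-Retention", "4.8", "1.5", "3.2", "2.4"),
]

TENTH = Decimal("0.1")
# Assumption: the quadrants divide at the midpoint of the 1-to-5 axes.
CUT = Decimal("3.0")


def inherent_risk(impact, likelihood):
    """Mean of impact and likelihood, rounded half up to one decimal.

    Decimal is used because float rounding turns 4.25 into 4.2, which
    would not match the 4.3 the table reports for Coding Accuracy.
    """
    mean = (Decimal(impact) + Decimal(likelihood)) / 2
    return mean.quantize(TENTH, rounding=ROUND_HALF_UP)


def band(score):
    """Impact key from the slide: 4 to 5 High, 3 to 4 Mod, 2 to 3 Low.

    The key's ranges share end points; an inclusive lower bound is assumed.
    """
    score = Decimal(score)
    if score >= 4:
        return "High"
    if score >= 3:
        return "Moderate"
    if score >= 2:
        return "Low"
    return "Below scale"


def quadrant(inherent, controls, cut=CUT):
    """Action-plot quadrant: ASSESS and IMPROVE sit in the high-risk half,
    OPTIMIZE and MONITOR in the low-risk half; the right-hand pair
    (IMPROVE, MONITOR) is where the controls score is toward ineffective."""
    high_risk = Decimal(inherent) >= cut
    weak_controls = Decimal(controls) >= cut
    if high_risk:
        return "IMPROVE" if weak_controls else "ASSESS"
    return "MONITOR" if weak_controls else "OPTIMIZE"


def mismatches(ratings=RATINGS):
    """Risk numbers whose reported inherent risk differs from the mean."""
    return [num for num, _, imp, lik, reported, _ in ratings
            if inherent_risk(imp, lik) != Decimal(reported)]


def action_plot(ratings=RATINGS):
    """Group risk numbers by quadrant, highest inherent risk first
    (ties broken by the weaker controls score)."""
    plot = {"ASSESS": [], "IMPROVE": [], "OPTIMIZE": [], "MONITOR": []}
    ordered = sorted(ratings, key=lambda r: (-Decimal(r[4]), -Decimal(r[5])))
    for num, _, _, _, reported, controls in ordered:
        plot[quadrant(reported, controls)].append(num)
    return plot


if __name__ == "__main__":
    print("rows that do not match the mean:", mismatches())
    for name, numbers in action_plot().items():
        print(f"{name:8s} {', '.join(numbers) or '-'}")
```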

    2016 survey

    Tier | # | Key Risk Theme 2016 | Risk Domain | Impact | Likelihood | Inherent Risk | Bus. Profile | Risk Tolerance | Controls (Improve / Assess / Monitor / Optimize)
    Tier 1 | 1 | IT Infrastructure Strategy and Management (Incl security) | O | 5.0 | 5.0 | 5.0 | G,O | M | 4
    Tier 1 | 2 | Analytics readiness: quality, pay for Value, Pop. Health | S | 5.0 | 5.0 | 5.0 | A,G,O | M | 4
    Tier 1 | 3 | Operational efficiency and margin control | O | 5.0 | 2.0 | 3.5 | O,G | L | 2
    Tier 1 | 4 | Reimbursement changes- readiness-strategies | F | 5.0 | 5.0 | 5.0 | G | L | 3
    Tier 1 | 5 | Growth & Positioning Strategies-scale-reach | S | 3.4 | 3.3 | 3.4 | G | L | 1
    Tier 2 | 6 | Physician acquisition; age in key specialties; succession plan, market forces | S | 5.0 | 3.0 | 4.0 | G | L | 1
    Tier 2 | 7 | Population Health-viability; CIN role; readiness-desire-for risk | S | 4.0 | 3.0 | 3.5 | G | L | 1
    Tier 2 | 8 | Physician compensation & alignment with value-quality | O | 4.0 | 2.5 | 3.3 | O | L | 2
    Tier 2 | 9 | Disaster management & Business continuity planning | O | 4.7 | 3.7 | 4.2 | O | L | 4
    Tier 2 | 10 | Documentation integrity across system | F | 5.0 | 4.0 | 4.5 | O | L | 3.2
    Tier 2 | 11 | Clinical and Vertical Integration | F | 5.0 | 4.0 | 4.5 | G | M | 2.4
    Tier 2 | 12 | Culture, Turnover, Qualified staff, maintaining depth | O | 4.0 | 3.0 | 3.5 | O | M | 3
    Tier 2 | 13 | Maintain Quality -Patient Satisfaction while decreasing cost | O | 5.0 | 3.0 | 4.0 | O,G | L | 1
    Tier 2 | 14 | Practice variation across the system (speed of acquisition, lack of stds, rigor, quality monitoring, staff educ.) | O | 3.0 | 3.3 | 3.2 | A,O | M | 3
    Tier 3 | 15 | Competition & sustainability of system independence or alliances | S | 3.0 | 2.7 | 2.9 | | H | 1
    Tier 3 | 16 | Tax Exempt Status & Franchise Tax | F | 4.5 | 2.5 | 3.5 | O | L | 1
    Tier 3 | 17 | Talent management and succession planning | S | 3.2 | 3.0 | 3.1 | O | L | 3.2
    Tier 3 | 18 | Vendor & Contract management (incl payor contracts) | O | 3.5 | 3.5 | 3.5 | O | M | 4
    Tier 3 | 19 | Organizational structure matrix-role accountability, SLED role | O | 3.1 | 3.1 | 3.1 | A | M | 3.5
    Tier 3 | 20 | Workforce allocation-flex to adjust to system needs | O | 2.9 | 2.4 | 2.7 | O | M | 1
    Tier 3 | 21 | Performance Improvement: speed, knowledge depth, accountability, nimbleness, transparency | F | 3.5 | 3.2 | 3.4 | A,O,G | L | 3.3
    Tier 3 | 22 | Capital and resource allocation & priority planning | F | 3.4 | 2.0 | 2.7 | O,G | L | 1
    Tier 4 | 23 | Regulatory standards and changes implicating strategy and OPS -preparedness; action planning, monitoring implications | R | 5.0 | 4.0 | 4.5 | A,O,G | L | 1
    Tier 4 | 24 | Inefficiencies in EPIC- productivity | O | 4.5 | 4.3 | 4.4 | O | L-M | 4
    Tier 4 | 25 | Care Coordination & patient engagement across episodes | O | 4.0 | 4.2 | 4.1 | A,O | M | 4

    Cell comment on row 19 (Boyd, Sherida L): Role clarity

    Impact Key | Likelihood Key | Profile Key | Risk Domain Key
    4 to 5 High Risk | 4 to 5 Highly Likely | A=Alignment | Strategic-S; Operational-O; Financial-F
    3 to 4 Moderate Risk | 3 to 4 Likely | OE=Op Excellence | Regulatory-R; Reputational-RP
    2 to 3 Low Risk | 2 to 3 Not Likely | G=Growth |

    Controls: 5=ineffective, 0=effective

    Risk Tolerance Key: Low-L, Med.-M, High-H

    Action Plot=mapping inherent risk vs. management effectiveness (controls); see Action Plot worksheet

    CONFIDENTIAL DO NOT COPY | ERM WORK SHEET 3-17-2016

    2016 Risks defined

    Tier | # | Risk | Explanation: The Risk that TCHHN:
    Tier 1 | 1 | IT Infrastructure Strategy and Management (Incl info. security) | IT infrastructure cannot adequately support the strategic, and operational platform impeding the bottom line; includes regulatory risk and business risks related to Information security.
    Tier 1 | 2 | Analytics readiness: e.g.-quality, pay for Value, Pop. Health | approach/capacity for information governance is not aligned with organization requirements, strategic plan
    Tier 1 | 3 | Operational efficiency and margin control | cannot achieve operational efficiency throughout its business units that are sufficient to support the strategic plan while maintaining high quality and patient satisfaction
    Tier 1 | 4 | Reimbursement changes- readiness-strategies | cannot sufficiently respond to, adjust to, or negotiate payment models for services, resulting in a material impact on cash flow and/or delivery structure
    Tier 1 | 5 | Growth & Positioning Strategies-scale-reach | strategic positioning (e.g. linking core strengths with marketplace strategy), affiliations, relationships, execution, growth targets are not realized, either through internal performance failures or impacted by external forces. Incl. risk of system sustainability in its current business model-capacity.
    Tier 2 | 6 | Physician acquisition; age in key specialties; succession plan, market forces | physician acquisition may not be sufficient or timely enough to: meet manpower plan, replace aging physicians with qualified staff; includes market forces; valuation; other impeding factors.
    Tier 2 | 7 | Population Health-viability; CIN role; readiness-desire-need to take on risk | does not adopt/implement in sufficient scale or effectively, the infrastructure, workflows, and tools necessary to support an organized system of care as required to manage populations and associated risks. Includes maturity risk of the organization infrastructure, risk of missing strategic opportunity, upside risk taking (an ability to discern readiness and where to play in the space); capacity to change-adapt; alignment with CIN, failures to coalition build with payors and external partners needed in the care stream, and other failures in strategy setting
    Tier 2 | 8 | Physician compensation & alignment with value-quality | compensation models do not keep pace with reimbursement transition to pay for value and quality; includes risk of failure to integrate into the model appropriate levels of professional skill sets to achieve highest value for the lowest cost (e.g. leveraging APN's); developing relevant performance metrics for pay; changing culture and collaboration risk
    Tier 2 | 9 | Disaster management & Business continuity planning | cannot sustain critical operations and provide essential services during unit catastrophic and material events (including IT); includes risk of failure to maintain and test business continuity and incident response plans (IT - Operations)
    Tier 2 | 10 | Documentation integrity across system | documentation is inadequate, inaccurate and untimely documentation from care providers will impede achievement of operational excellence and operating margin; includes quality risks, efficiency risk, reimbursement, metrics reporting (pay for performance), risk of accurate reporting external agents-payors- regulators.
    Tier 2 | 11 | Clinical and Vertical Integration | cannot achieve sufficient vertical and clinical integration to support growth, efficiencies, cost, coordinated care, managing populations in a continuum with Internal and external partners; includes risks associated with response to strategic market forces such as consumerism, telehealth, alternate delivery modes, wellness, population health, bundles
    Tier 2 | 12 | Culture, Turnover, Qualified staff, maintaining depth | culture/structure does not foster an environment of competency creation, full spectrum engagement, collaboration, value creation; includes risk that morale, turnover and lack of knowledge depth may implicate key business assets: quality of care, reputation.
    Tier 2 | 13 | Maintain Quality -Patient Satisfaction while decreasing cost | cannot sustain high quality and safe care, and/or exceptional patient experience concurrent with cost reduction; includes failure to achieve efficiencies that reduce cost but sustain high levels of care and satisfaction
    Tier 2 | 14 | Practice variation across the system (speed of acquisition, lack of stds, rigor, quality monitoring, staff educ.) | practice variation across the system impedes ability to achieve a strategic target (growth, OE, alignment); includes risk of failure to maintain core strategic assets in this business unit: reputation, quality position in the market; patient engagement
    Tier 3 | 15 | Competition & sustainability of system independence or alliances | has inefficient, ineffective or poorly monitored alliances, joint ventures, relationships with outside entities and providers that impede strategic objectives; includes risk organization fails to recognize upside risk; risk that scale and independence will impede growth, sustainability as a system
    Tier 3 | 16 | Tax Exempt Status & Franchise Tax | cannot retain tax exempt status; risk that franchise taxes other taxes will implicate business viability or strategic plan
    Tier 3 | 17 | Talent management and succession planning | does not select, promote and develop the right talent; includes risk of talent pool deficiency recruiting strategy, and insufficient focus to key strategic areas with aging management, clinicians, care givers; includes risk of incongruence with strategic plan
    Tier 3 | 18 | Vendor & Contract management (incl payor contracts) | contracting practices or structures do not protect the interests of the company from a financial, strategic, tax, operational, or legal perspective; or are not negotiated consistently with prescribed policies; includes risk that policies are not robust or effective
    Tier 3 | 19 | Organizational structure matrix-role accountability, SLED role | the matrixed organization structure (role clarity, ownership, collaboration, competencies) may impede value creation, strategic plan, operational efficiency, innovation-risk taking, and other human risk factors
    Tier 3 | 20 | Workforce allocation-flex to adjust to system needs | human resources may be insufficient, inflexible, or mis-allocated across the service line; not supporting move to vertical integration, coordinated care; or evaluated in consideration of limited resources in terms of priority replacements
    Tier 3 | 21 | Performance Improvement: speed, knowledge depth, accountability, nimbleness, transparency | achievement of the organization's strategic plan and preservation of core strengths are impeded by inappropriate, inefficient, inadequate systems design and resource integration; risk that the right people are not at the table; risk that knowledge curve and speed of design may implicate effectiveness; risk that accountability for oversight, integration, execution, effectiveness monitoring is impeded-inadequate
    Tier 3 | 22 | Capital and resource allocation & priority planning | is unable to generate sufficient capital resources to respond to strategic plan, meet the plan; includes risk that allocation of capital resources may not be concordant or prioritized to strategy; risk that once approved, execution of plan does not realize return on investment
    Tier 4 | 23 | Regulatory standards and changes implicating strategy and OPS -preparedness; action planning, monitoring implications | cannot respond sufficiently or timely to changes in regulations that implicate the mission or strategic plan
    Tier 4 | 24 | Inefficiencies in EPIC- productivity | electronic health record (EMR) inefficiencies, design, design limitations, resources, skill sets and oversight of strategy impede the organization's and provider's ability to optimize the (EMR) in an effective, efficient, timely manner to support high quality patient care, documentation requirements, data analytics (e.g. CDI, Utilization, value based care, bundles, quality reporting, registry reporting, care coordination, managing population health); includes the risk of other inter-related requirements of the clinical record; and the risk that providers are not sufficiently/efficiently supported in the delivery of care and/or the organization in the operations of its business
    Tier 4 | 25 | Care Coordination & patient engagement across episodes | is unable to develop, implement and manage high value, coordinated, efficient care processes across points of entry-episodes in response to market forces, payor requirements; includes risk of inadequate infrastructure design, support, reporting, monitoring, timing, and compliance with regulatory and financial reporting

    CONFIDENTIAL 2016 RISK STATEMENTS DO NOT COPY

    2016 Action Plot

    Risks as Most important and Most Challenging For Organizational Success

    C-suite executive team, Mar-16

    [Plot: Inherent Risk (Low 1 to High 5) against Management effectiveness - Control Level (1 to 5), with the quadrant labels ASSESS and IMPROVE across the top and OPTIMIZE and MONITOR across the bottom; risks are plotted by number.]

    KEY:

    1. IT infrastructure strategy, management, security
    2. Analytics readiness to support value strategy
    3. Operational efficiency and margin control
    4. Reimbursement changes-readiness -strategies
    5. Growth and Positioning Strategies-scale-reach
    6. Physician Acquisition; succession plan; market factors
    7. Population Health viability in space; CIN role, readiness
    8. Physician Compensation alignment with value-quality
    9. Disaster management-business continuity planning
    10. Documentation Integrity across system
    11. Clinical and vertical Integration
    12. Culture, turnover, qualified staff, maintaining depth
    13. Maintain quality-pt. Satisfaction-while reduce cost
    14. Physician Practice Variation (rigor, stds)
    15. Competition-sustain system independence-alliances
    16. Tax Exempt status and Franchise tax
    17. Talent Management & Succession planning
    18. Vendor Contract management (incl. payors)
    19. Organization structure & matrix roles (SLEDS)
    20. Workforce allocation to system needs
    21. Performance improvement effectiveness
    22. Capital and resource allocation & priority plan
    23. Regulatory stds & implications to strategy-ops
    24. Inefficiencies in EPIC-productivity-alignment with value and reporting needs
    25. Care coordination & patient engagement across episodes-inc bundles

    CONFIDENTIAL 3-17-2016 | ERM PLOT CONTROLS vs. INHERENT RISK

    2017 Risk List Refresh

    Tier | # | Risk | Explanation: The Risk that TCHHN:
    Tier 1 | 1 | IT Capabilities | IT capabilities do not effectively or adequately support needs in the domains of: consumerism, patient engagement, revenue cycle, market strategies, physician- clinician efficiency-productivity.
    Tier 1 | | Epic Utilization | Epic is not used to its fullest potential and/or does not efficiently support operational functions; includes the risk that providers -professionals are not sufficiently adept in Epic use and/or supported in their practice specialties.
    Tier 1 | | Information Security | Information Security infrastructure remains immature (even within the context of our risk appetite), exposing TCHHN to material breach; loss of information; or being locked out of critical systems.
    Tier 1 | | Disaster Recovery Planning | cannot sustain critical operations and provide essential services during catastrophic and material events due to immature IT disaster recovery systems.
    Tier 1 | 2 | Analytics Utilization | Information extraction and/or the utilization of information does not effectively facilitate cost control, operational efficiency, clinical informatics, performance improvement, revenue cycle.
    Tier 1 | 3 | Operational Excellence and Margin Control | cannot achieve operational efficiency throughout its business units that are sufficient to support the strategic plan, manage costs, convert growth to EBIDA, while maintaining high quality and patient satisfaction.
    Tier 1 | 4 | Reimbursement-Payor Mix | cannot sufficiently respond to changing payor mix; adjust to, or negotiate payment contracts that contribute positively to EBIDA; resulting in a material impact on cash flow and/or delivery structure.
    Tier 1 | | Revenue cycle-payment for services | TCH does not properly bill and collect for services; and does not implement effective controls to prevent errors, or monitor effectiveness
    Tier 1 | 5 | Growth Strategies | Strategy-Growth targets are not realized, either through internal performance failures or impacted by external forces. Includes risk of system sustainability in its current business model-capacity.
    Tier 2 | 6 | Physician Acquisition-Succession Plan | physician acquisition may not be sufficient or timely enough to: meet manpower plan, replace aging physicians with qualified staff.
    Tier 2 | 7 | Population Health-CIN | does not adopt/implement effective workflows and tools necessary to support an organized system of care as required to manage populations and associated risks.
    Tier 2 | 8 | Physician Compensation-Alignment with Reimbursement | compensation models are not congruent with reimbursement.
    Tier 2 | 10 | Documentation integrity across system | medical record documentation is inadequate and/or untimely; impeding achievement of operational excellence and operating margin.
    Tier 2 | 11 | Clinical and Vertical Integration | cannot achieve sufficient vertical and clinical integration to support growth, efficiencies, coordinated care.
    Tier 2 | | Communication of Risk-Concerns | organizational culture may not sufficiently encourage timely identification and escalation of concerns that may lead to significant risk issues or impede the ability to improve as a result of learning from errors.
    Tier 2 | 12 | Recruitment and Retention | does not select, promote, develop the right talent; or is unable to retain talent, impeding operations and/or the strategic plan.
    Tier 2 | 13 | Quality - Patient Satisfaction | fails to sustain high quality care and patient satisfaction while reducing costs-increasing efficiency.
    Tier 2 | 14 | Physician Office Practice Variation | Physician offices do not effectively deploy enterprise standards and protocols, implicating performance, quality, revenue cycle risk.
    Tier 3 | 15 | Enterprise Sustainability | cannot sustain its mission amidst a rapidly evolving, dynamic industry
    Tier 3 | 16 | Tax Exempt Status & Franchise Tax | cannot retain tax exempt status; risk that franchise taxes other taxes will implicate business viability or strategic plan.
    Tier 3 | 18 | Vendor - Contract Management | contracting practices do not protect the interests of the company from a financial, strategic, tax, operational, or legal perspective; or are not negotiated consistently with prescribed policies; includes risk that outcomes do not meet objectives.
    Tier 3 | 21 | Performance Improvement | does not apply performance improvement standards across the network, including execution, effectiveness monitoring and training in PI principles.
    Tier 3 | 22 | Capital - Resource Allocation | is unable to generate sufficient capital resources to respond to strategic plan; includes risk that allocation of capital resources may not be concordant or prioritized to strategy; risk that once approved, execution of plan does not realize return on investment
    Tier 4 | 23 | Regulations | cannot respond sufficiently or timely to changes in regulations that implicate the mission or strategic plan
    Tier 4 | 25 | Care Coordination across Episodes-CPCI+, CJR | is unable to develop, implement and manage coordinated care processes to support goals of the CPCI+ program and bundled services (CJR-Cardiac).

    CONFIDENTIAL | RISK STATEMENTS 2017 | DO NOT COPY

    HIM Risk List

    # | Risk | Survey Question Examples
    1 | Coder Competency -Coding accuracy | Are competency reviews performed quarterly on 10% of work product? Is intervention effective? Education -resource program in place and comprehensive? Is coding validated every six months?
    2 | Data storage-back up | Are all medical records consolidated, including scanned documents? Are legacy systems tested periodically for retrieval? Is MR-transcription data backed up?
    3 | Performance Analytics and Monitor Reporting | Does information extraction and/or the utilization of information effectively facilitate performance improvement? Monitors in place for Key Risk controls? Does HIM deploy internal algorithm tools for monitoring?
    4 | Coding Capture and Clinical Documentation Improvement | Does the CDI program (Hospital and Physician) effectively capture coding opportunity? Is documentation sufficient and reflective of services provided? Is there a structured education and review program to validate CDI effectiveness and assure providers receive standardized education?
    5 | Regulatory-Policy Compliance | Is coding reviewed for concordance with LCD-NCD-Payor policies before release from queue? Is coding forced through the queue when edit prevents processing-are monitors in place to evaluate daily? Are encoders and edits up to date for State Medicaid rules? Are external audit record requests abstracted for MN compliance prior to release-return to requestor? Are professional claims monitored for accurate coding levels and modifier use, signatures? Are records timely authenticated?
    6 | Denials | Does HIM monitor coding denial rates by reason/ code, and report monthly on rates and actions? Does HIM Log and track all external audit requests, along with results? Report back to management for action planning? Are payors increasingly changing codes by downcoding or using their internal standards in lieu of conventional stds?

    2018 RISK STATEMENTS AS OF 06-25-2018

    2018 Survey

    Tier | # | Key Risk Domain 2018 | Risk Domain | Impact | Likelihood | Inherent Risk | Goal Profile | Risk Tolerance | Controls (Improve / Assess / Monitor / Optimize)
    Tier 1 | 1 | Coder Competency | O,F,C | 4.4 | 3.8 | 4.1 | C | L | 2.8
    Tier 1 | 1a | Coding Accuracy | O,F,C | 4.7 | 3.8 | 4.3 | C | L | 2.4
    Tier 1 | 2 | Data Storage-Backup | S,F,O | 3.7 | 3.9 | 3.8 | R | L | 4.1
    Tier 1 | 3 | Performance Analytics-Data Monitors | S,O,F,C | 4.4 | 4.4 | 4.4 | C,R,A | M | 4.2
    Tier 1 | 4 | Coding Capture-CDI Hospital | F,C | 4.0 | 4.0 | 4.0 | C,R | L | 3.2
    Tier 1 | 4a | Coding Capture-CDI Professional-Other | F,C | 4.5 | 4.5 | 4.5 | C,R | M | 4.3
    Tier 1 | 5 | Regulatory Compliance | C,F | 4.5 | 3.4 | 4.0 | C,R,A | L | 2.4
    Tier 2 | 6 | Denials | F,O,C | 3.0 | 4.4 | 3.7 | C,R,A | L | 4.7
    Tier 2 | 7 | Data Recovery Backup | O,C | 2.0 | 2.0 | 2.0 | R | M | 1.5
    Tier 2 | 8 | Payors policies-downcoding | F,O,C | 3.7 | 4.1 | 3.9 | C | M | 3.8
    Tier 2 | 9 | Disaster Recovery Planning | O,C | 4.0 | 3.7 | 3.9 | R | L | 3.8
    Tier 2 | 10 | External Records Requests-data bases | O,C,F | 5.0 | 3.8 | 4.4 | A | L | 2.8
    Tier 2 | 11 | IT-Software Support-Utility | O,S | 2.8 | 2.1 | 2.5 | C,R,A | M | 2.1
    Tier 2 | 12 | Risk Identification-Change Management* | O,F,C | 4.0 | 4.0 | 4.0 | C,R,A | M | 3.8
    Tier 2 | 13 | Talent Mngmnt -Recruitment-Retention | S,O | 4.8 | 1.5 | 3.2 | C | M | 2.4

    Impact Financial Key | Impact Key | Likelihood Key | Goal Key | Risk Domain Key
    >$500,000 | 4 to 5 High Risk | 4 to 5 High Likely | C=Coding | Strategic-S; Operational-O; Financial-F
    $100,000 to $500,000 | 3 to 4 Mod Risk | 3 to 4 Likely | R=Records | Regulatory-R
    $10,000 to $100,000 | 2 to 3 Low Risk | 2 to 3 Not Likely | A=Growth |

    Controls: 5-ineffective, 0-effective

    Risk Tolerance Key: Low-L, Med.-M, High-H

    DRAFT RATING-CONFIDENTIAL | 2018 ERM as of 6-25-2018

    Top Box

    [Plot, 2018: Inherent Risk (Low 1 to High 5) against Management effectiveness - Control Level (1 to 5), with the quadrant labels ASSESS and IMPROVE across the top and OPTIMIZE and MONITOR across the bottom; risks are plotted by number.]

    KEY:

    1. Coder Competency
    1a. Coding Accuracy
    2. Data Backup
    3. Performance Analytics-Monitors
    4/4a. Coding Capture-CDI Hosp-Profess.
    6. Denials
    8. Payor policies-downcoding
    10. External Records Requests-Data Bases
    12. Risk Identification-Change Management

    KRI

    Key Risk Indicator | Measure | Factors
    Coding Accuracy-complex DRG's | |

  • Heat Map of Risks

    [Plot, 2018: Inherent Risk (Low 1 to High 5) against Management effectiveness - Control Level (1 to 5), with the quadrant labels ASSESS and IMPROVE across the top and OPTIMIZE and MONITOR across the bottom; risks are plotted by number.]

    KEY:

    1. Coder Competency
    1a. Coding Accuracy
    2. Data Backup
    3. Performance Analytics-Monitors
    4/4a. Coding Capture-CDI Hosp-Profess.
    6. Denials
    8. Payor policies-down coding
    10. External Records Requests-Data Bases
    12. Risk Identification-Change Management

  • Controls-Monitors and Case Study

  • A Case Study - External Records Request

    • Dept/HIM not Aware of Denial Patterns
    • MAC performs Medical Review of OP Belatacept Administration applying Ohio LCD*
    • Records Processes
    • Claim Denial
    • Missed timely 2nd appeal
    • $10,000 /unit loss
    • HIM fulfills records request using vendor who copies – timely sends hospital record to MAC
    • MAC denies – no MN
    • Missing required diagnosis codes - coding codes from order
    • Admin stop time not on MAR; Waste not on MAR (in Pharm record)
    • Medical Necessity resides in Physician office notes-those notes not pulled over into hospital record

    *LCD requires select diagnosis codes; IV Start and Stop Times-Wasting should be in MAR. One dose Cost-$10,000; Reimbursement $13,000.

  • HIM Controls for the Risk in Case Study

    • Report on denials patterns
      • Work with decision support to create reports
      • Select complex (error prone), high volume, high cost services first
    • Initiate structured interdisciplinary reviews to scan the environment for patterns:
      • Monthly (weekly for high cost services, monthly for high cost/vol. services)
      • New services-procedures, off label use, anomalies
      • Elect owner of the risk and request action plan and reporting

    HIM is the post office box and may receive letters without the stamp. To force an edit through, or to code just the procedure without the why (MN), results in the dead letter syndrome (denials and rework). The risk is interconnected, so ‘return to sender’.

  • HIM Controls for the Risk in Case Study

    • Inform Providers and Educate
      • Documentation
      • Templates and record formats
      • Front end diagnosis code edits for MN
      • CDI (Hospital and Physician Office-Other)
    • Deploy LCD-NCD screening tools for coders-access personnel
      • Software support tools, edits, work queue, supervisory review for edit bypass, scheduling controls, review and abstracting of office records into hospital record (or alternative)
    • Custom Checklists for records submission to external reviewers
      • Send RELEVANT INFORMATION-INCLUDE THE WHY
      • Abstract the record to call out key MN requirements, order, diagnosis, clinical need, start-stop time, orders, wasting, signatures, LCD-NCD
      • Perform query as necessary to obtain required documentation and attestations

  • Case Study: Backup Incident Response

    • HIM engages an external transcription service (vendor) which is accessed via web or voice
    • The transcription is not backed up
    • The vendor is subject to a ransomware attack and the entire system is unavailable to all physicians for 2 weeks
    • The vendor is not sure whether the provider's PHI has been compromised
    • The provider cannot find a recent contract or BAA
    • The backup system does not have enough devices and physicians do not know how to use it
    • Coding is delayed, billing is delayed because back-up transcriptionists not available, and there are not enough backup devices
    • What are the risks? What controls would have prevented a crisis?

  • Key Risk Indicators Report

    Key Risk Indicator | Measure | Factors

    $500,000 | 4 to 5 High Risk | 4 to 5 High Likely | C=Coding | Strategic-S; Operational-O; Financial-F
    $100,000 to $500,000 | 3 to 4 Mod Risk | 3 to 4 Likely | R=Records | Regulatory-R
    $10,000 to $100,000 | 2 to 3 Low Risk | 2 to 3 Not Likely | A=Growth

    Controls: 5-ineffective, 0-effective
    Risk Tolerance Key: Low-L, Med.-M, High-H


    Key Risk Indicator | Measure | Factors

    Coding Accuracy-complex DRG's

  • Approach for Value

    Assess your processes for risk

    Examine interventions, methods, process redesign, reporting that reveals trends, and optimize control effectiveness

    Prioritize your next steps – strategy based on the goals of the enterprise

  • Thank You!

    Questions?
