Cybersecurity and more stringent staffing needs are among the emerging risk management challenges for hospitals, say industry advisors.

June 2—Risk management strategies will become increasingly important in determining the credit strength of not-for-profit hospitals and health systems, according to a new report.

Navigating changes spurred by the Affordable Care Act (ACA) and legislation proposed to repeal and replace parts of it, the American Health Care Act (AHCA), will require hospitals to mitigate heightened risks in areas including information technology, cybersecurity, clinical quality, and brand protection, according to a new report from Moody’s Investors Service.

“Maintaining high clinical quality will increasingly impact financial performance and reduce risk of brand impairment as reimbursement moves away from a fee-for-service model and towards a greater emphasis on value and outcomes,” the report stated. “A hospital’s ability to improve quality of care and the patient experience will increasingly impact its financial performance. Furthermore, perceived quality is tied to physician and nursing recruitment, fundraising, and community relationships. The perception of poor quality can have a lasting negative impact on an organization's brand and significantly hurt profitability.”

Citing data from the Centers for Medicare & Medicaid Services (CMS), the Moody’s report said organizations with better patient outcomes produce stronger operational margins.

“In 2015, hospitals with above-average value-based purchasing (VBP) scores produced a median operating cash flow margin of 11.7 percent, compared to 8.6 percent for organizations with below-average VBP scores. The patient experience, which accounts for up to 30 percent of the VBP score, has a similar correlation,” Moody’s authors said.

Health Reform Impact

The fate of the ACA and the AHCA poses risks to hospitals, Brad Spielman, a lead author, vice president, and senior credit officer with Moody’s, said.

“It’s hard to plan around unknowns and the future of both laws is presently uncertain. The risk is that large areas of reimbursement will change and regardless of how they change, they create risk,” Spielman said in an interview. “Both laws speak to the possibility of significant reductions in government-based funding, which will impact hospitals pretty significantly.”

Richard Kusserow, CEO of the consulting firm Strategic Management Services, said regardless of congressional action on health reform, it is certain that the Trump administration will pump more money into fraud and claims enforcement.

“Hospitals will continue to face regulatory risk,” Kusserow said in an interview. “They will face large fines, penalties, and reputational damage from corrupt arrangements and inappropriate claims.”

Hospital violations of the Anti-Kickback and Stark laws in relationships with doctors and vendors expose hospitals’ brands and finances, he said.

“Virtually all hospital kickback settlements with government entities have had attorney fingerprints on them, so that shouldn’t stop scrutiny. And the [OIG] has said that corrupt arrangements often mask quality of care issues, which also pose high risks to hospitals,” Kusserow said.

Kusserow, who worked for the OIG for 11 years, said submitted medical claims have gotten many hospitals in trouble with regulators and government contractors.

“The [corporate integrity agreements] that come with settlement agreements are sometimes even more costly than the penalties,” Kusserow said. “Yet, we see these two risk areas receiving the least amount of attention in hospital risk analysis. Every hospital should have an arrangements database as part of its risk analysis process and those reviews should be done regularly.”

Hospitals should conduct mock audits of their claims processing, test them for payment accuracy, and stop payments until corrections are made, he said. If patterns persist, training or termination should follow.

Hospital staff should determine which DRGs are most error prone, which pose the highest risk of government attention, and focus on fixing those errors first, Kusserow said.

Maureen McGovern, director of risk management and patient safety officer for the South Nassau Communities Hospital in Long Island, New York, said maintaining and improving clinical quality is the primary focus of South Nassau.

“That’s what we’re here for, it is the mainstay of our business. And the rest falls in place if you do that successfully. Patients who’ve had good outcomes will recommend you. Your reputation will grow in a positive way. And good reimbursement will follow, especially through pay for performance models,” McGovern said in an interview.

Cybersecurity Risk

McGovern, who has worked in risk management for 31 years, said cybersecurity is among the most imminent risks.

“Not just electronic medical records, but much of our high tech equipment also stores information and we need to make sure they’re not hacked and the equipment is compromised,” she said.

Ann Gaffey, president of the risk management consulting firm Healthcare Risk and Safety Strategies of Arlington, Va., said operational damage from data breaches should not be overlooked.

“If you have a breach and your system goes down for days, are you prepared to document care by manually writing on paper?” Gaffey said. “Can you provide care without the electronic medical records? Have you created an emergency preparedness plan? If you have a young work force that hasn’t worked with paper, you may need to provide education and training in real time. How would a major slowdown and business interruption impact your billing cycle? Hospital leaders need to think about those downstream effects.”

Because more high-acuity patients are coming to hospitals, Gaffey, a nurse and the past president of the American Society for Healthcare Risk Management (ASHRM), said finding a workforce to support that patient base is growing in importance and poses a looming risk to many hospitals.

John Sanchez, vice president of compliance and risk management for consulting firm Pendulum, said many hospitals face the daunting task of balancing quality and risk management in the era of value-based payment.

“If hospitals score in the bottom quartile of their peers in the prevalence of hospital-acquired infections, for example, they can be penalized up to 5 percent of their Medicare reimbursements,” Sanchez said in an interview. “That’s a hefty sum that presents large risks to hospital financial viability.”

Keys to Success

Hospitals that fare better in managing professional liability risk establish strong risk management and patient safety programs, improve the integrity and quality of documentation efforts, proactively review charts, and improve the training and education of their providers, he said.

Implementing strong service recovery programs is key to improved resolution of medical malpractice and negligence lawsuits, Sanchez said.

“Having strategies to communicate well with patients and families when something does occur and having a disclosure of adverse events program while proactively managing potentially compensable events all go a long way to reducing risk,” Sanchez said.

Mike Midgley, president of ASHRM and vice president of healthcare risk engineering at the international insurance firm Swiss Re Corporate Solutions, said prudent programs identify the risks to the strategy and operations of those organizations.

“The best approach is to provide data based on enterprise risk management (ERM) analysis, which will engage key stakeholders in our organizations,” Midgley said in an email. “A primary purpose supporting the ERM program is encouraging a formalized procedure for making thoughtful decisions throughout the system, requiring consideration of protecting the assets of the organization, and contemplating creating value. The ERM process should be familiar to everyone and used daily in thinking about risk and making decisions.”

The risk management process includes identifying and analyzing loss exposures, using alternative risk techniques, selecting the best risk management techniques and implementing those, and monitoring and improving the risk management program, he said.

Hospitals that fail to respond appropriately to imminent risks “will be left behind,” David Petrous, safety and risk manager for Hendricks Regional Health, said in an email. “While financial risk cannot be entirely identified or eliminated, a properly designed and present enterprise risk management program can greatly mitigate or minimize exposure.”

Mark Taylor is a freelance writer based in Chicago.


Publication Date: Friday, June 02, 2017