Compliance Risk Assessments: The Foundation of Effective Compliance Programs

As compliance regulations and laws evolve and increase in number, many organizations – hospitals, home health agencies, skilled nursing facilities, physician practices, and third-party medical billing companies, among others – are constantly exposed to new compliance risks.  To adapt to this ever-changing environment, an organization must determine the level of risk present in each of its operational areas.  Conducting thorough compliance risk assessments on a regular basis identifies and evaluates these risks and gives leadership the information it needs to make any necessary changes.

Compliance risks emerge from violations (intentional or unintentional) of regulations, laws, codes of conduct, or standards of practice.  To understand these threats, an organization must assess both the likelihood of a violation and its exposure to the resulting damage.

Compliance risk assessments are a vital part of an effective compliance program.  They should be performed regularly to support the development and implementation of a compliance work plan.  They can be performed manually or with the assistance of specialty software, and a common approach pairs an annual internal self-assessment with an external assessment by a third party every two to three years.

However, if an organization has been sanctioned by a government entity for an inappropriate process or other violation, the government entity may mandate that an annual compliance risk assessment be performed by an external group as part of a corporate integrity agreement or non-prosecution agreement.  An assessment performed by an independent third party provides a view that is not shaped by the organization's own assumptions about its processes.

The Department of Health and Human Services Office of Inspector General (OIG) expects healthcare providers and organizations that receive payment from federal payers to have an effective compliance program in place, and has published compliance program guidance to support that expectation.  The risk assessment examines the compliance issues an organization must mitigate to avoid financial and operational loss.

Compliance risk often involves:

  • Exposure to regulatory and legal penalties.
  • Payment refunds.
  • Material losses from failure to demonstrate compliance.
  • Potential damage to an organization’s public reputation.

Organizations must understand the details of their risk universe.  Fortunately, the OIG has published compliance program guidance for hospitals, physician practices, pharmaceutical manufacturers, clinical laboratories, third-party billing companies, and other healthcare organizations.  Healthcare regulatory compliance is a constantly moving target.  Payers issue new documentation, coding, and billing requirements often – frequently without any apparent notification.  Healthcare organizations must therefore remain current with all new and updated regulations.  Compliance violations can arise from misunderstood or improperly implemented regulations.  Keep in mind that an improper claim must still be corrected, and any overpayment returned, regardless of intent; intent may affect the severity of the penalty, but it does not change whether a violation occurred.

A compliance risk assessment is critical for focusing limited organizational resources on the greatest risks and on the areas that lack controls.  Unfortunately, particularly when resources are constrained, management of regulatory compliance within healthcare organizations is often treated as a secondary priority, exposing the organization to unnecessary risk.  Compliance risk assessments enable organizations to allocate resources appropriately and efficiently so that important compliance issues are not overlooked.

Compliance risk assessments are a good way to "take the temperature" of an organization by uncovering weaknesses such as duplication of effort, process gaps, and lack of communication.  For instance, there are many rules to follow in order to bill and submit claims correctly.  It is important to establish sound processes and open communication between the clinical and financial departments so that correct information is shared appropriately.  These key processes cannot be accomplished in silos – a multidisciplinary, coordinated effort is required.

Specific steps for completing a compliance risk assessment include:

  • Determining the risk universe by assessing operational areas and responsible parties.
  • Determining whether the assessment should be conducted under attorney-client privilege, so that findings that must be addressed are protected from disclosure while remediation is under way.
  • Implementing a robust methodology for determining areas of risk.
  • Gathering and reviewing related policies, procedures, audits, investigative reports, and similar documentation.
  • Interviewing key individuals (e.g., service line leaders, compliance department leaders and staff, executives, medical staff, and the governing board) who are responsible for compliance function oversight.
  • Utilizing questionnaires to determine whether compliance controls are in place and followed.
  • Compiling the results and scoring each identified risk (for example, by likelihood and impact, weighted by importance to the organization) to determine which risks require the most immediate corrective action.
  • Identifying the parties responsible for compliance.
  • Formalizing a plan of action based on the levels of identified risk, factoring in the organization’s risk appetite.
  • Internally disseminating the assessment report so that its recommendations can be reviewed and applied to day-to-day operations throughout the organization.
  • Providing affected employees and new employees updates and continuing education regarding risk issues through seminars, leadership meetings, and/or internal correspondence.

The main focus of the assessment should be to examine the specific areas of risk that pose the greatest threat.  The result is a compliance work plan that spells out the organization's compliance strategy for the following year, which the organization then uses to build the assessment's findings and recommendations into its day-to-day operations.

It is extremely important to communicate the assessment findings and any recommended corrective actions to the organization's executive leaders and governing board, because the OIG holds them ultimately responsible for achieving compliance.  Of note, the Department of Justice has stated that it will hold individuals, not just organizations, accountable for non-compliance and corporate wrongdoing.

Key Takeaways:

  • A compliance program should include thorough compliance risk assessments that are performed regularly.
  • An organization should break down silos so that a thorough assessment covers every area of the organization.
  • An organization should be prepared to continually address new risks as they arise.

If you would like more information about compliance risk assessments, or would like to request a speaker on this topic for your organization or event, contact one of our related PYA executives below at (800) 270-9629.

Related guidance: Susan Thomas, Shannon Sumner