Optional_2023 Board Resources

Identifying and Auditing Potential Risk Areas

Some regulatory risk areas are common to all health care providers. Compliance in health care requires monitoring of activities that are highly vulnerable to fraud or other violations. Areas of particular interest include referral relationships and arrangements, billing problems (e.g., upcoding, submitting claims for services not rendered and/or medically unnecessary services), privacy breaches, and quality-related events.

The Board should ensure that management and the Board have strong processes for identifying risk areas. Risk areas may be identified from internal or external information sources. For instance, Boards and management may identify regulatory risks from internal sources, such as employee reports to an internal compliance hotline or internal audits. External sources that may be used to identify regulatory risks might include professional organization publications, OIG-issued guidance, consultants, competitors, or news media. When failures or problems in similar organizations are publicized, Board members should ask their own management teams whether there are controls and processes in place to reduce the risk of, and to identify, similar misconduct or issues within their organizations. The Board should ensure that management consistently reviews and audits risk areas, as well as develops, implements, and monitors corrective action plans. One of the reasonable steps an organization is expected to take
