
Enterprise Risk Management

Enterprise risk management (ERM) in healthcare promotes a comprehensive framework for making risk management decisions that maximize value protection and creation by managing risk and uncertainty and their connections to total value.
ERM Framework

ERM Domains
• Operational
• Clinical/Patient Safety
• Strategic
• Financial
• Human Capital
• Legal/Regulatory
• Technology
• Hazard

Guiding Principles
The following guiding principles, in concert with ASHRM’s mission and vision, have been developed as basic building blocks supporting the framework for ERM in healthcare:
• Advance safe and trusted healthcare
• Manage uncertainty
• Maximize value protection and creation
• Encourage multidisciplinary accountability
• Optimize organizational readiness
• Promote a positive organizational culture, which will impact readiness and success
• Utilize data/metrics to prioritize risks
• Align risk appetite and strategy

ERM Practices:
1. Are continuous
2. Require a paradigm shift in how an organization identifies and manages risks and opportunities
3. Are “not a stop on the road, but a journey”
© ASHRM 2016
ERM Risk Domains

Domain: Operational
Description/Example: The business of healthcare is the delivery of care that is safe, timely, effective, efficient, and patient-centered within diverse populations. Operational risks relate to those risks resulting from inadequate or failed internal processes, people, or systems that affect business operations. Included are risks related to adverse event management, credentialing and staffing, documentation, chain of command, and deviation from practice.

Domain: Clinical/Patient Safety
Description/Example: Risks associated with the delivery of care to residents, patients, and other healthcare customers. Clinical risks include failure to follow evidence-based practice, medication errors, hospital-acquired conditions (HAC), serious safety events (SSE), and others.

Domain: Strategic
OIG. (2020, January 2). Comparison of the Anti-Kickback Statute and Stark Law. Retrieved from HTTP://OIG.HHS.GOV/COMPLIANCE/PROVIDER-COMPLIANCETRAINING/FILES/STARKANDAKSCHARTHANDOUT508.PDF
Stark Law

What is the Stark Law?
The Stark Law refers to the practice of a physician referring patients to a medical facility in which the physician has a financial interest, whether ownership or another type of investment.
Physician Self-Referral
• Prohibits a physician from making referrals for certain designated health services (DHS) payable by Medicare where there is a financial relationship (ownership, investment, or compensation), unless an exception applies.
• Prohibits the entity from processing claims for those referred services.
• Establishes specific exceptions and grants the Secretary authority to create regulatory exceptions for financial relationships that do not pose a risk of patient abuse.
Designated Health Services (DHS)
The following items or services are DHS:
• Clinical laboratory services.
• Physical therapy services.
• Occupational therapy services.
• Outpatient speech-language pathology services.
• Radiology and certain other imaging services.
• Radiation therapy services and supplies.
• Durable medical equipment and supplies.
• Parenteral and enteral nutrients, equipment, and supplies.
• Prosthetics, orthotics, and prosthetic devices and supplies.
• Home health services.
• Outpatient prescription drugs.
• Inpatient and outpatient hospital services.
OIG, 2020
Healthcare Quality Improvement Act
• Developed in 1986
• Protects the public from incompetent physicians
• Requires the Board of Medical Examiners to report professional competence or conduct to the Secretary
• Requires hospitals to request information from the Secretary about providers regarding staff physicians and health care practitioners
• Want to read more about these laws? Visit http://www.hcqia.net/ or NAMSS https://www.namss.org/
Medical Identity Theft
• Red Flag Rules: registration, financial assistance, and the business office will be mostly affected
• Background: the Federal Trade Commission adopted the Red Flag Rules to urge creditors to protect sensitive customer information, watch for the red flags, and respond quickly to claims of identity theft.
• What is identity theft? It is fraud.
• Medical identity theft is a growing problem and can involve SSNs, account numbers, and other personal information.
• Riskiest time for identity theft: when a new patient account is opened
• Visit IdentityTheft.gov to report identity theft
• Federal Trade Commission
  • Collaborates with law enforcement across the country and around the world to advance consumer protection and competition missions.
Identity Theft
• New requirements for registration
  • Patients provide a photo ID
  • Proof of address
  • Exceptions: not in the ED, due to EMTALA
• How to help prevent identity theft? Watch for these red flags:
  • Insurance card appears altered
  • Photo on license does not look like the patient
  • Signature on driver’s license does not match the patient’s signature on consents
  • Demographic information does not match
• What to do if you discover a red flag?
  • Notify your supervisor
  • If your supervisor is not available, contact Risk Management or the Compliance Officer
HIPAA of 1996
Privacy and Security

HIPAA
Health Insurance Portability and Accountability Act of 1996. HIPAA is a response by Congress to healthcare reform and is a mandatory federal law. It:
• Protects the privacy and security of a patient’s health information.
• Provides for electronic and physical security of a patient’s health information.
• Prevents health care fraud and abuse.
• Simplifies billing and other transactions, reducing health care administrative costs.

Privacy
• Minimum Necessary: what type of information am I about to share? It’s a need to know.
• Covered Entity: health plans, healthcare clearinghouses, healthcare providers, business associates
HIPAA Cont’d
• Security: organizations should conduct both risk analysis and risk management procedures; this provides a baseline for detecting risk and mitigating breaches.
• Risk analysis: when you look for vulnerabilities of confidential health information
• Risk management: this requires an organization to make decisions, address the security risks and vulnerabilities, and implement policies, procedures, and programs in order to comply
HIPAA: Security Standards

Administrative
• Administrative Action
• Policies and Procedures

Technical
• Access Controls
• Audit Controls
• Integrity
• Person or Entity Authentication
• Transmission Security

Physical
• Facility Access
• Workstation Use
• Workstation Security
• Device and Media Controls
HIPAA
• What is PHI? Protected health information
• What is EPHI? Electronic health information
• What is an EMR? An electronic medical record
• How does HIPAA affect my job? Do you handle PHI? If yes, then it’s your job to protect that information.
Health Information Technology for Economic and Clinical Health Act (HITECH)
– Signed into law by President Obama in 2009.
– Under HIPAA, there were a few grey areas that needed to be fixed. The purpose of HITECH was to eliminate these grey areas.
– Goal is to promote the use of healthcare technology and to encourage use of Electronic Health Records (EHR).
– As of 2008, only 10% of physicians had adopted an EHR system. By 2017, 86% of physicians and 77% of hospitals had adopted an EHR system.
– It provided incentives to providers and healthcare organizations for proper EMR use. Ex: Meaningful Use.
Source: https://www.hipaajournal.com/what-is-the-hitech-act/
Who can I talk to within the Healthcare Organization about Privacy and Security?
• Chief Privacy Official (CPO): responsible for privacy program implementation; facilitates training and education, assesses compliance, and evaluates complaints and potential breaches.
• Facility Information Security Official (FISO): responsible for leading, driving, and helping facility workforce members appropriately comply with the company’s IPS requirements.
• Health Information Management Director (HIM): ensures compliance with state and federal laws and standards related to privacy, security, and record completion.
• Director of Information Security (IT & S): leads and directs activities of the Information Technology department and partners with business partners to deliver technology services that are aligned with business needs.
• Ethics and Compliance Officer: assists the organization in achieving responsible and effective corporate (risk management) and compliance programs.
Whistleblower

What is a Whistleblower?
A whistleblower is someone who reports waste, fraud, abuse, or dangers to public health and/or the safety of others. The individual that is being reported is in question or in a position to correct the wrongdoing.
• Whistleblower laws are enforced by the Occupational Safety and Health Administration (OSHA)
• There are more than 20 whistleblower statutes
• Pro