Weaknesses in Internal Controls: How to Manage and Mitigate Vulnerabilities

weaknesses internal controls

Revised September 2022

Risk in US Healthcare

It is incredibly difficult to turn off “work brain” after the day is done.  Thoughts and questions keep creeping in during off work time, personal time.   

For example, did I send the new state law privacy requirements to our IT security team to review? Are the staff following and appropriately documenting for telehealth reimbursement?  Or what should be my priorities on Monday morning? These questions all represent potential weaknesses in internal controls.  Let’s explore what can be done to mitigate or decrease any vulnerabilities. 

It is important to have appropriate internal controls supported by open communication between colleagues, and forthright reporting to both compliance and risk departments in an organization. 

Since organizations are still run by humans, there remains the potential that one human sets up a call to discuss a topic (like a regulatory change), and inadvertently forgets to invite all the other humans affected by the change. Having a process in place where an employee discusses a need to meet with his or her supervisor can help ensure you’ve got the right humans at the table.  

Internal controls must also be communicated to the staff so they can adhere to the organization’s expectations and policies. This is where education, early and often, that includes the why behind the internal control, can provide the best results to reducing any vulnerabilities. 

Top Areas of Risk

Top areas of risk to a healthcare organization include weaknesses or vulnerabilities in security, documentation, operations, and staff performance.  Let’s consider the following: 

  • The risk focus for organizational security typically includes areas like information technology (IT) and physical buildings. Cybersecurity data leaks or active shooters are examples of each.  
  • Incomplete, non-existent, or fraudulent medical record documentation is another large risk for health care organizations. 
  • Lack of clear policies, procedures, or protocols (PPPs) present huge risks to the organization as employees may act in a way which is not in compliance with PPPs. 
  • And finally, human error, even if unintentional, can present costly risks to the organization, such as a Stark law violation. Both the strongest and the weakest internal control for health care organizations involves the staff.  Take cybersecurity: many data leaks come from staff clicking on the wrong link or attachment and letting the “bad guys in” to the network. The same is true when an employee lets someone in the building on their badge scan rather than making them badge in themselves.  

Mitigate Risks

Risk mitigation is an organizational strategy to prevent or decrease the impact of mistakes or unanticipated outcomes when they occur.  One strategy is to implement organizational controls, such as PPPs along with checklists and tools, to either prevent or decrease organizational risks. 

  • A primary and effective way to mitigate risks to the organization is to empower the employees with knowledge. Don’t just have employees complete compliance and risk education online.  Go out and meet the staff and answer their questions in real time!  Or encourage them to call or email their questions and provide timely follow up. 
  • Risk and compliance departments should foster a culture of early reporting by staff when there is a mistake or unanticipated outcome or a deviation from the PPPs. When a staff member makes a report, it is important to document the facts while remaining objective and non-judgmental. (Related: Read Brian Kozik’s story of changing the consequence structure to support a safe to speak up culture) 
  • Ensure you have a usable system to track internal control weaknesses to manage and mitigate vulnerabilities. Whether this is a manual process or is done through an IT application, make sure you consistently use the internal controls to evaluate and mitigate risks because they change – frequently. 
  • Review, or if you don’t have them, develop cybersecurity and business continuity plans. These plans should be living documents that are used regularly and revised at least every two years, to ensure compliance and risk topics are current and mitigated.  These plans should not just be a book on the shelf or a file on a computer. The risk focus for these plans should include tools to monitor both IT and the physical building risks. 
  • Commit to being a leader when it comes to promoting an open culture for reporting weaknesses, or breaks, in internal controls so early mitigation strategies can be implemented. 

Proactively setting internal controls helps you and your colleagues address mistakes and errors when they inevitably do happen.  While there is no failsafe way to ensure 100% compliance with internal controls, or that all employees will do the right thing every time, you’ll be better positioned when staff are educated and equipped to comply with regulations and do the right thing.  And in organizations that have an open culture of reporting, both the risk and compliance teams will be aware of the internal control weaknesses so they can implement mitigation strategies early on. 

Strong internal controls are critical to effective regulatory change management. YouCompli can enable your collaboration with compliance champions and free your time to focus on relationships and communications. Take a look at our regulatory change management solution today.  


Jerry Shafran is the founder and CEO of YouCompli. He is a serial entrepreneur who builds on a solid foundation of information technology and network solutions. Jerry launches, manages, and sells software and content solutions that simplify complex work. His innovations enable professionals to focus on their core business priorities.


Never Miss a Compliance Related Article

Get a 15-minute strategic overview of YouCompli

The Pandemic Is No Excuse: Enforcement Actions Taken by the Office for Civil Rights

We’ve known that enforcement actions were going to pick up again, even though many regulations are still waived or modified during the public health emergency. In the past few months, several decisions have been rendered by the Office for Civil Rights (OCR) which prove the point. Hospitals and other healthcare organizations need remain cautious and cognizant of exactly which regulations are being enforced, and make sure that existing procedures and policies are being followed. 

Religious Rights 

For exampleOCR resolved a complaint against Prince George’s Hospital Center of the University of Maryland Medical System (UMMS). The complaint was raised by a woman who wanted to have a priest attend her critically injured husband during the pandemic. Despite the priest’s willingness to wear any necessary personal protective equipment (PPE), he was refused entry. UMMS implemented a new policy guaranteeing “adequate and lawful access to chaplains or clergy” in order to resolve the complaint. 

second religiously-based complaint was also resolved recently by OCR. In this complaint, filed by a civil rights group, a medical student at Staten Island University Hospital (SIUH) in New York City was ordered to shave his beard, which he kept for religious reasons. The hospital stated that this was in order to ensure his N95 respirator mask had a tight seal around his nose and mouth, even though he had passed a fit test. In resolving the complaint, SIUH provided the student with a Powered Air Purifying Respirator (PAPR) as a religious accommodation. 

Privacy 

OCR also recently resolved a HIPAA-based complaintLifespan Health System Affiliated Covered Entity (Lifespan ACE) in Rhode Island agreed to pay OCR $1,040,000 and to implement a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules related to the theft of an unencrypted laptopNot only did the laptop contain electronic protected health information (ePHI) for 20,431 individuals, OCR found systemic noncompliance with HIPAAincluding lack of encryption on laptops and a lack of device and media controls. 

A Warning for Compliance 

All these enforcement actions took place during the COVID-19 pandemic. The presence of the pandemic is not being taken as a reason for not proceeding with enforcement action. Compliance professionals need to be very aware of what regulations still apply, and how their organizations are continuing to stay within the scope of existing regulations. 

See YouCompli in Action

Easier, faster, more effective compliance is possible

Improving Your Reputation: How to Help Your Healthcare Organization See the Compliance Department in a Positive Light

When the compliance team visits another department, staff responses are usually the same: we must have done something wrong.

This isn’t the response that you want. The compliance department and staff should be seen as approachable, working in a collaborative fashion to make the organization more successful. If the compliance department only comes in to run audits and give “constructive” feedback, then compliance will quickly become known for negativity and criticism.

Collaboration

It is important to collaborate with other departments and incorporate a holistic organizational approach. This means valuing what other team members have to offer with regards to compliance in the organization. It can be easy for compliance professionals to make black or white statements regarding compliance with a specific regulation or policy. After all, it’s there in writing — in black and white.

But, other teams can sometimes bring to light another perspective. There may be gray areas in the written requirements or overall process and addressing these could benefit the organization without compromising compliance.

Or, compliance professionals could demonstrate openness to evaluating how requirements and regulations are impacting specific operational workflows. For example, when evaluating a compliance process for telehealth visits related to obtaining consent, the operations leader should be given an opportunity to work with compliance in developing the process.

In-Person Education

One approach to improving collaboration with other departments is to conduct in-person education and question and answer (Q&A) sessions. Ask all department leaders if you can have ten (but no more than fifteen) minutes at their next staff meeting to introduce the compliance team and to solicit compliance-related topics and questions. Before the meeting, make sure to get the department leader to provide two to three compliance-related topics that would be of interest to their team. Prepare a short slide presentation to use in the meeting — typically, one slide per topic and one Q&A slide at the end.

During the meeting, make sure to leave at least five minutes for compliance Q&A. Listen to the staff questions and solicit information on challenges or knowledge gaps related to compliance, so follow up can be done with the that department or team.

Follow-Up Education

Follow up should be timely (within three to four weeks) and can be done a few different ways: short videos, posts on the internal intranet or website, email education, or additional in-person follow up education. There are several excellent (and free) applications available online where you can create short, two- to three-minute compliance videos that can then be distributed to staff.

Follow-up education could also be done by email if the topic and question and answer lends itself to an email response. For example, if staff ask a question about HIPAA’s application to texts or emails, it would be fairly easy to find a one-page summary on the application of HIPAA to texts and emails and attach that to an email.

Volunteers

Another way to improve collaboration would be to have compliance staff volunteer to participate in organization committees not directly related to compliance. For example, compliance professionals could join the policy committee or the activities committee. In this way, the compliance team can develop positive relationships with others in the organization, in an open and approachable way.

Practice Tip:

  1. Reach out to at least 3-4 departments before the end of the year to schedule and conduct in-person meet and greets with a focus on compliance education.
  2. Utilize services such as youCompli to stay current on compliance topics and regulations to present during your meet and greet meetings.

Denise Atwood, RN, JD, CPHRM
District Medical Group (DMG), Inc., Chief Risk Officer and owner of Denise Atwood, PLLC
Disclaimer: The opinions expressed in this article or blog are the author’s and do not represent the opinions of DMG.


Denise Atwood, RN, JD, CPHRM has over 30 years of healthcare experience in compliance, risk management, quality, and clinical areas. She is also a published author and educator on risk, compliance, medical-legal and ethics issues. She is currently the Chief Risk Officer and Associate General Counsel at a nonprofit, multispecialty provider group in Phoenix, Arizona and Vice President of the company’s self-insurance captive.  


See YouCompli in Action

Easier, faster, more effective compliance is possible

Emergency Preparedness Revisited

Emergency preparedness has always been one of the top concerns of hospital administrators and medical staff, but never has it been more critical. As the the coronavirus pandemic continues to impact the United States, and facilities are struggling to maintain levels of personal protective equipment (PPE) and ventilators, administrators and compliance professionals should also review the updated federal emergency preparedness requirements, published by the Centers for Medicare and Medicaid Services (CMS) in the Federal Register on September 30, 2019.

We previously blogged about these requirements in 2017, but the requirements have changed in the past few years. Here are the four core elements of a hospital’s emergency preparedness plan to handle natural and man-made disasters — and a look at how they are impacted by last year’s final rule revision by CMS:

Risk Assessment and Planning

Commonly referred to as the emergency plan, CMS requires such a strategy to be developed and then updated at least once a year. It is based on certain risk assessments and uses an “all-hazards” approach that focuses on hospital capacities and capabilities, care-related emergencies, equipment and power failures, communication interruptions (including cyberattacks), and interruptions to water, food, and medication supply chains.

A major change to this element involves hospital climate control and power. Facilities are no longer required to heat and cool the building evenly. However, safe temperatures are to be maintained in areas deemed necessary to protect patients, other people in the facility, and provisions stored in the facility during the course of an emergency, as determined by a risk assessment. If a hospital is unable to maintain safe temperatures, it should follow an established plan for a timely relocation/evacuation that avoids patient exposure to harmful conditions. Additionally, hospitals are required to have an essential electric system with a generator that complies with the NFPA 99 – Health Care Facilities Code.

Like before, the plan must include strategies for addressing emergency events and include a process to work in conjunction with local, tribal, regional, state, and federal emergency preparedness officials. But the key change to the all-hazards approach — and this is crucial in light of recent events — is that all participating hospitals must be prepared for emerging infectious disease (EID) threats, such as the coronavirus. EIDs may require modification to standard facility protocols to protect the health and safety of patients and personnel, such as isolation and PPE usage.

Communication Plan

This element received additional fine-tuning. Participating hospitals still must develop a communication plan that complies with local, state, and federal laws and the plan must be reviewed and updated annually. It should now also include the names and contact information of key hospital personnel for local, tribal, regional, state, and federal emergency preparedness officials. And, it should detail how patient care is coordinated within the facility, across healthcare providers, and with local and state public health departments and emergency management systems.

Policies and Procedures

Hospital policies and procedures still must be based on the emergency plan, risk assessment, and the communication plan, and must be reviewed and updated at least once a year. They should address a broad range of topics and situations, including subsistence needs (water, food, medical supplies) of patients and staff, emergency staffing strategies, tracking the location of on-duty staff and patients during emergencies, sheltering-in-place plans, and patient relocation/evacuation plans.

Training and Testing Program

This revised element the result of an additive process. Program development is based on the emergency plan, the risk assessment, the communication plan, and the policies and procedures. As before, the final rule states the program must detail who needs to be trained, describe the frequency of training, how knowledge is assessed, and document how the training was conducted.

During the course of normal events, hospitals are required to annually conduct a mock disaster drill that is either a full-scale, community-based or individual facility-based exercise. In addition, hospitals must also hold a discussion-based tabletop exercise with its senior staff to discuss hypothetical emergency scenarios and reassess policies and procedures. But recent years have not been normal.

Along with the coronavirus outbreak, many parts of the country have suffered from an increase in natural disasters or mass shootings. The final rule revision acknowledges this wide spectrum of emergencies. If there is an event that activates a hospital’s emergency plan, that facility is exempt from holding its annual mock disaster drill for one year following the incident, provided it has written documentation. If a hospital activates its emergency plan twice in one year, it is exempt from both the mock disaster drill and tabletop exercise for one year following the actual events. Again, written documentation of these events and procedures is required.

Maintain Compliance with CMS

Being compliant with the September 30, 2019 final rule is a requirement for your facility’s Condition of Participation (CoP) / Condition for Certification (CfC) with CMS. Failure to comply, even during a pandemic, could thus have significant impact on your organization. The youCompli compliance management software is a powerful tool to help mitigate risk and enable your hospital to effectively implement these, and many other, regulatory requirements. The software is easy to use and quick to deploy, and can be a powerful means to drive efficiencies through your compliance department.

See YouCompli in Action

Easier, faster, more effective compliance is possible

For Hospitals, Climate Change Compliance Pays. Literally.

Hospitals nationwide are trying to recover from what AHA president Rick Pollack calls a “triple whammy.” Between “increased expenses incurred in…caring for the COVID patients,” “the decreased revenues” from “having shut down regular operations in terms of scheduled procedures,” and “the increased number of uninsured,” it’s probably no surprise that, according to AHA estimates, US hospitals are losing as much as $50 billion a month.

What is surprising, though, is how hospitals are offsetting some of those losses — to the tune of tens or hundreds of thousands of dollars a year — with significant savings from climate change sustainability. In principle, this boils down to cutting waste — wasted food, wasted paper, red bag waste, wasted electricity — and associated disposal costs.

Climate change regulations are complex, and are likely to change over time, as climate change becomes a more serious issue for regulators. Establishing a program now that fits within existing regulations, has potential to grow, and will support the hospital’s budget needs — all without violating other compliance requirements — is a significant win for compliance professionals.

As these examples show, there are opportunities now to reduce your climate risk, save money, and stay compliant:

Reduced Consumption

ORs and Medical Waste

  • ORs account for 20-30% of a hospital’s total waste, up to 60% of its medical waste, and about a third of its expenses. By lowering the number of air exchanges per hour (ACH) from 25 to 20 (the federal and state required minimum) between surgical procedures, the Cleveland Clinic saves $250,000 a year.
  • Health Partners’ waste reduction and recycling program has diverted 793,000 pounds from the ORs of all its hospitals.
  • By removing 91,753 pounds of instruments from the reprocessing cycle, Dartmouth Hitchcock Medical Center saved almost $1.5 million.
  • Seattle’s Virginia Mason Medical Center cut supply costs by over $3 million in three years by switching to reprocessed medical devices.

Implications for Compliance

Selling these savings to the executive board is easy. Savings like these don’t just go once to your bottom line. They stay there, year after year. What’s more, they can increase your property value by as much as eight times your investment. Reducing energy use can also earn you federal tax reductions and refunds, state matching grants, and electric utility rebates.

From a compliance standpoint, the obvious concern is whether implementing these changes to green your organization will have negative impacts on your exposure to compliance risk. And that’s a big challenge to overcome. What you need is a way get clear insight into what regulations require, and what environmentally-focused options are available.

See YouCompli in Action

Easier, faster, more effective compliance is possible

COVID-19 Testing: New Federal Clarifications for Employers

You’ve probably heard of recent federal legislation affecting insurance coverage for COVID-19 testing and related services, such as the Families First Coronavirus Response (Families First) Act and the Coronavirus Aid, Relief, and Economic Security (CARES) Act.

The federal government has taken steps to require certain kinds of insurance plans to provide coverage for testing (and related services) without cost-sharing, prior authorizations, or other medical management requirements.

New Guidance Issued

On June 23, three federal departments — the Department of Health and Human Services (HHS), the Department of the Treasury, and the Department of Labor — issued a second round of guidance on implementing these provisions.

The Centers for Medicare & Medicaid Services (CMS) has published an FAQ specifically related to the Families First Act which contains some useful information related to this guidance. (Click here to read the full document.)

CMS has confirmed that the Families First Act does not require employers and insurers to pay for COVID-19 testing that is not used for diagnostic purposes. This includes back to work purposes or general screening. And there are no exceptions for the uninsured or those receiving Medicaid coverage.

In the case of diagnostic testing, the law allows for quite a broad range of coverage. Tests must be approved by HHS (which includes tests approved by the Food and Drug Administration (FDA) on an emergency or temporary basis). But as long as one of these approved tests is ordered by an attending health care provider, “where medically appropriate for the individual,” then insurers must pay for it. And that’s even if there are multiple tests ordered.

COVID-19 Tests Not Covered

However, for tests that are not for diagnostic purposes, things get more complicated. If employers require their employees to have clean COVID-19 tests before returning to work, there are basically two options, neither of which insurance is required to help with under this legislation:

  1. Pick up the tab for testing themselves, or
  2. Ask employees to either cover it (which can be very expensive) or line up at one of the free public testing sites.

Implications for Compliance

As with most of the regulatory changes related to the pandemic, the devil is in the details here. Staying up to date on the latest guidance and clarification is the only way to be sure that you are providing the correct information to the rest of your organization.

See YouCompli in Action

Easier, faster, more effective compliance is possible

AHA and CMS to Keep Regulatory Flexibilities in Place

COVID-19 continues to create obstacles and challenges for healthcare compliance professionals. Thriving in this environment means being agile and adaptive.

The AHA’s Requests

Last week, the American Hospital Association (AHA) asked the Centers for Medicare & Medicaid Services (CMS) to keep relaxed regulations in place. Specifically, the AHA is interested in keeping flexibility around telehealth, quality and compliance measures, and bed capacity.

The telehealth changes are ones that have been on the horizon for some time. Essentially, the AHA is asking CMS to continue to allow hospitals to provide a wide range of telehealth services, without limitations as to profession or geographic location. The AHA is also asking for flexibility on billing and payments related to telehealth to be made permanent.
More interestingly, the AHA has also asked that CMS extend regulatory relief related to some quality and patient safety regulations. These include expanding the use of verbal orders, and extending the reuse of PPE.

The AHA has also asked that CMS provide hospitals with a transition period, to allow them to more easily move from pandemic response to ordinary practice. This includes a request for temporary waivers for sanctions and penalties related to HIPAA , and flexibility on audit requirements. And, it includes a request that certain rules and requirements be delayed or suspended.

The Response From CMS

Three days after the AHA released this letter, Michael Caputo, Assistant Secretary for Public Affairs at the Department of Health and Human Services (HHS), tweeted this :


The public health emergency is currently set to expire on July 25. However, as of this writing, HHS hasn’t officially announced how long the extension will be

This means that we don’t yet know what will happen when the emergency finally does end. Will HHS give a transition period, as the AHA has requested? Will HHS continue to allow flexibility about telehealth, which they have previously indicated they would?

Staying up to date on this fluid situation is going to be a key task for compliance in the coming weeks.

See YouCompli in Action

Easier, faster, more effective compliance is possible

The Results Are In: What the Data Say About the Impact of COVID-19 on Healthcare Compliance

We keep hearing that COVID-19 changed everything, especially in healthcare. But actual data is pretty thin on the ground.

Mostly, we’ve been hearing anecdotes and stories, many of which are striking. The problem with stories is that they can be unique or unusual, and without the context of clear data, we can’t really tell.

Last week, we got some data.

In May, the Society of Corporate Compliance and Ethics (SCCE) and the Health Care Compliance Association (HCCA) surveyed their audiences on the impact of COVID-19 on their organizations and their work. They received 300 responses, have collated the results, and there are some interesting trends. You can read the full survey results here.

Confirming What We Knew

Some trends are unsurprising, and confirm what we already knew. Survey respondents said they had concerns about the increased risk of compliance failures as a result of the pandemic.

  • 77% expected that there would be some increase, or a great increase, in compliance failures.

It’s also unsurprising to see that healthcare saw more of an increase in the number of inquiries being made of the compliance team.

  • 42% reported an increase in healthcare
  • 30% reported an increase outside of healthcare

Given the number of healthcare-related regulatory waivers and temporary changes that have been issued, this makes total sense.

Positively, collaboration with other departments has been largely unaffected or increased during the pandemic. Compliance is still seen as really valuable to the organization as a whole. The numbers range from 83% to 96% of respondents reporting that collaboration has stayed the same or increased (depending on department).

Differences for Healthcare Compliance

The data also show some surprising trends, specifically related to healthcare compliance.

We know that there has been a huge shift to remote work. The surprising aspect is that the shift is very different between healthcare compliance and compliance elsewhere.

  • In healthcare, 60% reported working remotely
  • Outside of healthcare, 84% reported working remotely

This gap is big, and hard to explain. Working in healthcare institutions would, presumably, increase the risk of being exposed to the virus. It would have been reasonable to expect that healthcare institutions would do as much as possible to try to get their non-clinical staff set up to work effectively off-site.

What’s even more surprising is that healthcare professionals are less likely to report that the transition to remote work has gone well.

  • In healthcare, 47% said the transition had gone better than expected
  • Outside of healthcare, 64% said the transition had gone better than expected

The survey doesn’t indicate why this is so. Speculating a little, it could be that the disruption in moving to a remote office, coupled with the sudden influx of regulatory changes, made it more difficult for healthcare compliance professionals to manage their day-to-day work. If this is true, it would also explain why healthcare institutions were less likely to transition compliance professionals to remote work.

There’s another difference between healthcare and other types of organizations, and this suggests things will be difficult for compliance professionals going forward into 2021. In relation to budgets:

  • In healthcare, 40% reported a budget reduction
  • Outside of healthcare, 31% reported a budget reduction

In short, budget reductions are coming to compliance, as they are going to come to other parts of the healthcare system. (If they aren’t already in place.) As COVID-19 related waivers and suspensions start to expire, compliance is going to have to find a way to do more with fewer resources.

See YouCompli in Action

Easier, faster, more effective compliance is possible