The Why, What, Who, and When of Healthcare Risk Assessments  

Healthcare risk assessments are essential for patient safety and compliance. By understanding the why, what, who, and when of risk assessments, healthcare organizations ensure high-quality care in a safe environment. In this article, Sharon Parsley discusses risk assessment from a “why, what, who, and when” perspective. She also looks at ways that you, as an effective compliance officer, can lead this process with your colleagues.

New DOJ Guidance on Compliance Programs Released March 2023

Incentives, Compensation Structures, and Consequence Management for Healthcare Compliance

Healthcare organizations should benchmark the DOJ Evaluation of Corporate Compliance Programs (ECCP) guidance (March 2023) to assess their compliance program.

Opioid-related compliance enforcement actions 

Enforcement actions to beat back the opioid epidemic.

C.J. Wolf, MD provides enforcement action summaries for the YouCompli blog. These summaries provide real-world examples of regulators’ response to practices that don’t fully comply with regulations. This month’s article looks at opioid-related incidents.     

Government enforcement agencies continue to put the pressure on healthcare providers to ensure compliance with opioid prescribing guidelines. And for good reason: We saw 92,000 drug overdose deaths in the United States in 2020. A full 75% of these deaths involved an opioid. 

Multiple presidential administrations have focused on beating back the opioid epidemic. One way that is being done is by enforcement against healthcare providers who are contributing to the problem. The U.S. Department of Justice, through its Consumer Protection Branch, is pursuing both criminal and civil actions against entities and individuals committing wrongdoing throughout the prescription opioid supply chain. 

Providers investigated for overprescribing opioids 

For example, a pain management physician in Ohio was recently convicted for unlawfully distributing opioids through his clinic. The convictions involved the distribution of a controlled substance, outside the usual course of professional practice, and not for a legitimate medical purpose. The prescriptions greatly exceeded recommended dosages and were in dangerous, life-threatening combinations. For each charge, he faces a maximum penalty of 20 years in prison. The physician required clients to pay cash for prescriptions and they would often travel hundreds of miles to visit this physician’s particular clinic. During a four-and-a-half-year period, the physician prescribed over 111,000 pills to nine clients. Sentencing has not yet occurred. 

Non-physicians have also been subject to enforcement. In one case, a Maryland physician assistant was enjoined by the court from dispensing, prescribing, or administering any controlled substances. Officials specifically called out anyone, regardless of their credentials, to be aware of their responsibilities. The U.S. Attorney involved in the enforcement noted that the Controlled Substances Act applies to physician assistants and nurse practitioners.

They “cannot overprescribe opioids and hide behind their affiliations with physicians in an attempt to shield themselves from criminal and civil liability.”    

U.S. Attorney Erek L. Barron for the District of Maryland.

The court’s action brought to a close a civil complaint filed by the government against the physician assistant. Allegedly, she issued hundreds of opioid prescriptions that had no legitimate medical purpose and fell outside the usual course of professional medical practice. In some especially concerning examples, it was alleged she prescribed morphine milligram equivalent (MME) dosages exceeding 700 MME per day. By comparison, the Centers for Disease Control and Prevention (CDC) generally recommends that primary care clinicians avoid opioid dosages over 90 MME daily. The court’s ruling requires that she never again apply for or seek the reinstatement of her Drug Enforcement Administration (DEA) registration. DEA registration is required to prescribe controlled substances.

Manufacturer fined for opioid kickback scheme 

It is not just prescribers coming under scrutiny from enforcement agencies. The agencies have also publicized major financial settlements with opioid manufacturers. For example, Insys Therapeutics is the manufacturer of a sublingual fentanyl spray, known as Subsys. The company allegedly participated in kickbacks and other illegal marketing schemes to influence prescribers. These schemes were intended to induce providers to write more prescriptions of the drug typically used for breakthrough cancer pain. Insys settled the allegations with the government by agreeing to pay $225 million.  

The primary alleged scheme was a sham speakers’ program. The company would recruit physicians, physician assistants and other prescribers to ostensibly participate as paid speakers about the drug. The program was simply a mechanism to funnel kickbacks to the providers. One physician assistant in New Hampshire had not written a single prescription for the drug before joining the speaker program. After signing on as a paid speaker, he was soon writing over 670 prescriptions. A substantial number of other prescribers have also participated and have either settled financially with the government or pleaded guilty to accepting kickbacks.

What should compliance officers do to stay ahead of opioid regulation violations? 

Compliance officers often include opioid monitoring on their workplan, to protect the wellbeing of patients and to safeguard their organizations against fines and reputational hits. Here are two strategies compliance officers can use. 

Know who the high-volume prescribers are.  

Are patients traveling longer distances to visit a particular clinic or provider? Are patients asked to pay cash for services? Are patients doctor shopping?  

The HHS OIG offers a toolkit and computer programming tools to assist healthcare entities with monitoring potentially concerning prescription patterns.

According to the HHS, “These toolkits and the accompanying computer code can be used to analyze claims data for prescription drugs and identify patients who may be misusing or abusing prescription opioids and may need additional case management or other follow up.”

Learn more about the toolkits – HHS OIG Toolkits for Calculating Opioid Levels and Identifying Patients at Risk of Misuse or Overdose.

Utilize your medical directors or clinical resources to assess compliance with opioid guidelines.  

Though clinical guidelines are not the end-all of clinical decision making, compliance programs can start with these respected guidelines when assessing opioid risks. 

Opioid clinical guideline examples include:  

While the enforcement actions noted in this article are focused on individual providers or manufacturers, healthcare organizations are under scrutiny as well. Staying aware of opioid-related regulatory changes and monitoring for compliance are critical steps you can take to protect patients and your organization.  


CJ Wolf, MD, M.Ed is a healthcare compliance professional with over 22 years of experience in healthcare economics, revenue cycle, coding, billing, and healthcare compliance. He has worked for Intermountain Healthcare, the University of Texas MD Anderson Cancer Center, the University of Texas System, an international medical device company and a healthcare compliance software start up. Currently, Dr. Wolf teaches and provides private healthcare compliance and coding consulting services as well as training. He is a graduate of the University of Illinois at Chicago College of Medicine, earned a master’s in education from the University of Texas at Brownsville and was magna cum laude as an undergraduate at Brigham Young University in Provo, UT. In addition to his educational background, Dr. Wolf holds current certifications in medical coding and billing (CPC, COC) and healthcare compliance, ethics, privacy and research (CHC, CCEP, CHPC, CHRC).

Risk and Compliance in Healthcare Organizations: The Department of Justice’s 2020 Guidance on Corporate Compliance Programs

The Department of Justice has just issued updated Guidance on the evaluation of corporate compliance programs. This document is the latest in a series of Guidance documents (prior versions were issued in 2017 and 2019) issued by the DOJ to assist prosecutors who are investigating potential criminal acts in business organizations. What implications does this have for healthcare compliance?

When it comes to healthcare organizations, the DOJ will typically defer to the agencies with specific healthcare responsibility, such as the Centers for Medicare & Medicaid Services (CMS) and the Department of Health and Human Services (HHS). However, the DOJ guidelines are often relied upon as a “best practice” for developing a corporate compliance program, including a healthcare compliance program. The DOJ is also likely to incorporate healthcare-specific guidelines (such as the Seven Elements of an Effective Compliance Program) along with its own Guidance documents, rather than defer entirely to another agency.

DOJ Guidance Documents Explained

Generally speaking, the DOJ issues these guidance documents in an effort to show transparency to both organizations and attorneys. The intent is essentially prophylactic — that is, here’s what we’re going to be looking for, so make sure that you’re following this; and if you aren’t, you can’t be surprised that we’re asking.

This guidance document is slightly unusual in terms of its strength and scope. It provides all federal prosecutors with a strong mandate to assess and evaluate all aspects of a compliance program, regardless of the industry or nature of the putative misconduct. In other words, as part of a broader criminal investigation, the DOJ will review a compliance program, and use this document to guide their investigation into whether that program was at a sufficiently high standard — or not.

There are three overall questions on which this Guidance is built, along with a number of more specific inquiries to guide prosecutors in determining what, if any, consequences should be applied to the organization. These could include prosecution, monetary penalties, and additional compliance obligations (such as reporting).

Question 1: Is the compliance program well-designed?

The Guidance makes specific reference to a formal risk assessment and resource allocation process. This not only means that a compliance program must start with a risk assessment, but risk assessments must be reviewed and updated periodically, and updates must be made to policies, procedures and controls as necessary, throughout the organization.

The Guidance spins out a number of other specific requirements as well, such as training and communication, and reporting and internal investigations. The punchline, though, is that everything comes out of the risk assessment. Every process and procedure that makes up the compliance program must be aligned with the risks identified by the ongoing risk assessment process.

This means that, at a bare minimum, it is essential that a good compliance program have a strong risk assessment behind it. That assessment must be revisited at regular intervals, and changes in internal controls will need to be regularly made.

Question 2: Is the program effectively implemented?

The DOJ is distinguishing here between what we could call a “real” program, as compared to a “paper” program. In other words, are there appropriate resources to make the program function the way it was designed? Does senior management buy in to the program, and endorse it at a cultural level throughout the organization?

While a risk assessment is where a compliance program begins, the Guidance makes clear that it is in ongoing management and implementation that a compliance program comes to life. Without significant time and resources invested to build the compliance program into the way the organization functions, the program is not going to be sufficient, and the organization will be vulnerable to potential penalties.

Question 3: Does the program actually work?

This backward-looking question is intended to assess whether the program was well-designed and well-implemented for the particular organization within which it operates. That is, if misconduct has occurred, was this because the program wasn’t the right program for this organization? Or was the program functioning well, and the misconduct resulted from something else? (DOJ acknowledges that no compliance program will ever prevent every incident of misconduct.)

What DOJ is ultimately looking for here is whether the program changes over time, in response to changes in the organization. If there is misconduct, is it investigated? Are opportunities identified for improving the compliance program to prevent the misconduct in future? Have these remediation efforts actually been implemented? And so on.

Best Practices

Overall, the DOJ has provided a set of clear guidelines that should be used to not only develop new compliance programs, but assess existing ones. Programs which do not live up to the DOJ’s requirements on risk assessments, program implementation, and continuous improvement are more likely to be found to be inadequate. And an inadequate compliance program leaves a healthcare organization at risk.
