Compliance 101. Developing Sound Policies and Procedures Specific to Potential Risks

Hospitals are becoming more reliant on risk assessments to discover prospective risk areas and to determine how these risks can be reduced. A hospital should examine internal and external sources for various risks, and use this information to identify and prioritize its highest concerns. Examples of potential organizational risks include cost reports, EMTALA, and anti-kickback areas. When the hospital’s risks have been prioritized, internal controls can then be integrated to assist in managing these risks. Policies and procedures are often a good solution to address risks because they require a review of applicable federal and state regulations, examine current operating procedures, and provide an opportunity to train affected personnel with updated information. This article will outline a process that can be used from development to finalization of policies and procedures to internally manage designated risks.

Review, revise and/or develop policies and procedures

To begin this process, a team of individuals with the appropriate knowledge and skills pertaining to each of the risk areas to be tackled should be designated. A work plan should be developed including a timeline. Designated personnel should collect and review existing policies and procedures. There are essentially six steps involved in the development of the policies and procedures.

The first step involves the creation of a criteria/condition matrix. This matrix is an analysis of current federal and state regulations for the particular risk issue (i.e., cost reports, EMTALA, anti-kickback, etc.). All applicable federal, state and local regulations should be reviewed specific to the issue being addressed. Additionally, existing policies should be reviewed to determine if they sufficiently address all requirements. Please refer to Table 1 for an example of the criteria/condition matrix.

The second step is based on these regulations and the review of existing policies and procedures. An analysis should be undertaken and a determination made as to which documents may need to be developed and/or updated. As soon as the proposed policies have been agreed upon, drafts should be developed.

The third step entails reviewing the draft policies and procedures with the appropriate team of designated personnel, who are the primary users, to ensure all procedures are in line with what is currently being done, as well as to ensure that federal and state regulations and payer requirements are sufficiently addressed. For instance, if developing cost report policies and procedures, you should meet with members of the reimbursement department who are responsible for the submission of the cost report.

The fourth step includes revising the policies and procedures based on the feedback obtained. These policies should be assessed once more, with the designated staff having final review, and then a final draft of the policies will be composed. Once the policies are finalized, they should be made available to all applicable employees via the Intranet, electronic or hard copy distribution, organizational newsletter, etc.

The fifth step is to develop training for the staff on these policies. While the policies are being implemented, discussions should be held concerning the type of training needed to address the risk area. As soon as the policies are fully implemented and all applicable staff has received the policies and procedures and has had time to review them, training should begin. Personnel should be designated to conduct the training, whether it is interactive or Web-based. Organizations must be certain to address why these policies were developed and/or updated, as well as any applicable regulations requiring specific procedures or examples of how the procedures can be applied.

The sixth step is to audit the policies to determine whether the departments are adhering to the guidelines and to measure if the policies have helped reduce the risks for the specific risk area.

Throughout this process, the executive management committee and the board of directors should be kept informed on the actions that are being taken internally to address selected risks. This will allow executives an opportunity to respond to any concerns they may have regarding procedures being implemented or training that is provided.

Personnel should be selected to review the policies and procedures annually for accuracy against the regulations, and revisions should be made when changes to regulations are released. This updated information can be electronically distributed to applicable employees or discussed during annual compliance training, if appropriate. The organization should also consider instructing the Internal Audit department to review the various high-risk areas after implementation of the policies and procedures and employee training. The information discovered can be used to determine whether safeguards are in place to reduce the likelihood of this risk occurring.


In an effort to address designated risks, an organization should implement internal controls to decrease the likelihood of the risk occurring. The development and/or revision of policies and procedures, specific to each risk area, should be established. There are six standard steps that can be utilized—from the creation of a designated group of employees, to the drafting and finalization of the policies, to the application and training in these policies. An organization should audit these policies and procedures to ensure they are appropriately addressing and diminishing the applicable risks. By integrating internal controls, an organization can better control its risks.