Blog Post

Eight Reasons Why Compliance Risk Assessments Are Important

Steve Forman | January 2026

Healthcare organizations operate in a highly regulated and intensive enforcement environment that makes conducting compliance risk assessments a critical part of their compliance program. Conducting risk assessments offers numerous benefits, including demonstrating regulatory compliance commitment, strengthening governance, providing guidance for the use of limited resources, and significantly reducing legal and financial exposure. Key benefits include the following:

  1. Meets Regulatory and Enforcement Expectations. The Office of Inspector General's (OIG) Compliance Program Guidance and the Department of Justice's (DOJ) Evaluation of Corporate Compliance Programs call for organizations to regularly assess compliance risks and have results incorporated into compliance work plans, audits, and monitoring activities. Organizations unable to demonstrate a structured risk assessment are at a disadvantage and risk aggravated penalties when subjected to enforcement actions.
  2. Supports Proactive, Not Reactive, Risk Management. Many healthcare enforcement actions arise from known risks that were never formally assessed, ranked, or addressed. Risk assessments can help identify emerging risks early, address gaps and weaknesses before they escalate into enforceable violations, and reduce relying on reactive, damage-control responses after issues materialize.
  3. Directs Limited Resources to the Highest-Risk Areas. Compliance Officers cannot monitor all risks equally. Risk assessments aid in identifying and prioritizing the most significant legal, regulatory, and operational risks (e.g., billing and coding, referral source arrangements, HIPAA, quality of care, third-party relationships). This enables organizations to focus limited compliance resources where they matter most.
  4. Drives Development of the Compliance Work Plan. Risk assessment results can drive development of the Annual Compliance Workplan, along with (a) targeted audits, (b) monitoring activities, (c) education and training priorities, and (d) updates to policy and procedures.
  5. Provides Evidence of Board and Leadership Oversight. Boards and leadership are expected to exercise active oversight and support for the compliance program. Results from risk assessments provide them with a clear, data-driven view of the organization's risk profile and the areas where more attention is needed. This supports informed decision-making and governance, and provides evidence that leadership is fulfilling its fiduciary and compliance oversight duties.
  6. Mitigates Exposure to Financial Liability and Reputational Harm. Unidentified or unmanaged compliance risks can result in enforcement actions under the False Claims Act, Civil Monetary Penalty Law, Anti-Kickback Statute, and other laws. Identified violations can result in repayment obligations, severe financial penalties, potential exclusion, and reputational damage. Risk assessments help organizations prevent issues that are far more costly to remediate later.
  7. Aligns Compliance with Operational Reality. Effective risk assessments incorporate input from billing and coding, clinical operations, IT and data security, human resources, and contracting and vendor management. This ensures compliance efforts align with how the organization actually operates, not just how policies say it should.
  8. Adapts the Compliance Program to a Changing Risk Environment. Healthcare risks are constantly evolving due to changes in regulations, enforcement priorities, business environment, and technology. Regular risk assessments ensure the compliance program remains dynamic, current, and relevant.

A common challenge for Compliance Officers is how to get all this done. Many turn to consultants to assist with an initial compliance risk assessment; after that, however, the work should be carried forward with internal staff using the process, methods, and techniques provided in the initial assessment. The author, Steve Forman, CPA, has over 30 years of experience in conducting compliance risk assessments. For more information on this topic, he can be reached at [email protected].

About the Author

Steve Forman is a certified public accountant with decades of experience in health care compliance. Mr. Forman specializes in developing and implementing compliance programs, assessing an organization's vulnerabilities and risks, implementing effective monitoring systems, testing internal compliance controls, and working with senior management and Boards in developing strategic plans.