04/05/2004

 


The Evolution of Risk Management to Corporate Compliance and Beyond

Steven R. Smith
202-326-5006
ssmith@ober.com

Sanford V. Teplitzky
410-347-7364
teplitzky@ober.com

Appeared in CCH Healthcare Compliance Letter
April 5, 2004

Risk management is in the process of evolving. Both the scope of what is included in the concept of risk management and the risks that face most hospitals[i] have greatly expanded in recent years. This evolution is occurring in response to changes that have taken place in the broader healthcare environment. The result of this evolution is that, in the interests of both the hospitals and their patients, hospitals need to view and manage the risks that they face from an organization-wide perspective and not as isolated issues to be confronted on a department-by-department basis.

The traditional role of the risk manager was, not surprisingly, tied to the traditional concept of risk. "Risk" has been defined as "…the chance of injury, damage or loss…"[ii] and has been closely aligned to concepts of loss in the context of insurance and safety matters. Therefore, the traditional role of the risk manager was to manage the risk of loss from events that were insured against. This may have meant simply working with an insurance broker to facilitate the placement of insurance policies (facility professional liability and general liability) to cover such insured losses or a more proactive approach to manage these risks. However, even the proactive approach was traditionally confined to a relatively limited menu of risks such as falls and medication errors.

The healthcare environment that is compatible with this concept of risk management has markedly changed. That overall change has been driven by several environmental factors that have significantly expanded the risks that must be managed within a hospital. Among those factors are:

  • The spread of managed care payment systems as a significant part of the reimbursement structure;
  • The rapid increase in electronic communications capabilities;
  • The expansion by the federal government of regulation of the health care industry; and
  • The emphasis on patient safety initiatives.

As a result of these changes in the healthcare environment, hospitals face a much wider range of risks that require a coordinated approach to management if they are to be effective. Each of these changes in the healthcare environment, their impact on the risks that hospitals face and how they have helped to shape the approach to risk management are briefly reviewed below.

Managed Care Payment Systems
Managed care payment systems ("Plans") seek to control the cost of health care by controlling the utilization of, and access to, health care. This is accomplished by restricting the number of facilities in the Plan's network (i.e., those facilities with which the Plan contracts to be available to members), by including provisions in hospital contracts that require hospitals to obtain prior authorization from the Plan before providing treatment to members and by imposing limits on authorized lengths of stay. These requirements create a couple of new kinds of risk for hospitals. First, an organizational risk of financial loss is created as a result of the hospital's either being excluded from the Plan's network or failing to comply with the pre-authorization and length of stay requirements established by the Plan. Second, an organizational risk of loss from negligence is created as a result of the potential tension between adhering to the Plan's prescribed plan of care or authorized length of stay and the true medical needs of the patient. Too often, Plans may not adequately consider a request from the physician for additional authorized days or other treatment for the patient. When this happens, hospitals and doctors face the choice of listening to the medical advice being provided for the patient and risking nonpayment, or discharging the patient and risking a negligence action if their concerns prove to be well-founded and the patient has an adverse outcome.

In the absence of Plans, these risks simply do not exist. Patients are either insured or uninsured. The financial risk of the uninsured is the same regardless of the presence or absence of Plans. For insured patients, their insurance pays for what is done. As Plans have become an ever larger part of the system of reimbursement for hospitals, these risks have become proportionately larger concerns in the overall functioning of the hospital.

Electronic Communications
We live in an age where the ability to communicate and work in an advanced electronic and technological environment is taken for granted. We use email for a vast amount of communication both within and without our work environments. We have access to the Internet which in turn provides us with access to information and research from government agencies and regulatory bodies on a moment's notice. Cell phones are commonplace (and perhaps indispensable) in our workplaces. Computer and software advances have completely transformed our ability to compile, analyze, sort and categorize information into easily understood and user friendly formats. All of this means that we are now able to collect information more easily, communicate that information to each other more easily and more frequently, and put that information into different formats for use in different settings.

This has not always been the case. Before email there was nothing other than regular mail or internal rounds of mail sent inside a hospital. There was no Internet so research was done only if one had access to the materials and then through a labor intensive process. Cell phones in the workplace were non-existent which meant that if a fellow employee was not at his or her desk or station then a message (usually manually) had to be taken so the person could call back. Desktop computers, if they existed, were bulky, slow, and inefficient in the sense that there was not much sophisticated software available for the use of risk managers.

The evolution of our technology and communications abilities has also given rise to new risks. With the convenience and openness of the Internet comes the potential for the invasion of privacy and the need to protect vital organizational and patient information from "worms" and hackers. Organizations as a whole also have to protect against a loss of productivity and potential liability from the inappropriate use of the Internet by their employees. The same risks are present with email and, in conjunction with the increased access to and utility of computers, additional risks arise such as the ability to quickly and easily access confidential information and send it out by email without notice. These are all risks that need to be evaluated and managed by a hospital in the modern healthcare environment.

Expansion of Federal Regulation of Healthcare
Today's hospitals have to perform their responsibilities in a virtual maze of regulations and mandates. These laws and regulations add tremendous complexity and expense to the operation of a hospital. Three examples of the impact of such laws and regulations on the healthcare environment are the Emergency Medical Treatment and Active Labor Act ("EMTALA"), the Health Insurance Portability and Accountability Act ("HIPAA") and the increased focus on and enforcement of the fraud and abuse laws.

EMTALA[iii] essentially requires that everyone who presents to an emergency department of a hospital requesting treatment for an emergency medical condition must be provided a screening examination and necessary stabilizing treatment or transfer under certain conditions.[iv] EMTALA did not break any new ground from the standpoint of the adequacy of treatment received by patients. That subject is still the purview of state negligence actions.[v] EMTALA was enacted to respond to a societal problem of patient dumping.[vi] That response was to require essentially all hospitals with emergency departments to treat all persons who present to the hospital for an emergency medical condition in the same way and to impose various other administrative requirements on the hospital in order to allow the government to determine whether the hospital is complying with the requirements of the law.

The administrative simplification provisions of HIPAA[vii] were enacted to provide greater protection to the privacy and security of medical records and to provide for the electronic submission of claims for payment for providing health care. These provisions apply to health care providers who transmit health information in electronic form in connection with certain transactions.[viii] HIPAA creates important new protections for the privacy and security of medical records, but these protections are necessary only because the environment has changed into one that is dominated by the electronic transmission of information.

The fraud and abuse laws[ix] provide important protections against fraudulent and other abusive behavior by healthcare providers. The increased focus on these laws has made healthcare providers aware of the potential for significant penalties to be imposed if they were violated. That awareness was, at least in part, responsible for the movement towards the development of compliance plans for hospitals as a result of the beneficial effect that an effective compliance plan can have on penalties imposed on an organization as a result of the violation of these laws.[x] The development of compliance plans necessarily caused hospitals to focus on risks throughout the organization with the emphasis being on the recognition of standards and compliance therewith.

Each of these laws and regulations represents a governmental response to important issues that have arisen in the delivery of healthcare. They have also increased the level of complexity of the healthcare environment and created new risks for the organizations that operate in that environment. These risks are largely the risks associated with non-compliance. The management of those risks entails the creation of policies, the orientation and education of staff on those policies and the auditing and monitoring of the implementation of the policies. These responsibilities extend from the emergency department (and other areas of the hospital) for EMTALA, to the health information management department (and all other areas of the hospital) for HIPAA, and to most areas of the hospital, especially the business office and hospitals' relationships with physicians, for the fraud and abuse laws.

Patient Safety
The emphasis on patient safety in hospitals has dramatically altered how patient care delivery systems are viewed. Patient safety activities are generally focused on looking at the process by which things get done for patients, as opposed to who does something, and then looking further to see flaws in that process and how those flaws can be corrected. It recognizes that human beings make mistakes and that those mistakes are often the result of failures in systems.

This requires much work. Open communication is essential both among staff members and with the patient. Detailed analyses of problem areas have to be conducted in order to determine the root cause of the problem and how systemic issues contributed to the existence of the problem. Finally, new solutions have to be devised that eliminate the existing systemic issues without creating new ones. Through the analysis and improvement of the processes and systems involved in the care of patients, patient safety initiatives require a hospital to realize that it exists as a single organization for the purpose of taking care of patients and that its various departments cannot be viewed as existing in a vacuum.

The movement towards patient safety is a given. Hospitals are required by the Joint Commission on the Accreditation of Healthcare Organizations to have an integrated patient safety program.[xi] States are considering the incorporation of patient safety initiatives into their regulatory schemes for hospitals.[xii] These changes clearly are shaping the manner in which hospitals are viewing and managing their risks.

The Next Step
Hospitals face a much wider range of risks to the organization than was the case in the past. The expansion of risks has largely been driven by the changes that have taken place in the healthcare environment. Some of those changes have been briefly reviewed above. Given that these new risks exist, where do they reside in the hospital setting and who has ownership of the management of those risks?

One answer is to continue to treat the hospital as being made up of independent component parts that function largely independently of each other. In this model, one or more departments of the hospital would likely be assigned the primary responsibility to confront the risks presented for each of the areas previously reviewed. The persons in charge of those areas would have to develop policies and procedures to address the risk concerns for the organization. Most likely, the persons in charge of those areas will be different people and they will not have the organizational "reach" to pull others into the process.

As more organizations are discovering, the alternative is to view hospitals as an integrated system of care. This is consistent with the changes that have occurred in the healthcare environment and with sound management practice, and it is an accurate reflection of the real liabilities of the hospital. Regardless of who is performing what function, hospitals, as organizations, are responsible for the care that they provide to patients. Tort principles recognize this liability through the concept of apparent or ostensible agency.[xiii] Hospitals need to get on board with the idea that they are going to be held to a standard of an integrated organization, so they need to manage their risks like one.

Under this model, a senior person in the organization with direct reporting lines to the President and/or Board is responsible for all of the risks of the organization.[xiv] This person is charged with looking at the organization as an integrated system of care and bringing interdisciplinary teams of people together to dissect, analyze and create new systems to respond to the risks faced by the organization. This requires support at the highest levels of the organization in order to allow the person responsible to break through the inevitable barriers that will be confronted. The foothold taken by patient safety and compliance activities is clearly a stepping stone towards a more global view of hospitals as integrated organizations. As the environment continues to change, this will expose even more risks and force more organizations to view themselves in this light. The result of understanding the total risks of the hospital and working in an integrated fashion to manage those risks will be a better hospital organization and better patient care.

Mr. Teplitzky is a Principal and Chairman of the Health Law Department of Ober, Kaler, Grimes & Shriver and is resident in the Baltimore office of the firm. He can be contacted at 410-347-7364 or by email at teplitzky@ober.com.

Mr. Smith is a Principal of Ober, Kaler, Grimes & Shriver and is resident in the Washington, D.C. office of the firm. He can be contacted directly at (202)326-5006 or by email at ssmith@ober.com. Mr. Smith was the former Senior Vice President & General Counsel for a significant health care system where he was responsible for, among other things, insurance and risk management issues.

 


[i] This article will refer to all health care facilities as "hospitals" since hospitals typically have greater risk management presence than other health care facilities. However, the reference to hospitals is not meant to imply that these comments do not also apply to health care facilities other than hospitals.

[ii] Webster's New World Dictionary of the American Language, Second College Edition, 1976.

[iii] 42 USC §1395dd et seq.

[iv] 42 USC §1395dd (a) and (b).

[v] See, e.g., Bryan v. Rectors and Visitors of University of Virginia, 95 F.3d 349, C.A. 4 (Va.) (1996).

[vi] See, 68 Fed. Reg. 53222, 53223.

[vii] 42 USC §1320d et seq.

[viii] 42 CFR §160.102 (a).

[ix] See, e.g., The Federal Civil False Claims Act, 31 USC §3729; The Anti-kickback Statute, 42 USC §1320a-7b; and the "Stark" Law, 42 USC §1395nn.

[x] United States Sentencing Commission, Guidelines Manual, §8C2.5(f) (Nov. 2003).

[xi] Standard LD.4.40, Comprehensive Accreditation Manual for Hospitals (2004), Joint Commission on Accreditation of Healthcare Organizations.

[xii] See, e.g., Code of Maryland Regulations 10.07.06.01 et seq.

[xiii] E.g., Mehlman v. Powell, 281 Md. 269 (1977).

[xiv] This position is often known as the Chief Risk Officer.

 

 

 
