
Healthcare risk and compliance:

Managing third-party risk in the real world

March 5, 2018 | By Heather Namovich

As a healthcare risk manager, you probably know that there are formal processes for managing third-party entities, and then there is the real world: the world in which business partners may not understand and apply the controls needed to mitigate risk and manage compliance effectively, or in which they circumvent the governance process altogether.

That avoidance can blunt the effectiveness of your risk and compliance (R&C) programs and lead to decreased revenue, lost savings or costly fines and sanctions.

Business owners can introduce risk when they hire third-party entities without consulting you, expand their scope of work without thinking through the R&C implications, or when they don’t proactively notify you of changing circumstances in business practices or policies and procedures, e.g., how and where data is stored.

Practical tips for gaining the cooperation of your business partners

Reduce administrative burdens

One of the reasons business owners sometimes skirt R&C policies and procedures is that we introduce undue administrative burden into the process. For instance, while it may be simpler for us to use a generic risk questionnaire, we could eliminate excessive work by consolidating and simplifying risk questionnaires and focusing only on critical requirements.

Are you using the same questionnaire for all third-party risk reviews? It’s probably overly complex for most types of risk. Using a blanket questionnaire means many questions may not apply to the risk level of the entity and/or their product and service capabilities, placing an unnecessary administrative burden on third parties, the risk reviewer, and by extension, your business owners.

Designing questionnaires by risk level and even further by service type will help your business partners avoid a lot of the unnecessary and time-consuming work they dread, and it will lead to more complete and timely responses from your third parties.

Another key tactic is to use simple business language and multiple-choice questions, where appropriate, on your internal business justification or service request form. This helps business owners identify the level of risk up front so you can deploy the appropriate risk questionnaire the first time. That should shorten your risk review timelines and reduce the confusion and frustration perceived by the third party and the business owner, because you won’t need to reach out multiple times.

Streamline the contracting process

Another reason business owners try to circumvent third-party risk and compliance efforts is the length of the process, which stands between them and whatever problem they’re trying to solve. You can speed the process up—and earn trust from these stakeholders—by inserting yourself into contracting early on and by introducing a standard, repeatable governance process.

Getting involved early and following a defined governance process allows you to reduce lag time in several ways:

  • Because the appropriate level of risk was reviewed and remediated before or in parallel with contracting, negotiations don't stall.
  • The entity will already have been provided with (and hopefully agreed to) certain legal, regulatory and service-level requirements as part of the due diligence process, reducing the back and forth between legal teams.
  • If time, resource constraints or subject-matter expertise is an issue, you can create tools and templates (e.g., a list of common service levels) that business owners can use to choose the required or nice-to-have performance measures.
  • To mitigate contract risk, stick with consistent templates with predefined numbering and content structures so you can quickly reference the mandatory regulatory language; this also shows the audit team there’s a formal governance process for contracting.

Working with entities up front will also help you avoid a common trouble point in organizations: business relationships that introduce new types of risk and must meet specific compliance requirements, but that proceed without appropriate due diligence and oversight. Business owners may contract with a third party for specific services initially, but don’t think to contact you when the relationship expands or changes to include products and/or services not covered by the original due diligence process.

Put effective training in place

If you want to reduce your risk exposure, you must provide adequate onboarding and ongoing training. You probably know your annual “check the box” R&C training isn’t enough to help your coworkers and third parties manage risk appropriately. Implement a risk-based approach by focusing on higher-risk functional areas with direct access to consumers and/or protected health information (PHI) and creating targeted training. Simple education and awareness tactics can dramatically improve compliance when the business and its third parties understand how to apply the training to their own area.

Here are a few tactics I’ve seen work for making training more impactful:

  • A lot of training is generic, and people get bored or don’t see how it applies to their job. It helps to tailor training to their specific function and circumstances.
  • Lunch-and-learns attract a lot of attention and can be effective for reinforcing initiatives.
  • Create a culture of compliance by integrating education and training (beyond the annual training requirements) into annual goals.

Identify and rehabilitate the repeat offenders

Certain departments are more educated about healthcare compliance, such as the risks associated with PHI or delegation, while others are less prudent. In a recent focus group I hosted with HIMSS members, one manager shared that her facilities team stored patient files in a big warehouse along with lawn care equipment and everything else needed to maintain facilities. When the facilities manager needed help shifting items in the warehouse, they brought in an outside entity without a thought given to protecting the sensitive files.

In most healthcare organizations, you’ll find that some departments understand and appreciate R&C implications more than others. If you’re tracking compliance metrics—which you should be—you can use them to identify and trend the groups that need special attention.

Escalation and communication of risks are requirements for compliance program effectiveness. Aggregate third-party data and communicate performance concerns and business risks in the appropriate forums (committees, business reviews, etc.). Implement corrective action plans when necessary. External agencies and accreditation associations expect there to be issues, but they also expect you to proactively identify and remediate the root cause of those issues so they don’t recur.

Looking for some guidance in maturing your R&C program? TEKsystems Risk and Compliance Services offers a full spectrum of R&C solutions, from helping you design a comprehensive program to providing the technology expertise and functional talent to execute on your strategies.

Heather Namovich is the executive advisor for TEKsystems Healthcare Risk and Compliance Services.