
Enterprise Risk Management

for Healthcare Entities

First Edition




Copyright 2009 by
1025 Connecticut Avenue, NW, Suite 600
Washington, DC 20036-5405
Web site: www.healthlawyers.org
E-Mail: info@healthlawyers.org
All rights reserved.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form,
or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the express,
written permission of the publisher.
Printed in the United States of America
ISBN: 978-1-4224-6085-6
978-1-4224-6084-9 (Members)
This publication is designed to provide accurate and authoritative information with respect to the subject matter covered.
It is provided with the understanding that the publisher is not engaged in rendering legal or other professional services.
If legal advice or other expert assistance is required, the services of a competent professional person should be sought.
from a declaration of the American Bar Association


Healthcare Capital Finance: In Good and Challenging Times
2009, perfect bound
Fifty State Survey of Certificate of Need and Licensure: Nursing Homes, Assisted Living, Home Health and
Hospice, First Edition with CD-ROM
2009, perfect bound
The Complete Connected Stark Laws & Regulations, Second Edition
2009, CD-ROM
Corporate Governance Implications of Nonprofit Executive Compensation, First Edition
2009, perfect bound
AHLA's Federal Healthcare Laws & Regulations, Fall 2008 Supplement to 2007-2008 Edition
2008, perfect bound
Guide to Healthcare Legal Forms, Agreements, and Policies with CD-ROM, 11/08 Supplement
2008, looseleaf
Healthcare Finance: A Primer, First Edition with CD-ROM
2008, perfect bound
Health Plans Contracting Handbook: A Guide for Payors and Providers, Fifth Edition with CD-ROM
2008, perfect bound
Stark Final Regulations: A Comprehensive Analysis of Key Issues and Practical Guide, Fourth Edition
2008, perfect bound
Peer Review Hearing Guidebook, First Edition with CD-ROM
2008, perfect bound
The Complete Connected Pharmaceutical and Medical Devices Laws & Regulations
2008, CD-ROM
Clinical Research Practice Guide with CD-ROM
2008, perfect bound
Guide to Healthcare Legal Forms, Agreements, and Policies with CD-ROM
2008, looseleaf
False Claims Act & The Healthcare Industry: Counseling & Litigation, Second Edition
2008, casebound
Stark Phase III Guidance Collection
2008, PDF
Fundamentals of Health Law with CD-ROM, Fourth Edition
2008, perfect bound
AHLA's Federal Healthcare Laws & Regulations, 2007-2008 Edition
2008, perfect bound 3-volume set
Legal Issues in Healthcare Fraud and Abuse: Navigating the Uncertainties, 2007 Supplement
2007, perfect bound
Ambulatory Surgery Centers: CMS Update on Payment and Coverage
2007, PDF
The Complete Connected Civil False Claims Act Laws and Cases
2007, CD-ROM
Telemedicine: Survey and Analysis of Federal and State Laws with CD-ROM
2007, perfect bound
Healthcare Entity Bylaws with CD-ROM
2007, perfect bound
The Fundamentals of Life Sciences Law: Drugs, Devices, and Biotech with CD-ROM
2007, perfect bound
Institutional Review Boards: A Primer
2007, perfect bound

Healthcare entities face risk in all facets of their organizations, from changes in patient demographics, to use of complex, constantly changing technology, and increased regulatory mandates. It is
critical that they identify and address potential risk, and equally important for these organizations to
have a game plan that crosses all departmental barriers. The benefit to having a comprehensive risk
management process and plan that encompasses the entire enterprise becomes more important every
day. Indeed, Standard & Poor's, a major credit rating agency, announced in 2008 that it would add an
enterprise risk management (ERM) review for nonfinancial companies to further enhance its rating
Health Lawyers wants to express its tremendous gratitude to all of the authors of the Enterprise
Risk Management Handbook for Healthcare Entities. This new publication addresses the need for and
implementation of a proper risk management system that will address and assess the myriad areas of
importance in the healthcare setting.
The coverage begins with an overview of ERM and its evolution. The impetus for many organizations to adopt ERM was the passage of the Sarbanes-Oxley Act of 2002, the legislative response to
scandals involving accounting and compliance in the private sector. While nonprofit healthcare entities were not the focus of the legislation, many began to voluntarily comply with the principles and
financial controls incorporated in the legislation. A renewed focus on the responsibilities of boards of
directors to identify and manage organizational risks increased the impetus to embrace ERM.
The authors provide guidance on how to structure an ERM system, as well as insight on risk
financing methods. They delineate how to manage risk in various settings, including contract management, claims management, environmental compliance, human research, peer review and credentialing,
due diligence in business transactions, consent to treatment and numerous others. Finally, coverage
includes insight on the impact that the implementation of electronic health record (EHR) systems,
combined with the advent of e-discovery rules, will have on traditional documentation issues.
Health Lawyers commends Enterprise Risk Management Handbook for Healthcare Entities to all
healthcare attorneys and others in the healthcare field that need to understand the assessment of and
planning for risk management in the healthcare setting. We anticipate that it will prove to be a useful guide for healthcare entities and their counsel in understanding this critical area of the healthcare
environment and the law as it continues to evolve.


Enterprise Risk Management for Healthcare Facilities, First Edition

The Editor-in-Chief would like to thank Peter L. Leibold, the American Health Lawyers Association (AHLA) Executive Vice President/Chief Executive Officer, for his support of the Enterprise Risk
Management (ERM) Affinity Group, as well as John Washlick and Brian Gradle, who as Chairs of
AHLA's Hospital and Health Systems Practice Group lent their unwavering encouragement to the ERM
Affinity Group and this effort. Thanks to Trinita Robinson, AHLA's Vice President of Practice Groups,
for always being there for the Affinity Group and serving as the link throughout this process.
I also want to offer my tremendous gratitude to our reviewers, who improved this publication by
taking the time to read the chapters and offer insightful guidance and comments to the authors. They
were Roberta Carroll, Connie Crawford, Sheila Hagg-Rickert, Mary Marta, Erin Muellenberg, Peggy
Nakamura, Kathy Wire, and Leigh Collier. My thanks also to Alice Kush for her early involvement in
the project. And finally, I would also like to thank Cynthia Conner, AHLA's Vice President of Professional Resources, and Will Harvey, AHLA's Director of Business Development and Publishing, for
their constancy, expertise, and willingness to do what was necessary to make this publication a reality.
Ellen L. Barton
Editor in Chief


About the Editor

Ellen L. Barton, JD, CPCU (Editor in Chief), is an independent Healthcare Risk Management
Consultant. Ms. Barton is a graduate of Rosemont College and received her JD degree from the University of Cincinnati. She also holds the distinction of Chartered Property and Casualty Underwriter.
Ms. Barton has conducted numerous seminars on risk management issues on a national as well as
regional level and has published articles in related areas. Ms. Barton is admitted to the Bars of Ohio,
Maryland, and Pennsylvania and holds membership in the Maryland Bar Association, the Society of
Chartered Property and Casualty Underwriters, the American Health Lawyers Association, in which
she previously served as Chairperson of the Risk Management Affinity Group of the Hospitals and
Health Systems Practice Group, the Maryland Society for Healthcare Risk Management, of which she
was President for 2002-2003, and the American Society for Healthcare Risk Management (ASHRM),
of which she was President for 1990. She is also the 1993 recipient of the American Society for
Healthcare Risk Management's Distinguished Service Award. In 2001, the ASHRM Modules Program,
"The Barton Certificate in Healthcare Risk Management," was named in her honor.



Contributing Authors
Roberta Carroll, RN, ARM, CPCU, MBA,
Senior Vice President, Aon Healthcare
Sheila Hagg-Rickert, JD, MHA, MBA,
Senior System Director of Risk Management,

Nicola A. Nelson, Esq.

Richard S. Porter, Esq.
Hinshaw & Culbertson LLP

Human Capital
Deborah Martin Norcross, Esq.
MartinNorcross LLC


Steven O. Grubbs, Esq.

Amanda J. Flanagan, Esq.
Sheehy, Ware & Pappas, PC

Ellen L. Barton, JD, CPCU

Principal, ERM Strategies, LLC


Mary S. Schaefer, RN, M.Ed, ARM, JD

Corporate Director of Risk Management,
Covenant Health Systems, Inc.
Peggy Nakamura, RN, MBA, DFASHRM,
Assistant Vice President, Chief Risk Officer, and
Associate Counsel, Adventist Health
Richard L. Clarke, DHA, FHFMA
President and CEO, Healthcare Financial
Management Association (HFMA)
Elizabeth M. Mills, Esq.
Senior Counsel, Proskauer Rose LLP

Kathryn K. Wire, JD, MBA, FASHRM

Principal, Kathryn Wire Risk Strategies
Fay A. Rozovsky, JD, MPH
President, The Rozovsky Group, Inc.
Peter J. Hoffman, Esq.
Eileen Lampe, Esq.
Joseph V. Conroy IV, Esq.
Eckert Seamans Cherin & Mellott, LLC
John R. Evancho, JD
Senior Vice President and Chief Compliance
Officer, OSF Healthcare
Joan Danielson Plump
Attorney at Law

Sheila Hagg-Rickert, JD, MHA, MBA,
Senior System Director of Risk Management,
Gisele Norris, DrPH
National Director, Aon Healthcare Alternative
Risk Transfer Practice
Amy Norris, Esq.
Associate General Counsel, Clif Bar & Company

Fay A. Rozovsky, MPH, DFASHRM, Esq.
President, The Rozovsky Group, Inc.
Mark A. Kadzielski, Esq.
Fulbright & Jaworski, LLP
Yvonne K. Puig, Esq.
Mark Faccenda, Esq.
Fulbright & Jaworski LLP
Emily Rhinehart, RN, MPH, CIC, CPHQ
AIU Holdings, Inc.


Terie Zimmerman, RN, BSN, JD, ARM,

VP Chief Quality, Risk and Patient Safety
Officer, Community Mercy Health Partners

Jeffery Layne
Christopher N. Kanagawa
India K. Brim
Fulbright & Jaworski LLP



Ellen Barron, Esq.

Profit Management Group

Phyllis F. Granade, Esq.

Adorno & Yoss

Mary Mahoney, Esq.

Tufts Health Plan
Daniel G. Hale, Esq.
General Counsel, Trinity Health

Marilyn Lamar, Esq.

Liss & Lamar, PC

Ila Rothschild, MA, JD

Healthcare Attorney

Joshua I. Rozovsky
The Rozovsky Group, Inc./RMS

Nancy T. Poblenz, RN, BSN, DDS, JD, CPHRM

Director, Litigation and Loss Prevention
CHRISTUS Health Risk Management

Steven M. Puiszis, Esq.

Hinshaw & Culbertson, LLP


Nestor J. Rivera, Esq.

Carlton Fields, PA


Ellen Barron
Ellen Barron has more than 25 years experience in Marketing, Communications, Strategy and related
disciplines. She has provided leadership to these functions in community hospitals, academic medical centers and large, multi-site health systems. Ellen has served on the boards of both a national
marketing professionals association, as well as a multi-state health system. She has acted as an expert
facilitator for health- and insurance-related organizations; presented at numerous national and regional
meetings; and published more than 30 articles. She is an independent consultant with her own firm,
Profit Management Group, in West Chester, PA.
India K. Brim
India K. Brim is a Healthcare associate in the Washington, D.C. office of Fulbright & Jaworski,
L.L.P. As an associate, she focuses her practice on healthcare issues including regulatory compliance,
fraud and abuse, hospital and laboratory certification, and Medicare/Medicaid reimbursement matters. Ms. Brim also has experience in handling government investigations and healthcare litigation.
Ms. Brim received her BA from Spelman College, magna cum laude, in 2003 and her JD from Duke
University in 2006. She is admitted to practice law in Maryland and the District of Columbia.
Roberta L. Carroll
Roberta L. Carroll, RN, ARM, CPCU, MBA, CPHRM, CPHQ, LHRM, HEM, DFASHRM, is a Senior
Vice President of Aon Healthcare, based in Tampa, Florida. Ms. Carroll is also a faculty member for
the ASHRM-sponsored Barton certificate program Essentials module, is a member of ASHRM and
served on its board for six years, serving as President in 1995-1996. Ms. Carroll received a Bachelor
of Science degree in Health Services Administration and a certificate in Emergency Medical Services
Systems Administration from Florida International University and a Master of Business degree from
Nova Southeastern University. She is a well-known author, speaker, and teacher in the areas of: alternate risk financing, risk mitigation strategies and solutions, claims administration, early intervention
programs, enterprise risk management (ERM), strategic planning, and reengineering. Her activities
are on a local, state, and national level and her professional and committee activities are numerous.
She is a member of the American Health Lawyers Association and its Risk Management Affinity
Group of the Hospitals and Health Systems Practice Group.
Richard L. Clarke
Richard L. Clarke, DHA, FHFMA, is President and Chief Executive Officer of the Healthcare Financial Management Association (HFMA), Westchester, Illinois, a professional membership association
with more than 34,000 members in 70 chapters who share an interest in the financial management
of the delivery of healthcare services. Richard attained Fellowship (FHFMA) in HFMA in 1983. He
served as President of the Colorado chapter of HFMA, served on its National Matrix, and was a member of HFMA's Principles and Practices Board. He holds a bachelor's degree in Industrial Distribution
from Bradley University, Peoria, Illinois (1970), a master's degree in Business Administration in management/finance from the University of Miami, Coral Gables, Florida (1972), and a Doctor of Health
Administration (DHA) degree from the Medical University of South Carolina, Charleston, SC (2005).
Dr. Clarke has also written numerous articles and publications on healthcare finance.
Joseph V. Conroy, IV
Joseph V. Conroy, IV, is an associate in the law firm of Eckert Seamans Cherin & Mellot, LLC, in their
Philadelphia office. He focuses his practice on professional liability as well as general liability law. His
practice areas include litigation, and product liability. Joe received his JD from Villanova University
School of Law in 2007, and his BS from Villanova University in 2004.
John R. Evancho
As Senior Vice President and Chief Compliance Officer, John is accountable for the development and
direction of compliance, privacy and risk management programs for OSF HealthCare, an integrated
health system based in Peoria, Illinois. John began working at OSF as Vice President of Operations
for OSF HealthPlans. Prior to joining OSF, John served in various executive capacities in both Compliance and Operations for several national health insurance companies. John earned his JD from
Harvard Law School, his MTS from Harvard Divinity School, a BA from the University of Louvain in
Belgium and a BA from Duquesne University in Pittsburgh.
Mark Faccenda
Mark Faccenda is an Associate in Fulbright & Jaworski L.L.P.'s Washington, D.C. office. As part of the
firm's Health Care Practice Group, Mark has represented healthcare industry clients on regulatory and
transactional matters. Representative clients include pharmaceutical manufacturers, academic medical
centers, health systems, physician groups, physician/hospital joint ventures, long term care facilities
and durable medical equipment suppliers. Mark received his JD and MHA, Health Administration,
from the University of Pittsburgh in 2005, and his BS in Biology, from Pennsylvania State University
in 1995. Mark is admitted to practice law in Pennsylvania. He is a member of the American Health
Lawyers Association.
Amanda J. Flanagan
Amanda Flanagan is an associate with Sheehy, Ware & Pappas, P.C. Her practice is focused on personal injury, wrongful death, and premises liability. She also defends employment claims. Amanda
received her JD from South Texas College of Law (2003) and her BA from the University of Texas at
Austin (1999).


Phyllis F. Granade
Phyllis F. Granade is a Partner in the Atlanta office of Adorno & Yoss. She began her legal career
as a legal consultant to the Medical College of Georgia Telemedicine Center. Phyllis' legal practice
includes assisting clients with privacy and security compliance issues, particularly the HIPAA privacy
and security regulations. She frequently defends clients during privacy and security investigations
brought by the U.S. Department of Health and Human Services (DHHS) Office for Civil Rights
(OCR) and the Centers for Medicare and Medicaid Services (CMS), respectively. She received her JD
from the University of South Carolina School of Law, and her AB, cum laude, from the University of
Georgia in 1991. She is a member of the American Health Lawyers Association, and is a Vice Chair of
its Health Information Technology Practice Group.
Steven O. Grubbs
Steven O. Grubbs is a Shareholder with the Houston, Texas firm Sheehy, Ware, and Pappas, P.C. Mr.
Grubbs is a member of the firm's labor and employment, commercial litigation, and general litigation
sections. He has considerable first-chair trial experience in State and Federal Court, and has handled
arbitrated matters concerning employment law issues. He has prepared briefing and conducted oral
arguments before several Texas Courts of Appeals and before the Texas Supreme Court. He received his JD
from South Texas College of Law in 1996, and his BBA from University of Texas at Austin in 1992.
Mr. Grubbs is admitted to practice law in Texas. He is a member of the American Health Lawyers Association.
Sheila Hagg-Rickert
Sheila Hagg-Rickert serves as Senior System Director of Risk Management for CHRISTUS Health
based in Houston. In this capacity, she is responsible for oversight of CHRISTUS loss prevention,
claims management and risk financing programs. Sheila holds a JD from the University of Iowa and
Masters of Business Administration and Masters of Healthcare Administration degrees from Georgia
State University. She has earned Chartered Property and Casualty Underwriter (CPCU) and Certified
Professional in Healthcare Risk Management (CPHRM) designations and is a Distinguished Fellow
of the American Society of Healthcare Risk Management. She also served on the ASHRM board. She
is a member of the American Health Lawyers Association.
Daniel G. Hale
Daniel G. Hale serves as General Counsel of Trinity Health and leads the office of Community Benefit
and Public Affairs in fulfillment of Trinity Health's Mission to improve the health of the communities it serves. Under his leadership, community benefit activities are advancing to serve more people,
improve and expand access to equitable care, integrate care for chronic conditions, and influence
state and federal healthcare policies. Prior to joining Trinity Health, Dan was General Counsel of
Franciscan Health System, a Partner in Drinker Biddle & Reath in Philadelphia, PA and in Baker &
Hostetler in Columbus, OH. Dan is Chair of the Catholic Health Association's Health Reform Initiative committee, dedicated to promoting universal health coverage. Dan is currently on the Audit &
Corporate Responsibility Committee of Catholic Healthcare Partners and on the Board of Trustees of
the Michigan Public Health Institute. Dan earned his law degree from Capital University Law School,
graduating cum laude, and his AB degree in English from Kenyon College. He is a member of the
American Health Lawyers Association.
Peter J. Hoffman
Peter J. Hoffman, Esq. is a Member of the Philadelphia office of Eckert Seamans Cherin & Mellott,
LLC, a large general practice law firm headquartered in Pittsburgh, Pennsylvania. He received his
BA from Washington and Jefferson College, his MA from State University of New York Graduate
School of Public Affairs, and his JD, cum laude, from Temple University School of Law where he
was the Executive Editor of the Law Review. Mr. Hoffman was a member of the Pennsylvania Select
Committee on Medical Malpractice from 1984 to 1986. He was a member of Governor Rendell's
Medical Malpractice Task Force, and is currently Counsel to the Commonwealth of Pennsylvania
Patient Safety Authority. He is a Past President of the Pennsylvania Defense Institute. He was the
recipient of the Defense Research Institute Exceptional Performance Citation in 1989 and the Fred H.
Sievert Award in 1989. Mr. Hoffman was a co-author of the book Laws and Regulations Affecting
Medical Practice. He was the Chairman of Hearing Committee 1.15, Supreme Court of Pennsylvania
Disciplinary Board from 1993 to 1998, and served on the faculty for the Temple University School
of Law, Masters of Laws in Trial Advocacy and Academy of Advocacy. He has been listed as a top
attorney in Philadelphia Magazine each time the article appears, and has been listed in Best Lawyers
in America since 1995. He was listed as one of the top 100 lawyers in Pennsylvania in Pennsylvania
Super Lawyers 2004, 2005, 2007, and 2008. Mr. Hoffman was a member of the Temple Inns of Court.
He is a member of ASHRM, a Fellow of the International Academy of Trial Lawyers and Fellow of the
American College of Trial Lawyers, as well as the American Board of Trial Advocates.
Mark A. Kadzielski
Mark A. Kadzielski is the partner in charge of the West Coast Health Law practice at Fulbright &
Jaworski, L.L.P. His practice focuses on the representation of hospitals, medical staffs, managed care
enterprises, and institutional and individual healthcare providers throughout the United States in a
broad spectrum of matters, including government regulatory investigations, contracting issues, credentialing, licensing, medical staff bylaws, Joint Commission accreditation and Medicare certification.
Mr. Kadzielski is a member of the California Bar, the American Health Lawyers Association and the
California Society for Healthcare Attorneys. Since 1991, on the basis of peer evaluations, he has been
selected for the Healthcare Law Section of The Best Lawyers in America. In 2004, 2005, 2006, 2007,
2008, and 2009 he was selected by his peers as a Southern California Super Lawyer in Health Law.
In 2005, he was named to the American Health Lawyers Association's inaugural class of Fellows,
one of only four attorneys in California and forty attorneys nationwide to receive this honor. Also
in 2005, 2006, 2007, and 2008 he was selected as one of the top ten leading Healthcare Lawyers in
California by Chambers USA as a result of extensive interviews with clients and peers. Mr. Kadzielski


has authored numerous books, articles, and chapters in healthcare publications. He is a nationwide
speaker on a wide range of health-related subjects. Mr. Kadzielski is a 1976 graduate of the University
of Pennsylvania Law School.
Christopher Nathan Kanagawa
Christopher Nathan Kanagawa is Senior Counsel with Fulbright & Jaworski L.L.P. and practices in
the healthcare, e-business and corporate areas. His healthcare legal experience includes counseling
both e-health and general healthcare clients. Christopher's e-business experience includes advising
numerous clients, including healthcare systems and start-up Internet e-health companies, on corporate,
contracting and regulatory issues. Christopher also regularly advises traditional healthcare clients,
including healthcare systems and national health care providers and suppliers. Mr. Kanagawa received
his JD in 1998 from the University of Tulsa-College of Law and his BA in 1991 from the University of
Tulsa. Christopher is admitted to practice law in Missouri and Illinois. He is a member of the American
Health Lawyers Association.
Maria D. Lain
Maria D. Lain has over 30 years of healthcare experience with a focus on business solutions to achieve
profitability by integrating operations effectiveness, resource management, employee ownership and
accountability, and customer satisfaction. Within her job functions she has worked with organizations
to generate concepts and approaches that align culture, strategy and vision to achieve tangible change,
growth and income. Ms. Lain is currently the Service Line Director for Women's Health and Oncology
at The Chester County Hospital, West Chester, PA. She holds an MBA from Duke University, Raleigh,
North Carolina.
Marilyn Lamar
Marilyn Lamar is an attorney with more than twenty years of experience in corporate and information
technology law, including electronic health records (EHR) and HIPAA privacy and security issues.
Her practice includes a broad range of outsourcing, licensing, and other technology transactions on
behalf of hospitals, health plans, physicians, group purchasing organizations and technology companies. Before joining Liss & Lamar, P.C., Marilyn was a capital partner at McDermott Will & Emery
LLP where she chaired the Health Law Department's Information Technology practice group and co-chaired its HIPAA practice group. She also chaired the Health Information and Technology Practice
Group of the American Health Lawyers Association (AHLA) from 2002 to 2005 and serves on its
Quality Council. Marilyn is also a member of the Healthcare Information and Management Systems
Society (HIMSS), serving on the Ambulatory IS Steering Committee, the Payer Roundtable and the
Legal Aspects of the Enterprise Task Force. After graduating from the University of Chicago Law
School, Marilyn served as a law clerk for the Honorable Richard D. Cudahy, United States Court of
Appeals for the Seventh Circuit. She is a frequent author and speaker on EHRs, evolving liability
issues involving information technology, HIPAA privacy and security and outsourcing.

Eileen Lampe
Eileen Lampe is a Member of the firm Eckert Seamans Cherin & Mellott, LLC in Philadelphia, PA.
She has tried numerous high exposure cases to verdict, and also serves as a mediator for healthcare
disputes. She also has experience in the premises liability, nursing home liability, and healthcare and
risk management practice areas. In addition, Ms. Lampe is often asked to be a mediator. Ms. Lampe
received her JD in 1986 from the University of Richmond T.C. Williams School of Law, and her BA
in 1981 from Franklin and Marshall College. She is admitted to practice law in Pennsylvania and
New Jersey.
R. Jeffrey Layne
R. Jeffrey Layne is a Partner in the Austin, TX office of Fulbright & Jaworski L.L.P. His practice
focuses on federal and state regulatory, administrative, and litigation-related health law matters,
including Medicare and Medicaid fraud and abuse and research compliance issues. His health-related
litigation experience includes criminal, False Claims Act and administrative litigation related to a
wide variety of Medicare and Medicaid fraud and abuse, reimbursement, and compliance issues. Jeff
represents clients from across the spectrum of the healthcare industry, including hospital systems,
university health systems, pharmaceutical and medical device manufacturers and distributors, pharmacies, suppliers, and managed care organizations. Mr. Layne received his MPH in 1998 from Harvard
University, his JD in 1994 from Duke University Law School and his BBA, magna cum laude, in 1990
from Texas Christian University. Jeff is admitted to practice law in Texas and the District of Columbia.
He is a member of the American Health Lawyers Association.
Mary O'Toole Mahoney
Mary O'Toole Mahoney is Associate General Counsel at Tufts Associated Health Plans, Inc., a managed care organization in Watertown, Massachusetts. She joined Tufts Health Plan in 1995. Mary
is responsible for providing legal guidance to the company's board of directors and management
on corporate governance and transactions, financial, tax, and accounting matters. She also serves as
primary counsel on executive and employee benefits and compensation, and intellectual property.
Mary has served as counsel to numerous areas of the company over the years, including general risk
management, clinical services, all areas of contracting, technology and e-business. In addition, Mary
has been counsel on a variety of transactional matters for the plan. Mary received her BS in Nursing
and Philosophy from the University of Scranton in 1986 where she was a graduate of the Special
Jesuit Liberal Arts Honors Program, and her JD from the University of San Francisco in 1991. She is a
member of the Board of Directors of A Place to Turn, an emergency food pantry serving the metrowest
area of Boston.



Elizabeth M. Mills
Elizabeth M. Mills is Senior Counsel in the Chicago office of Proskauer Rose LLP. As a member
of the Firm's Health Department, she concentrates her practice on nonprofit organizations and their
tax exemption concerns as well as healthcare organizations and hospital-physician transactions. She
works with hospitals and other institutional healthcare providers, health maintenance organizations,
and academic medical centers, as well as other public charities, private foundations and charitable
giving vehicles. Elizabeth's practice with tax-exempt organizations includes addressing tax exemption
compliance issues such as intermediate sanctions and use of tax-exempt bond-financed property, representing organizations being audited by the IRS, and assisting organizations in obtaining tax exemption
from the IRS. Ms. Mills received her JD, cum laude, in 1984 from the Northwestern University School
of Law, her MS in 1978 from the Harvard School of Public Health, her MA in 1975 from Stanford
University, and her BA in 1973 from the University of Kansas. She is admitted to practice law in Illinois. She is a member of the American Health Lawyers Association, and serves as a Vice Chair of its
Tax and Finance Practice Group.
Peggy Nakamura
Peggy Nakamura, RN, MBA, JD, DFASHRM, CPHRM is Assistant Vice President, Chief Risk Officer, and Associate Counsel for Adventist Health. In this role, she oversees a comprehensive Risk
Management Department, including self-administered/self-insured programs in workers' compensation, professional, general and managed care liability. She was awarded the Distinguished Service
Award from the American Society of Healthcare Risk Management in 2008, and is a past President of
ASHRM. Ms. Nakamura holds an associate degree in Nursing from Sacramento City College, Sacramento, California, and a bachelor's degree in Biological Sciences from the University of California,
Davis. In addition she has an MBA from Golden Gate University in San Francisco, California, and
a Juris Doctor from McGeorge School of Law also located in Sacramento. Ms. Nakamura is faculty
for the California Hospital Association's Consent Law, Consent Basics, and EMTALA seminars. She
also is faculty for ASHRM's Barton Certification Program in the Advanced Forum module. She is a
member of the American Health Lawyers Association, and currently serves as Chair of its Risk Management Affinity Group of the Hospitals and Health Systems Practice Group.
Nicola Nelson
Nicola Nelson is an associate at the Rockford, Illinois office of Hinshaw & Culbertson LLP, where
her practice is focused primarily on environmental law. She advises and represents municipalities,
organizations, and business entities with respect to environmental permitting and compliance, as well
as enforcement actions. Prior to coming to Hinshaw & Culbertson, Ms. Nelson clerked as a judicial
extern to the Honorable Anne M. Burke of the Illinois Supreme Court. She also previously clerked as
a judicial extern to the Honorable Amy J. St. Eve, United States District Court, Northern District of
Illinois. Ms. Nelson graduated first in her law school class and was class valedictorian.

Enterprise Risk Management for Healthcare Facilities, First Edition


Contributing Authors, continued

Deborah Martin Norcross

Deborah Martin Norcross, Esquire, has more than twenty-seven years of concentrated employment
law experience, providing clients in the healthcare industry with aggressive and effective representation and counsel in employment matters and litigation before state and federal courts and agencies
across the country. Deborah routinely counsels healthcare clients on workplace issues that arise during
the course of the employment relationship. In addition, she provides policy development and review
services, as well as supervisory training on how to avoid workplace disputes and how to best handle
problem situations. She is admitted to the courts of the states of New Jersey and New York, and the
Commonwealth of Pennsylvania.
Amy B. Norris
Amy Norris is the Associate General Counsel of Clif Bar & Company, a leading maker of all natural
energy foods. Her current role is to provide advice and counsel on all operational matters and new
product development, both domestically and internationally. Prior to joining Clif Bar, Ms. Norris was
an associate with the law firm of Sheppard Mullin & Richter & Hampton, LLP, where she was a member of the Finance & Bankruptcy Practice Group. There, she advised clients on all manner of business
operations. Ms. Norris earned her juris doctorate degree from the University of San Francisco and a
Bachelor of Arts from U.C. San Diego.
Gisele Norris
Gisele Norris, DRPH is National Director at Aon Healthcare Alternative Risk Transfer Practice.
Dr. Norris has spent 15 years in the healthcare industry focusing on issues of healthcare finance.
Gisele currently directs Aon's Alternative Risk (ART) Practice in the Western United States and is
a principal leader of Aon's Pandemic Preparedness Task Force. In her current role, Gisele provides
strategic consulting to several of Aon's most prestigious clients. Prior to accepting her role with the
ART team, Gisele was responsible for the development of new healthcare product opportunities for
Aon internationally. Dr. Norris is widely published in various insurance industry publications. Gisele
received her BA from the University of California at Berkeley in 1988; Master of Public Health and
Master of Public Administration degrees from Columbia University in 1994; and a Doctorate in Public Health (with specialties in epidemiology and health policy) from the University of California at
Berkeley in 2000.
Joan Danielson Plump
Joan Danielson Plump is an attorney who is a member of the State Bars of New Jersey and Pennsylvania. Most recently she practiced with the firm of Eckert Seamans Cherin & Mellott, LLC, in
Philadelphia, PA, where she prepared and presented Continuing Medical Education classes for physicians and nurses, as well as Continuing Legal Education programs for lawyers. Prior to that she was
with McKissock & Hoffman, P.C., where she was Counsel to the Pennsylvania Patient Safety Authority from 2003 to 2005, and trained and supervised young lawyers in the firm's beeper program used


in representation of hospitals in emergency guardian and treatment order cases. Ms. Plump received
her JD from Fordham University School of Law, her MA in Education from LaSalle University, and
her BA, cum laude, from Bucknell University. She is admitted to practice law in the United States
District Court.
Nancy T. Poblenz
Nancy T. Poblenz, RN, BSN, DDS, JD, CPHRM serves as Litigation and Loss Prevention Director
for CHRISTUS Health, based in Houston, Texas. In this capacity, she is responsible for the claims
investigation and litigation management of all matters involving the healthcare system, including
professional, general, employment, business, class action and other litigation against any CHRISTUS
Health facilities. She also coordinates the corporate response to all government and regulatory
investigations. As corporate Loss Prevention Director she is responsible for leading all corporate loss
prevention initiatives. She serves on various committees, including the corporate Quality Committee
and Clinical Policy Team, and is active on the CHRISTUS St. John Hospital Ethics Committee. Nancy
is a graduate of the University of Texas at Arlington, Baylor College of Dentistry and University of
Houston Law Centre. She is a member of the College of the State Bar of Texas and has previously been
in the private practice of personal injury, medical malpractice, and employment related litigation. Her
medical and nursing experience includes work in hospitals, clinics and long term care facilities. She is
a member of the American Health Lawyers Association.
Richard S. Porter
Richard S. Porter is a Partner with the firm Hinshaw & Culbertson LLP. He represents municipalities
and business enterprises in environmental law and litigation, and in general commercial and insurance
defense litigation. Mr. Porter's environmental practice includes experience with CERCLA, NEPA,
RCRA, Clean Air Act, Clean Water Acts, Phase I and II reports, TACO program, Brownfields programs, NPDES permitting, environmental impact studies, Superfund litigation, underground storage
tanks, toxic tort actions, indoor air quality, asbestos abatement and solid waste management. Mr. Porter received his JD, cum laude, from the Southern Illinois University College of Law in 1992, and his
BS from the Illinois State University in 1988. He is admitted to practice law in Illinois.
Yvonne Karen Puig
Yvonne Karen Puig is a Partner at Fulbright & Jaworski L.L.P. Ms. Puig practices exclusively in the
healthcare area and represents hospitals, HMOs, medical schools and other institutional healthcare
providers. She has extensive experience in a variety of health law regulatory matters, including, but
not limited to: EMTALA, credentialing, due process hearings, and JCAHO accreditation and compliance. Her trial experience includes complex litigation, such as representation of hospital systems,
manufacturers and sellers of medical devices, and commercial litigation involving the health industry.
Additionally, she has experience reviewing business arrangements among managed care providers
and other statutory and regulatory compliance. Yvonne is also an author who has published numerous

articles on a variety of healthcare topics and liability updates. She received her JD in 1978 from The
University of Texas School of Law and her BA in 1975 from the University of Texas. Yvonne is admitted to practice law in Texas. She is a member of the American Health Lawyers Association.
Steven M. Puiszis
Steven M. Puiszis is a Partner in the Chicago office of Hinshaw & Culbertson LLP, and is a member
of their Business Litigation Practice Group, as well as its Electronic Discovery Response Team. He is
a well-known and highly experienced trial attorney and mediator with a wide-ranging litigation and
trial practice in state and federal court, who stopped counting after having taken more than 40 civil
and criminal jury trials to verdict. He is one of the few attorneys nationally who has ever successfully
defended through trial a federal class-action lawsuit. Mr. Puiszis received his JD in 1979 from Loyola
University Chicago School of Law, and his BS in 1976 from DePaul University. He is admitted to
practice law in Illinois. He is a member of the American Health Lawyers Association.
Emily Rhinehart
Emily Rhinehart, RN, MPH, CIC, CPHQ, is a Vice President at AIG Consultants, Inc., and has over
25 years of diverse healthcare experience. As a consultant and manager, she has developed and provided
a wide variety of products and services for the healthcare market including risk and quality management, performance measurement programs, patient safety programs, and infection control programs for
organizations in all healthcare segments. Ms. Rhinehart holds a Bachelor of Science in Nursing degree
and a Master's in Public Health with a concentration in Epidemiology. She is certified in healthcare
quality (CPHQ) and infection control (CIC). She entered the healthcare quality and risk management
arena after 15 years of outstanding success as a national and international leader in hospital infection
control and epidemiology. She has provided consultation in quality management and infection control
to healthcare organizations and industry in the US, Asia, Europe, Central and South America.
Nestor J. Rivera
Nestor J. Rivera is an Associate at the Atlanta, GA office of Carlton Fields PA. Mr. Rivera is a member
of the Firm's Health Care Practice Group. His practice includes representation of healthcare providers
of all sizes in both operations/regulatory and litigation matters. He has advised clients on healthcare operations and regulatory matters, including: HIPAA and related federal and state privacy laws,
healthcare provider reimbursement and insurance coverage, guardianship, contract negotiation and
implementation, debt collection and credit reporting requirements, and other issues encountered by
healthcare providers on a daily basis. Mr. Rivera's litigation experience includes representation of
healthcare providers of all sizes in breach of contract, tortious interference, payment of billed charges,
and other business claims. Mr. Rivera received his JD in 2000 from Emory University School of Law
and his BBA in 1997 from the University of Miami. He is admitted to practice law in Georgia and
Florida. He is a member of the American Health Lawyers Association.



Ila S. Rothschild
Ila S. Rothschild, MA, JD, is Special Counsel with the Office of General Counsel at The Joint Commission. As Special Counsel, Ila has advised The Joint Commission on a number of issues, among
them: credentialing/privileging; peer review and confidentiality; conflict management; risk management; disruptive behavior; telemedicine; leadership accountability; ethics; patients' rights; patient
safety; and overall interpretation of accreditation standards. She has also co-authored briefs to the
Kentucky Supreme Court and the U.S. Supreme Court on issues relating to confidentiality of peer
review. Ila taught legal and ethical issues in healthcare as a lecturer-in-law at the University of Chicago Law School. A staunch advocate for patients' rights, Ila has co-authored amicus curiae briefs
on end-of-life issues to the U.S. Supreme Court and the Supreme Court of California. Ila received
her bachelor's degree with honors from the University of Wisconsin; her master's degree from the
University of Chicago; and her Juris Doctor from Chicago-Kent College of Law. She is licensed in
Illinois and California and is a member of the bar of the U.S. Supreme Court. She is a member of the
American Health Lawyers Association.
Fay A. Rozovsky
Fay A. Rozovsky, JD, MPH, DFASHRM, is President of The Rozovsky Group, Inc. An experienced
healthcare risk management consultant and attorney, Ms. Rozovsky works with clients along the
continuum of care, providing healthcare professionals, organizations and leadership with practical
risk management and patient safety solutions. She is a Distinguished Fellow of ASHRM, and a past
President of the Society. Ms. Rozovsky has lectured extensively and authored or co-authored over five
hundred articles and several books. A summa cum laude graduate of Providence College, Ms. Rozovsky
received her JD from Boston College Law School and an MPH from the Harvard School of Public
Health. She is an Affiliate Associate Professor in the Department of Legal Medicine at the Virginia
Commonwealth University School of Medicine. Ms. Rozovsky is admitted to the practice of law in
Florida and Massachusetts. She is a member of the American Health Lawyers Association.
Mary S. Schaefer
Mary S. Schaefer, RN, M.Ed, ARM, JD, is Corporate Director of Risk Management of Covenant Health
Systems. In her current role, Ms. Schaefer provides oversight and direction over a system-wide risk
management program, insurance operations, and Captive medical malpractice claims management.
She currently serves as a member of Covenant's Quality Board Committee and Preferred Professional
Insurance Company's Claims/Risk Advisory Council. She currently chairs Covenant's Risk Management, Insurance and HIPAA Committees. Ms. Schaefer received a Juris Doctor from the New England
School of Law and is admitted to the Massachusetts Bar. She also earned a Master of Education from
Boston University and a Bachelor of Science in Nursing, cum laude, from Central Connecticut
State University. She also earned an Associate Degree in Risk Management from the Insurance Institute of America. She is a member of the American Health Lawyers Association, and an active member
of its Risk Management Affinity Group of the Hospitals and Health Systems Practice Group.


Kathryn Kottemann Wire

Kathryn Kottemann Wire is Principal at Kathryn Wire Risk Strategies. She has managed professional
and general liability events in Missouri, Arkansas and south Texas. She also has consulted on development of risk and claim management models in system facilities and teamed with risk and quality
managers to maximize loss prevention based on poor outcomes. Ms. Wire also has been responsible
for defense management of all professional and general liability events for a regional system of nine
hospitals, four nursing homes and an extended network of ambulatory care. She initiated a program
for risk prevention and claims management, including investigation of all claims, oversight of outside
counsel and affiliated facilities (two hospitals, a nursing home, a home health agency and occupational
health). She received her JD/MBA in 1980 from Washington University, and her BS in 1976 from
Northwestern University. She is admitted to practice law in Missouri and Illinois. She is a member of
the American Health Lawyers Association.
Theresa M. Zimmerman
Theresa M. Zimmerman, RN, BSN, JD, ARM, CPHRM, DFASHRM, is the Vice President, Chief
Quality Risk Officer for Community Mercy Health Partners. She has over twenty years' experience
in healthcare, risk management and law. She is past president of the Ohio Society of Healthcare Risk
Management, voted 2003 Ohio Risk Manager of the Year, and currently serves as president-elect for
the American Society of Health Care Risk Management. In 2008, she was awarded the certificate of
recognition and designation of Distinguished Fellow for her contributions to the field of healthcare
risk management and patient safety by the American Society of Healthcare Risk Managers. In 2007
she was co-awarded the ASHRM Journal Author Excellence Award for an article calling for the inclusion of patients and family in root cause analysis after the occurrence of a serious adverse event. Terie
is a graduate of the Patient Safety Leadership Fellowship Health Forum (2003), the Intermountain
Advanced Training Program in Health Care Delivery Improvement (2007), and the 2008 IHI Executive PSO
training program. She has also written for and spoken at state and national forums on legal, compliance, patient safety, leadership and risk management topics.



Preface.......................................................................................................................... iv
Acknowledgments ....................................................................................................... v
About the Editor ......................................................................................................... vi
Contributing Authors................................................................................................ vii
Part I - Introduction
Chapter 1 - Enterprise Risk Management: What's It All About? .................................................3
Setting the Stage: Managing Risks ......................................................3
What Has Changed? ...............................................................................4
Risk Management as a Decision Making Process .................................4
Enterprise Risk Management (ERM).....................................................4
Risk Relationships ...............................................................................12
Risk Correlation ...................................................................................12
Responsibility for Enterprise Risk Management .................................13
Organizational Risk Appetite ...............................................................14
Risk Identification and Analysis ..........................................................15
Strategy Setting and Solution Identification ........................................18
Implementation Obstacles: Monitoring, Evaluating and Changing the Program .........................................................18
Benefits of ERM ..................................................................................20
ERM Success Factors ..........................................................................21
The Future Risk Management Professional .........................................22
Conclusion ...........................................................................................22
Table 1.1 - Reasons for Change ..........................................................23
Exhibit 1.1 - Values Doctrine ..............................................................24
Exhibit 1.2 - Risk Appetite/Risk Tolerance .........................................25
Table 1.2 - Qualitative Measure of Risk Frequency............................25
Table 1.3 - Measure of Time to Impact ...............................................26
Table 1.4 - Measure of Risk Severity ..................................................26
Table 1.5 - Fetal Hypoxia ....................................................................27
Exhibit 1.3 - Sample Risk Map ...........................................................28
Chapter 2 - Structuring an Enterprise Risk Management Program .............................................29
Introduction ..........................................................................................29
Laying the Groundwork .......................................................................29
Designing and Conducting the Initial ERM Risk Identification Interviews and Survey Process ......................................32
Addressing Identified ERM Risks .......................................................35
Integrating ERM into the Corporate Culture .......................................37
Conclusion ...........................................................................................38
Appendix ..............................................................................................39



Table of Contents, continued

Part II - Financial Issues

Chapter 3 - Insurance and Risk Financing: The Basics .............................................................47
Introduction ..........................................................................................47
Principles of Insurance .........................................................................50
Insurance Company Types ................................................................51
The Insurance Transaction ...................................................................53
Claims-Made vs. Occurrence Coverage ..............................................55
Limits: Terms and Conditions, Sublimits, Scheduled Losses, etc. ...........................................................................................55
The Insurance Policy............................................................................57
Insurance Policies by Line of Coverage ..............................................59
Self Insurance.......................................................................................64
Captives vs. Trusts ...............................................................................65
Conclusion ...........................................................................................67
References ............................................................................................68
Exhibit 1 - Captives vs. Trusts: Comparison of Key Issues ................69
Exhibit 2 - Captives vs. Trusts: Cost Comparison ..............................70
Chapter 4 - Claims Management: A Tool for Enterprise Risk Management ...............................71
Introduction ..........................................................................................71
Implementing a System to Identify and Report Disputes ....................71
Timely Investigations of Potentially Compensable Events and Claims ...........................................................................................75
Tracking Claims, Events, and Disputes ...............................................76
Selection of Defense Counsel ..............................................................78
Obtaining Experts ................................................................................79
Establishing Sound Reserving Policies................................................79
Fair Resolution of Claims and Suits ....................................................81
Pre-Trial Preparation and Discovery....................................................84
Taking the Case to Trial: Issues and Strategies ....................................85
Conclusion ...........................................................................................86
Chapter 5 - Contracts: An ERM Approach ................................................................................87
Introduction ..........................................................................................87
Contract Review...................................................................................87
Contract File Management ...................................................................88
Critical Contract Provisions .................................................................89
Specific Issues in Healthcare Contracts ...............................................92
Conclusion ...........................................................................................94
References ............................................................................................94
Attachment 1 - Policy: Contract Review, Execution and File Maintenance ..................................................................................95
Attachment 2 - Contract Transmittal Memorandum ...........................97



Attachment 3 - Annual Evaluation of Service Provided By Contract ..........................................................................................98
Attachment 4 - Contract Review Worksheet .....................................100
Attachment 5 - Components Of Contract Review ............................101
Attachment 6 - Contract Review and File Maintenance ...................103
Attachment 7 - Healthcare Contracts: Key Issues .............................104
Chapter 6 - Financial Challenges ...............................................................................................107
Introduction ........................................................................................107
Volume ...............................................................................................108
Cost ....................................................................................................109
Pricing/Payment .................................................................................110
Capital ................................................................................................111
Conclusion .........................................................................................113
Exhibit 1 - Most Significant Factors Related to Hospital Volume: 2008-2013 ............................................................................113
Exhibit 2 - Most Significant Factors Affecting Hospital Costs, 2008-2013 ...............................................................................113
Exhibit 3 - Most Significant Factors Affecting Hospital Prices/Payment: 2008-2013 ...............................................................114
Exhibit 4 - Shift in Credit Quality, 1990-2007 ..................................114
Exhibit 5 - Most Significant Factors Affecting Hospital Capital: 2008-2013.............................................................................115
Chapter 7 - Financial Stewardship .............................................................................................117
Introduction ........................................................................................117
Maintaining Tax Exemption...............................................................117
Tax Reporting and Payment Issues ....................................................124
Corporate Oversight of Financial Affairs...........................................126
Use of Property Financed by Tax-Exempt Bonds ..............................130
Conclusion .........................................................................................134
Part III - Hazards
Chapter 8 - Energy Management as an ERM Process ...............................................................137
Introduction ........................................................................................137
Energy Management as an ERM Process ..........................................137
Energy Management and Loss Prevention.........................................138
Energy Management and Claims .......................................................138
Energy Management and Risk Financing ..........................................139
Conclusion .........................................................................................140
Chapter 9 - An Enterprise Risk: Pandemic Influenza ................................................................141
Introduction ........................................................................................141
Duty to Patients ..................................................................................143
Duty to Workforce .............................................................................147
Duty to the Community .....................................................................152


Other Key Relationships ....................................................................153

Conclusion .........................................................................................153
Compendium of Pandemic Policy Resources ....................................154
Chapter 10 - Environmental Compliance in the Context of ERM .............................................157
Introduction ........................................................................................157
Environmental Laws that Affect Healthcare Facilities ......................159
Environmental Audits ........................................................................163
The Significance for In-House Counsel, the Governing Board, and Executive Leadership ......................................................167
The Key to Success: Environmental Management Systems
Conclusion .........................................................................................170
Appendix ............................................................................................171
Recordkeeping Requirements for Many of the Relevant Environmental Regulations Discussed In Chapter ............................171
Part IV - Human Capital
Chapter 11 - Minimizing Risk in the Employment Relationship ...............................................181
Introduction ........................................................................................181
Regulation of the Employment Relationship .....................................181
Managing the Stages of the Employment Relationship .....................182
Handling Challenges to Employment Decisions ...............................187
Conclusion .........................................................................................189
Chapter 12 - What to Expect and What to Do When OSHA Comes Knocking ........................191
Introduction ........................................................................................191
The OSHA Process ............................................................................192
Significance for In-House Counsel, the Governing Board, and Executive Leadership .........................................................................205
Conclusion .........................................................................................206
Part V - Legal & Regulatory Concerns
Chapter 13 - Adverse Event Reporting: Reporting for Patient Safety and Public Health .........209
Introduction ........................................................................................209
An Overview of Programs .................................................................209
An Overview of Reporting Processes ................................................211
Mandatory State Reporting ................................................................214
Reporting and Risk ............................................................................216
Conclusion .........................................................................................216
Appendix - National Quality Forum 2006 Serious Reportable Events ...............222
Chapter 14 - Human Research and IRBs ...................................................................................225
Introduction ........................................................................................225
Overview of Human Research Requirements ....................................225



Federal Regulatory Infrastructure ......................................................226

Sponsored Research Trials .................................................................227
IRBs and the Research Office ............................................................229
Why an Enterprise Risk Management Model ....................................229
An Enterprise Risk Management Systems Checklist for Human Research and IRB Administration .........................................233
Conclusion .........................................................................................235
Resources ...........................................................................................236
Chapter 15 - Mandatory Disclosure of Adverse Events to Patient/Family ................................237
Introduction ........................................................................................237
When Disclosure is Necessary ...........................................................238
Barriers to Disclosure ........................................................................241
How to Disclose .................................................................................242
Conclusion .........................................................................................246
Resources ...........................................................................................247
Chapter 16 – Compliance and Enterprise Risk Management .....................................................249
Introduction ........................................................................................249
Elements of an Effective Corporate Compliance Program ................251
Conclusion .........................................................................................263
Part VI – Operations
Chapter 17 – Consent to Treatment: An ERM Perspective ........................................................267
Introduction ........................................................................................267
The Key Elements for Consent to Treatment .....................................267
Exceptions to the Rules of Consent ...................................................268
Clinical Research ...............................................................................269
Information Flow in the Consent Process – An Enterprise
Risk Exposure ....................................................................................270
Consent Documentation .....................................................................271
Risk Exposures in a Consent ERM Model ........................................272
Case Example.....................................................................................273
ERM Treatment of Consent Risk Exposures .....................................275
Setting the Context for Patient Communication ................................276
Disclosure of Adverse and Unanticipated Outcomes.........................277
Role of Legal Counsel in an ERM Framework for
Disclosure ..........................................................................................279
Conclusion .........................................................................................280
Chapter 18 – Peer Review and Credentialing in an Era of Enterprise Risk Management .........281
Introduction ........................................................................................281
Practitioner Credentialing ..................................................................281
Documentation of Credentialing Criteria...........................................293
Potential Liabilities Related To Credentialing ...................................294

Conclusion .........................................................................................306
Chapter 19 – Economic Credentialing: A Balancing of Risks ....................................................307
Introduction ........................................................................................307
Background ........................................................................................309
Government Accountability Office ....................................................311
Office of Inspector General ................................................................311
Statutory Provisions ...........................................................................313
Case Law............................................................................................314
Conclusion .........................................................................................318
Chapter 20 – Healthcare-Associated Infections .........................................................................319
Introduction ........................................................................................319
Background and History of Prevention and Infection
Control in the US ...............................................................................319
Epidemiology of Healthcare-Associated Infections ..........................321
Impact of HAIs on Healthcare Professional Liability........................326
Role of Legal Counsel .......................................................................328
Compliance with Published Guidelines .............................................329
Review of Surveillance Results .........................................................330
Public Reporting of Surveillance Data ..............................................331
Outbreak Investigation .......................................................................331
Governing Board and Executive Leadership .....................................332
Conclusion .........................................................................................334
Table 1 – Classification of Surgical Wounds .....................................335
Chapter 21 – The Patient Experience, Transparency, and ERM.................................................337
Introduction ........................................................................................337
IOM Reports' Impact on Healthcare ..................................................337
Highest Opportunity Areas for Patient Safety Improvement .............338
Call for Transparency.........................................................................339
The Impact of National Initiatives (IHI, NPSF, NQF,
AHRQ, Leap Frog) ............................................................................341
A Word about Patient Satisfaction .....................................................345
Conclusion .........................................................................................349
Resources ...........................................................................................350
Appendix A ........................................................................................352
Part VII – Strategic Issues
Chapter 22 – Public Relations, Marketing, and Advertising ......................................................359
Introduction ........................................................................................359
Image and Reputation ........................................................................359
The "Brand" Standard ........................................................................360
Issues Most Likely to Test an Organization's Image and
Reputation ..........................................................................................360
And Now a Word about Advertising ..................................................367
Conclusion .........................................................................................370
Figure 1 – Crisis Communications Plan Table of Contents ...............371
Figure 2 – Rules of Thumb for Positive Patient/Family
Communication ..................................................................................371
Figure 3 – Media Relations Dos and Don'ts ......................................372
Chapter 23 – ERM and Managed Care .......................................................................................373
Introduction ........................................................................................373
A Historical Perspective of Risk Management in a
Managed Care Organization ..............................................................373
What are the Risks? ...........................................................................375
How to Manage the Risks ..................................................................379
Conclusion .........................................................................................383
Chapter 24 – ERM in the Context of Mergers, Acquisitions, Divestitures,
and Joint Ventures ...........................................................................................................385
Introduction ........................................................................................385
Definitions ..........................................................................................385
Strategic Transactions and a Healthcare Organization's
ERM Program ....................................................................................387
Strategic Transactions: The Due Diligence Process ..........................387
Transaction Risk Analysis and the ERM Program.............................388
Impact of the Form of Strategic Transaction on ERM
Program ..............................................................................................389
Overview of the Due Diligence Process in the Context of an
Enterprise Risk Management Program ..............................................392
The Most Often Overlooked Due Diligence Item: Culture ...............396
Managing Costs .................................................................................397
Managing the Strategic Transaction and the Due Diligence
Process ...............................................................................................397
Due Diligence Reports .......................................................................398
Conclusion .........................................................................................399
Chapter 25 – Medical Tourism Risks: Have Patient Will Travel To Thailand,
India, and the Taj Mahal!!...............................................................................................401
Introduction ........................................................................................401
Part I – Choice of Medical Travel Destination and
Medical Care ......................................................................................404
Part II – Legal Ramifications of Medical Travel from the
Physician, Provider, and Payor Perspective .......................................412
Conclusion .........................................................................................415
Chapter 26 – Retail Health Clinics .............................................................................................417
Introduction ........................................................................................417
Retail Health Clinic Structures ..........................................................419
Enterprise Risk Management Considerations ....................................420
Conclusion .........................................................................................430
Part VIII – Technology
Chapter 27 – Telemedicine and Enterprise Risk Management ...................................................433
Introduction ........................................................................................433
Telemedicine Risk Management Summary .......................................434
Telemedicine Equipment Risk Management Issues...........................437
Negligence in Telemedicine – Case Law Review ..............................438
Clinical Risk Management – Extending Performance
Improvement Policies to Telemedicine ..............................................444
Reimbursement – Medicare, Medicaid, Grants and Private Pay .......444
Commentary & Conclusions ..............................................................445
Chapter 28 – Electronic Health Records: An Enterprise Risk Approach ...................................449
Introduction ........................................................................................449
Medical Professional Liability ...........................................................451
EHR Vendor Contracts .......................................................................458
Regulatory Concerns: HIPAA, Stark, and Anti-Kickback .................466
Patient Privacy and Security: HIPAA ................................................467
Fraud and Abuse ................................................................................470
Conclusion .........................................................................................472
Table 1 – HIPAA Security Rule: Security Standards .........................473
Table 2 – Stark and Anti-Kickback EHR Provisions .........................477
Table 3 – Stark and Anti-Kickback e-Prescribing Provisions ............481
Chapter 29 – Radio Frequency Identification – A Challenge for Healthcare .............................483
Introduction ........................................................................................483
What is RFID? ...................................................................................484
Types of RFID Tags ...........................................................................485
Frequency and Range of RFID Tags ..................................................486
RFID Tag and Data Standardization ..................................................487
Regulatory Approvals by the Federal Communications
Commission .......................................................................................488
Food and Drug Administration Regulation ........................................489
Using RFID in Healthcare .................................................................491
Challenges for Legal Counsel ............................................................495
RFID Privacy Concerns .....................................................................495
Other Privacy and Security Concerns ................................................496
Radiofrequency Interference ..............................................................497
Training Staff and Educating the Public ............................................497
Information Technology Interface: Risks and Opportunities .............498
Who is Responsible for Maintaining the System? .............................499

Selecting RFID Vendors and Consultants ..........................................500
RFID Backup .....................................................................................500
Who Controls RFID Policy in the Organization? ..............................501
Challenges that Require Special Attention ........................................502
Conclusion .........................................................................................503
Recommended Reading .....................................................................504
Chapter 30 – E-Discovery and Enterprise Risk Management ....................................................505
Introduction ........................................................................................505
Identify Technologically Based Risks of Your EHR System .............508
E-Discovery Risk Management Steps ...............................................512
The Federal Rules' Approach to E-Discovery ...................................519
Conclusion .........................................................................................530
References ..........................................................................................530

Part I
Principle #6: A charitable organization's board should ensure that the organization has adequate plans to protect its assets. This Principle indirectly endorses the
concept of enterprise risk management as a proper topic for formal board attention.
It concludes that boards are responsible for understanding the major risks to which the
organization is exposed, reviewing those risks on a periodic basis, and ensuring that
systems are in place to effectively manage those risks. Many nonprofit hospitals and
health systems have long maintained components of such a strategy (e.g., corporate
compliance plans, insurance covering key assets, quality of care oversight, technology
backup, asset insurance, and indemnification and insurance protection for officers and
directors). By this principle, however, the Panel describes additional components of
enterprise risk management and encourages boards to evaluate risk mechanisms from
a more global perspective.
From Principles for Good Governance and Ethical Practice: A Guide for Charities and
Foundations at http://www.nonprofitpanel.com/selfreg/Principles_Guide.pdf.

Enterprise Risk Management – What's It All About?

Enterprise Risk Management
Senior Vice President, Aon Healthcare

Setting the Stage – Managing Risks

The medical professional liability crisis of the 1970s and 1980s was the impetus for the development of
most risk management programs. Initially, the emphasis was on insurable risk and facility hazards,
with a financial and claims focus that gradually moved toward responding to clinical risks. The movement
toward clinical risks was a reactive strategy to improve patient safety, albeit not necessarily described in
those terms. Risk management professionals thought their efforts to avoid, prevent, and manage
clinical risk would preserve the financial assets of the organization through the delivery of safe patient
care. Somewhere along the way, this message was lost.
The identification and management of organizational risks heretofore has been fragmented into
silos of responsibilities and accountabilities across the organization with no clear coordination, facilitation, or communication. For the most part, risks have been managed as if they were in standalone,
disparate business units with no oversight or relationship with other units.
Healthcare risk management programs started in the acute care hospital setting and have expanded
over time to other healthcare settings outside the conventional hospital borders. Common to most
healthcare risk management programs has been the development and implementation of early warning systems to identify organizational risks. The most familiar of all early warning systems is the
incident report. The incident report has been a reactive or retrospective internal source of information, widely supported by nursing practitioners as a reporting tool for adverse events or happenings not
consistent with normal operations. However, even this cornerstone of healthcare risk management has
no common taxonomy, offering no standardization from one organization to the next. The majority of
states have adverse event reporting requirements: one is voluntary (Oregon), while the others are mandatory. The data collected varies from state to state, and little to no strategies and solutions to mitigate
risk are offered. Without a common taxonomy or standardization of data sets among the reporting
systems, the wealth of information currently being amassed by individual state reporting systems offers
no means by which trends can be identified, common themes recognized, lessons shared, or mitigation
strategies implemented. Current efforts by the World Health Organization (WHO), The Joint Commission, and the Agency for Healthcare Research and Quality (AHRQ) are addressing just this issue.
The passage of the Patient Safety and Quality Improvement Act of 2005 [1] (the Patient Safety Act) and its
implementing regulations [2] are anticipated to assist data collection and offer a repository of information
geared to improve patient safety.

What Has Changed?

The healthcare delivery system in the 21st century has changed dramatically from the not-too-distant past. Many of these changes have clearly placed the spotlight on healthcare as a setting of evolving
risks. See Table 1.1 for a listing of reasons why healthcare changed. This chapter will not discuss these
changes; however, it is important to remember that change, regardless of how well intended or necessary, is not without risk. Healthcare organizations need to identify and manage all of their risks, not just
those with which they are familiar or comfortable, have previously identified, or can easily quantify.
The focus of risk management has changed, expanding to identify and assess risk proactively, in
tandem with other risks, involving the highest levels of the organization (Board and C-Suite [3]) and requiring the collaborative effort of all employees. No longer can healthcare risk management simply react
to clinical risks and hope that patient safety is achieved; efforts must focus on risks that affect the
entire organization and not just one aspect of operations.

Risk Management as a Decision Making Process

Risk management as a management decision making process, espoused by George Head from
the Insurance Institute of America (IIA), has been around since the early 1970s. The risk management
process includes the following steps: (1) identifying risk and analyzing an organization's exposure to
loss; (2) examining alternative risk techniques; (3) selecting the best technique(s); (4) implementing the
technique(s) chosen; and (5) monitoring and making changes as necessary. This 5-step process has
been embraced by healthcare risk management professionals since those early days as well. It is within
this context that enterprise risk management will be discussed.

Enterprise Risk Management (ERM)

The following section will address the background of enterprise risk management, offer a definition in the context of healthcare, and identify activities that support ERM.

[1] Pub. L. 109-41, § 2(a)(5), 119 Stat. 424.
[2] For information on Patient Safety Organizations, including the final rules, see http://www.pso.ahrq.gov/regulations/
[3] C-Suite = chief executive officer (CEO), chief financial officer (CFO), chief medical officer (CMO), chief nursing officer (CNO), chief operating officer (COO), chief administrative officer (CAO), chief risk officer (CRO), chief compliance
officer (CCO), etc.

ERM Background

There has been much conversation on the topic of enterprise risk management in the past five
years but little progress in healthcare. ERM was first initiated within the financial sector, which includes
banks, investment companies, brokerage houses, and insurers. Consequently, comprehensive systems,
processes, metrics, models, and best practices are well developed in this business sector. Couple those
with stringent regulations and government oversight, and you have a business sector that is more
sophisticated and mature in terms of ERM than healthcare. So, how is the dramatic decline in public
confidence and escalating home foreclosures created by the recent mortgage debacle explained? How
are the Wall Street investment firms' scandals, with investors losing billions, justified? Understanding
that no organization or business sector is immune from catastrophic loss is a start.
Scandals involving accounting compliance and corporate governance such as those seen with
Enron, WorldCom, and Tyco prompted the passage of the Sarbanes-Oxley Act of 2002 (SOX). This
was the impetus for many organizations to implement enterprise risk management programs. The
requirements of SOX are focused primarily on publicly traded, for-profit companies; however, many
not-for-profit healthcare organizations are voluntarily complying with the principles and financial controls embedded within SOX. Additionally, SOX heightened the awareness of boards of directors as to
their responsibility for identifying and managing organizational risks and brought the question of ERM
programs to the forefront.
The Treadway Commission's Committee of Sponsoring Organizations (COSO) [4] in 2004 issued
the Enterprise Risk Management – Integrated Framework. This publication offered an ERM framework
and provided a set of best practices for organizations to use when implementing ERM programs.
This report was an expansion on the work companies were already doing to comply with SOX and
offered guidance for creating an organization-wide risk management program.
Furthering support for ERM programs, beginning in 2007 financial companies will be asked a
series of questions about risk management in their evaluation by Standard & Poor's (S&P), the debt
rating agency. The results of that evaluation are just one of many factors used to determine a company's debt rating. This evaluation, in part, determines the interest rate lenders charge for loans or bonds.
On May 7, 2008, Standard & Poor's announced that the agency will enhance its global rating process
for non-financial companies to include a review of their ERM programs. S&P will begin to hold ERM
discussions with rated companies in the third quarter of 2008 and will begin to include commentary in
S&P reports in the fourth quarter. It is unlikely that the formal scoring of companies' ERM capabilities will go into effect much before 2009, because a sufficient number of reviews to permit reliable
benchmarking needs to be conducted and evaluation criteria need to be published. [5] The impact that
S&P will have on rated healthcare organizations is still to be determined, but most likely will not be
an immediate priority.
[4] COSO is the Committee of Sponsoring Organizations of the Treadway Commission. A voluntary council with members
from five accounting organizations, COSO represents a cooperative effort between the American Institute of Certified Public Accountants, the American Accounting Association, the Financial Executives Institute, the Institute of Internal Auditors,
and the Institute of Management Accountants. For more information, go to http://www.coso.org.
[5] Enterprise Risk Management: S&P Enhancement White Paper, Executive Summary, p. 2, May 2008, Aon Global.


Enterprise risk management calls for change from a reactive incident-based, clinically-focused
risk management program to a more holistic, multidisciplinary program focused on all risks facing the
organization. Assisting legal counsel in understanding the changing dynamics of organizational risks
and the synergistic effect which those risks have is vital to practicing proactively and is the basis for
this chapter.

ERM Defined

Creating a common language and accepted definition of terms is important when discussing enterprise risk management. Enterprise risk management means different things to different people. It is a
discipline, a practice, and a process. The following working definitions are offered:
Enterprise risk management is a discipline that engages professionals in the practice of
identifying, managing, controlling, and monitoring all risks to the organization.
Enterprise risk management can best be described as an ongoing business decision making
process instituted and supported by the healthcare organization's board of directors, executive
administration, and medical staff leadership. ERM recognizes the synergistic effect of risks
across the continuum of care, and has as its goals to assist the organization in reducing uncertainty
and process variability, promoting patient safety, and maximizing the return on investment (ROI)
through asset preservation and the recognition of actionable risk opportunities.
In Enterprise Risk Management – Integrated Framework, [6] issued by COSO in 2004, enterprise
risk management is defined as "a process, effected by an entity's board of directors, management
and other personnel, applied in strategy setting and across the enterprise, designed to identify potential
events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable
assurance regarding the achievement of entity objectives."
As discussed earlier, even though healthcare organizations have not made tremendous inroads
into ERM, it does not mean that they have not been managing risk. The difference between the previous methods of identifying and managing risks and ERM is the recognition of gain as a possible
outcome of risks, the identification of risks proactively as opposed to reactively, and the understanding of
the synergistic relationship among and between risks. Risks do not exist in isolation and can best be
understood in terms of their importance or contribution to a portfolio of risks. Risks cross organizational
structures and relationships and should be managed initially in a comprehensive manner from the
top down. Over time, through education and practice, ERM will permeate the entire organization and
empower all employees to identify risks and recommend mitigation strategies. ERM thus becomes vertical
and horizontal, a top-down as well as an upward process.

[6] Available at http://www.erm.coso.org/Coso/coserm.nsf/vwWebResources/PDF_Manuscript/$file/COSO_Manuscript.pdf.


ERM Activities

ERM is a series of interrelated activities that are broad in scope and reflect an organization-wide,
ongoing commitment. Failure to recognize the synergistic effect of risks across the full continuum of
healthcare settings jeopardizes the implementation of long-term risk mitigation strategies and increases
costs through inefficient deployment of resources. To be most effective, ERM should be part of strategic
planning for the organization and a proactive as well as reactive process.
When developing an organization-wide ERM program, consideration must be given to differences in the setting or locale (acute care hospital, skilled nursing facility, physician office practice),
organizational structure (for-profit, not-for-profit, governmental), business approach and strategy
(community-based, faith-based, academic/teaching, integrated network), stakeholders and customers,
and systems and processes, as no two organizations are exactly alike and many organizations have disparate
parts. The challenge in developing an ERM program is consistency in process: getting everyone on the
same page, so to speak, at the same time and with the same focus.

Risk Domains

Regardless of the setting or locale, it is common practice to refer to domains or areas of risks
when discussing ERM. The following are typical areas or domains of risks under ERM with a common
description for each and examples. They can contract and expand depending upon the ERM definition,
organizational preference, settings, and uses.
1. Operational – Risks related to the business operation that result from inadequate or failed internal processes, people, or systems. The business of healthcare is patient/resident related, with an
emphasis on the delivery of clinical care that is safe, timely, effective, efficient, and patient-centered. Examples of healthcare operational risk areas include but are not limited to:
- Quality initiatives
  - Pay for Performance (P4P)
  - Variability in care and quality outcomes
- Adverse event management
  - The use of disclosure and apology
  - Transparency
- Chain of command
- Medical professional liability
- National Quality Forum's list of 28 Never Events
- Patient falls
- Medication errors
- National Patient Safety Goals (NPSGs).

2. Financial – Risks that affect the profitability, cash position, access to capital, or external financial
ratings through business relationships or the timing and recognition of revenue and expenses.
Examples of areas that can create financial risks include:
- Billing, collection activities, and accounts receivable
- Emphasis on Medicare secondary payer statutes and non-payment strategies for never events
- Corporate compliance (fraud and abuse)
- Charitable care
- Possible loss of tax-exempt charitable status
- Healthcare financing changes due to new administration and Congress
- Credit and interest rate fluctuations
- Stock market devaluation and its impact on an organization's financials
- Capitation contracts
- Foreign exchange rates
- Days of cash on hand
- Growth in programs and facilities
- Capital structure
- Capital equipment.
3. Human Capital: Risks that relate to the organization's most valuable asset, the workforce. This is an explosive area of exposure in today's tight labor market, including employee selection, retention and turnover, absenteeism, and compensation. Human capital risks have expanded and now may include risk associated with the recruitment, retention, and termination of members of the medical staff. Human resource areas that can cause or create risks include:
   - Culture and environment
   - Wrongful termination
   - Sexual harassment
   - Disruptive behavior
   - Absence and productivity management
   - Hiring practices
      - Competency
      - Literacy
      - Criminal background checks
      - Substance abuse
      - Employee handbook
      - Orientation and continuing education
   - Breach of contract
   - Position descriptions
   - Policies and procedures
   - Infection control.
4. Strategic: Risks associated with brand and reputation, and risks associated with business strategy, failure to adapt to a changing healthcare environment, changing customer priorities, and competition. Strategic risks can be associated with:
   - Managed care relationships
   - Conflicts of interest (perceived and real)
   - Marketing and sales
   - Insurance coverage
   - Media relations
   - Business ventures
   - Mergers, acquisitions and divestitures
   - Contract administration.
5. Legal, regulatory: Incorporates risks arising out of licensure, accreditation, statutes, standards and regulations, CMS CoPs (conditions of participation), product liability, management liability, as well as issues related to intellectual property. The areas that can create risks are many, a few of which include:
   - Statutes, standards, and regulations such as:
      - Emergency Medical Treatment And Labor Act (EMTALA)
      - National Practitioner Data Bank (NPDB)
      - Health Insurance Portability and Accountability Act (HIPAA)
      - Centers for Medicare and Medicaid (CMS) Inpatient Prospective Payment System
   - Accreditation: The Joint Commission, American Association for Ambulatory Health Care (AAAHC), DNV Healthcare, Inc.
   - State licensure
   - Office of Inspector General (OIG)
   - Hazardous waste disposal
   - Integrity programs
   - 3rd party reports
   - External reviews
   - Stark I and II safe harbors
   - Private inurement.
6. Technology: Those risks associated with the use of machines, hardware, equipment, devices and tools, but can also include techniques, systems, and methods of organization. Healthcare has seen an explosion in the use of technology. Examples include:
   - Computerized physician/provider order entry system (CPOE)
   - Electronic medical/health record (EMR/EHR)
   - Radio Frequency Identification (RFID) used for:
      - Babynapping
      - Wandering
      - Surgical sponges, equipment
      - Inventory control
      - Patient tracking
   - Bar coding
   - Robotics used in:
      - Remote surgery
      - Runners
      - Companions
      - Medication dispensing and packaging
      - Medical monitoring
   - Telehealth/teleradiology such as:
      - Nighthawking (out-of-facility reading and interpretation of radiological reports)
      - Picture Archiving and Communication Systems (PACS)
      - eICU.



7. Hazard: Risks attributable to physical loss of assets or a reduction in their value. Traditionally insurable risk related to natural hazards and business interruption. Areas that can create hazard risk include:
   - facility management;
   - patient valuables;
   - plant age;
   - parking (lighting, location, security); and

ERM Framework

Risks can keep an organization from achieving its mission and strategy objectives. Risk management professionals can make a meaningful contribution by partaking in the strategic planning process
and should become partners with those responsible for strategy setting. All healthcare operations have
some level of risk. The risk management professional can assist the organization in considering risks
associated with new programs both clinical and non-clinical, going green, expansion into new markets such as those seen with medical tourism, mergers, acquisitions and divestitures, and the purchase
and implementation of technological advances, to name a few. Emerging risks can occur in any area
(financial, human resources, technological, legal and regulatory, etc.) and should be thoroughly evaluated to determine the impact to the organization. It may be necessary to engage the expertise of others
if the risk manager does not have the requisite skills necessary to evaluate those risks thoroughly. An
annual assessment of risks to the organization can lay the foundation for the development and review
of the strategic plan. Developing a comprehensive ERM framework will also support the yearly budgeting process mapped to risk initiatives.
It is also important to understand that the practice of risk management is not the practice of law,
medicine, nursing, accounting, actuarial science, or insurance. It is a management discipline supported
by a business decision-making process that utilizes the expertise of many professionals. While having
a clinical, legal, or other professional background may be helpful as a practicing risk management
professional, keep in mind that risk management decisions, recommendations, and opinions are based
on sound business practices and are not to be confused with rendering a legal opinion or a medical



Risk Relationships

Risks are uncertain events or conditions. Pure risk implies that there is no possibility of a gain.
Either a loss is realized or the status quo is maintained. There is another type of risk that ERM recognizes called speculative risk where there is the possibility of gain/profit or loss. The best example of
speculative risk is gambling. Not considering for a moment the odds of a particular outcome, in speculative risk the possibilities include winning or losing. In healthcare, many risks can be considered
speculative because of the possibility that, if managed appropriately, they can benefit an organization.
Benefits to the organization can include giving the organization a competitive edge, receiving additional dollars under P4P metrics, attracting a higher caliber of professionals to their staff, maintaining
or increasing market-share, and the like.

Risk Correlation

The synergistic effects of risks can impact more than one area or domain simultaneously. All risks should be evaluated in concert with other risks. Risks may be positively or negatively correlated with other risks. In risks that are positively correlated, as the probability of one risk increases so does that of an associated risk. Employee dissatisfaction, diminished morale, and a negatively perceived work environment often contribute to increased risks in the human capital domain. The human resource department, responding to these risks and the workforce's desire for flexible hours and a decreased number of work days, implemented twelve-hour work shifts. Oftentimes what was anticipated to be a 12-hour shift turns out to be greater than 12.5 hours. The risk associated with these longer shifts increases the risks of fatigue, falling asleep, and an increase in medical professional liability. Studies have shown that the likelihood of making an error almost doubled when nurses worked 12.5 or more consecutive hours, and the majority of those errors were medication errors.[7]
In negatively correlated risks, the probability or impact of increasing one risk decreases that of an associated risk. As an example of a negatively correlated risk, consider the organization that wants to decrease the number of days patients are on ventilators in the intensive care unit, certainly a worthwhile goal. If the organization only strives to decrease the length of time patients are on ventilators, it may not account for the number of re-intubations in the same unit during the same period of time. The number of patient days on ventilator may decrease, but the rate/number of re-intubations may increase, giving a false picture of positive outcomes. Risks need to be identified and managed together to receive maximum benefit. Looking at risk in a silo may not account for the unrecognized trickle-down or synergistic effect.
Utilizing an ERM framework will support the organization's ability to evaluate processes and outcomes in tandem while understanding the cascading effect of risks, or how independent intervening events can come together at just the right time to create risks that affect the delivery of care. James Reason best described this theory when explaining his Swiss Cheese theory of accident causation. Reason explains that accident causation is akin to lining up small failures or fractures in organizational systems and processes, much like the holes in Swiss cheese. No one failure would cause the error, but
7. Scott L.D., Rogers A.E., Hwang W.T., and Zhang Y., Effects of Critical Care Nurses' Work Hours on Vigilance and Patients' Safety, American Journal of Critical Care, January 2006, Volume 15, No. 1.



instead the error is the result of a series or combination of errors, any one of which, if identified and corrected, could have eliminated the error.
ERM practices can be implemented from the individual position level through the senior organizational level. Staff involved in day-to-day departmental activities are in the best position to evaluate
risks within their area of competency or responsibility and can easily share their results with those
responsible for ERM. Those responsible for ERM need to be able to see the big-picture and connect
the dots. What might be a significant risk to a frontline manager may, in relationship to all risks facing
the organization, be insignificant.
The organization's ability to appropriately identify and manage risks can significantly affect public perception. The recent publicity surrounding disclosure and apology for preventable medical error and the public attack on charitable care bring these issues front and center. Facilities that do not
practice transparency and full disclosure are taking a hit in public perception and confidence. This
will eventually (sooner rather than later) have a trickle-down effect and impact marketing strategies.
Organizations that have taken an early position to be fully transparent when dealing with patients,
their families, the public, and internally with staff are now reaping the benefits through positive public
relations, and improving future patient care through lessons learned. The potential for decreased costs
may be realized through reduced claims severity and reduced frequency of lawsuits.

Responsibility for Enterprise Risk Management

Because ERM takes a broad, high-level view of risks, it requires the commitment of strategically
placed professionals throughout an organization, including those in the C-Suite. All successful ERM
programs have this high level of organizational commitment. The responsibility for ERM however,
ultimately resides with the board of directors. This dictates that the board understands the principles
and practices of ERM, is conversant in how those practices and principles differ from traditional risk
management programs, supports an environment that embraces change, and sets strategy to support
ERM activities. Legal counsel can be particularly helpful in educating the board as to their risks
responsibilities and preparing them for ERM adoption. Other board responsibilities include:
- creating and endorsing a Values Doctrine espousing the ERM process (see Exhibit 1.1);
- reviewing identified organizational risks in concert with other risks;
- approving risk ranking/scoring;
- reviewing and approving initiatives and prioritization; and
- reviewing status reports routinely (monthly/quarterly) until resolution.
The board's role in ERM is ongoing and continuous. Once solutions are implemented, they need
to be periodically assessed to ensure that the solution identified and implemented is still working
and fits the risk. Risks can and do change over time. What works today may not work tomorrow. In
addition, new risk will be identified and new solutions developed. ERM is a process, not a one-time
function; it is a series of related on-going activities. Understanding the answers to the following key
risk questions will assist the board in understanding ERM:

- What are the organization's mission, vision, and strategy?
- How does the organization include ERM in strategy setting?
- What are the organization's objectives?
- How will the ERM strategy be communicated and executed throughout the company?
- How will each division/unit/team contribute to meeting the goals of the ERM strategy?
- How will teams/individuals be held accountable for success?
- Has the organization identified all the critical risks to which it is exposed?
- Does our organization have effective controls in place to manage its critical risks?
- Are risks greater now than 12, 18, or 24 months ago?
- Are these risks within acceptable limits?
- Do we have competent risk professionals to manage the process?

Organizational Risk Appetite

Risk appetite is the amount of risk an organization is willing to assume for a return it hopes to achieve. ERM assists an organization in selecting a strategy that is consistent with its risk tolerance parameters. The concept of risk appetite is important for the board of directors to understand. Is the organization risk averse, insuring all risks from the first dollar of loss, or is it a risk taker with sophisticated programs of self-insurance and other forms of alternative risk financing? Remember: the more risks taken, the greater the responsibility for managing risks. See Exhibit 1.2, Risk Appetite/Risk Tolerance.

Risk as a Competitive Advantage

Earlier in this chapter, when discussing speculative risk, it was noted that risks can have a positive outcome or gain. There are two significant questions to ask when discussing risk as a competitive advantage. They are:
- Is the risk more dangerous to our competitors?
- Can we manage the risk better than our competitors?
The answers to these questions will help an organization take the lead among its competition. Discussion of competitive advantage in the marketplace often focuses on earnings per share or some other financial metric. In healthcare, competitive advantage often has quality of care outcomes and decreased variability at its core.

Your Organization's Risk Profile

An important aspect of ERM is a thorough understanding of your organization: its operations, people, products, assets, processes, systems, stakeholders, customers, suppliers, and so on. In today's competitive and economic environment, healthcare organizations are venturing across borders not previously recognized, supporting the delivery of care in less-than-conventional settings, such as those



seen with medical tourism, a topic discussed in Chapter 25. Healthcare settings, regardless of delivery location, vary and include:
- Acute care hospital
- Long-term care facility
- Behavioral health
- Home care
- Assisted living (ALF)
- Skilled nursing (SNF)
- Continuing care retirement communities (CCRC)
- Ambulatory care
   - Physicians group practice
   - Ambulatory surgery (ASC)
   - Out-patient clinics
   - Convenient care clinics (CCC).

Risk Identification and Analysis

The identification and analysis of risk is management's attempt to determine what risks can impact strategy and the achievement of organizational goals. Both formal and informal methods are used to identify organizational risk. Risk can be internal within an organization or external to it. Risks can be identified retrospectively, concurrently, pre-interventionally, and prospectively. The incident report, the longest in-use risk identification tool (albeit not necessarily the best method to identify significant risks), can be both a retrospective and a concurrent method by which risks are identified, depending on the timeliness of the report. The use of occurrence reporting in high-risk areas (for example, every delivery where a baby is born with an Apgar score of 5 at five minutes is reviewed, or when a patient returns to the emergency department within 48 hours after discharge) is a form of concurrent risk identification used in clinical settings. The review of discharged patient medical records using a set of predetermined screens is a form of retrospective risk identification. The Institute for Healthcare Improvement's (IHI) Global Trigger Tool for Measuring Adverse Events[8] is another method for retrospective risk identification. Current efforts to minimize wrong-site, wrong-person, wrong-body-part surgery through the use of a universal time-out are a type of pre-intervention risk identification. The study of filed claims and lawsuits to determine trends that could likely form the basis for future claims, and failure mode and effects analysis (FMEA), are examples of prospectively identifying risks. Risks can be identified on an organization-wide basis or can be department/unit specific.

8. Available at http://www.ihi.org/IHI/Topics/PatientSafety/SafetyGeneral/Tools/IHIGlobalTriggerToolforMeasuringAEs.htm.


Risk identification tools can be developed and used to survey leadership, and interviews can be conducted to drill down further on risks previously identified. When preparing a survey tool, care should be taken to include all areas/domains of risk. Open-ended questions should also be asked to solicit additional comments not covered by survey questions. Other questions might include:
- What other aspects of your position keep you awake at night?
- Would you go to your emergency department if ill? And if not, why not?
- Given unlimited resources, what would you implement first that could impact patient care?
- What would you change first?
- Where are we wasting resources and, if possible, where would you re-deploy them?
Additional survey instructions may also ask the participants to identify current risk mitigation
initiatives and risk owners. Asking participants to rank or prioritize the risks they identify will also be
helpful as you evaluate/assess each risk in the next step. During the risk identification step, you want
to ensure that every possible effort has been taken to identify all risks to the organization.
From the surveys, interviews, and other formal and informal methods used to identify risks, a preliminary risk register is developed, categorized by area/domain, priority, risk owner, and current risk mitigation efforts. Keep in mind that this list may be quite long initially and, until some filters are incorporated in the assessment phase, it may appear cumbersome.

Risk Assessment and Evaluation

Once all organizational risks have been identified, analyzed, and placed in the risk register, the next steps are to:
- Understand and attempt to quantify the potential magnitude or materiality of each identified
- Consider the positive and negative consequences of events underlying identified risks across an organization.
- Incorporate at least two dimensions of risk: likelihood and severity.
- Recognize that there may be a range of possible results associated with an event.

Tools to Evaluate Risk

There are many tools to assist in the evaluation and assessment of identified organizational risk.
A few of them include: failure mode and effects analysis (FMEA), vulnerability analysis, quantitative
risk modeling, cost benefit analysis, risk scoring, risk maps/heat maps, financial analysis (simulation,
modeling), and a review of adverse outcomes data. How to determine a risks score and display it
graphically will be discussed as an example of risk assessment tools.



Risk Scoring

Once an exhaustive list of risks is assembled, it is helpful to evaluate the importance of one risk over another. This methodology may be largely intuitive but in most cases takes into account probability, time to impact/discovery, and severity. A sample formula is displayed below. By developing a score/rank for each risk, a priority order for each score can be displayed. The graphic display of these results is called a risk map or heat map. See Exhibit 1.3, Sample Risk Map. The descriptor and detail can change to fit organizational risk appetite or tolerance levels. For example, in the formula shown, a level 1 risk considered to be minor has a financial value less than $50,000. Some organizations may find that range to be higher than their tolerance for risk and might change the range for minor risk to a value at or below $5,000, while other organizations may find the level too low and raise the tolerance to a value above $5,000,000. The values and ranges within the measure of risk frequency (probability) (see Table 1.2, Qualitative Measure of Risk Frequency), the measure of time to impact (see Table 1.3, Measure of Time to Impact), and the measure of risk severity (see Table 1.4, Measure of Risk Severity) can all be changed to meet organizational preferences, appetite and tolerance. What is considered to be of significance to one organization may be insignificant to another. These tables are offered only as examples and should be reviewed by each organization for relevance and appropriateness. Once a determination has been reached on how risks are to be scored, the scoring/ranking methodology should not be changed without good cause. Consistency in how risks are evaluated is important.

Sample Formula
(Probability + Time to Impact) x Severity = Risk Score
(1-5 + 1-3) x (1-5) = Risk Score

The highest score in the formula with this sample scoring is 40. The example offered in Table 1.5 is offered to highlight that even significant events can have lower scores due to a lower frequency or number of events that occur during a given period. Keep in mind that events that score higher or closer to a score of 40 most likely would have already been identified, with solutions and strategies implemented to reduce their frequency if not prevent them from occurring altogether.

Risk Mapping

Risk mapping graphically depicts an organization's risks, displaying the relationship between frequency and severity. It requires a team approach to identify and rank each identified risk. See Exhibit 1.3 for a Sample Risk Map. Prioritized risks are useful for:

- data collection;
- identifying risk mitigation strategies;
- allocating capital and limited resources;
- exploiting a competitive edge; and
- improving knowledge of exposure and facilitating risk control techniques.

Once all risks are identified, evaluated and measured, the organization can develop prioritized, organization-wide solutions and strategies for dealing with those risks.
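As an added example that is not part of the book, the sample formula above (Probability 1-5 plus Time to Impact 1-3, multiplied by Severity 1-5, for a maximum of 40) and the frequency-by-severity risk map are worked through in Python on a small risk register. The register entries, risk owners and scores are constructed for illustration only; note how a catastrophic but rare event (wrong-site surgery) ranks below a more frequent, moderate one, the point the chapter makes about Table 1.5.

```python
"""Risk scoring and a plain-text risk map for a small ERM risk register.

Implements the chapter's sample formula:
    (Probability + Time to Impact) x Severity = Risk Score
with Probability scored 1-5, Time to Impact 1-3 and Severity 1-5,
so the highest possible score is (5 + 3) x 5 = 40.
The register entries below are constructed sample data, not from the book.
"""
from dataclasses import dataclass

PROB_RANGE = (1, 5)
TIME_RANGE = (1, 3)
SEV_RANGE = (1, 5)
MAX_SCORE = (PROB_RANGE[1] + TIME_RANGE[1]) * SEV_RANGE[1]  # 40


@dataclass(frozen=True)
class Risk:
    name: str
    domain: str          # one of the seven risk domains (operational, financial, ...)
    probability: int     # qualitative frequency, 1 (rare) .. 5 (almost certain)
    time_to_impact: int  # 1 (years away) .. 3 (imminent)
    severity: int        # 1 (minor) .. 5 (catastrophic)
    owner: str = "unassigned"


def _check(value, lo_hi, label):
    """Reject scores outside the organization's agreed scale (consistency matters)."""
    lo, hi = lo_hi
    if not isinstance(value, int) or not lo <= value <= hi:
        raise ValueError(f"{label} must be an integer in {lo}..{hi}, got {value!r}")
    return value


def risk_score(risk: Risk) -> int:
    """(Probability + Time to Impact) x Severity, validating each input range."""
    p = _check(risk.probability, PROB_RANGE, "probability")
    t = _check(risk.time_to_impact, TIME_RANGE, "time_to_impact")
    s = _check(risk.severity, SEV_RANGE, "severity")
    return (p + t) * s


def rank_register(register):
    """Return (score, risk) pairs, highest score first; ties keep register order."""
    scored = [(risk_score(r), r) for r in register]
    return sorted(scored, key=lambda pair: -pair[0])


def heat_map(register):
    """Bucket risks into a probability x severity grid (the 'risk map').

    Returns a dict keyed by (probability, severity) -> list of risk names, so
    the cell (5, 5) holds the risks needing attention first.
    """
    grid = {}
    for r in register:
        risk_score(r)  # validates the ranges before placing the risk on the map
        grid.setdefault((r.probability, r.severity), []).append(r.name)
    return grid


def render_heat_map(register) -> str:
    """Plain-text map: rows are probability 5..1, columns severity 1..5."""
    grid = heat_map(register)
    header = "prob\\sev " + " ".join(f"{s:>3}" for s in range(1, 6))
    lines = [header]
    for p in range(5, 0, -1):
        cells = [f"{len(grid.get((p, s), [])):>3}" for s in range(1, 6)]
        lines.append(f"{p:>8} " + " ".join(cells))
    return "\n".join(lines)


# Constructed sample register (illustrative names, owners and values only).
SAMPLE_REGISTER = [
    Risk("Wrong-site surgery", "operational", 1, 3, 5, "CMO"),
    Risk("Medication error on 12.5h+ shifts", "human capital", 4, 3, 3, "CNO"),
    Risk("Unencrypted laptop with PHI lost", "technology", 3, 3, 4, "CIO"),
    Risk("Days cash on hand below covenant", "financial", 2, 2, 4, "CFO"),
    Risk("Parking lot lighting failure", "hazard", 3, 1, 1, "Facilities"),
]

if __name__ == "__main__":
    for score, risk in rank_register(SAMPLE_REGISTER):
        print(f"{score:>2}/{MAX_SCORE}  {risk.domain:<14} {risk.name} ({risk.owner})")
    print(render_heat_map(SAMPLE_REGISTER))
```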


Strategy Setting and Solution Identification

In determining the strategies and solutions that may be appropriate to implement, risk projects are identified and evaluated by:
- Low-hanging fruit: which risks are clearly identified with a solution readily available. These risks are considered quick fixes and may not drain valuable resources. Keep in mind, however, the possibility of negatively or positively correlated risk discussed earlier.
- Resource allocation and availability: How will the solution or strategy suggested impact the
   - Human capital: Does your organization have the personnel available to initiate, manage, and monitor a new project?
   - Financial/cost: Does the risk resolution or mitigation strategy meet the organization's risk appetite? Does the budget address these projects?
   - Time to completion: Will the time to complete the project and monitor its progress take so much time that the risk will have already changed, making the solution obsolete?
   - Expertise needed: Are there available resources in-house, or will outside expertise and consultation be necessary? If not, are there dollars in the budget to hire the needed
   - Internal or external: Does the project require the use of external resources (systems, products, people, hardware)? If so, has the organization done a cost benefit analysis on use of the resource?
   - Frequency and severity of risk: Has the organization identified which risks to address first? Is this by frequency, severity, time to impact, availability of resources, or some other metric? Can the organization support its prioritization of risk projects?
- Projects identified by individual, committee, department
   - What methodology will be used to identify, analyze, assess and prioritize risks throughout the organization? Will surveys and questionnaires supplemented by interviews with key staff be conducted? How will the organization receive the input from frontline employees? Is there a forum to solicit ideas and suggestions? Will a person or committee take charge to review all risks and assess their organizational impacts?

Implementation Obstacles: Monitoring, Evaluating and Changing the


The ultimate success of an ERM program is like the success of any other cultural change within the organization: once implemented, it requires monitoring and reinforcement. Risks to the organization change over time as new risks emerge and older, more well-known risks are appropriately mitigated or eliminated. Strategies and solutions implemented to address identified risks need periodic monitoring to ensure that the intended outcome is still being achieved. An even more basic question is, does the risk still exist? With the continued limitation on scarce resources (time, money, and people), monitoring the ERM program becomes a critical component of any ERM program. Ongoing


ERM education will help reinforce the program, keep it fresh, and support routine program updates,
as necessary.
Obstacles that have been seen when developing ERM programs include:
- Territorial turf: Competition among various units such as quality assurance/management, performance/process improvement, contemporary risk management, patient/environment of care safety, corporate compliance, and internal audit needs to be identified and minimized.
- Cultural incompatibility and diversity as barriers to care: Successful organizations understand the impact of culture and diversity and embrace differences. The complexities of a changing workforce and its impact on the organization need to be identified, particularly as they relate to staffing shortages and changes in the demographics of populations served.
- Changing environment and culture: Moving from a punitive environment focused on individual employee error to an organizational emphasis on systems and processes is a paradigm shift for most organizations. This shift does not happen overnight. Dealing with disruptive staff, finger-pointing and blame, working individually and not as a unit, and the inability to communicate effectively all contribute to the complexity of change. How the organization implements and manages change to the environment and its culture is critical to the success of the ERM program and is no easy task.
- Inability to team and effectively communicate: Organizations advocating a trusting, caring, and learning environment are teaching employees and staff new skills in better communicating. These changes will help move ERM throughout the organization.
- Limited use of technology: Technological advances abound in healthcare, and the impact is profound. Technology to support the core operations of healthcare will support patient safety, decrease medical error, and allow for better management through effective and timely communication and documentation of care and the ability to benchmark outcomes. Hopefully technology will save time and save lives. Use of technology in healthcare includes: electronic medical records/electronic health records (EMR/EHR), computerized physician/practitioner order entry systems (CPOE), bar coding, risk management information systems (RMIS), radio frequency identification (RFID), robotics, and a whole host of software programs aimed at identifying benchmarking data, just to name a few.
- No common healthcare taxonomy for ERM: When you have seen one risk management program you have seen just that: one risk management program. The same is true for ERM. Currently there is no common taxonomy for terms, language, systems, methods, and/or processes in healthcare.
- Inadequate senior-level support: The board of directors and senior leadership (C-Suite) need to not only understand the concepts associated with ERM but lend organizational support for program development.
- No commonly accepted risk metrics by which ERM programs can be evaluated over time.
- Length of time to implement: Willingness to devote the time it takes to implement an ERM program. Some organizations are happy to take smaller steps that will yield some benefit, while other organizations will focus on better risk reporting from business units and not push for a broader, more comprehensive program.
- Limited expertise in risk and finance.
- Difficult-to-quantify results or return on investment (ROI): Inability to demonstrate immediate, quantifiable return on investment.
- No follow-through: ERM as an ongoing process should be embedded into organizational culture. Following, monitoring, and evaluating the program's progress is just as much a part of the process as is risk identification and assessment. ERM programs are living concepts within an organization, of which change is a natural outcome. Without change and follow-through, ERM programs become static, eventually dwindling in support and effectiveness.
- Establishing a solution before defining the root cause of the problem (subjective vs. objective
- Not including users of the system in the development of an ERM program: Successful ERM programs recognize the importance of employee involvement and contributions and value their input.
- Failure to take the advice of experts and those empowered with ERM program responsibilities. As an example, when Fannie Mae and Freddie Mac executives were being grilled before members of the House Oversight and Government Reform Committee in early December 2008, it became clear through submitted documents that they did not heed the advice offered by their own chief risk officers, and that failure to take internal advice was a significant contributing factor in the mortgage crisis of 2008/2009, costing taxpayers billions of dollars.[9]
- Information is only as good as the organization's interest and ability to act upon it.
Organizations that are successfully pursuing enterprise risk management are addressing these issues head on.

Benefits of ERM

The ERM process allows the organization to take a more strategic perspective of risk from the
top-down. This view should result in the following benefits:
- development of strategies and solutions that support the organization's mission, vision, values doctrine and stakeholder value;
- anticipation (better) of the unexpected;
- treatment of risks that is more efficient and effective;
- comprehension of organization-wide cost;
- establishment of methodology for assessing future risks;
9 ABC News, December 9, 2008, "Fannie, Freddie Ignored Risky Loan Warnings," by Huma Khan. "Their own risk
managers raised warning after warning about the dangers of investing heavily in the subprime and alternative mortgage
market. But these warnings were ignored by the two chief executives," said Henry Waxman, Chair of the House Oversight
and Government Reform Committee.


Enterprise Risk Management for Healthcare Entities, First Edition

Enterprise Risk Management: What's It All About?

development of strategic, organizational framework for managing risk;
conservation of limited resources;
promotion of transparency;
development of a framework for meeting financial disclosure requirements and support for
board education;
improvement in decision making;
allocation of limited resources/elimination of waste;
enhancement of the success for regulatory and compliance initiatives;
creation of formal linkages between units/divisions/organizations;
identification of risk interdependencies/clusters;
identification of significant or material risks using a structured and auditable process;
establishment of baseline estimates of probable loss utilizing a variety of modeling
operational contingency plans to reduce the impact of catastrophic loss;
establishment of new and more comprehensive risk management discipline;
identification of strategic competitive advantages;
development of an organization-wide taxonomy;
comprehension of relationships (correlations) between risks; and
promotion of patient safety and the delivery of care that is effective, efficient, and, most of
all, safe.

ERM Success Factors

The following are considered success factors when implementing an ERM program:
Leadership support and a positive culture
Broad-based employee involvement
   • in assessment
   • in scoring measurement
Quantifying and benchmarking results
Decreased variability through evidence-based practice (EBP)
Monitoring and evaluation
   • Internal
   • External.



The Future Risk Management Professional

The evolution of enterprise risk management is redefining the scope of practice for the professional charged with risk management responsibilities. Risk management professionals need to be
facilitators of change, action seekers, and well-networked within their own organizations and externally, enabling them to call upon outside experts when necessary. Transforming risk management into
organization-wide strategies to address ERM is not for the faint of heart. Increased responsibilities
require enhanced skills. The Risk and Insurance Management Society (RIMS), in its white paper
entitled The 2008 Financial Crisis: A Wake-up Call for Enterprise Risk Management, identifies skills
for the successful enterprise risk manager.10 RIMS divides the necessary skill sets into conceptual
skills, core competency skills, business skills and technical skills. Conceptual skills include: planning, organizing, decision making, management process, ethical judgment, organizational architecture,
and strategic thinking. Core competency skills are separated into interpersonal skills and personal
skills and include leadership, negotiation, innovation, communication, and being motivated. Business
skills, as one would expect, include legal, accounting, compliance, human resources, finance, marketing, safety, and security, to name just a few. Project management, the risk management process, risk
financing and knowledge of insurance, enterprise risk management information systems, risk control,
and claims management are all technical skills necessary for today's enterprise risk manager. Enterprise
risk management professionals are well-networked ringleaders, orchestrators, and facilitators of change.


By understanding the concepts of enterprise risk management and advocating its practices, principles, and processes, legal counsel adds value to the board of directors and executive leadership as
knowledgeable members of the ERM team. With this understanding, legal counsel will be better positioned to offer sage counsel in an area not yet fully understood by boards and executive leadership at
most healthcare organizations. A thorough understanding of ERM will assist in identifying and minimizing risks, helping to create a competitive advantage, decreasing costs, managing staff and patient
expectations, minimizing waste, and supporting the delivery of patient care in a safe environment.
Although healthcare organizations have not yet made tremendous inroads into ERM, that does
not mean that they have not been managing risk. It just means that there continues to be a tremendous
opportunity to make a meaningful difference. There is still much to do!

10 The 2008 Financial Crisis: A Wake-up Call for Enterprise Risk Management, Bill Coffin, Editor. RIMS 2009.




Table 1.1 Reasons for Change

The following list is meant to offer just a sample of the myriad reasons why healthcare has
transformed over the recent past. It is not an exhaustive or mutually exclusive listing and changes
1. Change in patient demographics
   • Diversity of patients, staff and physicians
   • Aging of the population
2. Enhanced expectations by a variety of stakeholders including:
   • Medical staff
   • Board of directors
   • Executive leadership
   • Professional caregivers
3. Increased use of the internet as a source for health knowledge and exchange
4. Movement to a paperless environment and the promotion of electronic medical/health records
5. Continuous need for and access to outcomes data
6. Local, regional, and national competition
7. Increased financial oversight and scrutiny
8. Emphasis on patient-centered care and transparency
9. Changing lines of authority
   • Staff empowerment
10. Variability in clinical care
   • Hesitancy to follow evidence-based practice
11. Increase in regulatory requirements, regulations, and standards
   • Standard & Poor's to evaluate rated agencies on ERM progress
   • Sarbanes-Oxley Act of 2002 requirements trickle over into healthcare
   • CMS IPPS changes related to hospital-acquired conditions
12. Promotion of disclosure and apology programs
13. Reliance on complex, changing technology
14. Reduced reimbursement
15. Advances in medicine


Exhibit 1.1

Values Doctrine
Enterprise Risk Management

Quality patient care is at the center of all we do and core to our business objectives.
Creating a culture that supports a safe environment for all is paramount to the Organization's
mission and objectives. This includes not only our patients and their families but our employees, board members, volunteers, and medical staff.
We promote an enterprise-wide early warning system and framework for the comprehensive
identification and resolution of all organizational risk.
We adhere to an early intervention program that supports prompt investigation, open and
honest communication, transparency, disclosure, and apology and compensation (when
appropriate) to injured patients that is fair and equitable.
Employee empowerment and service recovery are principles with which all employees are
trained and participation is encouraged.
In promotion of our organization as a learning environment, we will share with all stakeholders the lessons learned from patient safety and risk-related issues.
To safeguard the delivery of patient-centered care we will strive for patient/family participation in strategy setting and membership on functional teams designed to identify and mitigate
the potential for loss.
Understanding that risks can cross all aspects of the organization, we will endeavor to identify and assess all risks in a manner that is both strategic and timely in order to preserve
resources, maintain fiscal integrity, support the workforce, and create an environment that
promotes transparency.

This Values Doctrine is endorsed by the organization's board of directors, executive leadership,
and medical staff and is supported by all employees and volunteers.



Exhibit 1.2

Risk Appetite/Risk Tolerance

Table 1.2 Qualitative Measure of Risk Frequency

Example              Detail Description
Extremely rare       May occur in exceptional circumstances
                     Could occur at some time
                     Will occur at some time
                     Will probably occur in most circumstances
Occurs frequently    Is expected to occur in most circumstances

Reprinted with the permission of Corey Gooch, Aon Corporation.


Table 1.3 Measure of Time to Impact

Warning occurs over a long period of time (months or years) providing opportunity to adjust or react
Warning occurs over a shorter period of time (days or weeks) providing some opportunity to adjust or react
No warning, impact is felt immediately

Reprinted with the permission of Corey Gooch, Aon Corporation.

Table 1.4 Measure of Risk Severity

Descriptor    Financial Impact
              Less than $50,000
              Over $5,000,000

Reprinted with the permission of Corey Gooch, Aon Corporation.



Table 1.5 Fetal Hypoxia (Risk Factor)

[Table only partly recovered; cell text as extracted.]
Internal Controls: Use of technology to facilitate recognition of fetal distress; New policies ensuring emergency c-section; PR advertising new measures; Biannual fetal monitor training; Purchase new; Host Mothers-to-Be Event
Other recovered cells: Failure to interpret fetal; Failure to perform; Lifetime injury or fetal distress; Medical malpractice; Increased insurance rates; Loss of reputation; Increased scrutiny by JCAHO, State; Difficulty attracting

Carroll R.L., Norris G.A., Aon Healthcare, 2006.


Exhibit 1.3


Sample Risk Map


Structuring an Enterprise Risk Management Program
Sheila Hagg-Rickert, JD, MHA, MBA, DFASHRM, CPHRM, CPCU
Senior System Director of Risk Management, CHRISTUS Health


Healthcare organizations come to the realization that they need to explore an enterprise risk
management (ERM) program from a variety of different directions. It sometimes starts with a senior
corporate officer or the organization's risk management professional learning about ERM in a seminar,
an article, or through conversations with a peer. At times a member of the governing board with ERM
experience in another industry questions whether such an approach might be applicable in a healthcare setting. Other times leaders simply become increasingly aware that traditional risk management
processes and activities, no matter how successful, fail to capture a significant and growing portion of
the most serious risks facing the organization.
However a healthcare organization comes to appreciate its need for an ERM initiative, it is important that the organization identify the right people, devote sufficient resources, and allow enough time
to appropriately structure the ERM process. It is equally important that the governing board and senior
leadership team of the organization be prepared to confront the fundamental cultural and operational
assumptions that such a process is likely to reveal and embrace the broad-based organizational changes
that a successful ERM process will likely entail.

Laying the Groundwork

Prior to embarking on a large-scale exploration of ERM, the senior leaders and governing board
of a healthcare organization need to identify the goals for the process. While it is neither possible
nor appropriate to be overly prescriptive at the outset, it is helpful to reach consensus on a few key
Who will lead and champion the ERM process?
Does the identified team have sufficient time and expertise to assume such a role? If not, can
other work responsibilities be modified and additional educational resources provided?


What level of resources can be devoted to the project? Can the leaders retain consultants,
statisticians, or other outside resources if needed?
Is there a specific timetable for the initial risk identification and prioritization process? For
the ERM implementation?
What outcome for the ERM effort is envisioned? An extension of current risk management
processes? A reorganization and restructuring of risk management activities? A fundamental
shift in direction and approach?
Even if some senior leaders or board members have significant ERM experience, it is helpful for
an in-depth educational process to precede the launch of any ERM effort. Key leaders can seek out
seminars and conference offerings on ERM and conduct structured interviews with peers as to how
other healthcare organizations are addressing ERM issues. More knowledgeable leaders can develop a
reading list for other directors and officers to acquaint them with current ERM theory and practice. It is
often helpful to interview ERM leaders in other regulated and complex industries, such as pharmaceuticals, telecommunications, aerospace, or financial services, to gain an understanding of how they have
approached ERM and how they have structured their internal processes. Such industries are typically
well ahead of the current state of healthcare in adopting ERM principles and can provide invaluable
insight into avoiding pitfalls in launching an ERM initiative.

Establishing an ERM Oversight Committee and Working Group

While the decision to embark upon an ERM project typically rests with an organization's senior
management team and governing board, responsibility for day-to-day exploration of the issues and
design of the initial ERM project is usually vested in an ERM working group. The working group
should be capable and willing to develop an in-depth understanding of ERM theory and processes and
to frame the issues in developing the initial ERM risk assessment survey. The working group should
also be prepared to assist with designing and launching a comprehensive ERM implementation process for the organization and making recommendations for required organizational restructuring and
resource reallocation.
While the organization's risk management professional is often a key member of the working
group, it is advisable to include other disciplines in order to assure the appropriate breadth of perspective for a successful launch. Internal audit, with its broad focus on organization-wide standards and
compliance, and strategic planning, with its global and futuristic orientation, frequently make good
partners with traditional risk management in forming the working group. Legal, corporate compliance,
and clinical operations representatives may also be good candidates for inclusion, depending on the
organizational structure of the healthcare entity.
Regardless of who is named to the working group, the team should typically include no more than
four to six members. Even in a large and complex healthcare organization, it is important that the team
be small enough to meet frequently in the face of competing schedules and to reach consensus easily.
The team must be nimble enough to adjust quickly to changes in focus and orientation that may occur
in the course of the project.



The working group should report to an ERM oversight committee made up of senior leaders and
governing board members who provide top-level support and resources for the project and guide the
development of specific goals and objectives. Again, the group should be kept small, no more than
three to four people. The CEO or COO, CFO, senior human resources official, general counsel, and
chairman of the board or of the finance or audit committee may be appropriate candidates for inclusion, depending on their understanding of and commitment to ERM and their ability to view the
organization holistically. While the ERM oversight committee need not micro-manage the work of
the working group, it needs to make sure to allow opportunities for innovation and creativity among its
members. The committee should meet periodically with the working group, receive progress reports,
and ensure that the project stays focused and on schedule.
The ERM oversight committee is responsible for overseeing development of the organization's
ERM infrastructure and for creating a framework within which the ERM process can take root and
expand over time. The committee also serves the function of selling the concept of ERM to other
senior managers and board members and of laying the groundwork for the fundamental organizational
changes that may come out of a successful ERM implementation process.

Developing an ERM Implementation Process

One of the first tasks facing the designated ERM working group is to design the framework for
exploring and implementing the organization's ERM process. Such a design process typically begins
with developing a methodology for identifying and prioritizing the various risks that may potentially
impact the organization. While the working group could review the relevant literature to find a standardized list of risks impacting healthcare organizations or could seek the assistance of a consultant in
developing such a list, it is preferable to develop it internally. Developing an organization-specific listing of critical risks not only allows the working group to capture risks unique to a given organization,
it allows the entity's management team to begin thinking about risk from a fundamentally different
perspective. The work done in identifying, defining, categorizing, and prioritizing specific risks is a
valuable part of the overall ERM education process and assists members of the management team in
internalizing the differences between ERM and a more traditional risk management orientation.
The preferred approach for identifying risks potentially impacting a healthcare organization is
for the working group to conduct interviews of small groups of managers and other leaders to determine risks in their respective areas along with current mitigants. The information gathered from the
interviews can then be synthesized into a survey document in which various risks identified can be
analyzed as to their likelihood (anticipated frequency or probability of occurring within a given time
frame) and impact (anticipated severity in terms of potential to prevent the organization from reaching
its desired objectives). Additionally, identified risks can be considered in terms of the adequacy of current risk mitigation efforts: some risks that could be potentially disastrous to the organization without
the application of appropriate risk treatment or risk financing strategies may be perceived as much less
onerous if they are subject to adequate mitigation efforts. The risk remaining after the risk mitigation
efforts are applied may be characterized as residual risk.


The working group should review the interview process (Who will be interviewed and in what
groups? How long will the interviews last and who will conduct them? How will the results be tabulated?) and the resulting survey process (How will the survey be created and circulated? How will the
results be reported?) with the ERM oversight committee. The committee will also need to determine
how the results will be utilized to implement the ERM process and how the implementation and ongoing ERM process will be structured and monitored. Frequently the final report of the survey process is
shared with the governing board or a board-level committee such as the audit committee. From there
process owners are assigned to specific risks. Such process owners, typically senior-level managers
within the organization, can then receive additional training in analyzing the risks to which they have
been assigned and in assembling a task force of resources to develop loss prevention, occurrence
management, and risk financing strategies to effectively manage the risk. Process owners are also
responsible for helping to integrate identified risks into the organization's financial and operational
processes and for monitoring the organization's ERM performance.

Designing and Conducting the Initial ERM Risk Identification Interviews

and Survey Process

The best way to develop a listing of risks facing an organization is to ask the people who know
it best: its managers and leaders. As an initial step in the ERM assessment effort, the working group
should conduct interviews with groups of organizational leaders to elicit their views on risk. It is desirable that groups be kept small, no more than 10 to 12 people, and that one to two hours be allowed
for each interview. For multi-facility healthcare organizations, leaders at both the corporate system
level and the local facility level should be included, as their views regarding important risks may well
In setting the stage for the discussion of risks, the working group may pose a question such as,
"What risks facing ABC Health Care keep you up at night?" The working group should also emphasize
that risks to be considered should not be limited to things traditionally handled by the organization's
risk management department, such as medical professional liability claims or catastrophic property
losses (although such risks need not be excluded), and should include any risk to the organization
capable of seriously impairing its ability to meet its stated objectives.
In framing the discussion of risk, it is sometimes helpful to discuss three discrete types of risks
that might be considered by the interviewees:
1. Event Risks: Risks associated with specific events such as a flood or hurricane, a pandemic
disease outbreak, or a terrorist attack. Such risks most closely parallel risks addressed through
traditional risk management programs.
2. Process Risks: Risks associated with the organization's failure to design and implement
appropriate business, clinical, or other processes or to effectively monitor and correct deviations from established processes. The concept of process risk is less tangible than event risk
and may be less apparent to individuals without prior experience with ERM. Process risks
might include failure to retain and recruit sufficient numbers of qualified staff or failure to
collect a sufficient proportion of patient care revenues.


3. Strategic Risks: Risks associated with the organization's failure to identify or successfully
pursue appropriate business, financial or other strategies, or the failure to appreciate when an
adopted strategy has failed and should be abandoned. Examples of strategic risks include the
failure to develop outpatient surgery centers as joint ventures with physicians, after which a competitor opens a surgery center next door, or the failure to divest unprofitable previously-acquired
primary physician practices.
Another framework for categorizing risks that can be offered during the interview process is to
ask participants to think of risks within a series of identified risk domains. While some risks will cross
over and include aspects of multiple domains, the concept allows for individuals to think about risk in
holistic and comprehensive terms. Examples of risk domains include:
Human resources risks: risk associated with staff recruitment and retention and performance appraisal and incentives.
Financial risks: risk associated with revenue production and collection, billing, reimbursement, budgeting and investment activities.
Clinical risks: risks associated with diagnosis and treatment of patients.
Strategic risks: risk associated with failure to identify and pursue appropriate clinical and
business opportunities or to abandon unsuccessful strategies.
Reputational risks: risks associated with the organization's brand name or public image.
Physical risks: risks associated with the organization's property, plant and equipment.
Technology risks: risks associated with the failure of the organization to embrace emerging
technologies and those associated with technological vulnerabilities to security threats and
destruction of data.
While such a list of risk domains may not include every risk facing a healthcare organization,
it does assist interview participants in thinking expansively about risk.
Finally, interviewees should be encouraged to think about risk in positive as well as negative
terms. In traditional risk management, risk can only be a negative: either your building burns down
or it doesn't; a patient falls from bed or does not. In contrast, ERM considers the up-side as well as
down-side potential of risk. The pursuit of a specific business strategy, while posing certain risks of
failure, also holds the potential for success. Thus risks can be viewed generally as uncertainty or variability from expected results and therefore neither positive nor negative in and of itself. Even for those
traditionally considered risks for which there is only down-side potential, the ability to manage risks
more effectively or efficiently than one's competitors can in itself be a competitive advantage and
operationally positive.
While providing a framework to assist interviewees with thinking about risk is helpful, the working group needs to be careful not to be too prescriptive nor to provide too many examples of specific
risks in its introductory remarks. The goal is to gain an understanding of those risks that pose the
greatest concerns for the healthcare organizations leaders, not to plant seeds in their minds as to what
the working group might define as important.

The members of the working group need to keep detailed notes of the interview discussions. Following the completion of the risk identification interviews, the group can then reassemble to develop
the list of risks to be included in a risk assessment survey process. When drafting the survey tool, the
working group should strive to include the risks that were cited repeatedly by different groups of interview participants and to synthesize similar risks into common themes. Often, participants may frame
a given risk very specifically from the perspective of a given department or professional discipline,
yet the risk may be able to be stated more generically to encompass other specific risks cited by other
groups. For example, a participant from the information systems department may express concern
about the vulnerability of the organization's computer systems to sabotage and hackers, and someone
from patient accounts may mention issues with inappropriate release of patient information. Both risks
may be included under a broader risk category pertaining to security vulnerability of electronic data
Ideally, by combining similar risks and focusing on those cited most frequently by various groups
of interview participants, the working group can whittle the large number of risks identified during
the interviews to 20 to 40 comprehensive risks facing the organization. Once this list is developed, a
definition needs to be drafted for each.
Developing risk definitions is often one of the most difficult tasks in the risk identification and
assessment process. The goal of the working group is to make the definitions generic enough to have
wide applicability within the organization and to capture a number of related risks within each definition while providing a clear understanding of the key focus of the risk. For an example of the risks
identified by one large healthcare organization and their assigned definitions, see Appendix to this
The survey tool should ask participants to assess the identified risks in terms of likelihood of
occurrence (frequency) and impact on the organization if the risk does occur (severity). Participants
can either be asked to rate these variables qualitatively, such as high, moderate, and low, or quantitatively by assigning specific probabilities to the anticipated frequencies, such as once in the next five
years or two to three times in the next five years, and specific dollar amounts to potential impacts. Each
approach has its advantages. While the qualitative method is somewhat easier to understand, it is more
subjective; one respondent may describe a specific risk having a $10 million impact on the organization as high, while another, perhaps more accustomed to dealing with large financial sums, may rate
the same magnitude of impact as moderate or even low. If the quantitative approach is selected, it is
helpful to include a reference guide with the survey that provides the dollar impact of sample large
losses with which the respondents may be familiar, such as the largest civil monetary penalty assessed
against a healthcare entity for violation of federal fraud and abuse laws and the largest medical professional liability verdict from the prior year, as points of comparison.
In addition to capturing information regarding perceived likelihood and impact of various risks
facing the organization, the risk assessment survey may also query respondents on their views of the
adequacy of current mitigation efforts related to the risks. Some risks that might be considered significant if left untreated may be perceived as much less onerous because respondents are confident that
current loss control measures are adequate to prevent an occurrence or to severely limit its impact.


A qualitative scale that ranges from very well controlled to not even identified as a risk may be
useful for this purpose.
In addition to asking the respondents to characterize each identified risk in terms of likelihood,
impact, and adequacy of current controls, the survey may further ask each respondent to list his or her
top five most concerning risks and to comment further upon them. Not only do the comments themselves provide additional insight into the ERM concerns of the organizations leaders, but requiring
respondents to list top five issues provides additional clarity if there has been a tendency to rate all
identified risks similarly.
A number of software programs exist to automate the distribution of the ERM risk assessment
survey and allow for the tabulation of results via an organization-wide intranet or protected website.
While replies may be kept completely anonymous, it may be useful to gather some demographic information from respondents, such as department, clinical vs. non-clinical background, position within
the organizational hierarchy, length of service, and system vs. healthcare facility positions for larger
healthcare organizations. Having such information allows for comparing responses among various
groups to determine how identified risks may be perceived differently.
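A worked example of the survey scoring described above, added here and not code from the book or from CHRISTUS Health: it normalises likelihood and impact ratings (qualitative or quantitative) to 1-5 bands, discounts the inherent likelihood-times-impact score by the adequacy of current controls to give a residual score, ranks the risks, and compares groups of respondents. The band boundaries, control factors, and survey responses are constructed for illustration; only the $50,000 and $5,000,000 end points of the impact scale come from the chapter's Table 1.4.

```python
from collections import defaultdict
from statistics import mean

# Qualitative answers map straight to a band; "moderate" sits mid-scale.
QUALITATIVE_BAND = {"low": 1, "moderate": 3, "high": 5}

# Assumed likelihood bands: expected occurrences in the next five years.
LIKELIHOOD_UPPER = (0.2, 1, 3, 10)
# Assumed dollar bands; only the $50,000 and $5,000,000 end points are
# taken from the chapter's severity table (Table 1.4).
IMPACT_UPPER = (50_000, 250_000, 1_000_000, 5_000_000)

# Share of the inherent score that survives current controls (assumed).
CONTROL_FACTOR = {
    "very well controlled": 0.25,
    "adequately controlled": 0.50,
    "partially controlled": 0.75,
    "not even identified": 1.00,
}


def _band(value, upper_bounds):
    """Words map via QUALITATIVE_BAND; numbers fall into the first band
    whose upper bound they are below, otherwise band 5."""
    if isinstance(value, str):
        return QUALITATIVE_BAND[value.lower()]
    for band, upper in enumerate(upper_bounds, start=1):
        if float(value) < upper:
            return band
    return 5


def likelihood_band(value):
    return _band(value, LIKELIHOOD_UPPER)


def impact_band(value):
    return _band(value, IMPACT_UPPER)


def score_response(response):
    """Return (likelihood, impact, inherent, residual) for one answer."""
    likelihood = likelihood_band(response["likelihood"])
    impact = impact_band(response["impact"])
    inherent = likelihood * impact
    residual = inherent * CONTROL_FACTOR[response["controls"]]
    return likelihood, impact, inherent, residual


def rank_risks(responses, top_n=None):
    """Average each risk's scores over its respondents and rank by residual
    score; ties fall back to impact so a remote but severe risk outranks a
    likely but minor one with the same residual score."""
    scores_by_risk = defaultdict(list)
    for response in responses:
        scores_by_risk[response["risk"]].append(score_response(response))
    ranked = []
    for risk, scores in scores_by_risk.items():
        ranked.append({
            "risk": risk,
            "respondents": len(scores),
            "likelihood": mean([s[0] for s in scores]),
            "impact": mean([s[1] for s in scores]),
            "inherent": mean([s[2] for s in scores]),
            "residual": mean([s[3] for s in scores]),
        })
    ranked.sort(key=lambda row: (-row["residual"], -row["impact"]))
    return ranked[:top_n] if top_n else ranked


def compare_groups(responses, field):
    """Mean residual score per risk, split by a demographic field such as
    clinical vs. non-clinical background."""
    residuals = defaultdict(lambda: defaultdict(list))
    for response in responses:
        residuals[response["risk"]][response[field]].append(
            score_response(response)[3])
    return {risk: {group: mean(values) for group, values in groups.items()}
            for risk, groups in residuals.items()}


# Constructed sample survey: for each risk one respondent answers
# quantitatively and one qualitatively, as the chapter allows.
SURVEY = [
    {"risk": "Security vulnerability of electronic data", "group": "non-clinical",
     "likelihood": 2, "impact": 3_000_000, "controls": "partially controlled"},
    {"risk": "Security vulnerability of electronic data", "group": "clinical",
     "likelihood": "moderate", "impact": "high", "controls": "adequately controlled"},
    {"risk": "Staff recruitment and retention", "group": "non-clinical",
     "likelihood": 6, "impact": 800_000, "controls": "not even identified"},
    {"risk": "Staff recruitment and retention", "group": "clinical",
     "likelihood": "high", "impact": "moderate", "controls": "partially controlled"},
    {"risk": "Hurricane or flood", "group": "non-clinical",
     "likelihood": 0.1, "impact": 20_000_000, "controls": "very well controlled"},
    {"risk": "Hurricane or flood", "group": "clinical",
     "likelihood": "low", "impact": "high", "controls": "very well controlled"},
]

if __name__ == "__main__":
    for row in rank_risks(SURVEY):
        print(f"{row['risk']:<42} inherent {row['inherent']:5.2f}"
              f"  residual {row['residual']:6.3f}")
```

In the sample, the data-security risk and the staffing risk tie on inherent score (13.5) and only the control-adequacy discount separates them, which is the residual-risk point the chapter makes.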
Tabulated results from the survey are assembled into a formal report to the ERM oversight committee. The report should include a brief review of the process employed to identify the selected risks
and develop the survey as well as an executive summary highlighting the key findings. A meeting
should be scheduled between the working group and ERM oversight committee to discuss the implications of the findings and plan for the next steps in the ERM implementation process. Once a general
plan is developed, a summary of survey results can be shared with survey participants. Presentations
can also be scheduled with groups such as the risk management, audit committee, and/or governing

Addressing Identified ERM Risks

One of the greatest challenges in implementing an ERM program is preventing the process from
dead-ending with the risk assessment. Healthcare organizations, like their counterparts in other industries, seem to suffer from a natural tendency to consider the interviews, risk assessment survey, results analysis, and resulting risk prioritization as ends in themselves. In fact, these activities are but the beginning of the ERM process.
Once survey results are tabulated and risks ranked and displayed, the working group should report
its findings back to the ERM oversight committee. The Committee then needs to determine the specific
risks on which to aim its initial focus. For most organizations, it is recommended that no more than three to 10 risks be tackled at the outset. Typically the risks identified through the survey assessment
process are global in nature and pervasive in scope and require the effort of a multi-disciplinary team
of experts both within and external to the organization to address. Attempting to adequately explore
and manage too many risks during the implementation phase of the ERM process is a sure recipe for
disaster. It is better to deal effectively with a handful of risks than to superficially consider a larger
It is not always easy for the healthcare organization to determine which risks are its most serious.
A risk may score differently in likelihood and impact dimensions, with some risks having a remote
likelihood of occurrence but holding serious consequences for the organization if they do occur, and
others relatively likely but of lesser consequence. It is not readily apparent to most risk managers
how to combine these measures in a mathematically appropriate and statistically valid way. It is often
necessary to employ the assistance of a consultant to make sure that the survey results are interpreted
accurately. If the healthcare organization is self-insured, a discussion with the organization's actuary
may be a convenient and advantageous first step. Actuaries have a firm grasp of mathematical and statistical principles and, although assisting with the analysis of the ERM may pose different challenges
than compiling the typical actuarial report, may be very helpful in assigning values to the survey
results and helping the organization to appropriately prioritize its ERM risks.
The combined measure for rating likelihood + impact may be termed inherent risk. Inherent risk
considers the magnitude of the risk in its pure form, without any discount for loss prevention, loss
control, insurance coverage, or other risk mitigation strategy that may be employed by the organization to reduce either the likelihood of the risk occurring or its potential impact on the organization.
In contrast, the risk remaining after the application of risk mitigation strategies can be thought of as
residual risk. The ERM risk assessment survey should attempt to evaluate both inherent and residual
risks in order to gain a complete picture of the risks facing the organization.
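To make the inherent/residual distinction concrete, here is an added example (not code from the book or from any healthcare organization it describes) that tabulates constructed survey responses: it combines likelihood and impact into an inherent score, discounts that score by the controls rating (an assumed linear discount) to get a residual score, ranks risks both ways, flags respondents who rate every risk alike, and compares clinical and non-clinical views of one risk. The 1-5 scales and the discount formula are assumptions, not the book's.

```python
"""Tabulate ERM risk-assessment survey responses into inherent and residual
risk rankings.  Added example, not code from the book or from any healthcare
organization.  Scales are assumptions: likelihood and impact are each rated
1-5, and adequacy of current controls 1-5 (5 = very well controlled,
1 = not even identified as a risk)."""
from collections import defaultdict
from statistics import mean

# Constructed sample responses (not real survey data).  Each row is
# (respondent, department, is_clinical, risk, likelihood, impact, controls).
SURVEY = [
    ("r1", "nursing", True,  "Catastrophic Loss",             2, 5, 3),
    ("r1", "nursing", True,  "Regulatory Compliance",         4, 4, 4),
    ("r1", "nursing", True,  "Information Systems Integrity", 3, 4, 2),
    ("r2", "finance", False, "Catastrophic Loss",             1, 5, 4),
    ("r2", "finance", False, "Regulatory Compliance",         4, 3, 4),
    ("r2", "finance", False, "Information Systems Integrity", 2, 4, 3),
    ("r3", "it",      False, "Catastrophic Loss",             2, 4, 3),
    ("r3", "it",      False, "Regulatory Compliance",         3, 3, 5),
    ("r3", "it",      False, "Information Systems Integrity", 4, 5, 1),
    # r4 rates every risk identically: the pattern the top-five question
    # is meant to counter.
    ("r4", "nursing", True,  "Catastrophic Loss",             3, 3, 3),
    ("r4", "nursing", True,  "Regulatory Compliance",         3, 3, 3),
    ("r4", "nursing", True,  "Information Systems Integrity", 3, 3, 3),
]


def inherent_risk(likelihood, impact):
    """Combined likelihood + impact measure, the chapter's inherent risk.
    With 1-5 scales the score ranges from 2 to 10."""
    return likelihood + impact


def residual_risk(likelihood, impact, controls):
    """Inherent risk discounted for adequacy of current controls.
    Assumption: a linear discount, so controls=1 leaves the inherent score
    untouched and controls=5 leaves one fifth of it."""
    return inherent_risk(likelihood, impact) * (6 - controls) / 5


def tabulate(responses):
    """Average inherent and residual scores per risk across all respondents."""
    inherent, residual = defaultdict(list), defaultdict(list)
    for _, _, _, risk, lik, imp, ctl in responses:
        inherent[risk].append(inherent_risk(lik, imp))
        residual[risk].append(residual_risk(lik, imp, ctl))
    return {
        risk: {
            "n": len(inherent[risk]),
            "inherent": round(mean(inherent[risk]), 2),
            "residual": round(mean(residual[risk]), 2),
        }
        for risk in inherent
    }


def rank_risks(responses, by="residual"):
    """Risk names ordered from highest to lowest average score.  Ranking by
    'inherent' and by 'residual' can disagree: a high-impact risk that is
    already well controlled drops down the residual list."""
    table = tabulate(responses)
    return sorted(table, key=lambda risk: table[risk][by], reverse=True)


def flat_raters(responses, max_spread=0):
    """Respondents whose inherent scores hardly vary between risks.
    max_spread=0 flags only identical scores; raise it to widen the net."""
    scores = defaultdict(list)
    for resp, _, _, _, lik, imp, _ in responses:
        scores[resp].append(inherent_risk(lik, imp))
    return sorted(r for r, s in scores.items() if max(s) - min(s) <= max_spread)


def compare_groups(responses, risk):
    """Average inherent score for one risk, split clinical vs. non-clinical,
    to show how differently placed respondents perceive the same risk."""
    groups = defaultdict(list)
    for _, _, clinical, name, lik, imp, _ in responses:
        if name == risk:
            key = "clinical" if clinical else "non-clinical"
            groups[key].append(inherent_risk(lik, imp))
    return {g: round(mean(v), 2) for g, v in groups.items()}


if __name__ == "__main__":
    for risk, row in tabulate(SURVEY).items():
        print(f"{risk:32s} n={row['n']} inherent={row['inherent']:.2f} "
              f"residual={row['residual']:.2f}")
    print("by inherent:", rank_risks(SURVEY, by="inherent"))
    print("by residual:", rank_risks(SURVEY))
    print("flat raters:", flat_raters(SURVEY))
    print("IS integrity by group:",
          compare_groups(SURVEY, "Information Systems Integrity"))
```

With these constructed responses the inherent and residual rankings differ: Regulatory Compliance ranks second by inherent score but last by residual score because respondents rate its current controls as adequate.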
Once the list of ERM risks to explore has been determined, the ERM oversight committee should
assign a process owner for each. The process owner is charged with responsibility for assembling a
task force of internal and external resources to further drill down into the assigned risk, identify the
key drivers and develop loss prevention and risk financing strategies for mitigating the risk. It is recommended that process owners be chosen from among the senior leadership team of the organization
for maximum visibility and access to resources and information.
The working group needs to develop educational resources and tools for the process owners to
assist them in understanding their roles and in creating a framework for examining the risks with which
they are charged. Training in techniques such as failure mode and effects analysis1 and root cause analysis2 is often helpful, as well as an introduction to organizational improvement models like Lean Six Sigma3 and the Toyota Production System.4 A workshop format utilizing internal resources outside of the
working groups as well as outside consultants (as needed) may prove an excellent means of orienting
the process owners to their task. The content and format of the workshop should be approved and
promoted by the ERM oversight committee.
Once the process owners have received their initial charge and orientation and assembled their task forces, the ERM oversight committee can set up periodic meetings or required reports to ensure that the ERM process stays on track and makes progress in developing strategies to tackle the assigned risks. The working group continues to play a role in fostering ongoing support for the ERM process and continuing to assist and encourage the various process owners and task forces during this critical segment of the implementation phase. For most risks, the process owners should be expected to have their final report of recommendations prepared within six to 12 months.

1. Smith, Deborah L., FMEA: Preventing a Failure Before Any Harm is Done, 2008, http://healthcare.isixsigma.com/
2. Bellinger, Gene, Root Cause Analysis, 2004, http://www.systems-thinking.org/ca/rootca.htm.
3. Smith, B., Lean and Six Sigma: A One-Two Punch, Quality Progress 36.4 (2003): 37-41.
4. Spear, Steven J. and Bowen, H. Kent, Decoding the DNA of the Toyota Production System, Harvard Business Review, September/October 1999.

Integrating ERM into the Corporate Culture

Moving beyond the risk identification and assessment process and fully integrating ERM into the organization's culture is a challenging endeavor for most healthcare organizations. To be fully operationalized, ERM must become a core process, reflected in strategic planning, budgeting, and performance measurement and improvement activities, and embraced by every level of the organization. The governing body of the organization, as well as its senior management team and other leaders, need to set risk-adjusted goals and objectives and consider risks holistically across the enterprise. Such a view of risk avoids a reactive, siloed focus on the mitigation of individual risks and allows for intelligent risk taking utilizing risk-based decision support and performance measurement tools.
The ERM implementation process typically involves an analysis of the organization's risk tolerance. Healthcare entities vary in their ability to withstand the potentially adverse consequences of risk based on their competitive and cash positions, revenue stream, access to credit and degree of financial and operational predictability. Organizations in highly volatile markets and those operating under severe financial pressures tend, out of necessity, to be more risk averse than their peers; however, even similarly situated organizations may view risk differently and have very different risk appetites.
While defining an organization's risk tolerance precisely may be difficult, a few relatively simple
techniques can be employed to aid in the analysis. Just as entities typically conduct a cost-benefit
analysis of proposed projects to determine which of several competing projects to pursue, organizations can think in terms of a risk-reward analysis to consider proposals from an ERM perspective.
Those endeavors that offer the greatest probable reward for the least residual risk, given the costs and
anticipated effectiveness of available risk mitigation options, should be pursued. Just as organizations
typically look for a specified internal rate of return for their business initiatives, managers can come to
appreciate that projects must be able to demonstrate a specific risk/reward gap in order to be pursued.
Healthcare organizations should also approach their strategic planning and budgeting functions
from an ERM perspective. Rather than setting goals and objectives and budgetary targets as absolutes,
it is helpful to think of them within an ERM framework. What is the likelihood that the organization
will meet this specific goal or budgetary target? Is there a possibility that the organization will exceed
it, and if so, by how much? What is the probability that the organization will fail to meet it? What are
the risks that are driving those probabilities? Can those risks be mitigated (if negative) or enhanced (if
positive)? What are the costs (financial and otherwise) in pursuing such mitigation or enhancement,
and how likely are these activities to be effective? When considering risk treatment strategies, it is
important to bear in mind the law of diminishing marginal returns: while quick fixes and relatively
obvious risk mitigation or enhancement efforts may yield large returns, the closer one gets to completely eliminating or optimizing a risk, the higher the incremental costs tend to be in proportion to the
incremental benefits, so that completely eliminating or optimizing risk is not feasible.
The road to full organizational integration of ERM principles is a long one. Few healthcare organizations have reached full ERM maturity, but experience from other industries shows that the process can easily take two to five years.5 As the process develops, it is imperative that the ERM oversight
committee, working group, and process owners remain engaged, meeting frequently with departments, boards, committees and other groups throughout the organization to facilitate the incorporation
of ERM concepts into planning and operating activities at all levels of the organization until ERM
becomes just the way the organization does business and is fully incorporated into the organizational
In addition to ongoing monitoring and performance measurement of the degree to which ERM is
integrated into the corporate culture, strategic planning and operational decision-making of the organization, the working group and ERM oversight committee should plan to repeat the risk identification
and assessment process about every three years. Organizational priorities, regulatory and economic
environments, technology, and market conditions change rapidly for healthcare providers and risks
that seem monumental today may be inconsequential tomorrow. (Remember Y2K?) New risks are
constantly emerging. Survival for many healthcare entities in the future will likely depend on their
ability to perceive and manage changing threats quickly and to make timely and accurate decisions
about when to change a strategic course.
At some point it will be necessary to find a permanent home for Enterprise Risk Management
within the organization. Although ERM is by nature a multi-disciplinary process, there needs to be an
individual or department responsible for setting specific ERM goals, developing strategies to see that
those goals are met and educating the organization at-large regarding the continuing development of
ERM. Frequently these responsibilities are assigned to a chief risk officer (CRO). The CRO may be
selected from within the ranks of the current organization or recruited externally, but in either event it
is important to distinguish the role from that of the traditional risk manager. The CRO should ideally report to the organization's Chief Executive Officer to remain independent from quality, finance, legal,
or other departments that might attempt to assert undue influence or limit the expansive role that is
appropriate to the ERM effort. While candidates with prior healthcare CRO experience are, at this point,
very rare, the CRO must possess a good understanding of the healthcare industry in general as well as
have specific expertise in finance, corporate compliance, organizational effectiveness, strategic planning, and traditional risk management. The job of CRO requires a very broad perspective and diverse
skill set, but holds opportunity for growth in a challenging and still-evolving field of endeavor.


Enterprise risk management for healthcare organizations is still a discipline in its infancy. While
much work remains to be done, healthcare entities that begin by assembling the right initial team,
developing a thoughtful process of risk identification and assessment, and devising an implementation
strategy that focuses on integrating ERM into the corporate culture of the organization over the long term will be rewarded with a better understanding of the inter-relationships among the risks they face
and be better equipped to anticipate and manage those risks effectively.
5. Risky Business: Employing Enterprise Risk Management to Sustain Growth, Mitigate Threats and Maximize Shareholder Value, APQC, 2007.




Changing regulations and rates/standards for reimbursement by government payors threaten the
organization's ability to maintain operations.

Regulatory Compliance

Noncompliance with laws, regulations, and accreditation standards results in lower quality, lost
revenues, unnecessary delays, adverse publicity, penalties, and fines.


Actions of competitors (e.g., new product and service introductions, predatory pricing and competitor mergers) or new entrants to the market handicap the organization's activities, competitive
advantage or even its ability to survive.

Catastrophic Loss

A major disaster or pandemic directly or indirectly impedes the organization's ability to sustain
operations, provide essential products and services, or recover operating costs.

Catholic Identity

Compliance with ethical and religious directives challenges the organization's ability to enter and
remain in profitable markets or to deliver state-of-the-art and full-range clinical services demanded by

Not-For-Profit Status

Failure to identify and accumulate relevant information and maintain appropriate operations
regarding the organization's not-for-profit status results in noncompliance with tax regulations and the
loss of not-for-profit status.


The organization's people are not being effectively led, which results in a lack of clarity, direction,
motivation to perform, management credibility, and trust throughout the organization.

Organizational Structure

The organization's corporate and/or legal structure impedes its capacity to change, develop relevant business plans, or implement long-term strategies.



System Value

System functions fail to align or fail to appropriately support regional operations and create additional burdens on the regions without adequate accountability or the addition of value.

Business Planning

Lack of a systematic and cohesive business planning process or failure to establish and execute
clear operating strategic priorities impacts the organization's ability to focus and formulate realistic
and relevant business strategies.

Business Performance Measurement

An inability to determine and implement accurate performance measures consistent with established business strategies threatens the organization's ability to achieve its long-term objectives.


Misalignment of objectives, goals and strategies throughout individual operational units threatens
the organization's capacity to achieve its overall objectives, maintain core operations and execute

Physician Alignment

Failure to effectively integrate physicians with the organization's business and mission needs
results in quality deficiency, inadequate patient volumes, duplicative services and loss of profitable
service lines.

Patient-Centered Approach

Failure to develop a patient-driven approach to care results in a loss of market share.



The organization develops strategies geared towards desired revenues or short-term goals rather
than indicated costs or long-term objectives resulting in failure to meet operating income needed to
sustain long-term business operations.

International Operations

Failure to appreciate cultural, market, political and regulatory risks results in underperformance
or loss of investment.



Change Readiness

The organization is not open to or does not implement critical processes or product and service
improvements quickly enough to keep pace with changes in the marketplace or to achieve anticipated
savings or productivity gains. It holds on too long to failing operations and strategies. The desire for
unanimity impedes the organization's ability to act.


Unclear roles and levels of authority result in a lack of coordination between parties, duplication
of efforts, unexpected outcomes, performance gaps or the assumption of unacceptable compliance/
business risks. Failure to hold associates accountable leads to poor results.

Associate Performance Measurement

Unrealistic, misunderstood, subjective, or non-actionable performance measures cause managers
and associates to act in a manner inconsistent with the organization's objectives, strategies, ethical and
legal standards, and prudent business practice. Lack of integrity and equity in pay practices results in
decreased associate morale.

Associate Competence

Lack of knowledge, training and development activities preclude associates from effectively
discharging their current operating responsibilities, as well as preclude creating a workforce that is
flexible and prepared for future challenges in implementing the organization's long-term strategies.

Management Development

Lack of cross-training, mentoring, orientation, flexible recruiting and retention strategies as well
as succession planning for key positions results in a lack of leadership, technical skills, and ability to
provide our customers with the organization's products and services.

Resource Availability

Unavailability of essential, qualified associates impedes the organization's capacity to grow, execute strategy and generate future financial returns.


Failure to deal effectively with union efforts results in organizational discord, operational impairment, and resource misalignment.



Information Systems Integrity

Lack of functional integrity in the information system infrastructure and application systems
results in unauthorized access to data, incomplete, inaccurate, or non-timely delivery of information
and processing of transactions.

Information Systems Infrastructure

Ineffective and inflexible technology infrastructure impairs the organization's ability to effectively and efficiently support the current and future information and operational/compliance needs of
the organization.

Information Systems Disaster Recovery

Inability to access important information when needed impedes the continuity of the organization's critical operations and processes.

Financial Accounting and Reporting

Failure to accumulate relevant and reliable external and internal information to prepare accurate
and complete financial statements and related disclosures affects stakeholders (including lenders and
regulators') ability to assess the organization's financial status and leads to surprise adjustments to
financial results.

Investment Portfolio

The organization depends on investment income to off-set inadequate operating performance.

Investment portfolio strategy does not align with business strategy. Lack of relevant or reliable
information supporting investment decisions and the financial risks assumed results in poor short- or
long-term investments.


Failure to collect payments as due from patients, vendors, or other third parties exposes the organization to excessive write-offs and collection costs. Inability to either obtain cash on a timely basis
or convert non-cash assets to cash when needed precludes the organization from paying or meeting its
current obligations.

Transaction Processing

Inadequate processes for billing, collecting, paying, recording, reconciling, and monitoring transactions in financial systems results in inaccurate and/or noncompliant collections, transactions and
data for preparing internal management and external financial and operational reports.




Clinical Quality

Quality failures, reflected through patient outcomes and satisfaction, significantly affect the organization's reputation, efficiency, compliance and accreditation status, future sales, market share and

Product Development and Integration

Inadequate development and implementation of products and services impedes the organization's
ability to meet or exceed customers' needs and wants. Difficulty in developing and integrating new
clinical technologies leads to inefficient, noncompliant operations, inaccurate information and loss of
competitive advantage.

Cost Control

Failure to identify and implement a flexible cost structure at the System and regional levels that is
responsive to market conditions results in an inadequate operating margin.

Contract Management

Inadequate, irrelevant, or inaccurate contracting strategies and processes result in excessive or
inappropriate contractual commitments.

Plant and Equipment Maintenance/Repair

The organization defers plant and equipment maintenance and replacement to meet other strategic
and operating goals which results in unsafe and unattractive facilities.
Source: CHRISTUS Health, 2008.



Part II
Financial Issues

Insurance and Risk Financing: The Basics
Ellen L. Barton, JD, CPCU
Principal, ERM Strategies, LLC


Most healthcare lawyers develop their expertise in insurance and risk financing through on-the-job training. This may occur because of any number of circumstances, including when in-house counsel assumes responsibility for risk management or when the chief financial officer asks them to review an insurance policy. With outside counsel, this may occur when a client asks them (as part of merger negotiations) to review the parties' insurance program for adequacy. Regardless of the situation, it will serve healthcare lawyers well to develop a working knowledge of basic insurance and risk
financing concepts in order to enhance their understanding of enterprise risk management and their
ability to provide advice and counsel on such matters.

Risk Financing

It is probably most appropriate to provide an overview of risk financing in the context of the risk
management process. The risk management process has five steps:
1. Identify and analyze loss exposures.
2. Examine alternative risk management techniques for treating the loss exposures:
   a. Risk Control
      i. Risk Avoidance: to avoid the risk
      ii. Loss Prevention: when dealing with frequency
      iii. Loss Reduction: when dealing with severity
   b. Risk Finance
      Retention
         i. Active: non-insurance, self-insured
         ii. Passive: not recognized
      Transfer
         i. Insurer: commercial carrier
         ii. Non-insurer: indemnification and hold harmless agreements

3. Select the best risk management technique(s)
4. Implement the technique(s)
5. Monitor and evaluate the results.
Risk financing techniques provide funds to pay for losses that risk control techniques do not
entirely stop from happening. Such techniques are designed to obtain funds, at the least possible cost,
to restore the actual losses that strike the organization.
The following are criteria for selecting a risk financing technique: (1) the financial security each
technique provides; (2) the effect each technique has on the organization's long-term costs and, therefore, its profitability; and (3) control. It should be noted that risk financing techniques can be depicted
as a continuum for the covered entity moving from total risk transfer (where there is a guaranteed cost
of risk financing through the purchase of insurance) to a blended risk transfer/retention (where the
organization may have deductibles, self-insured retentions, insurance, and reinsurance) to total risk
retention (where there is no insurance or reinsurance).


Retention

Retention may involve the current expensing of losses, i.e., paying for losses out of available cash as they occur. For example, hospitals often choose to retain losses such as lost eyeglasses or dentures. Retention may also involve either funded or unfunded loss reserves. Unfunded or funded loss reserves involve an accounting entry that shows a potential liability for a loss; or an organization can set aside funds for expected losses, known as earmarked funds. Thus, in the example involving lost eyeglasses or dentures, a hospital may choose to put aside a set amount of funds for such losses based on previous experience or simply decide to pay such losses out of current operating funds.
For large retained losses, an organization might find itself borrowing funds to cover uninsured losses. Borrowing to pay losses might result in a reduction in the organization's line of credit or ability to borrow for other purposes and, in time, will require earnings to repay the loan. More formalized methods of self-insurance may involve a trust fund or captive insurance company, which are used to finance specified types of losses. A trust fund is simply a bank account (generally) for the organization's own risks, administered by a formalized agreement or statement of coverage. A captive
insurance company is an owned or affiliated corporation established to insure the risks of the parent
corporation or its members. Captives can also be organized to assume the risk of outside parties.


Transfer

There are two basic risk transfer techniques: first, a contract providing indemnification or hold harmless obligations; second, an insurance policy. Contracts for services may provide that the person providing the service will hold the organization harmless from liability resulting from the service provider's actions or agree to indemnify the organization from such liability. Insurance, on the other hand, is defined as a contractual relationship that exists when one party (the insurer), for a consideration (the premium), agrees to reimburse another party (the insured) for a loss to a specified subject (the risk) caused by designated contingencies (hazards or perils).1 Reinsurance is a contractual
arrangement involving the purchase of insurance by an insurer from another insurer. It is basically insurance for the insurance company; reinsurance has a stabilizing effect by smoothing the ups
and downs of fluctuating loss experience. It also increases the capacity of the insurance company to
write business and provides it with catastrophic protection against the adverse effects of large losses
from natural forces or man-made disasters. There are two forms of reinsurance: facultative and treaty.
Facultative reinsurance usually covers a single transaction handled directly with the reinsurer. Many
facultative reinsurance policy forms are drafted (or manuscripted) to fit the specific risks insured
against. These risks are often unique, large, and/or hard to insure. With treaty reinsurance, the reinsurer
agrees in advance to accept certain classes of exposure as outlined in a treaty. The insurer assumes the
underwriting authority on behalf of the reinsurer.
1. Types of Insurance
a. First party insurance provides coverage for the insured's own property or person so that
the insured will be restored to the same financial position that he or she had prior to the
i. Examples of first party coverage are fire/property; business interruption; boiler &
machinery; builder's risk; flood; earthquake; crime; HMO/capitation stop loss; and automobile collision and comprehensive.
b. Third party insurance, also called liability insurance, provides coverage to a party other
than the insured to make that person whole for loss or injury caused by the insured. As its
name implies, it involves three parties: the one who is harmed, the insurer, and the insured
that caused the harm or damage.
i. Examples of third party liability coverage are medical professional liability; general
liability; automobile liability; directors & officers; errors & omissions; employers' liability; environmental impairment; and excess/umbrella liability.
c. Health and welfare insurance, also called social insurance, provides coverage for medical and related expenses.
i. Examples of health and welfare insurance are: workers compensation; health benefits;
vision coverage; dental coverage; life insurance; long term disability; and short term
d. Financial Guarantees are different from the traditional concept of insurance in that assets
are pledged for the full amount of the risk transferred.
i. Examples of financial guarantees are: surety bonds; public official bonds; appeal bonds,
judicial bonds; contract and performance bonds; license & permit bonds; and financial
bonds, e.g., bankers' blanket bond.

1. IRMI online glossary of terms, available at http://www.irmi.com.

2. Non-insurance Transfer through Contractual Arrangements
a. Contractual terms clarifying, limiting, or transferring liability.
b. Indemnification and/or hold harmless agreements.
i. For example, an owner hires a contractor to do work. The contract provides that if
anyone is injured as a result of the contractor's work, the contractor will hold the owner
harmless and indemnify the owner for any financial loss. Thus, if a third party sues the
owner, it is the contractor's responsibility to pay the loss.

Principles of Insurance

An insurance policy is a legal contract. In order for a contract to exist, four elements must be present: offer and acceptance (an agreement); consideration (money/premium); competent parties; and a
legal purpose.

Key Concepts

1. Interpretation: Insurance contracts are generally viewed as contracts of adhesion, meaning
that one party draws up the contract, and the other party adheres to it. In such cases, ambiguities are usually interpreted against the party that wrote the contract. Another principle of
interpretation provides that if there is a conflict between the parties, the reasonable expectations of the parties can be used to resolve the dispute.
2. Indemnification: Insurance contracts are designed to indemnify the insured. That is, they
will restore the insured only to the extent of his or her loss.
3. Subrogation: Subrogation is the right of the insurer to recover from a third party who caused
the insurer to pay the loss.
4. Good faith: Insurance contracts must be entered into with the utmost good faith. Good faith
means to deal with honesty and sincerity. Courts' penalties are severe when they detect bad
faith on the part of either the insurer or the insured.
5. Representations: Generally, in the purchase of insurance, the prospective insured must complete an application in which it makes affirmative representations. Such representations are
usually written, but may be oral and made with the intention of securing insurance.
6. Misrepresentations: False statements relied upon by the insurer in issuing coverage. Such
false statements need to be material in nature in order for the insurer to void coverage.
7. Warranty: Statements or promises contained in the insurance contract that would void coverage if untrue.
8. Concealment: The failure to divulge facts, or to remain silent when questioned as to key
9. Fraud: Deliberate deceit with intent to take financial advantage of another.


Enterprise Risk Management for Healthcare Entities, First Edition

Insurance and Risk Financing: The Basics

10. Estoppel: This concept prohibits an insurer from citing its standard policy defenses if:
(a) a false representation is made by the agent or company; (b) it is relied upon by the insured;
and (c) it causes the insured to be financially harmed or prejudiced.
11. Affordable coverage: Such coverage that is available for a reasonable premium.
12. Law of large numbers/predictable loss: This theory states that the larger the number of
homogeneous occurrences, the more predictable future losses will become.
13. Adverse selection: The tendency of poorer risks to seek insurance; that is, those who
believe they are more likely to suffer a particular loss are more likely to seek insurance for it
as well.

Elements of Insurability

1. Pure risk: A category of risk in which loss or maintenance of the status quo are the only
possible outcomes; there is no beneficial result or possibility of a gain. Pure risk is related to
events that are beyond the risk-takers control. Speculative risks, on the other hand, allow for
the possibility of a gain, a loss, or the maintenance of the status quo. An example is gambling.
The gambler has an opportunity (or chance) to win, lose, or draw (break even). For a risk to
be insurable it must be accidental, fortuitous. Therefore, only pure risks are insured through
conventional insurance markets.
2. Insurable interest: The insured must have an ownership interest in or control of the property
at the time of the loss.
3. Definable loss: A definable loss is one in which there is the ability to determine the time and
amount of the loss.
4. Unexpected loss: A loss that is accidental and fortuitous (in the sense of occurring by chance,
not in the sense of luck).

Insurance Company Types

There are two major types of insurance companies: private and governmental. Private insurance
companies are those owned and operated by private citizens that issue most coverage types, but they
exclude risks that are considered uninsurable such as unemployment, flood, etc. Government-owned
and operated insurance companies generally write coverage that is not underwritten by the private
sector such as unemployment, flood, etc. In addition, government-owned and operated insurance
companies compete with private insurers in limited lines such as workers' compensation in monopolistic states. Private insurance companies can take one of several forms: stock companies, mutual
companies, or fraternal or benevolent societies. Stock companies are simply those that are owned
by stockholders. Mutual companies are owned by policyholders and share their profits in the form
of dividends to policyholders. Fraternal or benevolent societies provide formal insurance plans for
life and health insurance products for their members and are exempt from federal and state taxes and
certain laws. Reciprocals are unincorporated associations whose members (subscribers) insure one
another. An attorney-in-fact manages such organizations. Finally, Lloyd's is a group of individuals who
share in the making of insurance contracts. Individuals directly accept risks for personal profit or loss.

All insurance companies typically have the following departments or functions: sales and marketing;
underwriting; accounting; investment; legal; claims; policy issuance and administration; audit; loss
control/risk management; actuarial and statistics; agency; and reinsurance.

Agents vs. Brokers

Agents are individuals, partnerships, or corporations authorized by an insurance company to select
risks, collect premiums, and countersign policies. An agent represents the insurance company. Brokers
are individuals, partnerships, or corporations who act or aid in any manner in obtaining insurance
for another for a fee or commission. Brokers represent the insured. Both agents and brokers must be
licensed. They are deemed to have a fiduciary duty to exercise their professional responsibility and
to conduct their insurance business in accordance with the law and in an ethical manner. Brokers and
agents have a duty to engage in careful assessment of the risks that are being underwritten, recommend
proper coverage with a financially secure insurance company, follow company guidelines, maintain
quality notes and records, and keep abreast of new products and coverages.

Approved vs. Non-Approved Insurance Companies

Insurance companies are generally considered to be approved or non-approved. Approved companies are licensed to conduct insurance business in a particular state. The companies are then considered
admitted and must file rating schedules and coverage plans with the state department of insurance.
Admitted carriers also participate in the state's guaranty fund. State guaranty funds protect insureds
(albeit limited in financial payments) in case the insurer becomes insolvent or is unable to meet its
financial obligations. Non-admitted carriers are generally referred to as surplus lines carriers. Surplus
lines carriers may legally operate within a state and are typically used for hard-to-place risks. Surplus
lines carriers do not participate in state guaranty funds. Such companies also have great flexibility in
their rating schedules and coverage forms and do not have to file them with the state department of
insurance.

Financial Ratings and Standards for Insurance Companies

As mentioned previously, it is important that the insurance company providing coverage for an
institution's risks be financially stable. There are a number of companies that monitor the financial stability of the insurance industry and regularly publish reports. They are: A.M. Best Company, Standard
& Poor's, Moody's, security committees of major brokerage companies, state insurance departments,
the National Association of Insurance Commissioners (NAIC), which has no regulatory authority but
promulgates uniform standards for insurance company operations and financial operating ratios, and
the Insurance Service Organization (ISO). Monitoring the ratings of an institution's insurance companies
should be done on an annual basis or more often if an insurer's financial stability is called into question
or the ratings have been downgraded by one of the major rating agencies. Insurers are rated both on
their stability and their size; generally the larger the company, the more capacity it has, enabling it to
write larger risks. An unstable company, however large, is a risky proposition.




Certificates of Insurance

It is often necessary to provide proof of insurance to outside third parties. This is done through
a mechanism called a certificate of insurance. Insurers (or their authorized delegates) issue them on
behalf of and at the request of their insured. Programs of self-insurance will often issue a memorandum of coverage letter as proof of coverage when so requested.

The Insurance Transaction

The insurance transaction involves a number of steps in a process that can take anywhere
from several days to several months and includes: the selection of a broker and/or consultant, the
application/submission for insurance, selection of prospective insurance carriers, the underwriting
transaction, the evaluation of insurance proposals, the execution of the insurance contract, and finally,
planning for the next renewal.

Selection of Broker and/or Consultant

The broker/consultant assists and advises throughout the entire process. Your broker should have
a special knowledge of you and your facility, the healthcare industry, the marketplace and insurance in
general. In addition, the broker should have the resources to deal with all or most aspects of your insurance program, and a service philosophy that is based on integrity, forming a partnership based on solid
information. Organizations, while not required, can utilize the services of an insurance consultant to
perform some of the typical broker services, such as assistance with coverage specifications, coverage
comparison, and placement evaluation. They can also draft requests for proposals (RFPs) and assist with
broker selection.

Application/Submission for Insurance

The application for insurance contains required information regarding the insured, its operations,
and the risk that is being underwritten. In addition, the submission will outline the requested program structures, various options and coverage specifications. Other required information includes a
historical perspective of the organization's insurance programs, an organizational chart, a summary
of exposures (generally for the preceding 10 years), loss experience (for 10 years) with analyses, the
last three years' financial statements, a description of the applicant's risk management program, and a
description of the claims management program with particular emphasis on reserving practices. The
application and attachments provide an opportunity for the prospective insured to tell its story in a way
that provides a level of comfort to the prospective insurance company. Several prospective insurance
companies are rewarding insureds with up-front premium discounts for implementing proactive risk
management/patient safety initiatives. When telling its story, the prospective insured is well served to
emphasize those initiatives as such programs could translate into premium savings as well as making
the risk more acceptable to underwrite.



Selection of Carriers for Bidding Purposes

There are numerous criteria that could be used to select a group of carriers to bid on the prospective
risk: (1) the portfolio of insurance products (that is, the coverages available); (2) the financial strength
of the company; (3) the company's claims paying philosophy; (4) the company's risk management and
loss control services; (5) the company's longevity in the marketplace; (6) the company's reputation;
(7) the quality of the company's policy administration services; (8) the company's flexibility to meet
current and future needs; (9) the company's management stability; and (10) the company's admitted/
surplus lines status by state. It may be unrealistic to expect to find a single insurer who can provide all
lines of insurance desired as carriers tend to specialize in certain lines.

The Underwriting Transaction: Art or Science?

Underwriting is the process by which the insurability of the risk is determined, at what amount of
coverage, and for what price. The goal of underwriting is to allow the insurance company to provide
its products and services at a profit to the insurer. The underwriting process involves selecting risks
that are consistent with the company's line of business, assuring that the risks can be spread, avoiding
adverse selection, and designing a premium structure that will yield underwriting profits. Underwriting also involves classifying risks and pricing them appropriately as well as designing products with
coverage terms and conditions that include selected limits and retentions.

Evaluation of Insurance Proposals

The first question to be asked in evaluating insurance proposals is whether the proposal addresses
the risks. Does the proposal meet your objectives regarding price and coverage? It is helpful to compare (in an easy-to-read chart format) the current in-place program with options from proposed carriers
in terms of the following items: limits, coverage, exposures, losses, exclusions, service experience and
personnel, financial rating of the carriers, overall cost and financial security requirements, and conditions required by the insurer. Other considerations by which insurance proposals should be evaluated
include: the context of the market conditions, minimum requirements of regulatory authorities, bond
covenants, contracts, etc. Finally, you need to ask if the proposal will accommodate your long-term
risk financing goals.

Execution of the Insurance Contract

When an order for insurance coverage is placed, the insurance company or authorized agent will
issue a binder which outlines key terms of the coverage, provides evidence of insurance, and is limited
in time. The binder obligates (binds) the insurer to the terms described in the binder. The insurance
company will then issue a policy with all the specific coverage information included and will issue
certificates of insurance to appropriate parties as instructed by the insured. Concurrent with placing
coverage, the insured and insurer will determine the process and procedures for identifying, notifying the carrier and managing claims, risk management services to be delivered, and identifying any
insurance changes particularly where coverage is diminished or eliminated. Finally, the risk manager
needs to communicate the new insurance coverage details to the institution and all interested parties.


Arrangements will also be made for building inspections (in the case of property insurance), audits
(for various financial lines of coverage), and premium financing if so requested. Continuing communication between insured and insurer is necessary to maintain appropriate coverage for changing risks.

Planning for Program Renewal

The best time to plan for the next renewal is when you finish the current renewal. This is the time
when issues and concerns are uppermost in mind. In addition, planning should include monitoring
the current insurance program and underwriting markets for continued financial stability, evaluating
service providers (such as brokers, third party administrators managing claims, and defense counsel),
maintaining a log of risk management improvements, internal and external benchmarking, and tracking changes in the risk profile.

Claims-Made vs. Occurrence Coverage

Occurrence coverage provides coverage for a claim that occurred during the policy period regardless of when the claim is reported to the insurance company. Claims-made coverage provides coverage
for a claim that occurred after the inception or retroactive coverage date of the policy and is reported
to the insurance company while the policy or any replacement policy is still in effect. The retroactive
date defines the beginning of the coverage period for the claims-made policy. This date is retained
on an indefinite basis if the insured remains with the same carrier. The retroactive date will usually
predate the effective date on the policy in order to provide seamless coverage and mitigate any coverage gaps. If an insured changes claims-made carriers, the original retroactive date can be maintained
or an extended reporting endorsement can be purchased from the exiting carrier, in which case a new
retroactive date is then established with the new insurance carrier. The extended reporting endorsement may be referred to as the discovery provision, as tail coverage, or as an extended reporting period
(ERP). This endorsement is attached to the exiting policy and extends the reporting period past the
expiration of the policy. It covers events that occurred while claims-made coverage was in place and
that would have been covered had the old policy been continued. In making a decision to purchase
coverage for an extended reporting period, the following issues should be considered: (1) the availability of such coverage; (2) the length of the reporting period; (3) cost of tail; and (4) cost and provisions
for reinstatement.
Most medical professional and general liability policies are claims-made; however, some self-insurance trusts and captive insurance companies provide occurrence-based coverage. Thus, understanding
the implications of each of these types of coverages is important.
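The coverage trigger rules described above (occurrence vs. claims-made, the retroactive date, a replacement policy, and an extended reporting period) written out as a small decision routine. This is an added example, not material from the book; the Policy fields, carrier names and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class Policy:
    """One policy term in an insured's coverage history (constructed fields)."""
    carrier: str
    basis: str                               # "occurrence" or "claims-made"
    inception: date
    expiration: date
    retroactive_date: Optional[date] = None  # claims-made only; None means inception
    erp_end: Optional[date] = None           # end of a purchased tail (extended reporting period)


def policy_responds(policy: Policy, incident: date, reported: date) -> bool:
    """Apply the trigger the chapter describes.

    Occurrence: the incident must fall inside the policy period; when the claim
    is reported does not matter.
    Claims-made: the incident must be on or after the retroactive date and while
    coverage was in place, and the claim must be reported while the policy is in
    effect or, if a tail was bought, before the tail's reporting period ends.
    """
    if reported < incident:
        raise ValueError("a claim cannot be reported before the incident occurred")
    if policy.basis == "occurrence":
        return policy.inception <= incident < policy.expiration
    if policy.basis != "claims-made":
        raise ValueError(f"unknown coverage basis: {policy.basis}")
    retro = policy.retroactive_date or policy.inception
    if not (retro <= incident < policy.expiration):
        return False
    reporting_end = policy.erp_end or policy.expiration
    return policy.inception <= reported < reporting_end


def responding_carriers(policies: List[Policy], incident: date, reported: date) -> List[str]:
    """Carriers in the insured's history whose policy responds to the claim.
    An empty list means the claim falls into a coverage gap."""
    return [p.carrier for p in policies if policy_responds(p, incident, reported)]


# Constructed history 1: the insured changed claims-made carriers and kept the
# original retroactive date, so the replacement policy picks up older incidents.
HISTORY_RETRO_KEPT = [
    Policy("Carrier A", "claims-made", date(2005, 1, 1), date(2008, 1, 1)),
    Policy("Carrier B", "claims-made", date(2008, 1, 1), date(2009, 1, 1),
           retroactive_date=date(2005, 1, 1)),
]

# Constructed history 2: the insured bought a tail from the exiting carrier and
# the new carrier set a fresh retroactive date at its own inception.
HISTORY_TAIL_BOUGHT = [
    Policy("Carrier A", "claims-made", date(2005, 1, 1), date(2008, 1, 1),
           erp_end=date(2010, 1, 1)),
    Policy("Carrier B", "claims-made", date(2008, 1, 1), date(2009, 1, 1),
           retroactive_date=date(2008, 1, 1)),
]
```

Running `responding_carriers` for an incident in June 2006 reported in June 2008 names Carrier B under the first history and Carrier A's tail under the second; the same incident reported in 2011 names nobody under the second history, which is the gap the chapter warns about.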

Limits: Terms and Conditions, Sublimits, Scheduled Losses, etc.

The policy limit represents the maximum amount the insurer will pay for losses. The per claim
limit applies to a specific loss. The aggregate limit applies to all losses within a policy term (usually
a year). Therefore, policy limits of $1 million/$3 million mean the insurer will pay a maximum of
$1 million for any one claim, and a maximum of $3 million for all claims, of whatever size (up to
$1 million), taken together. There are also primary limits and excess limits, which simply refer to

those limits applicable to a primary layer of coverage and those limits applicable to excess layers of
coverage. The primary layer is the policy that pays first and can include deductibles. The primary
layer is considered closer to the risk insured and sometimes called the working layer. This layer has a
higher frequency of losses than does the excess or umbrella layers and is therefore more predictable
and easier to price. In addition, an organization may have purchased umbrella coverage, the purpose of
which is to provide coverage when underlying per claims limits have been paid or coverage may drop
down and pay when the aggregate limits are exhausted by the payment of claims. Umbrella coverage
provides coverage excess of multiple lines of insurance (such as automobile liability, medical professional liability, directors and officers, etc.) and can afford coverage against some claims not covered in
the primary layer subject to a self-insured retention. An insurance program may also provide for sublimits for specific exposures, which are limits within the overall policy, not in addition to the policy
limit. For example, a policy may have a limit of $1 million but a sub-limit for property damage of only
$50,000. Thus if there is a covered loss involving property damage, the most that the carrier will pay
for that loss is $50,000. There may also be shared limits where several entities will be covered by just
one limit. Blanket limits apply to two or more classes of risk or locations and thus help prevent being
underinsured. Scheduled limits provide for specific limits either by location or by risks that have been
specifically rated in the policy. Scheduled limits are often used for fine arts, jewelry, or rare books.
Finally, policies may provide for variable limits; that is, the amount of the limit changes due to inflation or as a result of some other predetermined reason.

Deductible vs. Retention: The Effect on Limits

A deductible is defined as that portion of an otherwise insured loss that is borne by the insured. A
retention, on the other hand, is defined as that portion of a loss assumed by the insured, in the form of
self insurance. To illustrate the difference, consider a deductible policy with a $1 million policy limit
and a $100,000 per claim deductible. If a $1 million claim occurs, the insurance carrier is responsible
for paying the full amount of the claim and recovering the deductible from the insured. Thus, the
total amount of insurance available is $900,000. Coverage through a self-insured retention (SIR) is
in addition to the coverage limit purchased. SIRs are popular with insureds because of the ability of
the insured to manage the claim within that layer of coverage. Purchased insurance is excess of the
SIR and increases the amount of coverage available to pay a covered claim. If the insured purchases a
$1 million policy and has a $100,000 SIR, the coverage available for a covered loss is $1.1 million.

Other Concepts related to Limits

It is important to understand whether expense costs (i.e., defense counsel, expert witness fees,
etc.) are considered within the limit (also known as cost inclusive) or outside the limit (also known as
cost exclusive) and how they will affect premium costs as well as funding requirements. When expense
costs are within the limit of liability, coverage limits will erode faster and excess or umbrella policies
will drop down and respond quicker. It is not hard to understand why policies written with expense cost
included within the limit will be cheaper on a primary basis but more expensive on an excess basis.
Consider for a moment a birth injury case, one of the most expensive claims to defend: under policies
where expense costs are within the policy limit, coverage could be exhausted through the payment of


defense costs, expert witnesses, etc., leaving no money to pay a judgment or to negotiate a settlement
within the primary layer, requiring the excess layer to respond. The primary insurers obligation is
over after paying the per claim limit of liability. When expense costs are outside the limit of liability,
the carrier not only has the obligation to pay per claims policy limit but also has the obligation to pay
the expense costs. Cost exclusive policies are more expensive on a primary basis because the insurer
pays both the limit and the expense costs, while the excess policies can be less expensive because they
will not have to respond until the limits are exhausted through an indemnity payment.
Tracking claims and remaining aggregate limits is an important responsibility with regard to excess
carriers. It is very important to keep excess carriers informed so they respond when losses reach their
level. In addition, claims need to be tracked by the type of limit: claims-made vs. occurrence. When
a tail policy is purchased at the expiration of coverage from a claims-made insurer, the insured will
need to know if the limit is a new limit or is simply treated as an extension of the last year's remaining
limits. Another concern is how the deductible or retention is treated with regard to the aggregate. In
other words, does the deductible or retention erode the aggregate so that the coverage limit is lessened?
Generally, insurance companies price coverage at a rate per million dollars of coverage; however, the
rate generally changes per incremental amount of coverage. Thus, an insured may be able to purchase
additional millions of coverage for far less than the first $1 million of coverage. In other words, the
second $1 million of coverage is cheaper than the first and the second $10 million similarly cheaper
than the first $10 million. Finally, it is critical to assure that there is consistency of terms as they apply
to primary and excess layers so that there are no gaps in coverage. Excess carriers are often asked to
write following form coverage, following the form of the primary (or lower) layers of insurance.
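The arithmetic from the Limits and Deductible vs. Retention discussions and from this section, worked as one allocation routine: a per-claim limit, an aggregate limit that erodes over the policy term, a deductible (recovered from within the limit) or a self-insured retention (below the limit), cost-inclusive versus cost-exclusive expense treatment, and an excess layer that drops down once the primary is exhausted. This is an added example, not material from the book; the layer structure, the claim amounts, and two simplifying assumptions (the retention applies to indemnity only, and the retention does not erode the aggregate) are constructed for illustration, since the chapter notes that the latter point is policy-specific.

```python
from dataclasses import dataclass


@dataclass
class PrimaryLayer:
    """The primary (working) layer: per-claim limit, aggregate for the term,
    and the insured's retention. Field values are constructed for the example."""
    per_claim_limit: float
    aggregate_limit: float
    retention: float              # per-claim deductible or SIR amount
    retention_is_sir: bool        # True: SIR sits below the limit
                                  # False: deductible is recovered from within the limit
    costs_inside_limit: bool      # True: "cost inclusive"; False: "cost exclusive"
    aggregate_used: float = 0.0   # running erosion of the aggregate this term


def available_insurance(layer: PrimaryLayer) -> float:
    """Net insurance the carrier funds on one claim before any erosion.
    With a deductible the carrier pays the limit and recovers the deductible,
    so the net is limit minus deductible; with an SIR the full limit sits
    above the insured's retention."""
    net = layer.per_claim_limit
    if not layer.retention_is_sir:
        net -= layer.retention
    return net


def apply_claim(layer: PrimaryLayer, indemnity: float, expense: float,
                excess_limit: float = 0.0) -> dict:
    """Allocate one covered claim among insured, primary carrier and excess carrier.

    Assumptions (constructed for this example, not policy wording): the retention
    applies to indemnity only; only carrier payments erode the aggregate; the excess
    layer follows form and pays whatever indemnity the primary cannot fund.
    """
    insured = min(indemnity, layer.retention)
    loss_above_retention = indemnity - insured

    # Capacity left for this claim: the lesser of the per-claim limit and what
    # remains of the aggregate, net of a deductible (which sits inside the limit)
    capacity = min(layer.per_claim_limit, layer.aggregate_limit - layer.aggregate_used)
    if not layer.retention_is_sir:
        capacity = max(0.0, capacity - insured)

    if layer.costs_inside_limit:
        # Defense costs are incurred before any judgment and erode the same limit,
        # so a long defense can leave nothing for settlement in the primary layer
        primary_expense = min(expense, capacity)
        capacity -= primary_expense
    else:
        # Cost exclusive: the carrier owes expense in addition to the limit
        primary_expense = expense

    primary_indemnity = min(loss_above_retention, capacity)
    layer.aggregate_used += primary_indemnity
    if layer.costs_inside_limit:
        layer.aggregate_used += primary_expense

    # Whatever the primary cannot fund drops to the excess layer, up to its limit
    unfunded = loss_above_retention - primary_indemnity
    excess_indemnity = min(unfunded, excess_limit)
    unfunded -= excess_indemnity

    return {
        "insured": insured,
        "primary_indemnity": primary_indemnity,
        "primary_expense": primary_expense,
        "excess_indemnity": excess_indemnity,
        "unfunded": unfunded,
    }
```

Applying the chapter's own figures, a $1 million policy with a $100,000 deductible funds $900,000 of a $1 million claim, while the same limit over a $100,000 SIR funds $1 million above the insured's $100,000; running four $1 million claims through a $1 million/$3 million layer shows the fourth falling entirely to the excess carrier.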

Premium Determination and Rating

Insurance companies determine premiums based on several rating schemes. Two of the more
common procedures are manual rating and loss (or experience) rating. In manual rating, an insurance
company uses the premium rate specified in an insurer's or rating bureau's manual for a particular line
of insurance. Loss rating is a method of adjusting the premium for an insured based on the insured's
own loss experience compared to the loss experience of insureds facing the same exposure. Most captive insurance companies use loss rating.

The Insurance Policy

The main sections of an insurance policy can be described by the acronym DDICEE and are as follows:
1. The Declarations Page, also called the dec page, specifies the type of policy and coverage,
the policy number and policy forms, the policy period, the name and address of the insured,
the broker or agent, the limits and deductibles/retentions, the effective/retroactive dates of
coverage, the type of business, the policy premium, and a listing of the endorsements or
extensions of coverage.
2. Definitions define specific terms in the policy that are usually bolded to signify that they have
specialized meanings. The definitions section of the policy is designed to clarify coverage

terms and conditions. However, be aware that definitions can be spread throughout the policy
and can often be found in the section to which they pertain.
3. The Insuring Agreement is the contractual heart of the policy. It states whether the coverage
is on an occurrence or claims-made basis and outlines the duty to defend, which has two
separate and distinct parts: (a) to investigate and defend claims; and (b) to indemnify the
insured for actual losses incurred (including adverse judgments). Any doubts related to the
insurer's duty to defend must be resolved in favor of the insured. It is important to refer to
the definitions section of the policy to understand who the insured is, what constitutes a
medical incident, and how a claim is defined. The named insured is identified on the declarations page and has full rights and responsibilities under the policy. Additional insureds may
be added by endorsement to the policy, not on the declarations page. Additional insureds are
entitled to defense and indemnification but do not have any rights regarding policy or coverage administration.
4. Conditions outline the rules, duties, provisions, and obligations of the insured and insurer.
Some common conditions include cancellation, policy territory, assignment, arbitration,
liberalization, subrogation, other insurance, inspections and surveys, and non-renewal. Additional conditions include examination of the insured's books and records (which is also a Medicare
requirement), changes to the policy or waiver of rights, payment of premium and return of
premium, claims reporting requirements/duties after a loss, and concealment, misrepresentation, and fraud. In addition, look for additional language to be added to policies to comply
with mandatory insurer reporting required under Section 111 of the Medicare, Medicaid and
SCHIP Extension Act of 2007 (MMSEA).2
5. Exclusions eliminate coverage for specific occurrences that are deemed uninsurable or not
contemplated for coverage under the policy. Exclusions will vary significantly by line of
coverage. Some common exclusions include damages resulting from war, pollution, asbestos,
nuclear power, and fraudulent, criminal, or dishonest acts.
6. Endorsements are used to change or add to a policy's original terms and conditions. They
may be included at the time the policy is issued or later. They can broaden, limit, restrict or
explain coverage and are typically used to add or delete coverage or insured status. There are
standard endorsements prepared by Insurance Service Office (ISO) that are commonly used
by many insurers; however, there are also manuscript endorsements that are drafted by the
insurer (or by the insured or its broker) to apply to a specific situation.

MMSEA adds new reporting requirements for group health plan arrangements (GHP) and for liability insurance (including self-insurance), no-fault insurance, and workers' compensation laws or plans to report the identity of a Medicare
beneficiary whose illness, injury, incident, or accident was at issue as well as such other information specified by the Secretary to enable an appropriate determination concerning coordination of benefits, including any applicable recovery claim.
See 42 U.S.C. 1395y(b)(7) and (8). A specific website has been created by HHS/CMS for mandatory insurer reporting
and can be accessed at http://www.cms.hhs.gov/MandatoryInsRep/01_Overview.asp#TopOfPage.




Insurance Policies by Line of Coverage

An insurance policy will describe in detail the specific risks that are covered. Below is a nonexhaustive list of the many different types of insurance coverage that healthcare institutions might
consider depending on their various exposures.

Aircraft (Non-Owned) Liability

Non-owned aircraft liability insurance provides coverage for bodily injury and property damage
caused by an accident involving a non-owned helicopter using the helipad or an accident involving
non-owned aircraft for which the insured is responsible. Losses from aircraft accidents are excluded
from normal general liability and property insurance, so this coverage is needed if, for example, the
insured operates a helipad.

Boiler and Machinery Coverage

Boiler and machinery insurance provides protection for explosion of boilers and other pressure
vessels and accidental damage to equipment. It also covers resulting damage to other property, including property in the care of the insured, for which the insured is liable. Boiler and machinery insurance
may be included in blanket property insurance.

Commercial Automobile Coverage

Commercial automobile insurance protects against loss arising out of the ownership, maintenance, and use of automobiles and their equipment including those that are owned, hired, or borrowed,
and those that are not owned but for which the insured has responsibility, such as the personal car of
an employee used to run a company errand. In this last instance, the liability coverage provided for
these vehicles is excess over the coverage the vehicle owner may have. The excess coverage does not
apply to the employee individually unless the coverage is endorsed to cover employees as additional
insureds. Automobile liability is usually written on a combined bodily injury and property damage
limit. Automobile physical damage is written on an actual cash value basis for comprehensive loss
(fire, theft, windstorm, hail) and collision. Collision is always written subject to a deductible. There
are special automobile exposures in healthcare given the following: personal use of company cars
(permission for such use can be granted); employees as additional insureds (remember, the employee's
policy will respond first); and personal use of non-owned automobiles (for which one should have
drive other car coverage and personal umbrella coverage). Note, too, that coverage does not apply
to physical damage to employees' automobiles, even if they are used in business. Garage insurance,
not automobile insurance, applies to losses to vehicles in employer-operated garages and parking lots.
Additional exposures involve ambulances used for emergency transport and other patient transport as
well as auxiliary and volunteer exposures.



Commercial General Liability

Commercial general liability protects against financial loss resulting from bodily injury and property damage from the insured's liability to third parties arising out of the premises the insured owns
or occupies, operations, products, and completed operations, advertising, personal injury liability, and
liability the insured assumes under contract, subject to the exclusions of the policy. The coverage is
usually rated based on square footage and/or receipts. The most common general liability exposures
include liability arising out of contracts, visitors, product liability, libel, slander, false imprisonment,
defamation of character, and sexual abuse by non-professional employees. Because of potential coverage gaps, it is recommended that general liability insurance be purchased from the same insurer that
provides the organization's professional liability. The biggest reason for this is that most commercial
general liability policies will exclude coverage for bodily injury for any person who is in the insured's
building or on the insured's premises for the purpose of receiving any type of medical evaluation, care,
or treatment. Thus, coverage for such injury to patients needs to be covered under a medical professional liability insurance policy. Having one company provide both coverages eliminates the potential
for disputes.

Directors and Officers (D&O) Liability

D&O insurance protects directors, trustees, officers, and other key executives identified in
the policy from personal liability for wrongful acts (misstatements, misleading statements, acts,
omissions, neglect, or breach of duty) and ensures that the organization is covered for its obligation to
indemnify its officers, directors, trustees, and key executives. Under this coverage, the insurer pays
on behalf of the company all losses for which the company grants indemnification to the insured
persons and which the insured persons have become legally obligated to pay on account of any claim
for a wrongful act. There are three coverage parts. Insuring Agreement A provides individual coverage
to the director (trustee), officer, or key executive when the corporation (e.g., a hospital) cannot provide
indemnification. Insuring Agreement B provides corporate reimbursement when directors, trustees,
officers, and key executives can be indemnified. Insuring Agreement C, if purchased, provides entity
coverage for loss from covered wrongful acts that the entity is legally responsible to pay. Healthcare
exposures include committee membership (peer review: loss or denial of privileges), compliance issues,
antitrust, wrongful termination (including committee decisions and routine personnel activities), sex
and age discrimination (failure to supervise employees accused of misconduct), diligence (alleged waste
or neglect of assets, failure to manage), breach of loyalty (conflict of interest), and contractual issues
with outside stakeholders.

Employment Practices Liability

Employment practices liability (EPL) insurance is designed to cover employment discrimination,
sexual harassment, negligent hiring and selection, and wrongful termination. The insureds include the
corporation, directors and officers, and employees. This type of coverage can be included in directors
and officers insurance or written as a separate policy.




Fiduciary Liability

Fiduciary liability insurance covers breach of fiduciary responsibility under common law or ERISA
for directors and administrators of an organization's pension plan and health & welfare funds.

Fidelity Coverage

Fidelity insurance, also referred to as commercial crime coverage, provides coverage for several
different types of crimes: (1) dishonesty of employees; (2) forgery or alteration; (3) theft of money
and securities; (4) funds transfer fraud coverage; and (5) computer fraud. Coverage can be endorsed to
cover other risks as well, such as kidnapping, ransom, and extortion. One way to remember the
major coverages is the 3 Ds: dishonesty, disappearance, and destruction.

Garage/Garagekeepers Liability (Parking Garage Exposure)

A general liability policy covers loss to third parties resulting from premises exposure of parking areas but excludes losses to property in your care, custody, and control. A garagekeepers legal
liability policy provides coverage for physical damage to automobiles in your care, custody, and control for which you are legally liable. Valet services can result in automobile physical damage exposures
not covered in any other form of coverage.

Helipad Premises Liability

Helipad premises liability covers bodily injury and physical damage arising out of the use, ownership, or operation of a helipad including slips and falls that occur during the loading and unloading of
patients and bodily injury of bystanders and property damage to others. A separate policy is needed for
this coverage since it is explicitly excluded under the commercial general liability policy. This coverage can be combined with non-owned aircraft coverage.

Managed Care Liability

Managed care delivery mechanisms take a variety of forms: preferred provider organizations
(PPO) plans that contract with providers for discounted fees or for payments based on a fee schedule; health maintenance organizations (HMO) group practices, staff models, or independent networks
that provide comprehensive care for a fixed price paid in advance of rendering services; independent
practice associations (IPA) organizations that contract with a managed care plan to deliver services in
return for a single capitation rate. The IPA in turn contracts with the individual providers to provide
the services either on a capitation basis or on a fee-for-service basis. A physician-hospital organization (PHO) is a legal or informal organization that bonds hospitals and their attending medical staff.
Frequently, such organizations are developed for the purpose of contracting with managed care plans.
Point of service plans (POS) or open-ended HMOs (OEHMO) are managed care programs that allow
the patient to select, at the point of service, between full benefits within a network or reduced benefits
for care outside the network. A primary care physician is used to facilitate services. Finally, there
are provider sponsored organizations (PSOs), which operate the PHO. Delivering care in this
manner brings some unique exposures (in addition to direct professional liability) that include: vicarious
professional liability; liability for improper design or administration of the cost controls; breach
of contract or bad faith; ERISA; antitrust; denial of benefits or services; discrimination; advertising
injury; violation of state insurance laws; invasion of privacy; insolvency/bankruptcy; improper
credentialing; and fraud and abuse.
There are two types of managed care insurance policies: (1) direct, for those providing medical
services (the staff model HMO and employed physicians); and (2) vicarious, for those facilitating the
delivery of healthcare services (IPA model HMO, PPO, PHO, MSO, foundation model).
There is also a product called managed care errors and omissions that provides business errors
and omissions coverage for damages because of personal injury in the performance of professional
services including utilization review, peer review, claims processing, enrollment, and marketing of
services. This coverage is usually written on a claims-made basis. Managed care D&O liability coverage is frequently purchased with managed care errors and omissions. Some standard exclusions
include: punitive damages, anti-trust, ERISA claims, and coverage for TPA operations.

Professional Liability (Medical)

Medical professional liability insurance provides coverage for claims arising from providing
or failing to provide professional medical services. Professional medical services means any act or
omission in the furnishing of healthcare services by or at the direction of a licensed professional,
including furnishing food, medications, or appliances, the postmortem handling of bodies, or service
by any person as a member of a formal accreditation review board. While medical professional liability
policies vary greatly from carrier to carrier, most provide coverage for the following individuals and
entities: the corporate entity (including its auxiliary), board of directors or trustees, members of
committees, employees, students, volunteer workers, members of religious organizations, and others
at the request of the insured, e.g., certain physicians, dentists, etc. Most medical professional liability
policies also contain specific exclusions: absolute or total pollution (typically excluding coverage for
bodily injury that would not have occurred in whole or in part but for the actual, alleged, or threatened
discharge, dispersal, seepage, migration, release, or escape of pollutants at any time), physical and
sexual abuse, intentional/criminal acts, fines and penalties, occupational disease or injury, impaired
physicians, asbestos removal, punitive damages, and the loading and unloading of vehicles or aircraft.
In comparing one medical professional liability policy to another, the following issues should be
addressed: coverage type, named insured provision, retroactive dates, limits, defense costs, the claims
trigger, employee/physician coverage, extended discovery provisions (tail coverage), claims reporting
provisions, other insurance clauses, exclusions, and the coverage territory.
In reviewing physicians' professional liability insurance, consider some key issues such as: coverage
for ancillary exposures; death, disability, and retirement provisions; entity coverage; consent
to settle provisions; changes in specialty provisions; occurrence vs. claims-made coverage; and the
slotting of positions (mainly for group programs, employed physicians, or residency programs where
rotation is frequent and the group of insureds is large).



Property Coverage

Property insurance policies cover an organization's buildings, contents, attached equipment,
building service equipment, and interruption of business activities at the site. Most hospitals are
considered highly protected risks since they are operated 24 hours a day and are generally managed with
a sensitivity toward loss prevention. Such risks are generally entitled to lower premiums. Most property
policies are written on an all risk basis, which provides coverage for any and all accidental loss except
those specifically excluded, as opposed to coverage only for specific perils named in the policy. Thus,
the carrier is required to prove that a loss is not covered, rather than the insured proving that it is. The
blanket limit concept in a property policy allows coverage limits to extend over several buildings or
locations and can include property that may move from one location to another. Another important
feature to consider is to purchase property insurance written on a replacement cost basis so that losses
will be fully covered rather than reimbursed on an actual cash value basis. Property insurance may have
co-insurance requirements that require the organization to carry insurance equal to a percentage (such
as 90%) of the value of the property insured. Property insurance could be written on an agreed value
basis, where the insurer and insured agree on the value to be paid for a loss in an annual statement of
values. There are a number of common extensions of property insurance, such as automatic coverage
for new entities or locations, errors and omissions, service interruption/utility interruption, debris
removal, transit, accounts receivable (sums that become uncollectible), EDP (electronic data processing),
valuable papers, and contingent business interruption. Earth movement (earthquake), flood, and wind
damage coverage may be particularly important depending on the entity's location and may require
negotiation and/or additional premium, or may actually require the purchase of separate coverage.

Time Element Coverages (Business Interruption/Extra Expense)

Time element coverage is probably the most misunderstood coverage, and time element losses are
certainly the hardest claims to negotiate. Business interruption and extra expense coverage replace lost
earnings in an amount needed to cover an organizations continuing expenses and lost profits, where
the lost earnings arise from a covered event such as a fire or natural disaster. Continuing expenses
include: debt service, payroll for key personnel, insurance, contractual obligations, advertising, and
publicity. Business interruption insurance also may apply to managed care contracts.

Workers Compensation

Workers compensation provides virtually unlimited medical benefits to victims of workplace
accidents or illnesses. It also replaces a portion of the employee's lost wages, known as time loss.
Workers compensation pays whatever benefits are prescribed by the applicable state statute (Part A
coverage). Employers liability protects employers from suits brought by injured employees to recover
money damages separate and distinct from claims for workers compensation benefits (Part B). Each
state's division of workers compensation governs workers compensation. There are a number of what
are referred to as monopolistic states (e.g., West Virginia, Puerto Rico, Washington, and Ohio) which
require coverage to be purchased from a state managed fund but allow in some cases for employers to


Self Insurance

Self insurance is a risk management technique in which a calculated amount of money is set aside
to compensate for a potential future loss. If self insurance is approached seriously, money is set aside
using actuarial information and the law of large numbers so that the monies set aside (similar to an
insurance premium) are enough to cover the future uncertain loss. It is the funding of potential losses
that distinguishes being self insured from being uninsured.
Self insurance is possible for any risk that is predictable and measurable enough in the aggregate
to be able to estimate the amount that needs to be set aside to pay for future uncertain losses. For a risk
to be insurable, it must represent a future, uncertain event over which the insured has no control. In
addition, it must be possible to rate or price the risk. If the insurable event is one in a large number
of similar risks, the aggregate risk can be estimated according to the law of large numbers and the
probability of that event occurring in the future so that it can be quantified. Normally, catastrophic
risks such as earthquakes are not self insured as they are highly unpredictable and high in loss-value.
However, if the commercial market does not provide appropriate coverage at reasonable cost, it is not
uncommon for an organization to self insure a part of the risk.
The concept of self insurance is that by retaining certain risks and paying the resulting claims or
losses from designated funds, the overall process is cheaper than buying commercial insurance.

Underlying Principles

There are a number of principles underlying the concept of self insurance:

1. Do not risk a lot to save a little.
2. Self insure the predictable layer of loss. Risk transfer the unpredictable or catastrophic layers
of loss.
3. Understand the institution's risk-taking philosophy or risk appetite. Define clearly the risks
the institution is willing to take vs. what it can afford to take.
4. Have sound and effective risk management systems in place:
a. risk identification, reporting, and communications (RMIS);
b. loss control;
c. claim handling and defense;
d. physicians vested in the process; and
e. control over most or all program elements.
5. Ensure the support of senior management and ensure the board of directors will be involved
and committed.
6. Make a long-term commitment and keep a long-term perspective.
7. Adopt prudent and conservative funding.
8. Remember that self insurance is not the cure-all for poor loss experience.



Methods of Implementation

There are several methods of implementing self insurance programs:

1. Large deductibles or self insured retentions (see previous discussion).
2. Retrospectively rated programs. The premium is determined or finalized based on losses
incurred during the policy year or term. Minimum and maximum premiums may apply and
there may be collateral requirements.
3. Quota share arrangements. These programs require that the insured share in a predetermined
portion of the loss with the insurer over a primary layer of coverage.
4. Trusts (see previous discussion).
5. Captive insurance companies are closely held insurance companies whose insurance business
is primarily supplied and controlled by its owners and in which the original insureds are the
principal beneficiaries. Captives can be organized as follows:
a. Ownership: single owner, multiple owners (association, industrial insured, mutual, and/or
risk retention group), stock/mutual (assessable or non-assessable).
b. Domicile: onshore (in the United States) or offshore (not in the United States).
c. Structure: direct or reinsurance; mono-line (e.g., professional and general liability
insurance only) or multi-line; fronted (by a commercial carrier); primary or excess; and
d. Type of business: only the insured's risks, or also including third parties; also what lines
of coverage will be included.

Captives vs. Trusts

Generally, a captive program needs to be considered as an alternative to a trust because a trust
fund is a less flexible vehicle for accommodating risk management and financing needs for the future.
Whenever an organization is considering self insurance, there are a number of preliminary steps that
need to be taken. First, an organization has to understand its risk bearing capacity, which will involve a
formalized review of the institution's financial statements and an understanding of the organization's
appetite for risk, and then have an actuarial study done of its losses. In addition, the organization needs
to identify and compare various program costs and develop an internal allocation methodology. In
addition to this quantitative analysis, a qualitative analysis should be done. This involves a comparison
of coverage terms and conditions, the flexibility to accommodate for-profit vs. not-for-profit entities,
third party business, multiple lines of coverage/integrated programs, future programs, the level of
control over claims, defense, and settlement, and the internal resources to manage the program,
specifically the sophistication of the risk management program. Exhibits 1 and 2 compare some key
issues, including costs.
Finally, other program cost components and considerations include the following: the financial
security requirements (letter of credit or capitalization); cost of handling claims and risk management/
loss control programs; cost of risk management information systems; policy administration costs; the
cost of consultants (actuarial, legal, brokerage, program management, and investment advisors); taxes
(state, federal income tax, domicile, excise); Medicare reimbursement guidelines; internal management
time; travel and meetings; and finally education. Tax issues will depend on the for-profit or tax-exempt
status of the owner and the domicile selection and include deductibility of premium, controlled foreign
corporation status, passive foreign investment company status, withholding tax issues, federal excise
tax, state premium taxes, engaging in a U.S. trade or business for federal income tax purposes, and
branch profits taxes.


An organization that has adopted an enterprise risk management focus must first identify
its loss exposures and then treat such exposures through control, finance, and/or transfer.
Using an exposure analysis tool allows a thorough review of possible exposures. Healthcare
entities face very few risks that risk management (risk finance, loss prevention, and claims
management) cannot control. Thorough risk analysis is necessary: understanding plant and
equipment, operations, human resources, and business relationships is critical.
Healthcare lawyers need to understand the risk tolerance of an organization. It is this, sometimes intangible, aspect of an organization that will determine in large part how risk is treated.
An organization that has a well-informed governance structure, solid senior management,
and skilled risk management expertise (whether internal or external) will be far more likely to
use alternative risk financing mechanisms than an organization that is lacking in one or more
of these critical components.
Insurance agents, brokers, consultants, actuaries, investment managers, captive managers, and others can provide a needed measure of external expertise. However, the selection
process is critical. It is important to obtain background information on the experience and
expertise of such external resources, compare and contrast their strengths and weaknesses,
and obtain references.
Since significant healthcare exposures such as medical professional liability are more likely
subject to claims-made coverage, it is critical to understand retroactive dates and the nuances
of tail coverage under an extended reporting endorsement. It is also important to understand
the limits of coverage and how deductibles and/or retentions serve to increase or decrease
limits. Likewise, whether defense costs are inside or outside the limit can have a significant
impact on the dollars available to pay claims and premium costs.
The interpretation of an insurance policy is dependent upon careful reading and understanding
of its essential parts: the declarations, the insuring agreement, the exclusions, the conditions, the
definitions, and the endorsements, and how they interact. Of particular significance are the definitions
of the insured or named insured, additional insured, and additional named insured.
There is a commercial insurance policy for almost every exposure. Captive insurance companies, whether single-owner or group-owned, issue policies of coverage similar to commercial
policies. Understanding the scope of coverage as well as the significant exclusions can aid
in evaluating an organizations risk financing program. Likewise, if a self-insurance trust is
used, the trust document contains important coverage information.


While an organizations focus is generally on claims filed by third parties, understanding
coverage issues can prevent the unfortunate situation of a healthcare organization filing a
claim against its own.
Using various tools such as a schedule of insurance, an annual report on the Best's Rating of the
healthcare organization's commercial carriers, and quarterly claims reports will enable the healthcare
attorney to monitor to some extent the effectiveness of the risk-financing program.


When all is said and done, from an enterprise risk management perspective, it is most important
to evaluate the effectiveness of the risk-financing program selected. This can be done internally or
externally. That is, an organization can establish its own benchmarks and track them over time, e.g.,
losses per occupied bed or per admission, or losses per $100 of payroll. Alternatively, an organization
can use external cost of risk surveys, specific studies, or research papers. Whatever measure is used,
the point is that evaluation is a necessary component of a comprehensive enterprise risk management
programs risk-financing component.





Exhibit 1

Captives vs. Trusts: Comparison of Key Issues

Structure and Reporting
  Captive: Separate corporate entity. Must comply with reporting requirements of the IRS, domicile
  regulations, etc.
  Trust: Simply a funding mechanism operated by a trustee. Minimal reporting, if any.

Third Party Business
  Captive: Can accommodate directly or through a fronting arrangement.
  Trust: Typically cannot accommodate this business, as it would be subject to state insurance
  regulations.

Lines of Coverage
  Captive: Can accommodate most lines.
  Trust: Very limited, as subject to state regulations.

For-Profit Subsidiaries
  Captive: Can accommodate.
  Trust: Inclusion could jeopardize tax-exempt status.

Reinsurance Markets
  Captive: Greater flexibility to access.
  Trust: Cannot access directly.

(row label not recoverable from the source)
  Captive: Less restrictive.
  Trust: More restrictive.

Repatriation of Funds to Risk Management Program
  Captive: Yes, through dividends or loans.
  Trust: More difficult.

Flexibility to Accommodate Changing Health Care
  Captive: Perceived as formalized and highly structured.
  Trust: Perceived as formalized and structured, but to a lesser degree.

Use of Surplus
  Captive: Greater flexibility to use for other [...]
  Trust: Less flexible.

Ease of Development and [...]
  Captive: Complex. Requires the services of professionals such as actuaries, accountants, attorneys,
  insurance and risk management professionals, etc.
  Trust: Less complex and considered easy to develop, implement, and manage.




Exhibit 2

Captives vs. Trusts: Cost Comparison

Only one column of cell entries survived extraction; the other column could not be recovered.
The surviving entries are listed against the row labels in the order in which they appear in the
source, with rows whose entry did not survive marked as such.

Mandatory Surplus: Typically not required
Start-up Costs: Generally none
Captive Management/Trustee Fees: (entry not recoverable)
Domicile Fees and Taxes: (entry not recoverable)
Federal Income Taxes: Yes, but can be exempt for not-for-profits
Excise Taxes: Yes, but can be exempt
Letter of Credit: Tied to capitalization and/or required for fronting arrangements
Travel and Domicile: (entry not recoverable)
Legal Fees: Typically none
Actuarial and Audits: Generally not applicable


Claims Management: A Tool for Enterprise Risk Management

Mary S. Schaefer, RN, M.Ed, ARM, JD
Corporate Director of Risk Management, Covenant Health Systems, Inc.


Most health lawyers are familiar with the basics of claims management but may not understand
how a cutting-edge claims management program can support an organization's movement to enterprise
risk management. Each element of effective claims management protects a healthcare organization's
reputation and financial assets. Further, while the majority of claims impacting a healthcare organization
arise from medical professional and general liability, the claims management program described
below is applicable to all disputes arising from the enterprise's activities.

Elements of an Effective Claims Management Program

- identifying and reporting potentially compensable events;
- conducting timely investigations of those events;
- providing an effective administrative process to monitor the life-span of a case;
- selecting effective counsel who can support the organization's strategy;
- selecting credible experts;
- establishing sound reserving policies;
- providing a principled system that resolves disputes fairly;
- managing the complexities of pre-trial preparation and discovery; and
- defending appropriate cases in court.

Implementing a System to Identify and Report Disputes

A robust mechanism to report and review all potential disputes or events is a key component of
any ERM program. One subset of these events is potentially compensable events: events involving a
serious patient injury that may generate a claim for monetary damages. Other reportable events may
include those that don't cause serious injury but which carry significant reputation or regulatory
significance, such as discharging an infant for a short time to the wrong family. Timely reporting of these
events is critical to all claims management programs, as it permits thorough investigation before the
event has public or legal consequences. The investigation supports the eventual defense of the claim[1]
but also allows the organization to control communication about the event and supports timely process improvements to prevent similar events. Staff cooperation in reporting requires not only a good
working relationship between the manager who will handle the issue (often the risk manager) and
the hospital staff but also a wide-spread institutional culture that promotes reporting as an important
component of process improvement and loss control.

Reporting Adverse Events

Most risk management programs have reporting mechanisms in place, including computerized
event reporting, which allow the institutional risk manager to review and evaluate all patient-care
related events reported by staff. Larger health systems may also employ a corporate director of risk
management who is responsible for overseeing the entire risk management program. In that case, the
hospital risk manager will also submit a notice of significant events to the corporate office. Organizations should also determine who can receive reports of other claims or disputes, such as a medical staff
or contracting issue, and manage those. Leaving dispute management to individual departments can
create risk due to their failure to manage the conflict effectively.
Criteria for reporting events should be clear and disseminated to all healthcare providers and staff.
In developing the criteria, the institution should consider all relevant outside reporting programs, such
as those based on the National Quality Forum's Serious Reportable Events (Never Events).[2] Other
red-flag warnings of an impending claim should be included in the reporting system:
1. Any threats of legal action by a patient or family member and any request for medical records
by an attorney.
2. Quality Improvement data collected within an organization from generic screening criteria
and other medical staff sources.
3. Complaints to the billing office about medical care.
4. Complaints voiced to volunteer services or patient advocates.
5. Escalating tension in physician relationships.
6. Product failures.

Protection of Peer Review Documents from Disclosure

Peer review and quality improvement programs can identify reportable events and reduce many
risks for healthcare organizations, but they also generate data and documents that plaintiffs, the press
or regulators can use to the detriment of the entity. Because statutory protection of peer review and
quality improvement documents varies by state, incident or adverse event reports need to be maintained
according to the governing state protective statutes. Some statutes extend protection to information and records
[1] For brevity's sake, this chapter will refer to claims but may also encompass the management of adverse
publicity or regulatory concerns. Many of the suggestions could also apply to conflicts in which the healthcare
organization is the aggrieved party, such as contract disputes or construction cases.
[2] National Quality Forum, Serious Reportable Events in Healthcare 2006 Update, A Consensus Report, 2007.


Enterprise Risk Management for Healthcare Entities, First Edition

Claims Management: A Tool for Enterprise RiskManagement

produced by risk management and quality assurance programs, including incident reports, if the document exists primarily to improve the quality of care.3 Healthcare organizations need to develop strict
policies and procedures that reflect the constraints of the applicable peer review statutes as interpreted
by relevant courts. The following steps may help to maximize full protection from legal discovery:
Stamp quality improvement documentsthose generated to improve quality of careasconfidential and prepared at the request of peer review or quality assurance committee.
Develop clear protocols governing access to peer review material and use it only for peer
Include on the documents the healthcare entitys by-law provision that recognizes confidentiality of peer review activities and prohibits unauthorized disclosure of peer review
Some courts have held that incident reports are discoverable if there is a showing of need and
undue hardship by an opposing party requesting the document.4 In addition, some state peer review
statutes only protect documents generated by a peer review committee and not the reports submitted
independently to the committee.5
Institutions applying an enterprise risk approach will evaluate the risks of disclosure against
all the potential benefits of strong peer review and process improvement programs. In some situations, disclosure
may bring the most benefit to the organization, as when hospitals publicly disclose significant errors.
However, in those situations the organization must protect the confidentiality of patients and other

Documentation Surrounding an Adverse Event

Whenever a significant risk event occurs, documentation is critical. It often forms the centerpiece
for litigation and for dealing with regulatory concerns. The organization must educate all staff to
record only objective and factual accounts as soon as possible after the event. Documentation prepared
outside of the time immediately after events take place may appear self-serving and may actually compromise the healthcare organization. Reports should include only pertinent facts about the event. Staff
should reserve opinions about events or actions for protected conversations and records, such as an
attorney investigation or quality assurance meeting. For example, a nurse who records in an incident
report or in the medical record that the patient fell because of a delay in answering a call light could
harm the defense of the resulting claim. Her conclusion about the cause is an opinion which may not
reflect what actually occurred. A quality follow-up investigation might reveal, for example, that
the patient contributed to his own fall by refusing to use the call light as instructed.
Business records such as medical records should never refer to a confidential investigation or
document. Such references disclose the existence of confidential information, and they arguably
incorporate the confidential documents into the non-confidential source, making it discoverable. For
example, a medical record entry that refers to an incident report (e.g., "patient condition assessed with
results per incident report") could potentially result in a finding that the report had thus become part
of the medical record, which is discoverable. Relevant factual information in the confidential material
(for example, physical assessments or reviews of physical conditions) should be reproduced in the
discoverable documents, such as the medical record, so there is no need for cross-reference.

Lucinda Glinn, Navigating Provider Protections for Quality of Care Reports: From Peer Review Statutes to Common
Law Privileges, Hospitals and Health Systems Practice Group 9, AHLA, Spring 2007, at 16.
Mary Frances Grabowski and Paul Sanders, Shielding Documents From Prying Eyes, at 45, AHLA, Long Term Care
and The Law, February 23, 2005, Coronado, CA.

Medical Device Issues

Medical device injuries can be caused by simple devices such as defective syringes or heating pads
as well as by complex equipment, including pace-makers, surgical tools, or kidney dialysis machines.
Recently, medical devices have also generated interest because of potential fraud in efforts to market them.
Other risk issues surround recalls by the manufacturer.
Whenever an equipment or device-related injury occurs (including property or financial losses,
for example, if an autoclave explodes), the item, its packaging, and all related disposables should be
preserved for safe keeping. The equipment should not be returned to the manufacturer. The unaltered
equipment must be independently evaluated with guidance by counsel. If the manufacturer insists on
inspecting the equipment, counsel should be involved in designing that process, and the device should
not leave the custody of the healthcare organization. If a device causes death or serious injury, the
federal Safe Medical Devices Act of 1990 requires that hospitals and nursing homes file reports
with the Food and Drug Administration and/or the device manufacturer, if known.

General Liability Events

A general liability incident involves accidents, injuries, property loss, or damage that occur on
an entity's property or as a result of the general negligence of its agents or employees elsewhere.
Examples include visitor falls, theft of patient personal property, or property damage to third parties. One must carefully distinguish general liability events from professional liability, as the legal
consequences often differ. Tort reform provisions or a different statute of limitations might apply to a
general liability claim, and a different insurance program may cover it. The two can be hard to
distinguish when an injury occurs in a healthcare setting. For example, a fall in a patient room is
generally considered a professional liability event if the patient falls, but a general liability event if a visitor is
injured. Automobile claims, in which an employee causes an accident, are a subset of general liability
that often carries a third set of insurance considerations.7
Like any injury, general liability situations require prompt and thorough investigation, including
a physical inspection of the area and interviews of the victim and any witnesses. Staff completing an
incident report should be instructed to include information on whether warning signs were posted
(e.g., if the floor was wet or waxed prior to a fall). Photographs should be taken, if relevant, before any
repairs are completed. Obtain the names, addresses, and phone numbers of any witnesses.

PL 101-629, Safe Medical Devices Act of 1990. Some events, primarily those causing death, must be reported to the
FDA; others only to the manufacturer.
Chapter 3 contains a more detailed discussion of insurance issues.

Directors and Officers Liability

Directors and officers exercise governance functions within a healthcare entity, including oversight of institutional policies, implementation of entity strategies, and obedience to the organization's
mission. In that role, directors and officers (and sometimes the healthcare entity itself) may be liable
for violations of law or injuries arising from employment decisions, medical staff credentialing and
privileging processes, and corporate financial transactions. Relevant statutes and regulations include
anti-discrimination laws, the Stark laws, anti-kickback laws, the False Claims Act, and antitrust
provisions.8 Strong risk management programs in those substantive areas will reduce the risk of claims
against the directors and officers. Other departments such as Internal Audit and Human Resources may
also be involved in those loss prevention efforts.

Timely Investigations of Potentially Compensable Events and Claims

Whatever the basis for a dispute (general liability, professional medical liability, employment
practices, antitrust, contract), a claim should be handled as a claim. Claim investigations should not
be confused with a hospital's internal quality or compliance review, but should be conducted separately. Early event investigations are critical to claims management in order to capture the statements
of all important witnesses and to identify and protect relevant documents. As memories fade with
time, salient details about an event or claim can be lost, and this can affect the future defense of a case.
The earlier an investigation is launched into a potential claim, the less likely key evidence such as
x-rays, medical equipment, medical records, or business documents will get lost or thrown away.
An early investigation also allows the healthcare organization to understand any underlying contractual or process problems that led to the claim or dispute and to address those issues at the earliest
possible time.
Employees who are involved in an adverse event or claim should be advised not to discuss any
details of the case with colleagues or other treating clinicians. Such casual conversations could be
subject to discovery or used as evidence. Discussions about an event or claim should only take place
within the institutional peer review process or with assigned claim staff and defense counsel. Business
disputes, including medical staff issues, also deserve extreme caution regarding communication and
documentation processes.
Cooperation of the organization's employees with the assigned claim representative, defense
counsel, or other designated agent, and assistance in the internal investigation of adverse incidents,
are critical. The risk manager or involved department manager can help to identify all involved personnel. The event file should include the current name, address, and telephone number of each person
with information or who is likely to be drawn into the matter by other parties. It is also useful to
include their department or work location, and to note whether the individual is full-time, part-time,
or contractual. All documentation regarding the investigation of a potential lawsuit is confidential and
privileged if handled by appropriate personnel under state law.

The American Health Lawyers Association has a number of resources available for further study of the substantive law
and loss prevention in these areas. Several of the chapters in this Handbook also address these issues in more detail.

Individual interviews give each person a chance to share his or her own knowledge of the event,
avoiding the groupthink that comes from interviewing several people together. Often,
employees are nervous about meeting with claim representatives or lawyers, and it can be helpful to
have a designated individual, often the risk manager, present to reassure them.

Tracking Claims, Events, and Disputes

Potential suits can first present through early reports of an event or a disagreement, or they may
first present as lawsuits. Since the lifespan of a case can extend over a period of three to four years,
healthcare institutions need an effective way to track and monitor all investigative reports, claim reports
from defense counsel, expert opinions, pleadings, and discovery in all open cases. Most claim professionals use a diary system to review recent developments and to track scheduled depositions, panel
hearings, and trial dates. Software systems can be very valuable in monitoring a number of cases.

Events or Disputes Without Claim Activity (Potentially Compensable Events)

A complete investigation should precede closing the file for any reported event, particularly if
the matter involves serious injury or presents the potential for significant loss or business disruption.
Without statements from all identified key witnesses and sequestration of key documents, it will be
much more difficult to defend the case later should the matter evolve into a claim or suit.

Claims and Suits

Matters that first arise as a claim or suit also require an immediate investigation, and they should
trigger prompt consideration of the best way to manage the conflict. If prompt settlement seems wise,
then departments or entities that will suffer financial impact must contribute to the development of a
strategy, as the settlement will affect their budget, and their staff will likely have to support the ongoing lawsuit if one occurs. If prompt resolution seems unwise or unlikely, then the organization will
need to begin preparations for a lawsuit.


Lawsuits generally bring long, expensive, and painful experiences for all involved. The risks from
a suit extend beyond the courtroom, and managing those risks requires activity well beyond counsel's
office or the courtroom.
1. Guidance to Individuals Named in a Lawsuit: A lawsuit is a frightening and stressful experience for most people. An effective claims management program needs to provide handholding
and guidance for the hospital employees or physicians named as defendants in a lawsuit. The
claims professional and defense counsel should offer the following constructive guidance
during the initial process:
a. Early cooperation with the assigned legal team is essential. Named parties should be
instructed to seek or take advice from assigned defense counsel. The full legal team will
comprise the assigned claim professional or in-house manager, the risk manager,
and experienced counsel. The team will work proactively in managing all aspects of the
lawsuit, including investigations, obtaining experts, and preparing the written interrogatories and depositions.
b. It is usually helpful to have a designated person within the organization who facilitates
contacts for outside counsel. Often this will be the risk manager or an in-house attorney.
This individual can help to assure thorough, consistent responses to discovery and can
dramatically reduce legal fees by doing initial legwork for outside counsel.
c. A physician defendant may be asked by defense counsel to gather all pertinent medical
records and discuss with counsel perceived weaknesses in the record or to highlight portions of the record that would support a defense.
d. Named defendants (and, ideally, key witnesses) should not discuss the case with coworkers, friends, or colleagues. Under no circumstances should a defendant commence
an independent investigation. Communications with assigned counsel are protected
under the attorney-client privilege, but there is no legal protection for information shared
with third parties.
e. Once counsel represents the opposing party, representatives of the healthcare organization should not contact the other party directly to discuss an event. While face-to-face
communication can still take place, contact should occur through the attorney.
f. Parties should have no written or oral communication with opposing counsel. Only
assigned counsel or the assigned claim representative should be involved with communications with the other party's attorney. In patient-injury situations, healthcare providers
often arrange for disclosure or early resolution discussions. Generally, the same rules
apply to those discussions, though it is appropriate for the attorneys to let the parties
talk to each other where feasible in these meetings.
g. Defendants must safeguard relevant documents and records to minimize the potential for
loss, destruction, or alteration of those records. Alteration of key records can make a case
indefensible. Anyone who falsifies a document or record will lose all credibility in front
of a jury. Alterations can be detected with ultraviolet light and high-resolution scanners.
h. Organizations should resist the temptation to give their side of the story to the media.
Only a trained, designated spokesperson should ever speak with the news media. Most
organizations have media policies that comply with the Health Insurance Portability
and Accountability Act (HIPAA) privacy regulations and state privacy laws. A trained
spokesperson can respond effectively to a range of different scenarios. The organization
and counsel should carefully consider the benefit of being the first to disclose harmful
information, which may allow them to control how it is presented.

Medical Professional Liability Screening Panels

Some states mandate hearings by medical professional liability panels or tribunals to screen out
cases lacking in merit. Panel rules and structure vary by state, as do the results of an adverse finding
by the panel. Usually, these panels will weigh the credibility of evidence against the defendant healthcare provider. In some state panels, only a unanimous finding is subsequently admissible at trial. The
organization's claim process should account for any special requirements that arise from the existence
of such a process in the relevant state.

Selection of Defense Counsel

Because insurance models have changed dramatically over the past several years, defense counsel
must be able to adapt to the needs of very different clients. Litigation philosophies can vary significantly among healthcare systems and even among traditional professional liability insurance carriers.
Some healthcare organizations settle disputes more frequently and forgo the expense of costly discovery and trial. Others take a more aggressive stance, preferring to take the majority of their cases
to trial. A one-size-fits-all mentality no longer applies to the needs of today's healthcare clients. It
behooves defense counsel, then, to understand the underlying values and beliefs of the healthcare
organizations they represent. And healthcare organizations need to select counsel with appropriate
aptitudes to support their preferences.
Professional liability carriers and healthcare systems have a pre-approved panel of defense counsel who are available to defend their insured physicians, hospitals, and employees. Generally, only
experienced attorneys who have built a solid track record as successful trial advocates are included in
these panels. Healthcare systems that include acute care and long-term care services need a cadre of
attorneys with expertise in both of these arenas. Defense counsel should work closely with the claims
professional, the hospital risk manager, and corporate risk management, if any, in managing the case.
Desirable criteria when selecting defense counsel include:
1. Attorneys who will try cases must be skillful and adept players in the courtroom.
2. In some cases, it might make more financial sense to recommend settlement when a case
turns, for example after the disappointing deposition of a named defendant.9 The ideal
defense counsel will identify cases that either bear undue risk or present good opportunities
for settlement early in the life of the case.10 Early resolution of cases not only saves the client
defense costs, but appropriate settlement recommendations instill trust and confidence in the
3. As disclosure of unanticipated outcomes and early resolution become more widely accepted
on both sides of professional liability cases, healthcare organizations might consider assigning some cases to attorneys who focus their practice on early resolution. Sometimes the
personality and skill set required for non-litigated resolutions differs from the gladiator
approach that can serve trial counsel so well. An interesting conceptual model that reflects
this approach can be found in collaborative law. Most often practiced in family law settings,
this form of divided representation can also benefit clients in some personal injury situations.11 Generally, the parties agree to each engage a collaborative attorney, whose only goal
is settlement of the case. If the parties cannot settle, then different attorneys represent them
for trial.

See www.collaborativelaw.com and www.twotracklawyers.com.

4. Counsel should adhere to litigation guidelines established by the healthcare organization
and/or its insurer. Most claim management programs strictly monitor and enforce these
guidelines, which cover reporting procedures, litigation strategy, and billing procedures.
They generally require initial evaluation reports and subsequent periodic claim status updates
until the matter is closed. Timely reports are critical to the claims-monitoring process because
they evaluate strengths, weaknesses, liability, and damages at every stage of the case. Insurance carriers and clients do not like to be blind-sided by unexpected news, especially news that a
once-winnable case has newfound weaknesses or that a case's value has tripled
just before the trial date.12
5. The litigation team consists of defense counsel, claim professional, and the hospital risk manager or other internal support person. Each of these parties has a distinct role but all share a
mutual goal of reaching the best possible outcome for the case.

Obtaining Experts

Medical professional liability claims, construction claims, antitrust claims, and many other disputes require support from experts. They can lend technical support to counsel during the case, as
well. The experts must have access to all relevant information. Following the expert review, the claim
management team should meet with the expert to discuss the expert's opinion and to assess whether
the expert would be a good candidate to testify at trial. Expert witnesses must be able to articulate
medical and technical concepts and standards clearly. They are often crucial to a determination about
whether or not to attempt early resolution of a dispute and, for that reason, all decision makers should
be involved in assessing the expert's qualifications and input.
Because the outcome of a jury trial depends as much on the expert's ability to connect with the
jury as it does on the actual facts, effective reserving will always consider the parties' strength in this
area. Though often expensive, strong experts have an incredible impact on the ultimate value of a

Establishing Sound Reserving Policies

A claim reserve is an estimate of how much a dispute will cost and represents money that is set aside
for the eventual possible payment of a claim and defense costs.13 If the healthcare organization is the
claimant, it must also account financially for the potential costs and recovery related to a case. A sound
reserving policy is critical to an effective claims management program. A claim management program
may establish reserves at any stage where an event seems likely to generate expenses or loss.

Robert Blasio, The Seven Best Practices of Highly Effective Medical Liability Defense Attorneys, www.westernlitigation.com/Litigation_Spotlight_6_06.asp.
Chapter 3 contains further discussion of risk financing alternatives which will affect the manner in which the reserves
impact the financial status of the organization.

Both under-reserving and over-reserving can have a deleterious effect on the financial well-being
of an organization. Under-reserving of claims, in which a company's potential liabilities are understated, can potentially contribute to a company's insolvency if other financial sources must be tapped
in order to pay for its claim obligations.14 On the other hand, over-reserving places too high a value on
claims and understates a company's financial strength. Overstating reserves affects financial reporting
and could invite tax audits resulting in penalties.15 Over-reserving can also tie up capital unnecessarily,
reducing the organization's ability to put its assets where they can have the most benefit.
Setting reserves for individual claims involves the application of subjective criteria based on the
potential loss exposure's value and probability.16 This task is usually assigned to the claims committee
or claims manager.
Reserves are also reviewed more globally by statistical or actuarial analysis, usually in order to
establish a funding level for captives or trust funds or to support proper financial accounting for other
potential losses. An actuarial analysis will also take into account claims that have been incurred (the
event has happened) but are not yet reported, referred to as IBNR exposures. Examples of IBNR
claims include cases in which the injury or loss may not yet be evident or any claim the potential
defendant does not know about. Experts calculate IBNR by looking at an organization's past experience and industry losses for similar organizations and then projecting likely claim frequency and
severity for past events. Since the IBNR figure represents future loss payments, loss reserves are set
aside for these claims.17 Actuaries also calculate the expected losses for future periods to determine
proper premiums or funding levels going forward.

Criteria Used to Establish Reserves

Criteria for setting reserves for future substantive loss payments (settlements or jury awards) and
estimated claim expenses for any dispute may include:
• type and severity of injury or loss;
• expert opinions;
• presence or absence of co-defendants and the amount of available insurance for all potential
• all parties' attorneys' skill and experience;
• venue or jurisdiction;
• usual philosophy and behavior of the judge;
• specific statutes such as strict liability, caps on damages or multiple damage awards;
• the parties' actual economic losses; and
• the parties' appearance, credibility and presentation.

Robert Prahl, Setting Realistic Reserves-Projecting the Company's Future Obligations, http://www.aaisonline.com/

Claim managers should review and amend reserves periodically, especially if something changes
in the factors driving potential claim outcomes. Realistic reserves will reflect the ultimate exposure for
loss and expenses as soon as those can be established and as the case evolves thereafter.

Reporting to Excess and Umbrella Insurance Carriers

Most organizations purchase excess and/or umbrella insurance policies to provide coverage in
high severity cases where the amount of loss exceeds the primary layer of insurance. These policies
also protect against a high aggregate total of losses. Excess coverage enables the insured to limit its
loss exposure over particular self-insured or primary insurance programs; umbrella coverage typically
provides coverage over a wider range of underlying programs. Both provide stability to an organization's financial position by protecting against volatility in losses.18
The insured has an obligation under the notice provisions of these policies to provide timely
notification of potential claims, asserted claims, and suits filed. To avoid a denial by the carrier, the
organization or claim manager must make sure the program satisfies all of its carriers' reporting requirements. Generally, excess and umbrella carriers require timely notice of only high exposure events and
claims that could potentially reach the excess layer. In the professional liability context, this would
include serious obstetrical injuries, unexpected deaths, and severe neurological injuries. Coverage
triggered by aggregate losses may also require reporting on the total reserves and losses on all claims.
It is also important to apprise the excess carrier of all significant claim developments; some excess
carriers require defense counsel to copy them on all important correspondence and reports. The excess
carrier may conduct an onsite audit of the insured's processes to confirm that they generate adequate
investigations or proper reserves. In addition, the excess carrier may review the insured's loss control
plan and its ability to mitigate future losses.

Fair Resolution of Claims and Suits

Settlement of a claim or lawsuit is contingent on several factors. First, the decision should rest
on the principle of fairness to all parties. Disputes identified for settlement should always be resolved
as quickly as possible. The organization needs to balance the potential savings generated by a quick
settlement against the potential public impression that it fears publicity or litigation, a perception
that will encourage more claims. A strong program will consistently strive for fair settlements where
appropriate but avoid overpaying or last minute settlements, which can suggest a fear of litigation.
When insurers, either captive or commercial, refuse to settle cases in the face of a reasonable
demand, they risk liability for bad faith refusal to pay. Under many state statutes, a bad faith finding
will allow punitive damages or a statutory multiple of actual damages.

See Chapter 3 for further discussion of commercial risk financing opportunities for high-level exposure.

Alternative Dispute Resolution (ADR)

Once a party decides to settle a dispute, settlement may require only a simple negotiation process
between the parties and their counsel. But some cases may require the assistance of alternative dispute
resolution (ADR) processes. ADR has growing support as an alternative to jury trials for resolving
healthcare-oriented disputes. There are major benefits to both sides in using ADR. The proceedings are
private and confidential, ADR can reduce legal costs, and cases are often resolved more quickly. The
absence of a jury can also reduce the potential volatility of outcomes.
The most common forms of ADR include mediation and arbitration. Both utilize a neutral third
party, often retired judges and attorneys who receive special training. Any party to the dispute may
initiate an ADR process.
1. Mediation: In mediation, one or more selected neutrals will facilitate a negotiated settlement. Mediation allows the parties to disclose facts and discuss the case in a confidential and
safe environment. Often, mediation offers the parties their first chance to discuss issues face-to-face.
Mediation does not result in a finding; if the parties are unable to agree on a resolution, the
claim or suit will continue.
2. Arbitration: Arbitration is an adjudication in which the parties select a trained individual
to decide their case in a private process.19 Arbitration works well in complex cases or where
the inflammatory nature of the case argues against a public trial. The parties in dispute voluntarily enter into a written contract to arbitrate. Although less formal than a trial, it results
in an enforceable final decision and is usually not subject to an appeal on the merits, only
for a failure of the arbitrator to follow the selected procedures. Parties to any agreement can
voluntarily require that resulting disputes will be resolved through arbitration. Benefits of this
approach include reduced legal costs, a speedier resolution to disputes, avoiding run-away
jury awards, and preserving the parties' reputations by maintaining confidentiality.
Some healthcare providers and insurers encourage or require patients and clients to sign binding
arbitration clauses. This can raise a number of legal issues in different settings, especially if the facts
raise doubts about the voluntary nature of both parties' agreement to arbitrate.20

Special Considerations Regarding Settlements and Indemnity Payments

1. Early Offers of Settlement: The early investigation and assessment of any dispute may lead
to consideration of prompt, early resolution. In professional liability situations, early offers
and settlements not only help manage defense costs but also provide resources that allow the injured
party to manage expenses, especially for serious injuries. The parties also benefit by avoiding adverse publicity. Evaluations of early offer programs in professional liability settings
have demonstrated benefits to the patients, who receive compensation earlier.21 Though mostly
developed in the professional liability setting, the early resolution process can offer the same
advantages in other contexts.
19 Id. at 7.
20 Many of the decisions regarding arbitration clauses arise in health insurance and long-term care agreements. The American Health Lawyers Association has a number of resources on both of those issues.
21 Joni Hersch et al., Evaluation of Early Offer Reform of Medical Malpractice Claims: Final Report, U.S. Department
of Health and Human Services, June 2006.

Enterprise Risk Management for Healthcare Entities, First Edition

Claims Management: A Tool for Enterprise Risk Management

2. Hold Harmless and Indemnity Clauses in Contracts: To minimize the inadvertent assumption of another party's liability risk, hold harmless and indemnity clauses should be included
in all contracts with vendors, contractors, and subcontractors. Though technically a contracting tool and not a claim management tool, these clauses can have a tremendous impact on
the claim management process. They offer the most protection to parties defending vicarious
liability claims, which assert liability only for the negligent acts of another. Generally, the
indemnified party can be reimbursed for all costs incurred as a result of the claim, including
costs of judgments, settlements, and legal fees.
3. Structured Settlements: Structured settlements offer benefits to both parties when they need
to create a predictable stream of payments; they offer a secure and often tax-free income
stream. Where the plaintiff may lack experience in managing large funds or where there
is any risk of mismanagement of settlement proceeds, structured settlements offer future

Structured settlements involve the purchase of an annuity contract, bonds, or another secure
investment vehicle to provide periodic payments for the life of the subject (usually the
plaintiff) or for a designated period of time.22 If the parties use an annuity contract, the
defendant buys a contract that pays benefits to the plaintiff or into a trust. If bonds or other
interest-bearing assets form the basis of the settlement, they are held in trust for the benefit of
the plaintiff. When a case involves a disputed life expectancy, as might occur with a severely
disabled child, the defendant can often purchase an annuity at a discount yet still provide
lifelong payments to provide for the plaintiff's needs.

4. Medicare and Medicaid Liens: The Government's Right to Recover: The Centers for
Medicare and Medicaid Services (CMS) added new reporting requirements under Section
111 of the Medicare, Medicaid, and SCHIP Extension Act of 2007. These reporting rules do
not eliminate any existing statutory provisions or regulations but are designed to ensure payment of all Medicare liens associated with medical payments in personal injury cases. CMS
now requires the reporting of any settlements, judgments, awards, or other payments made to
or on behalf of a Medicare beneficiary by liability insurers, including self-insurance, no-fault,
and workers' compensation.

Under the Medicare Secondary Payer Act, the Centers for Medicare Services may recover an
amount equal to the Medicare payment for injuries involved in the claim.23 Medicare need not
notify parties of the potential lien.

22 Paul Scott, Economic Issues: Analysis and Cross-Exam About Economic Evaluation: Present Value of Future Payments, Structured Settlements, Periodic Payments, and Annuities, DRI Medical Liability and Healthcare Law Seminar,
March 16, Phoenix, AZ, at 152.
23 42 CFR 411.24(c); see also Glenn E. Bradford and Melinda M. Ward, The Medicare Super Lien Revisited, 56 J. Mo. Bar
No. 1, 2000, accessed at http://www.mobar.org/journal/2000/janfeb/bradford.htm.


Individuals eligible for Medicaid assign their rights to third party payments to the state's
Medicaid agency.24 The U.S. Supreme Court has ruled that states cannot assert a lien that
exceeds the plaintiff's compensation for medical payments.25

5. National Practitioner Data Bank: Reporting Requirements: The Healthcare Quality
Improvement Act of 1986 created the National Practitioner Data Bank (NPDB). Among
other things, the Act requires insurers and self-insurers to report payment of any professional
liability claims on behalf of physicians, dentists, and other licensed health care practitioners.26
The Act affects claim management in several ways. First, the law only requires reports on
settlements following a written demand for payment. If the case settles before the claimant
ever submits a written demand, the settlement payer need not report it. Second, if the parties
enter a high-low settlement (an agreement that the plaintiff will receive at least a minimum
threshold amount but not more than a capped figure on the high end), the resulting payment
is not reportable if the jury returns a verdict in favor of the physician.

Pre-Trial Preparation and Discovery

Inadequate management of pre-trial discovery can generate its own risk for healthcare organizations. Incomplete or inaccurate information provided to litigation opponents often undermines the
most valid litigation strategies. The entity must provide appropriate resources for the review and production of information to the other side. By the same token, a party must diligently assess its own
position to avoid a very public and unnecessary embarrassment if its case goes badly. Several areas
deserve special discussion.

Electronic Data Discovery

New federal rules have highlighted this issue by stating clearly that all electronically stored information is subject to the same rules as other documents and things. Chapter 28 of this handbook
contains an in-depth discussion of the risk management issues created by the electronic storage of

Mock Trials and Focus Groups

Focus groups and mock trials can provide valuable information for the evaluation of a case. In a
focus group, participants hear a modified case presentation. A consultant then guides a group discussion, designed to expose the group's response to designated aspects of the case. Though focus group
participants differ from actual juries, they give attorneys an opportunity to test potential
themes for the case, to learn how best to prepare witnesses, and to obtain critical feedback on exhibits
or graphics designed for use in court.27 Online focus groups are less expensive and require less time
to achieve results.
24 Centers for Medicare and Medicaid Services, Third Party Liability, www.cms.hhs.gov/ThirdPartyLiability.
25 Arkansas Department of Health and Human Services, et al. v. Ahlborn, 126 S. Ct. 1752 (2006).
26 U.S. Department of Health and Human Services, Health Resources and Services Administration, National Practitioner
Data Bank, http://bhpr.hrsa.gov/dqa/.
27 Linda Crawford, Focus Groups: What They Can Do for You and What They Cannot, DRI Medical Liability and Healthcare Law Seminar, March 16, Phoenix, AZ, at 43.


Mock trials follow a formal mini-trial format; they cost more and take more time. Mock trials provide the most value in cases with high severity or complex issues, as they allow attorneys to observe
the interaction and group dynamics of the jurors. New technology allows moment-to-moment feedback on particular portions of the presentation.

Taking the Case to Trial: Issues and Strategies


Communicating Effectively to a Jury

Jury consultants have observed that many jurors walk away from professional liability trials confused.28 Lengthy trials and complex testimony in any case (not just professional liability) can contribute
to a jury's lack of understanding. This confusion can affect the outcome of a trial. To counter this
problem, defense counsel should use visual aids such as charts, graphs, x-rays, and physical models
that help clarify the case.29 Recently, computer technology has made it possible to present stunning
visual aids that promote understanding. Though expensive, these aids can be very convincing and enable the jury
to understand the organization's point of view clearly.30
A party's communication style before a jury can have a critical impact on the outcome of a case.
Time and resources invested in preparing key witnesses will generate tremendous benefits.
Jurors' emotional response to a case often drives jury awards. Juries with a high level of sympathy
for the plaintiff and high anger toward the defendant are more likely to award higher compensatory and
punitive damages.31 Often, large healthcare organizations find themselves litigating against injured
patients, terminated employees, physicians arguing that their career is ruined, or ancillary medical
providers who claim they were forced out of business. In any of those settings, counsel for either side
must acknowledge the potential importance of juror empathy and anger.

High-Low Agreements

A high-low agreement is a binding contract executed prior to trial by the insurer or self-insured
defendant and the plaintiff. It locks in upper and lower payment limits, which apply regardless of a
jury's eventual findings. These agreements can limit the defendant's or insurer's exposure in cases with
potential for a high verdict or for a jury verdict that could exceed the insured's policy limits. Plaintiff
attorneys also gain by ensuring that their clients will obtain the low amount even if the jury finds for
the defense.


From an enterprise risk management perspective, poor claim management practices and
decisions can have a damaging ripple effect across the entire healthcare organization. An
under-reserved high-severity case endangers the financial well-being of an organization and
can adversely affect its future performance. The failure to settle disputes efficiently raises
defense costs. Inappropriate aversion to trials may lead to panic settlements, making the
organization a target for claims. The publicity surrounding any suit can severely affect a
healthcare organization's reputation, including loss of trust and standing within the community. Internally, the stress of unresolved conflicts and lawsuits can adversely affect the job
performance and productivity of employees and medical staff. The time and energy devoted
to litigation affects all levels of an organization, from those who find and copy records to
executives and clinical staff who give depositions and trial testimony.

Linda S. Crawford, A Clear Look at Jury Confusion, Medical Malpractice Law and Strategy, October 1997, at 4.
Robert D. Minick and Dorothy K. Kagehiro, Anger Management in the Courtroom, 46 For the Defense 13, 2004.

Claims management models are changing as more healthcare entities choose to self-insure
and move away from traditional professional liability insurance companies. Insurance carriers
provide claims management, risk control, and underwriting in exchange for an annual premium. Although these services are valuable and comprehensive in scope, the carrier controls
claims services, limiting the healthcare entity's control and its ability to utilize a hands-on
approach to claims. Self-funded programs such as captives or other alternative risk financing
vehicles will often facilitate a proactive and creative approach to claims management while
possibly lowering insurance costs. A healthcare entity that manages its claims in-house or
through a claims administrator it employs will have more control over the day-to-day claim
operations and selection of defense counsel. Even the most straightforward insurance company does not share the exact needs and goals of the insured.
Reducing the cost of risk across the enterprise requires healthcare entities to place a heavy
emphasis on system-wide retrospection and reflection about disputes. How do all of the entitys operations contribute to generating the disputes, and how can the organization invest its
financial and human capital to reduce the risks highlighted by claims and suits? What wisdom
can past cases provide about the causes of disputes and missed opportunities to avoid them?
How can knowledge gained from lawsuits support ongoing patient safety efforts? The claim
portfolio can provide a rich supply of information on opportunities for improvement.
The claims system must remain flexible and adaptable to new methods and to changing community expectations, such as the current focus on error disclosure, especially as healthcare
entities move to a more patient-centered care model. Knowledge and understanding about
conflict management are evolving quickly, as are the realities of healthcare generally: what
worked well yesterday will not work tomorrow.


A full assessment of enterprise risks must include consideration of risks resulting from ineffective
claim practices that can be costly to an organization. Methodologies to evaluate and maximize the
effectiveness of a claims program should include internal assessments and external independent audits
to support needed improvement. Routine self-audits should review the effectiveness of counsel and the
outcomes of claim assessment and decision-making processes. Routine outside audits should evaluate
the performance of contracted third party claim administrators or in-house claims management, as
well as the adequacy of claim reserves. Most important, the organization must examine its own role
in losses and not blame juries, plaintiff attorneys or other outside parties or processes for a failure to
improve its claim results.


Contracts: An ERM Approach
Peggy Nakamura, RN, MBA, DFASHRM, CPHRM
Assistant Vice President, Chief Risk Officer, and Associate Counsel, Adventist Health


A comprehensive, well-defined, and multi-faceted contract review process is an integral part of
any enterprise risk management (ERM) program. While all attorneys have education in contract law,
in-house and outside counsel for healthcare organizations must operationalize this legal knowledge
in a unique fashion in order to be successful. Taking an ERM approach to establishing or refining a
contract review process can lead to greater success.
Every attorney knows that a well-written contract serves to confirm the understanding between the
parties and avoid future disagreements about terms, conditions, and definitions critical to the relationship. In an ERM environment, it is important to identify the nature of the contractual exposures facing
the healthcare entity and to offer suggestions for minimizing those exposures. But understanding the
roles and functions of key individuals in the organization beyond that of the CFO, CEO, or contracts
manager is also essential.
The purpose of this chapter is to integrate contract review elements with healthcare operations
while utilizing ERM processes and techniques.

Contract Review

To begin the process, an individual or department should be responsible for maintaining, and
revising as necessary, a current listing of all subsidiaries, affiliates, joint ventures, or other legal partnerships into which the organization has entered. The listing should identify the correct legal names
and incorporation dates, as well as the existence of any DBAs (doing business as names) and their basic legal
structure. Utilizing this list as a part of the review process is critical when ascertaining that the correct
legal name is used in the contract.
Associated with this important element is the identification of the proper signatory to the contract.
An effective loss control technique is to implement an enterprise-wide policy specifying who, by position or title, has signing authority and the applicable category or type of contract. Attachment 1 is a
sample policy, Contract Review, Execution and File Maintenance, that can be used for this purpose. In
addition, healthcare organizations often have what is referred to as a Table of Authorities which lists
signature authority by dollar amount/type of contract/position.
For instance, most significant contracts for construction, capital asset acquisitions, or joint venture
arrangements are authorized and approved by the organization's governing body and signed by the
CEO or CFO. However, in the interests of greater efficiency and organizational knowledge, should
other officers of the organization be authorized to sign contracts? Who can sign equipment purchasing
or leasing, maintenance and repair, clinical affiliation, or supplemental staffing contracts? An important distinction exists between those individuals in the organization who, by virtue of their role or job
function, are best suited to review and/or negotiate key terms and those who have signing authority on
behalf of the organization. To be effective, the contract policy should be approved by the governing
body and contain sufficient detail so as to be successfully implemented throughout the enterprise.
The ERM approach to contract review includes:
1. Bringing together a multi-disciplinary group of representatives from, at a minimum, clinical
staffing, patient financial services, materiel management, radiology, laboratory, home care,
compliance, information systems, physician relations, managed care, contract management, and
risk management. This group should identify the types and variety of contracts they encounter
in their respective roles and other departments or functions affected by the particular contract.
2. The group should prioritize with legal counsel the risks and benefits associated with standard
contract provisions, such as insurance requirements, indemnification provisions, financial
conditions, limitations of liability, warranties, and termination clauses.
3. An important but frequently overlooked aspect of limitation of liability provisions is the
disconnect between the value of the contract and the full liability potential being limited. For
example, the total value of a contract for security services and personnel might be $120,000
per year or $10,000 per month. If the maximum liability potential for the security vendor
is limited to no more than the prior 12 months' contract price, the entity purchasing the
security services may unknowingly become the deep pocket for any claims exceeding this
4. Preferred (best), acceptable, and deal-breaker language for the various contract provisions
should be developed with legal counsel. A checklist of important provisions to review should
accompany the preferred provisions.
5. Senior management and, ultimately, the governing board, should approve the lists and work
product of the group, contract language suggestions, and the policy detailing the review process and signature authority.
6. Attachment 2 is an example of a transmittal memorandum that can be used to convey the
status of the contract review among key individuals.

Contract File Management

Given the myriad of departments and individuals involved in contract review, it is essential to
have an efficient system for managing the renewal and review process and categorizing the type of
contract being considered and the individuals involved. A comprehensive contract-file management
system, whether manual or software driven, can facilitate the process and assure senior management
the review is timely and comprehensive.

There are essential elements to a successful system:
1. Group contracts into general categories, such as management services, home health, maintenance and repair, temporary staffing, consulting services, professional services, leases,
construction, purchase agreements, clinical affiliation, transfer agreements, physician-related,
managed care, and pending mergers or acquisitions.
2. Within each file, contracts should be listed by contracting party name, term, anniversary
date, affected departments, responsible department or individual reviewing/negotiating the
contract, and whether HIPAA Business Associate requirements apply.
3. The contract file should contain requested documentation regarding insurance coverages,
such as certificates of coverage and additional-insured endorsements.
4. A diary system should alert the responsible department or individual well in advance of
any anniversary renewal or termination date. Regardless of the manual or software contract
management system selected, at a minimum it should allow for adequate time to involve the
necessary parties in reviewing the terms of the existing contract and suggesting improvements in performance expectations.
5. The location of each category of contracts should also be included in the system description.
For instance, it is usually impractical to designate one individual or department as filing and
maintaining all original signed contracts for the organization. Instead, contracts should be
maintained in appropriate departments and reflected in the policy as to location.
6. From an ERM perspective, every contract should be reviewed by an individual knowledgeable about the organization's risk appetite and risk financing approach. Before the contract is
signed and added to the system, the appropriateness of the insurance requirements, indemnification, and any limitation of liability provisions must be reviewed and verified.
7. Any departments affected by the contract relationship should be listed in the system and
included in the renewal process.
8. Attachments 3, 4, 5, 6, and 7 are tools that can be used in the ERM environment to facilitate
timely and efficient contract review.

Critical Contract Provisions

While all distinct provisions are arguably of major importance to contract performance, in the
ERM environment certain areas require special attention. In particular, insurance requirements, indemnification/hold harmless provisions, and any limitations of liability are potential areas of increased risk
to the organization and may be undetected unless proper loss control measures are implemented.

Identifying the Parties

In the introductory clause of most contracts, the individuals and/or entities are identified. A common problem in boilerplate contracts is the failure to use the full name of the contracting individuals
or the legal name under which the entity is registered or incorporated in its home jurisdiction. Without
correction, this oversight can lead to significant problems in aligning insurance coverages and contract
requirements. The legal name and the covered entity/individual for insurance coverages must be the same
so as to avoid disputes in any subsequent claims or litigation involving the subject of the contract.
Insurance Requirements

From the organization's perspective, contracts requiring the organization to procure various types of
insurance must be aligned with the risk transfer or risk financing vehicle utilized for any particular risk.
For instance, an organization may choose to have a self-insurance program for professional and
general liability risks but select a commercial insurance policy (risk transfer) for property losses or
directors and officers liability. Why does this distinction matter?
In contract insurance requirements, typical language requires the organization to provide evidence
of an insurance policy with a rated or qualified insurance carrier in the state in which the contract will
be performed. A self-insured organization, regardless of how it funds the self-insurance vehicle, is not an
insurance company and is not governed by the state's insurance regulations. Therefore, any references
to commercial insurance policies must be modified to reflect programs of self-insurance whenever
applicable so as to avoid a material breach of the contract terms. The contract must accurately reflect
the type of risk financing vehicle used by the contracting parties for each required line of coverage.
Depending on the scope and type of contract, the required coverages might include:
general and professional liability;
workers' compensation;
automobile liability;
directors and officers liability.


Indemnification/Hold Harmless

Indemnification provisions are among the most challenging to understand for nonlawyers, and yet
they can result in severe financial consequences if the reviewing party does not understand the indemnitor's scope of responsibility and the reasonableness of the risk assumption. Indemnity provisions are
very prevalent in healthcare contracts and represent a contractual risk transfer worthy of attention.
Any manager or executive reviewing this method of risk transfer should have a basic understanding of
the legal framework underlying the indemnification provision and the liabilities assumed upon execution of the contract. Therefore, in-house counsel is well-advised to establish systems for additional
review of indemnification provisions before the contract is executed and whenever nonlawyers are a part
of the contract review process.
A few ERM-based considerations for in-house and outside counsel include:
Does the assumption of risk fit within the various commercial insurance or self-insurance
programs for the organization?
Does the commercial insurance policy or self-insurance document permit or allow liability
assumed by contract?
What is the risk appetite of the organization if coverage is not available or the limits of coverage are inadequate?

Contractual liability insurance is now a standard element in many commercial general liability
policies, and covers the most common type of indemnification provisions in commercial contracts: the
indemnitor indemnifies the indemnitee for bodily injury and property damage related to underlying
contract services. It is incumbent on the legal reviewer of the contract to integrate insurance coverages
and any state law considerations or restrictions in the review process.

Evidence of Insurance

As a practical matter, any contract imposing insurance requirements on the contracting parties
should also include a provision requiring the insured party to provide evidence that the insurance
(or self-insurance) coverage is in place. The required evidence might range from a simple certificate
of insurance to providing copies of the actual insurance policies (rarely done). Regardless, the policy
period, named insured party(ies), type of coverage, and policy limits should be apparent on the document and reviewed for compliance with contract insurance requirements.

Notice of Cancellation

In the event an insurer cancels the insurance policy during the term of the contract, a notice
of cancellation provision typically requires the insurer to provide advance notice of cancellation or
material change in coverage to the certificate holder (i.e., the healthcare entity). The insurers providing
certificates of coverage must agree to this notification provision in advance, and it should be reflected
on the certificate document. An example of a Notice of Cancellation provision is:
All certificates of coverage shall provide for 30 days' written notice to Healthcare Entity prior
to the cancellation or material change of any insurance referred to herein.

Limitation of Liability

A limitation of liability provision in healthcare is often found in architecture, construction, supplier, manufacturing, and software vendor contracts. Limiting the contracting party's ultimate liability
to a predetermined amount (often tied to contract price) essentially transfers the liability exposure
beyond that level to the organization.
From an ERM perspective, limitation of liability in lesser-value contracts can significantly impact
the risk assumption profile of the organization, often without detection. Particular attention should be
given whenever the limitation of liability provision affects errors and omissions, professional acts,
breach of contract, breach of security, personal injury, and property damage.

Waivers of Subrogation

Subrogation is the substitution of another person in the place of the original creditor, or party
entitled to the legal rights or claims. If the insured party has waived subrogation rights or released
the offending party prior to a loss (via contract), the insurer's (or self-insurer's) rights of subrogation
against the culpable party are eliminated.

In the healthcare environment, waivers of subrogation occur frequently in leases, construction
contracts, and contract services such as security, environmental and nutritional services, on-site equipment maintenance, and repair. Most often the waiver of subrogation relates to property damage or
workers' compensation situations.
Critical issues to consider are:
Will the commercial insurer, or self-insurance program, permit a waiver of subrogation rights?
Who is responsible to contact the appropriate parties and retain the documentation?
If the contract includes insurance costs as a part of the contractor's pricing, is it prudent for
the organization to waive subrogation rights in situations involving the contractor's insurer?


Specific Issues in Healthcare Contracts

There are a number of healthcare contracts that might not rise to the attention of legal counsel and
yet deserve thoughtful attention in an ERM environment.

Clinical Affiliations

Among specific considerations are:
Will the sponsoring educational institution provide coverage for the student's/resident's health
plan and professional liability? If not, does the student have personal health and professional
liability policies?
Which party (sponsoring educational institution or receiving organization) covers the workers'
compensation liability for the student/resident? If neither party covers this exposure, is
this clearly stated in the contract?
The structure and scope of student/resident supervision should be clearly specified. The receiving organization always retains administrative and clinical responsibility for any patient care
provided on its premises, and regular staff cannot be replaced by students/residents.
Students/residents are to abide by the organization's policies and procedures, and may be
removed from the facility at the organization's discretion for any misconduct.
The contract should specify whether the sponsoring institution is responsible for completing
the criminal background screening required by state or federal law.


Independent Contractors

Temporary or independent contractors present unique challenges because they often work in single departments as a result of close working relationships with department managers. As a result, the
performance expectations might be captured in an informal document or less-than-complete contract.
Obviously, this business relationship can pose additional risk to the organization if contract review
principles and processes are not applied to the situation.


Enterprise Risk Management for Healthcare Entities, First Edition

Contracts: An ERM Approach

Additional considerations are:

The organization should not assume responsibility for the contractor's negligence, property damage, personal injury, or compliance with laws, statutes, regulations, or accreditation requirements as they affect the contract services.

Responsibility for the safe handling and disposal of hazardous materials or medical waste
rests with the organization or individual producing such materials, unless noted in the contract to the contrary.

Performance expectations must be clear, objective, and quantifiable. Vague or general statements should be avoided.


Supplemental Staffing Agencies

One of the most critical contract elements involves the responsibility of the agency to ensure
the competency and qualifications of the staff it sends to the organization. The agency, at a minimum, should perform initial licensure or certification verification, criminal background checks, and
an applicable competency evaluation. In addition, the agency should provide adequate health, workers' compensation, and professional liability coverage for its employees, and indemnify the organization for its employees' negligent acts.

Equipment Purchases

In the ERM environment, it is important to consider:

What warranties does the vendor supply, how are the warranties negated, and how does this fit with the organization's insurance or self-insurance coverages?

Who, how, and where will the service and maintenance be provided?

Who in the organization can authorize equipment purchases and who monitors the purchase
and service or maintenance contracts?


Most significant contracts for construction, capital asset acquisitions, or joint venture arrangements are authorized and approved by the organization's governing body and signed by the
CEO or CFO. However, in the interests of greater efficiency and organizational knowledge,
should other officers of the organization be authorized to sign contracts? Who can sign equipment purchasing or leasing, maintenance and repair, clinical affiliation, or supplemental
staffing contracts? An important distinction exists between those individuals in the organization who, by virtue of their role or job function, are best suited to review and/or negotiate key
terms and those who have signing authority on behalf of the organization. To be effective,
the contract review policy should be approved by the governing body and contain sufficient
detail so as to be successfully implemented throughout the enterprise.


Healthcare lawyers should incorporate ERM principles in the contract review process. For
instance, middle and upper management in all departments of the organization are involved
at some level with contracts: relationships, maintenance, monitoring, negotiations, or review.
Involving key individuals in the process and educating staff about contract terms is an opportunity for healthcare attorneys to add value and contribute to an organization's success.

Major risk exposures exist in what might appear to be small or insignificant contracts. From
an ERM standpoint, the logical approach is to involve multiple disciplines, departments,
and involved individuals as a contract review process is developed and implemented in the



Healthcare contracts come in many shapes and sizes, with varying degrees of complexity, use of boilerplate language, and unnecessary legalese. The ERM approach can assist with a thoughtful and careful review of contract language by those individuals most involved in the subject matter, which leads to an enhanced identification of risk for the enterprise and a more appropriate assumption of risk. No one attorney or executive can manage the myriad contracts and contractual relationships without an infrastructure in place. Utilizing ERM concepts in the contracting process is one positive approach to creating such an infrastructure and minimizing the inadvertent assumption of risk.
Contractual Risk Transfer, Strategies for Contract Indemnity and Insurance Provisions, International Risk Management Institute, Inc., 2007.
Operations and Risk Management, Contract Review and Execution Policy CRE-1, AHLA's Guide to Healthcare Legal Forms, Agreements, and Policies, First Edition, American Health Lawyers Association, 2008.
Attachment 1. Policy: Contract Review, Execution and File Maintenance
Attachment 2. Contract Transmittal
Attachment 3. Annual Evaluation of Service Provided by Contract
Attachment 4. Contract Review Worksheet
Attachment 5. Components of Contract Review
Attachment 6. Contract Review and File Maintenance
Attachment 7. Healthcare Contracts: Key Issues



Attachment 1 Policy: Contract Review, Execution and File Maintenance

The process of contract review and contract maintenance is an organized, coordinated process
involving affected department managers, responsible directors, and system-wide executives. Contracts
are a necessary and important component of healthcare business relationships and require diligent and
thorough review prior to execution and filing.
1. Contract: An agreement between two or more persons (entities, organizations, corporations)
that creates an obligation to do or not to do a particular thing. A contract may also be titled:
agreement, lease, memorandum of understanding, letter agreement, and purchase order.
2. Corporate Compliance Program, Contract, and Approval Guidelines: Entity's policies and procedures regarding compliance with laws governing financial relationships and referrals between affiliates and physicians or other sources of patient referrals or other business.
1. All system-wide facilities.
1. It is the policy of this facility to comply with the Corporate Compliance Program Contract
and Approval Guidelines in their entirety.
2. It is the policy of this facility to commit to writing all lease, purchase, affiliation, professional
service, consulting, independent contractor, and vendor agreements with third parties and to
have responsible administrative personnel review critical terms and conditions before signing
by a corporate officer.
3. It is the policy of this facility to maintain all fully executed original contracts in a secure,
identified location.
1. The department manager or designated contract manager shall review the proposed contract
as supplied by the third party or discuss the critical provisions related to the particular type of
contractual relationship under consideration. All questionable or problematic areas shall be
highlighted. Any remaining questions shall be referred to legal counsel.
2. After the above issues have been resolved, the contract will be referred to the appropriate
corporate officer for signature.

3. As soon as the necessary signatures have been obtained from all contracting parties, a copy shall be retained in the affected department manager's files and the original sent to the designated office for the facility. Contracts shall be retained for the life of the contract plus six years.
4. The designated office will maintain, in a secure filing cabinet, a sequenced list of all contracts,
leases, and agreements. The list shall contain: the name of the contracting party, effective
date, expiration date, and category of contract.
5. Responsible department managers shall maintain a tickler file in order to review and renegotiate contracts at least 90 days prior to expiration. During the respective contract periods, key
issues and concerns should be referred to the responsible department manager for consideration during renegotiations.



Attachment 2 Contract Transmittal Memorandum

Administrative Member/Entity Officer
Contract Reviewer

The contract named above has been reviewed and requires:
Officer Signature:
Further Negotiation:
Additional Legal Input:
Certificates of Insurance:

Based upon this contract review, the following managers/departments should receive specific contract

c: Contract File
Contract Review



Attachment 3 Annual Evaluation of Service Provided by Contract
(Patient Care or Other Outsourced Service)

Insurance: The service has maintained and provided current information about coverage for the contract service and all providers under the service (Professional, General and Workers' Comp).
The service has provided and maintained current information on each provider:
    Curriculum Vitae/Resume
    Evidence of annual updates on OSHA requirement, infection control, etc.
    Other certificates required by position(s) are currently maintained. Please specify:
The contract service has maintained current, comprehensive, and appropriate policies and procedures that cover the full scope of services provided.
Information submitted by the contract service shows that the competency of all contract service providers has been evaluated and the basis upon which the evaluation was conducted.
Human Resources has verified that the performance evaluation exists.


The system meets Entity standards.
Provider-specific monitoring and evaluation results were included in the performance evaluation process.
Managers of units where contract services are provided contributed information that was used in the performance evaluation process.
* Contract service providers have received required education regarding bloodborne
** Contract service providers have received other annual education updates as appropriate to the services provided.
*** Contract service has provided information, as required by hospital's performance improvement program, in regard to quality control and quality improvement

* If appropriate, contract service providers may participate in Entity-provided annual updates, or education provided by the contract service will be reviewed by the Infection Control Practitioner to assure that Entity standards are met.
** If appropriate, information to be reviewed by the individual responsible for the Entity education program to assure that Entity standards are met and providers are given necessary education to perform their functions.
*** If appropriate, information to be provided by the individual who is responsible for oversight of performance improvement activities.


Contract to be renewed without changes.
Contract to be renewed with changes (see above).
Contract not to be renewed.

Forward to:
Reviewer's Signature:

Attachment 4 Contract Review Worksheet

Services to Be Provided:
Facility/Entity Departments Affected:
Terms: Contract Period:
Insurance Requirements:
Performance Description:
Outstanding Issues/Questions:
Corporate RM Review
Legal Opinion



Attachment 5 Components Of Contract Review






1. Are all of the parties to the contract identified and are the legal names used?
1. Can you identify the date the contract terms
go into effect and the date it is signed?
1. Is the length of the contract specified?
2. Does it renew automatically with mutual
party agreement?
1. Is the termination without cause?
2. Is it possible to cancel/terminate the contract
for failure to perform?
1. Are the insurance requirements written to
permit self-insurance programs?
2. Are the types of insurance applicable to the
business relationship?
a. Comprehensive General Liability
b. Professional Liability/E & O
c. Workers' Compensation
d. Property
e. Business Auto
f. Bonds
3. Does the contract require that the contracting party (contractor) provide insurance?
4. Are the types of insurance specified and, if so,
are the specified types appropriate to the contract services to be provided?
5. Are the required limits of insurance coverage
specified and, if so, are the limits appropriate
to the potential liability exposure?






6. Does the contract require that the contracting party provide evidence of insurance or
a certificate of insurance for each insurance
7. Does the contract require that the entity be
notified of material change or cancellation
of the contracting party's coverage?
8. Does the contract give the entity the right to
cancel the contract in the event of insufficient
or lack of appropriate insurance coverage as
9. Does the contract specify that the insurance
requirement will outlive the term of the
10. Is there an appropriate indemnification/
hold harmless clause based on which party
has control or ownership of the liability
1. Is the indemnification mutual?
2. Are the parties assuming liability for only
their own negligent acts?
1. Is there a full description of each party's obligations and responsibilities?
2. Are the financial arrangements understandable and reasonable?
1. Are all reference documents (amendments
or exhibits) attached?
1. Is the state in which the contract terms are
implemented or executed the governing law?
1. Are the names, signatures, and titles of the
parties represented on the signature page?



Attachment 6 Contract Review and File Maintenance

Type of Contract        Original to:        Duplicate to:
Business Associate
Corporate Compliance
Equipment Maintenance
Equipment Purchase
Independent Contractor
Managed Care
Professional Services
Service Agreements
Student Affiliation
Supplemental Staffing
Transfer Agreements


Attachment 7 Healthcare Contracts: Key Issues

Contract Type: Clinical Affiliations

1. Which organization (sponsoring educational institution or healthcare entity) covers the:
    workers' compensation;
    health plan;
    professional liability;
    required training in hazardous materials, blood borne pathogens, HIPAA?
2. Is the supervision of the student by the sponsoring institution clearly specified?
3. Which organization performs the background criminal screening on the student?
4. Students must abide by the organization's policies and procedures and can be immediately removed for violation of policy.

Contract Type: Independent Contractors

Which party assumes responsibility for:
    contractor's negligence;
    property damage;
    personal injury;
    compliance with laws, statutes, regulations or accreditation requirements?
Does the contractor assume responsibility for:
    professional and general liability;
    workers' compensation liability;
    health plan;
    federal- or state-mandated training (e.g., haz mat)?
Are performance
Do you understand when and how the contractor breaches the performance?


Contract Type: Equipment Purchases

1. If the contract includes warranties:
    What, when, and how do the warranties
    How are the warranties negated or affected?
    How do the warranties fit with the organization's self-insurance or insurance
2. How will maintenance or servicing of the equipment occur?
    When and how will the equipment be
    Does the organization pay for out-of-state
    Can the organization use internal or local resources for servicing
    Is the organization committed to a long-term service contract beyond the life of the
3. Who in the organization:
    Authorizes equipment purchases and servicing contracts?
    Maintains and monitors the contracts?


Contract Type: Supplemental Staffing

Does the agency:
    Ensure competency and qualifications of
    Perform criminal background screening?
    Ensure health status equivalent to organization's employee requirements?
    Provide workers' compensation and professional liability coverage for staff
    Indemnify organization for agency staff
    Train staff as required?
Can the organization:
    Remove the individual if a patient safety or other major policy/procedure violation
    Terminate the contract if the agency fails to
    Identify agency staff who should no longer be sent on assignment to the organization?


Financial Challenges
Richard L. Clarke, DHA, FHFMA
President and CEO, Healthcare Financial Management Association (HFMA)


A fundamental tenet of effective enterprise risk management (ERM) is to provide value for an organization's stakeholders (owners, investors, customers, employees, and communities) within an uncertain and changing environment and to deal effectively with potential future events that create that uncertainty. The importance of ERM was highlighted in May 2008 when one of the major credit rating agencies announced that it would enhance its rating process for nonfinancial companies through an ERM review.1
The aim of healthcare financial managers is to ensure resources are available that enable their
organizations to provide high-quality and safe healthcare services that are valued by their stakeholders
today and in the future. To provide this value, governing boards and management teams must understand the challenges and risks inherent in an uncertain and changing environment.
Financial management in this environment involves a strategic focus as healthcare organizations
experience increasing financial challenges. Examples of those more strategic functions include creating competitive strategy and helping link clinical and financial operations to improve volume, strategic
position, efficiency, payment, and clinical outcomes; a perfect fit with ERM processes.
In all of these activities, uncertainty and change are ever present. And with increasing uncertainty and change, ERM becomes more vital. In the finance risk domain, issues include payment system changes and compliance with Medicare/Medicaid regulations, diminished capital access because of unstable credit markets and a weakening economy, revenue risks from the need to serve a growing number of uninsured patients, and, for not-for-profit organizations, coping with ongoing challenges to tax-exempt status.

1. Standard & Poor's, Enterprise Risk Management: Standard & Poor's To Apply Enterprise Risk Analysis to Corporate Ratings, May 7, 2008.

The best way to understand the risks associated with healthcare finance is to review the key business challenges and drivers confronting healthcare organizations and to identify the risks inherent in each.2 Those challenges can be grouped into four areas familiar to business management:

volume;
cost;
pricing/payment; and
capital.

For hospitals, inpatient admissions and outpatient visits have been growing slowly, at a rate of less than 1% over the past five years. However, over that same time, the volume of nonhospital outpatient healthcare services has grown much more rapidly.
For example, while hospital inpatient surgery volume between 2001 and 2005 remained static,
total outpatient surgery volume (in hospital and nonhospital settings combined) grew 25%.3 Similarly, hospitals have been losing ground in the percentage of outpatient surgeries, with the percentage
performed in hospital-based facilities falling almost 10% compared with the percentage performed
in nonhospital facilities over the past five years.4 And although volumes for some primary care and
medical specialties have increased, payment rates have not kept pace with cost increases. In this case,
more volume does not increase profitability.
Many factors drive this shifting from inpatient to outpatient visits and from hospital to nonhospital venues. Poor economic conditions drive down elective and non-urgent services, population
changes impact volume, and competitive forces increasingly are a factor.
Competition is driven in part by a payment system that gives nonhospital providers a competitive
advantage in that they are able to focus on the most profitable services while hospitals face a higher
cost structure to support essential but unprofitable, mission-related services (such as burn units or
inpatient psychiatric units). The current payment system also attracts equity capital investors (including physicians) who see opportunities in the inequities of the current payment system. Competition is
particularly strong in services such as orthopedics and cardiology, and it is coming from physicians
and investor-owned companies, sometimes in partnership. Frequently, traditional hospitals are fighting for market share with imaging centers, surgicenters, ambulatory care centers, and urgent care centers; in short, facilities without beds.
Healthcare finance leaders surveyed by the Healthcare Financial Management Association (HFMA) cite physician integration as the most significant issue to affect hospital volume over the next several years. A related issue, the movement toward nonhospital treatment facilities, such as retail settings, ranked as the second most significant factor that will influence hospital volume. (See Exhibit 1.)

2. The information about healthcare business challenges is adapted from HFMA's Healthcare Finance Outlook: 2008-2013, Westchester, IL: Healthcare Financial Management Association, 2007.
3. Avalere Health analysis of Verispan's Diagnostic Imaging Center Profiling Solution, 2004, and American Hospital Association Annual Survey data for community hospitals, 1981-2004.
4. Verispan's Diagnostic Imaging Center Profiling Solution, 2004.

To enhance their volume, hospitals and physicians are seeking integration opportunities to align
incentives, enhance market share, and develop stronger negotiating positions. In some settings, this
integration is relatively loose, using directorships, stipends, management contracts, gainsharing, and
leasing to link hospitals and physicians. In other settings, the integration is much tighter, using integrated delivery systems and various joint venture models.
Risk issues related to declining volume include coverage of fixed and overhead costs. That is,
as volume drops, the fixed cost per unit of service increases since there are fewer encounters over
which to spread fixed cost, such as depreciation, interest, and general overhead. Increasing volume
also carries risk. If the increased volume produces revenue per unit of service that does not cover the
increased variable or marginal cost per unit, then overall profitability declines. Finally, strategies to
impact volume (either up or down) carry a variety of risks. These range from community and government reaction to service elimination that reduces unprofitable volume to investment risks related to
strategies to increase volume.


The most significant components of cost are well known to healthcare finance executives: labor and supplies. For most provider organizations, these costs represent anywhere from 50 to 80% of operating costs. Labor costs are driven by factors such as nursing and other shortages, as well as rapidly rising benefit costs. Supply costs are driven largely by the use of high-cost physician-preference items. When looking at healthcare expenses in terms of inflation, the greatest increases for hospitals over the next three years are likely to be seen in the areas of professional liability insurance, food, energy, equipment, and supplies.5
The dimension of the problem with rising costs can be seen from a finding by Moody's Investors Service that in FY06 expense growth outpaced revenue growth for the first time in many years. That gap narrowed in FY07, but expense growth remains an issue.
Healthcare finance leaders surveyed by HFMA found that the issue with the greatest influence on
hospital costs over the next three to five years is accelerating regulatory requirements. The factor listed
as second most significant was increases in cost of supplies and pharmaceuticals. (See Exhibit 2.)
To address cost issues, hospitals are working aggressively to enhance efficiency and productivity to ensure that human resources are used effectively. On the supply side, efforts focus on engaging
physicians in the process of purchasing supplies to help control use of expensive physician-preference
items. Other joint administration-clinician efforts focus on enhancing efficiency in clinical processes.
Cost issues represent an important challenge for healthcare organizations. Inappropriate cost-cutting efforts such as inadequate staffing, utilization of excessive temporary staffing or poorly trained staff, deferred maintenance and capital replacement, and inappropriate or inadequate supply levels may increase risks related to care delivery. Overstaffing due to poor staffing management protocols, inadequate capital planning, or poor supply-chain management also carries risks, including reduced profitability and liquidity. The human capital risk domain is particularly affected by cost issues and highlights the importance of involving human resources while making strategic decisions for the

5. R-C Healthcare Management Hospital Inflation Data, 2nd Quarter, 2007, proprietary information from R-C Healthcare. Used with permission.


Healthcare payment and pricing systems are fraught with illogic and unfairness, creating problems for all healthcare stakeholders.
Nearly half of hospital payment derives from Medicare, Medicaid, and other government health
programs. And although these programs represent a smaller percentage of payment for most physicians, they are still significant. Due to federal and state budget constraints, government payment is
falling increasingly short of covering the costs of treating their beneficiaries. Indeed, Medicare's future
is tenuous without a significant increase in government funding or a reduction in spending. Recent
estimates suggest that the trust fund for Medicare Part A could be insolvent as early as 2016.
According to healthcare finance leaders surveyed by HFMA, stagnant or declining Medicare and
Medicaid payment rates, guided by federal budget pressures, will be the most significant factor affecting healthcare payment and pricing over the next three to five years. (See Exhibit 3.)
Although providers continue to institute cost-control measures, they cannot make up the payment
shortfall. As such, the cost of these shortfalls is generally passed through to consumers. One estimate
shows private payors pay $1.22 for every dollar of hospital costs as a result of this cost-shift hydraulic, sometimes described as a hidden tax on healthcare purchasers.6
As healthcare costs continue to escalate faster than overall inflation, many employers are responding by eliminating employee health benefits or shifting more of the burden of payment to consumers
in the form of higher deductibles and copayments. These actions lead hospitals to face the additional
burden of uncompensated care associated with caring for uninsured and underinsured patients and, in
many cases, lead to further need to cost shift.
A particularly troublesome consequence of cost shifting is that, over time, hospital prices may
lose their relationship to rational benchmarks, such as cost, value, or market demand. Consumers are
the big losers in this situation, finding it virtually impossible to determine what their financial obligations will be for services, while hospital staff find it challenging to educate their communities about
the complex mechanisms that result in their pricing.
Many healthcare organizations are also grappling with rising levels of nonpayment for services provided. These problems result in part from the trend toward reduced employee health benefits or higher copayments and deductibles noted earlier, compounded by the economic effects of the recession that began in 2007. Effective management of increasing bad debt levels requires a multi-disciplinary effort within the organization, including patient financial service, case management, and risk management staff.

6. Allen Dobson, Joan DaVanzo, and Namrata Sen, The Cost-Shift Payment Hydraulic: Foundation, History, and Implications, Health Affairs 25, January/February 2006, 22-33.
On the positive side, federal and commercial payors are making strides to link healthcare payment to actual achievement of quality processes and outcomes. And stakeholders are slowly coming
together to seek consensus on a better payment and pricing system.
As noted earlier, inadequate payment per unit of service is a key concern. And uncertainties related to major payor sources such as Medicare and Medicaid increase both short-term operating risks and longer-term strategic risks. Pricing concerns expressed by the public and policy makers
increase the risk of increased price regulation and hence reduced pricing flexibility. This increases the
uncertainty of producing the level of revenue per unit of service to cover increasing costs of providing
that unit of service.


Capital spending for healthcare organizations, especially hospitals, is driven by factors such as the
need to update or replace aging facilities, prepare for an aging population, and acquire new medical
technology. Hospitals have taken on significant amounts of debt to support increases in capital spending. Much of this capital investment is for replacement, modification, and in some cases, expansion of
facilities as well as investments in medical and business information technologies.
After years of relatively easy access, that situation is changing. Rising costs and payment challenges are eroding the margins for many healthcare organizations, and with that comes erosion of
credit quality. Exhibit 4 illustrates the growing gap between hospitals that are more creditworthy
and those that are less. In 1990, 5% of the credits rated by Moody's Investors Service were Aa rated, 65% were A rated, and 27% were Baa rated. By July 2007, the curve had flattened, with 16% Aa rated,
44% A rated, and a larger 30% Baa rated. Late in 2008, several ratings agencies lowered their outlook
on both not-for-profit and for-profit hospital sectors to negative from stable and indicated that they
expect a rise in rating downgrades over 2009.
Experts predict that the cost of capital will go up in the next three to five years (see Exhibit 5)
because of concerns the rating agencies have over the medium term and the current turmoil in the
credit markets. This rising cost could well coincide with slowing growth in payment and volume for
healthcare organizations. The result could be a significant challenge to their profitability and ability to
finance their future endeavors. For example, financing of physician alignment strategies such as joint
ventures may prove significantly more difficult. Both hospitals and physician groups may need to
consider other compensation-based strategies to achieve alignment goals.
Profitable healthcare organizations will continue to have access to capital at relatively lower costs,
but they too are seeing the cost of capital increase. Unprofitable organizations will struggle even more
to keep up. The gap between the haves and have-nots can only accelerate as quality becomes more of
a differentiating strategy. Although the rising tide of the mid-2000s lifted most boats, that tide quickly
ebbed amid financial market turmoil and the economic downturn. While healthcare organizations at
Enterprise Risk Management for Healthcare Entities, First Edition


Financial Challenges
the top may continue to have access to capital, those in the middle tier may see their margins reduced,
and those at the bottom may see their margins drop to a negative level.
Capital finance issues such as capital demand (capital expenditures for facilities and equipment)
and capital access (cash from operations, equity, debt, contributions, grants) carry enormous risks.
Increased capital expenditures increase the fixed cost profile of an enterprise, which reduces flexibility
in times of uncertainty and requires new revenue streams to support increased cash flow demands.
Additionally, structuring debt portfolios with both variable and fixed interest rate debt instruments carries credit market risks that are driven by national and global financial market dynamics.
Recent turmoil in the credit markets demonstrates how the risk profile of the enterprise can change,
outside of management's control, based on its debt structure. Too much variable debt increases volatility, but too little significantly increases the cost of capital.
Finally, capital issues also relate to the enterprise's investment portfolios, which are influenced by
many of the same market forces. Accounting and financial reporting requirements to mark investments
to market demonstrate the swings in asset values that can occur when financial markets rise and fall.
These accounting requirements also create a reporting risk as markets move up and down. Highly
variable debt portfolios and highly speculative investment portfolios can quickly change the financial
position of an enterprise.



The organization must have a clear vision of its fiscal policies that is well known to all
stakeholders. Some organizations will struggle to survive and maintain market share, while
others will not only maintain sound operations but realize revenue growth. Knowing where
the organization is in this cycle is critical.

Financial risks must be comprehensively identified in the context of enterprise risk management in order for the organization to appropriately prioritize its goals and objectives.

While many risks are not amenable to traditional risk transfer arrangements such as the purchase of commercial insurance coverage, use of techniques such as risk avoidance or loss
control should be considered in the overall context of managing financial risk.

The organization's ability to be fiscally prudent in today's economy requires clear strategic direction by an engaged board of directors and implementation tactics by competent

The increased responsibility of the board of directors combined with heightened scrutiny
by regulators requires that board members, individually and collectively, be informed about
healthcare operations that may impact the financial performance of the organization and that
they are knowledgeable about current market and external financial trends. A thoughtful ERM
approach, considering the finance risk domain, can enhance the fiscal rewards and reduce the
risks to the organization.




Understanding the business drivers of volume, cost, pricing/payment, and capital is critical in
evaluating the risk profile of a healthcare organization. These drivers are directly associated with
key financial risks, including the ability to raise and maintain access to capital, contracting issues,
and risk-financing treatments such as insurance and self-insurance. The strategies that are developed
must operate within the mission, vision, and objectives of the enterprise. In addition, management
and governance must consider the events that may impact the organization's risk profile. Few risks
exist in isolation. Risks associated with areas such as operations, human capital, legal and regulatory,
and technology may ultimately become a financial risk to the organization. Effective enterprise risk
management is a critical adjunct to successful financial management.

Exhibit 1 Most Significant Factors Related to Hospital Volume: 2008-2013

Exhibit 2 Most Significant Factors Affecting Hospital Costs, 2008-2013

Exhibit 3 Most Significant Factors Affecting Hospital Prices/Payment: 2008-2013

Exhibit 4 Shift in Credit Quality, 1990-2007

Source: Moody's Investors Service, Inc. and/or its affiliates. Reprinted with permission. All rights reserved.



Exhibit 5 Most Significant Factors Affecting Hospital Capital: 2008-2013


Financial Stewardship
Elizabeth M. Mills, Esq.
Senior Counsel, Proskauer Rose LLP


In 2006, approximately 59% of the hospitals in the United States were operated by organizations
exempt from federal income tax because they are described in Section 501(c)(3) of the Internal Revenue
Code (Code). Of the remainder, 23% were operated by governmental units and 18% were operated by
for-profit entities.[1] Nationally, in 2005 approximately 41,000 health-related organizations were Section
501(c)(3) tax-exempt organizations.[2] This chapter is principally directed toward tax-exempt[3] healthcare
organizations, although Section 7.5 on Use of Property Financed with Tax-Exempt Bonds and portions of Section 7.3 Tax Reporting and Payment Issues will be of interest to governmental entities,
and portions of Section 7.4 Corporate Oversight of Financial Affairs will be of interest to for-profit
healthcare organizations.
This chapter first explains the significance of maintaining tax exemption, the risks to tax exemption,
and how tax exemptions can be managed. The next section summarizes public reporting requirements
for tax-exempt healthcare organizations as well as employment tax issues and risks. Attention is then
focused on the current focus from many sources on governance as it relates to financial management
of the health organization. Finally, there is a brief summary of the risks when property financed by tax-exempt bonds is not used in compliance with applicable requirements and how those requirements can
be met.

Maintaining Tax Exemption


Significance of Tax Exemption

Tax exemption provides substantial financial and non-financial benefits to healthcare organizations. Primary benefits are:

The organization does not pay federal or, usually, state income tax on its net income, except
to the extent it is derived from activities that are unrelated to exempt purposes (such as pharmacy or equipment sales to non-patients).

[1] American Hospital Association, Fast Facts on US Hospitals, http://www.aha.org/aha/resource-center/Statistics-andStudies/fast-facts.html. Excludes federal hospitals.
[2] Blackwood, Wing, and Pollak, The Nonprofit Sector in Brief: Facts and Figures from the Nonprofit Almanac 2008,
accessible at http://nccsdataweb.urban.org/kbfiles/797/Almanac2008publicCharities.pdf.
[3] When used in this chapter, "tax-exempt organization" or "exempt organization" means an organization described in
Section 501(c)(3) of the Code unless another section or another type of tax exemption is indicated.


The organization is eligible to use the proceeds of tax-exempt bonds, thereby reducing financing expenses. See Section 7.5 on Use of Property Financed by Tax-Exempt Bonds.

The organization is eligible to receive charitable contributions that are deductible by donors.

Perhaps less today than in the past, the organization enjoys the halo effect associated with
charitable organizations.

Tax-exempt organizations must generally be recognized by the Internal Revenue Service (IRS) as
having that status, either through applying to the IRS for recognition of exemption or through inclusion in a group exemption ruling (such as the group ruling issued to Catholic organizations).[4] The IRS
may revoke an organization's tax exemption following an audit, which may be prompted in one or
more of the following ways:

a complaint from the public;

a news report concerning the organization that piques the IRS's interest;

a compliance check or questionnaire on certain areas (such as executive compensation)
issued to selected types of organizations by the IRS; or

the IRS's selection criteria for auditing tax-exempt organizations (which may include assets,
income, type of activity, and other factors).

If the IRS revokes an organization's tax exemption, one immediate consequence can be that the
organization's tax-exempt bonds become taxable (that is, the interest on the bonds is no longer tax-free
to the holder). This is usually an event of default on the bonds, which may accelerate the organization's
debt and cause it to be immediately due and payable. Although a tax-exempt organization can challenge an IRS-proposed revocation of tax exemption both in administrative proceedings and in court,
a formal notice of proposed revocation is usually viewed as a material event that must be disclosed
to the markets. This disclosure can adversely affect the interest rate on the organization's outstanding
bonds if they are variable-rate or need to be remarketed, as well as adversely affecting public opinion.
Thus, revocation of tax exemption, or even proposed revocation of tax exemption, is usually not an
acceptable outcome for organizations using tax-exempt debt. The alternative, if the IRS has concerns
about whether the organization is operating consistent with tax exemption, is to conclude the audit
with a closing agreement between the IRS and the organization which lays out specific actions that the
organization will take and provides that the organization remains tax-exempt.
In addition, tax-exempt healthcare organizations are frequently eligible for exemption from property tax on their property and sales tax on their purchases. Property and sales tax exemptions are often
more important financially to healthcare organizations than exemption from tax on income; property
and sales taxes must be paid regardless of the organization's profitability, while income taxes need be
paid only if there is taxable income. Property and sales tax are governed by state and local law and
are not generally tied to federal income tax exemption. However, an organization that loses its federal
[4] Organizations that are exempt from income tax under other subsections of the Code, such as Section 501(c)(4) social
welfare organizations or Section 501(c)(6) professional and trade associations, are not required by law to obtain recognition from the IRS of their tax-exempt status, although most do. Some types of 501(c)(3) organizations, such as churches
and very small organizations, are not required to obtain recognition of their status pursuant to Section 508 of the Code.


income tax exemption is likely to be scrutinized by state and local taxing authorities for continued
compliance with property and sales tax exemption requirements, and an organization that does not
meet federal standards may not meet the (frequently) more stringent requirements for property or sales
tax exemption. For current issues in property tax exemption challenges, see Section 7.2.5 on Property
Tax Exemption below.
For these reasons, maintaining tax-exempt status is of utmost importance to exempt organizations. The next parts of this section summarize the requirements for maintaining tax exemption.

Standards for Tax-Exempt Status

Tax-exempt organizations must be organized and operated for exempt (charitable, educational,
scientific, or religious) purposes.
Being organized for exempt purposes means that the articles of incorporation (not the corporate
bylaws) of the organization (or other organizing document if not a corporation):

must state purposes that are exempt purposes;

may not state purposes that are not exempt purposes;
must provide that the organization will not intervene in an election for public office;
must provide that the organization will engage in lobbying only as an insubstantial part of its
activities (the distinction between political activity and lobbying is described below); and
must provide that, upon dissolution, the assets of the organization must be dedicated to exempt
purposes, usually by transferring them to other tax-exempt organizations.[5]

In addition, if the tax-exempt organization is not a private foundation because it is a supporting
organization described in Section 509(a)(3) of the Code,[6] the articles of incorporation must include
language specifying that the purpose of the organization is to carry out the purposes of, support, or benefit specified public charities. When amendments to articles of incorporation or equivalent documents
are made, care should be taken that required provisions are not dropped or impermissible provisions
added inadvertently.
Being operated for exempt purposes means that the following three requirements must be met:

The organization must operate primarily to achieve exempt purposes. If a substantial part
of the organization's activities is to achieve non-exempt purposes, it may not be eligible
for exemption. This criterion is frequently measured by the percentage of the organization's
activities (as measured by expenses, revenues, board time, employee time, or other relevant
factor) that are devoted to exempt as opposed to non-exempt purposes (for example, carrying on a business unrelated to exempt purposes), although there is not a simple formula or
numerical cutoff.

[5] Treas. Reg. Section 1.501(c)(3)-1(b).

[6] Every Section 501(c)(3) tax-exempt organization is classified as a private foundation under Section 509 unless it is
excluded from private foundation status because it qualifies as an organization described in Section 509(a)(1), (2), or (3) of
the Code. Qualification can be based on the nature of activities, the amount of support derived from contributions or payments
from the general public, or the organization's relationship to other organizations falling within the first two categories.


The organization must not permit its net earnings to inure to the benefit of any private
shareholder or individual[7] (inurement). The IRS, regulations, and courts interpret "net earnings" to mean the income or assets of the organization as well as its profits, and interpret
"private shareholder or individual" to mean a person with a personal and private interest in
the activities of the organization, basically insiders such as directors and officers.[8] Thus,
a tax-exempt organization may not provide an equity-type interest (such as a right to receive
profits) to a non-exempt person or organization and may not engage in transactions with
insiders that result in the exempt organization receiving less than fair market value.

The organization must serve public, rather than private, interests; that is, it must not confer benefits on individuals or other persons (even disinterested persons) other than benefits
created as an incident to achieving exempt purposes.[9] Thus, an exempt organization can be
disqualified for tax exemption because its activities benefit individuals even though those
individuals are not in control of the organization and even though the organization does not
engage in prohibited inurement.

The potential for violation of these standards can arise in many aspects of healthcare operations,
including: relationships with employed physicians; relationships, such as leases, service contracts, and
recruitment, with independent medical staff physicians; joint ventures with physicians or other nonexempt entities; compensation relationships with external managers and service providers; executive
compensation; financial relationships between the exempt organization or its affiliates and its directors
or officers; reimbursement of employees' expenses when such reimbursement may be viewed as for
political contributions made by the individuals; and use of the exempt organizations resources in support of a political candidate. Many of these risks, particularly in physician and service relationships
and joint ventures, can be addressed through review in the contracting or transaction process. Risks
associated with executive compensation can be addressed through implementation of rebuttable presumption of reasonableness procedures referenced in Section 7.4. Risk associated with financial
relationships with directors or officers can be addressed through the rebuttable presumption of reasonableness procedures and conflict of interest procedures for transactions with interested persons.
Finally, risks associated with political campaign activity that may be attributed to the exempt organization can be addressed through systemwide policies and education detailing political campaign
behavior that is prohibited, as well as direction to accounts payable and expense reimbursement staff
to question transactions that have the appearance of involvement in political activities.

Other Consequences of Violating Tax-Exempt Status Requirements

In addition to or instead of loss of tax exemption, the IRS can impose penalties (technically, excise
taxes) on the violating exempt organization or those who have benefited from the violation. The penalties of broadest applicability are the so-called intermediate sanctions, or taxes on excess benefit
transactions, contained in Section 4958 of the Code. Under these provisions, a disqualified person
[7] Code Section 501(c)(3).
[8] Treas. Reg. 1.501(a)-1(c); General Counsel's Memorandum 39862 (December 2, 1991); United Cancer Council Inc. v.
Commissioner, 165 F.3d 1173 (7th Cir. 1999).
[9] American Campaign Academy v. Commissioner, 92 T.C. 1053 (1989).


Enterprise Risk Management for Healthcare Entities, First Edition

Financial Stewardship
(a person who is in a position to exercise substantial influence over the organization, such as a director
or officer) who engages in an economic transaction with an exempt organization in which the exempt
organization receives less than fair market value consideration is subject to a penalty of 25% of the
excess benefit amount. The disqualified person must also correct or undo the offending transaction.
Directors and officers who knowingly approve the excess benefit transaction (whether or not they
individually benefit from it) are also subject to a tax, up to $20,000 in the aggregate. Exempt organizations must report on the Form 990 whether they have engaged in an excess benefit transaction during
the reporting year and whether they have discovered in the reporting year an excess benefit transaction
that occurred in a previous year, as well as the details of the transaction. Thus, the exempt organization
must self-report an excess benefit transaction to the IRS and indirectly to the public.
The key to whether a transaction with an insider is an excess benefit transaction is whether the
transaction is at fair market value. The intermediate sanctions regulations provide a process that, if
followed, provides the exempt organization and the insider a rebuttable presumption that the transaction is reasonable.[10] This rebuttable presumption means that if the IRS believes a transaction is an
excess benefit transaction, it is the IRS's burden to prove that the transaction was not at fair market
value, a reversal of the usual situation, in which it is the taxpayer's burden to prove it is entitled to
exemption. The rebuttable presumption requires that a compensation amount or a transaction (such as
sale of property) be 1) approved in advance by a disinterested committee or board that has 2) obtained
and relied upon appropriate data as to comparability prior to making its determination and 3) has
concurrently documented the basis for its determination.[11] While the presumption of fair market value
does not apply if any element of the requirements is not met, satisfying as many of the rebuttable presumption requirements as possible is still desirable and helpful in demonstrating that the transaction
is in fact at fair market value. The risk of engaging in an excess benefit transaction, then, can be managed by executive compensation and conflict of interest policies that require that compensation changes
or special benefit adjustments for executive employees, as well as financial transactions between the
organization and directors, officers, and other potentially disqualified persons, be approved through a
process that meets the rebuttable presumption of reasonableness.
Another penalty that can be imposed is on an exempt organizations expenditures for political
activity. For exemption purposes, political activity means activity that relates to influencing the outcome of an election for public office. As noted above, Section 501(c)(3) strictly prohibits exempt
organizations from engaging in any political activity. No de minimis amount is permitted. Section 4955
provides that the IRS may impose a tax equal to 10% of the amount of the political expenditure on an
exempt organization making such expenditures. This is a tool for the IRS to use, short of revoking tax
exemption, to address isolated or inadvertent expenditures. As in the case of intermediate sanctions,
the organization must disclose on the Form 990 whether it has engaged in any political expenditures.
An exempt organization may participate in lobbying activities (attempting to influence legislation), but only as an insubstantial part of its activities. The statutory standard of insubstantial is,
of course, vague. Many exempt organizations are eligible to make a Section 501(h) election under
[10] Treas. Reg. Section 53.4958-6. The regulations make clear that if the rebuttable presumption is not satisfied, no inference should be drawn that the transaction is at other than fair market value.

which the dollar amount of permissible lobbying expenditures is determined by a formula based on
the organization's expenditures. If an electing organization spends more than the permitted amount on
lobbying activities, the organization is subject to an excise tax on the excess expenditure.[12] Because
exempt healthcare organizations, particularly hospitals, have extensive exempt activities, lobbying
activities typically do not exceed permitted levels, either under the 501(h) election or under the general
insubstantial standard. However, to prevent inadvertent violations, it is desirable to have corporate
policies limiting lobbying activities to an insubstantial portion of the organization's activities and
specifying who within the organization may engage in or direct such activities, so that the extent of
lobbying efforts is known and can be reported as required.

Tax Exemption for Healthcare Organizations

The IRS has interpreted these standards as they apply to hospitals in Revenue Ruling 69-545.[13]
Revenue Ruling 69-545 concludes that the following factors indicate that a hospital operates for the
charitable purpose of promoting the health of the public (the community benefit standard):

The hospital has a board of directors made up of community leaders, rather than physicians
and other persons interested in the operation of the hospital.

The hospital has an open medical staff (that is, medical staff membership is available to qualified physicians in the community, rather than to a few physicians who control the hospital).

The hospital has an emergency room that treats all in need of emergency services regardless
of ability to pay.

The hospital accepts Medicare and Medicaid patients and other patients who can afford to
pay for their care.

The criterion of a community board has been adapted to modern multi-corporate systems by IRS
interpretation that an organization controlled by an exempt organization with a community board
satisfies this criterion.[14] Entities that deliver healthcare services but that are not hospitals or residential facilities are subject to the same community benefit standard, modified as appropriate for their
Notably, these criteria, which were articulated shortly after the establishment of the Medicare
and Medicaid programs, do not include the provision of non-emergency services without charge to
those unable to pay. Since that time, it has become evident that these programs have not provided the
anticipated access to care. The IRS, the Senate Finance Committee, other administrative and legislative bodies, and class action plaintiffs' attorneys have examined exempt hospitals' provision of free

[12] Code Section 4911.

[13] 1969-2 C.B. 117, amplified by Rev. Rul. 83-157, 1983-2 C.B. 94.
[14] Internal Revenue Manual Exhibit 7.20.4-9.
[15] Id. Nursing homes and homes for the elderly or disabled have slightly different standards for exemption that focus
on affordability and maintaining those who become unable to pay to the extent of the organization's financial ability.
Rev. Rul. 72-124, 1972-1 C.B. 145; Rev. Rul. 79-18, 1979-1 C.B. 194.


Enterprise Risk Management for Healthcare Entities, First Edition

Financial Stewardship
care to those unable to pay and questioned whether exempt hospitals in fact operate differently from
for-profit hospitals.[16]
The recent revisions to the Form 990 (the information return filed by exempt organizations), discussed in Section 7.3 Tax Reporting and Payment Issues,
require substantial, very specifically defined
reporting on exempt hospitals' charity care policies, amount of charity care provided, amounts of other
types of community benefit provided, and billing and collection practices. Information on the Form 990
is available to the public. Many states also have enacted statutes addressing exempt hospitals' provision
of charity care, including community benefit reporting requirements, hospital billing practices requirements, limitations on collection practices, and in some cases requirements that a certain amount of
charity care be provided. A compilation of information from the American Health Lawyers Association,
the Healthcare Financial Management Association, the Catholic Health Association, and VHA concerning community benefit, charity care, and the Form 990 is available at http://www.990forhospitals.org/.
If they have not already done so, exempt healthcare organizations should review their charity care
policies and procedures, in preparation for completing the new Form 990 if for no other reason. In this
area, the manner of implementation is even more important than the policy; the best policy is worthless
if it is not applied correctly and a needy patient is denied care or unfairly pressed for payment. This
review can include:

The charity care policy itself: what criteria a patient must meet to qualify, how income and
assets are determined, whether there is a limit based on patients income on the total amount
the patient may be asked to pay, and how exceptions may be made and documented.

Implementation of charity care program: timely response and follow-up to applications,
standard and consistent responses to patient requests for information, convenient business
hours, files and statistics maintained concerning applications and action thereon.

Collection practices: the organization has clear written standards and practices to be used in
collection activities, interest-free payment plans are available, wage garnishments and body
attachments are not used in ordinary circumstances, legal action is taken only when there is
evidence of patient income or assets available to make payment, outside collection agencies are
required to adhere to the organization's practices, patient accounts are reviewed prior to collection agency assignment to confirm that financial assistance was offered if the patient is eligible,
specified collection actions require review and approval at specified institutional levels.

Employee training: detailed and updated training materials for patient accounts personnel
are maintained, training on charity care policies is provided to all appropriate administrative
and clinical staff.

Public disclosure of charity care policies and procedures: policies are clear and understandable (taking into account languages of communities served), availability of financial
assistance is indicated on bills, policies are communicated to the community and to patients.

[16] Staff Discussion Draft of Potential Non-profit Hospital Reforms, Senate Committee on Finance, July 17, 2007, available
at http://finance.senate.gov/press/Gpress/2007/prg071907a.pdf; Hospital Compliance Project Interim Report (Summary
of Reported Data), Exempt Organizations function of IRS Tax Exempt and Government Entities, 2007, available at


Property Tax Exemption

If a healthcare organization's property is subject to property taxes, this can have a significant financial
impact, particularly since property taxes are not dependent on the income generated by the property;
that is, they must be paid whether the facility is making money or not. Generally, property is exempt
from property tax if it is owned by a charitable organization and used for charitable purposes.[17] State
and local governments periodically challenge the tax-exempt status of hospital property, with a flurry of
such attacks in the 1980s in Utah, Pennsylvania, and Vermont, among other states. Recently, appellate
courts in Illinois have upheld the denial of property tax exemption for hospitals and community health
centers, and the Provena case is now before the Illinois Supreme Court.[18] The rationale set forth in the
Provena decision is that the organization owning the property is not an institution of public charity
and the property is not used exclusively for charitable purposes, the statutory standard, because: only
a small amount of the care provided, under 1%, was charity care; it provided discounts to patients
unable to pay in part and then sued them for nonpayment of the remaining balance; its operating income
was derived almost entirely from charges; and its primary activity was to sell medical services in the
same manner as a for-profit hospital. The appellate court rejected the hospital's efforts to demonstrate
community benefit. This focus on charity care dollars and collection practices is in line with current
efforts in Congress and the IRS to refine the community benefit standard for income tax exemption.
As described above, it also means that healthcare organizations that bill and collect for services should
have internal controls over sending accounts to collection and over initiating lawsuits for payment, to
limit such actions to situations in which there is some reason to believe that the patient has the ability
to pay. A few instances of perceived unfair collection treatment of poor patients, if picked up by the
media, can trigger IRS attention, property tax exemption review, and Congressional inquiries.

Tax Reporting and Payment Issues

As mentioned in Section 7.2.4, the IRS has redesigned the Form 990, or annual information
return, that must be filed by most tax-exempt organizations,[19] to require reporting of substantially more
and more detailed information, particularly about governance issues (as discussed in Section 7.4 on
Corporate Oversight of Financial Affairs below), community benefit provided by hospitals, and
tax-exempt bond use. One reason the Form 990 revision has received so much attention is that exempt
organizations must make their Forms 990 available to the public for three years following the date the
return was due.[20] In addition, the IRS provides filed Forms 990 for display on Guidestar.org. Thus,
information disclosed on the Form 990 is almost immediately available to the public, the press, and
government investigators. (The only exception to the requirements for public disclosure is that the
list of donors to the organization attached to Form 990 as Schedule B need not be disclosed.) Exempt
Some states tax real property only, while others tax both real and personal property.
Provena Covenant Medical Center and Provena Hospitals v. Illinois Department of Revenue, No. 4-07-0763, Ill. App.
(4th Dist.) August 26, 2008; Community Health Care, Inc. v. Illinois Department of Revenue, 307 Ill. Dec. 519 (3d App.
Dist. 2006).
Private foundations (see note 6, supra) file a different form that was not revised and have always had to file that form
regardless of level of financial activity.
Code Section 6104(d). The organization must also make its exemption application filed with the IRS available to the
public; if the organization received exemption before 1987, it must make the application available only if it had a copy in
its possession in 1987.


Enterprise Risk Management for Healthcare Entities, First Edition

Financial Stewardship
organizations that have more than $1,000 in gross income subject to unrelated business income tax
must also file a Form 990-T to report taxable income and pay any tax due. Effective for returns filed
after August17, 2006, Section 501(c)(3) organizations must also make their Forms 990-T available
to the public. Smaller organizations that are eligible to file a Form 990-EZ rather than a Form 990
must make that form available under the same rules. More information on the requirements for making returns available to the public is available in IRS Publication 4221-PC and on the IRS web site at
http://www.irs.gov/charities/index.html. Of particular note is the requirement that a copy be available
for inspection on a walk-in basis during normal business hours; this means that a person must be designated to have these documents. Persons who ask for access to these documents and do not receive it
can complain immediately to the IRS, and the IRS takes these complaints very seriously.
Until recently, small exempt organizations (those with $25,000 or less in annual gross receipts) did not have to make an annual filing with the IRS. In addition, there was not a specific provision that exemption was endangered by failure to file. Beginning for tax years ending on or after December 31, 2007, all exempt organizations that do not have to file Form 990 or Form 990-EZ must complete an online filing with the IRS providing basic information such as name and address. An organization that is a supporting organization described in Section 509(a)(3) of the Code must also now file a Form 990 regardless of the level of its financial activity.21 Importantly, an organization that fails to make the required filing for three consecutive years now loses its tax-exempt status effective as of the date the last missed filing was due, and exemption cannot be restored retroactively unless the organization shows reasonable cause for the failure to file.22 Loss of exempt status for an affiliate in a healthcare system that occupies tax-exempt bond-financed property can have particularly severe unintended consequences, so this new provision makes vigilance in filing particularly important.
If an exempt organization's unrelated business activities will generate a tax liability on the Form 990-T of $500 or more, the organization must pay estimated taxes in the same way as taxable corporations. Further, while many states automatically treat organizations that are exempt from income tax at the federal level as similarly exempt at the state level, many states require that exempt organizations with a federal unrelated business income tax liability also file a state unrelated business income tax return and pay state income tax on that income. This state filing is sometimes overlooked, and interest and penalties for failure to file for several years can be costly.

As organizations eligible to receive tax-deductible charitable contributions, exempt healthcare organizations must also comply with the requirements for providing substantiation to donors for quid pro quo contributions, that is, contributions in which the donor receives something of value in return, such as the right to attend a benefit dinner. In this situation, the donor may deduct as a charitable contribution only the amount contributed in excess of the fair market value of the item received. In addition, donors who contribute $250 or more to a charity may not deduct the contribution unless they receive substantiation of the contribution from the charity. The exempt organization is not technically required to provide this substantiation to the donor but usually does so to prevent unhappy donors. These substantiation requirements are set forth in more detail in IRS Publication 1771.

[21] Code Section 6033(l).
[22] Code Section 6033(j).

Like other employers, exempt organizations that have employees must withhold and pay federal
and state employment taxes and file employment tax returns. Penalties for failure to withhold or failure
to pay can be significant.23 In addition, the organization should confirm that individuals it is paying
and treating as independent contractors (as opposed to employees) actually qualify as independent
contractors. Determining whether individuals paid by the organization are employees as opposed to
independent contractors is important because if the organization treats individuals as independent
contractors and does not withhold or pay employment taxes, the IRS may reclassify the individual
as an employee and look to the employer for taxes, interest, and possibly penalties. In healthcare
organization audits, the IRS usually asserts the position that physicians performing medical director
or other administrative services on a part-time basis should be treated as employees of the healthcare
organization, rather than independent contractors.
Finally, while exempt organizations are often able to obtain exemption from state and local sales
taxes on items they purchase, they frequently are liable for withholding and paying sales taxes on
items they sell. Again, failure to register as a sales tax collector and to pay these taxes can result in
significant taxes and penalties.
In summary, particularly in a multi-corporate healthcare system, each entity may have multiple
filing obligations. The legal and finance functions should work together to make sure that filing
requirements are known and complied with. One system is to maintain a master entity list indicating
each entity's characteristics (e.g., type of entity, tax identification number, sales tax exemption status)
and filing requirements so that no type of filing for any of the entities is overlooked. This is especially
important now that an organization that fails to file its required IRS information return can lose its
tax exemption.

Corporate Oversight of Financial Affairs

Like the board of directors of a for-profit corporation, the members of the board of directors of a not-for-profit corporation (whether they are called directors, trustees, or some other name) have a fiduciary duty to exercise due care in overseeing the affairs of the corporation. This includes oversight of the corporation's financial affairs. In general, the standard of care for not-for-profit corporation directors24 is the same as for directors of for-profit corporations: the prudent man standard, which requires that directors discharge their duties in good faith and with the degree of diligence, care, and skill which ordinarily prudent men would exercise under similar circumstances in like positions.

This section summarizes the views of the Panel on the Nonprofit Sector and the IRS on how this duty applies to the activities of an exempt organization board in being the stewards of the corporation's finances: overseeing investment management, executive compensation, accounting and recordkeeping, tax reporting, and other matters. In 2007, the Panel on the Nonprofit Sector published Principles for Good Governance and Ethical Practice: A Guide for Charities and Foundations,25 which lists 33 principles (the Panel Principles). In February 2008, the IRS posted its own list of good governance practices, Governance and Related Topics: 501(c)(3) Organizations26 (the IRS Practices).

[23] See Verret v. United States, 103 AFTR 2d 2009-1189 (5th Cir. 2009), which upheld a finding under unusual facts that a hospital board chair and manager was personally responsible for more than $400,000 in taxes withheld but not paid over.
[24] Trustees of a trust are generally held to a higher standard of care; trusts are not discussed in this section.
[25] Available at http://www.nonprofitpanel.org/Report/index.html.

With respect to investment management, Panel Principle 22 states in part:
The board of a charitable organization must institute policies and procedures to ensure that the
organization (and, if applicable, its subsidiaries) manages and invests its funds responsibly, in
accordance with all legal requirements.
IRS Practice 4.C. states:
The governing body...may be required either by state law or by the organizational documents
to oversee or approve major investments made by the organization. Increasingly, charities
are investing in joint ventures, for-profit entities, and complicated and sophisticated financial
products or investments that require financial and investment expertise and, in some cases,
the advice of outside investment advisors. The [IRS] encourages charities that make such
investments to adopt written policies and procedures requiring the charity to evaluate its
participation in these investments and to take steps to safeguard the organization's assets and
exempt status if they could be affected by the investment arrangement. The [IRS] reviews
compensation arrangements with investment advisors to see that they comply with federal
tax law.
The revised Form 990 asks whether an organization has adopted procedures and policies regarding participation in a joint venture or similar arrangement with a taxable entity; it does not specifically
ask about investment policies.
The National Conference of Commissioners on Uniform State Laws adopted a Uniform Prudent Management of Institutional Funds Act (UPMIFA) in 2006.27 UPMIFA is intended to replace the Uniform Management of Institutional Funds Act, adopted in 1972 and eventually enacted in 47 jurisdictions. UPMIFA updates the previous act by incorporating the rules of the Uniform Prudent Investor Act, which was promulgated in 1994 and has been enacted in 43 jurisdictions. UPMIFA requires those investing and managing the funds of a charity to:

act in good faith and in compliance with the prudent man standard;

incur only reasonable costs in investing and managing funds;

in managing and investing funds, consider general economic conditions, the possible effect of inflation or deflation, the expected tax consequences (if any) of investment decisions or strategies, the expected total return from income and the appreciation of investments, other resources of the institution, and the needs of the institution to make distributions and to preserve capital;

make decisions about each asset in the context of the portfolio of investments as part of an overall investment strategy;

diversify investments unless special circumstances dictate otherwise;

dispose of unsuitable assets; and

develop an investment strategy appropriate for the charity.

These standards were not set forth in the previous act.

[26] Available at http://www.irs.gov/pub/irs-tege/governance_practices.pdf.
[27] Available at http://www.nccusl.org.


With respect to executive compensation, the need to pay no more than reasonable compensation to
insiders and the rebuttable presumption of reasonableness procedure were discussed above in Section
7.2.3 Other Consequences of Violating Tax-Exempt Status Requirements. Overseeing executive
compensation is also part of financial stewardship. Panel Principle 8 states:
A charitable organization must have a governing body that is responsible for reviewing and approving the organization's mission and strategic direction, annual budget and key financial transactions, compensation practices and policies, and governance policies.
IRS Practice 4.A. states:
A charity may not pay more than reasonable compensation for services rendered. Although
the [Code] does not require charities to follow a particular process in determining the amount
of compensation to pay, the compensation of officers, directors, trustees, key employees, and
others in a position to exercise substantial influence over the affairs of the charity should
be determined by persons who are knowledgeable in compensation matters and who have
no financial interest in the determination....The [IRS] encourages a charity to rely on the
rebuttable presumption test ... when determining compensation of its executives....The [IRS]
has observed significant errors or omissions in the reporting of executive compensation
on the IRS Form 990 and other information returns (e.g., Form W-2 and employment tax
returns). Organizations should take steps to ensure accurate and complete compensation
reporting on these forms, and to also ensure that appropriate income and employment taxes
are withheld and deposited with the [IRS]. Executive compensation continues to be a focus
point in [the IRS's] examination program.
The revised Form 990 asks whether the process used to determine the compensation of an organization's top management official and other officers and key employees included a review and approval by independent persons, comparability data, and contemporaneous substantiation of the deliberation and decision, the elements of the rebuttable presumption of reasonableness.

Spurred by the Sarbanes-Oxley requirements for publicly held companies, today's good governance practices generally indicate that an exempt organization should have an audit committee of the board of directors made up of disinterested persons and that the audit committee should oversee the outside auditor. Most healthcare organizations of any size will obtain audited financial statements, for compliance with bond covenants if for no other reason.


Panel Principle 21 states:
A charitable organization must keep complete, current, and accurate financial records. Its
board should receive and review timely reports of the organization's financial activities and
should have a qualified, independent financial expert audit or review these statements annually
in a manner appropriate to the organizations size and scale of operations.
IRS Practice 5.A. states:
[E]ven if an audit is not required, a charity with substantial assets or revenue should consider
obtaining an audit of its financial statements by an independent auditor. The board may
establish an independent audit committee to select and oversee an independent auditor. An
audit committee generally is responsible for selecting the independent auditor and reviewing
its performance, with a focus on whether the auditor has the competence and independence
to conduct the audit engagement, the overall quality of the audit, and, in particular, the
independence and competence of the key personnel on the audit engagement teams.
Form 990 asks whether the organization's financial statements were compiled or reviewed by an independent accountant, audited by an independent accountant, and subject to oversight by a committee within the organization. The instructions indicate that if the reporting organization is included in a consolidated audited financial statement (usually the case in a multi-corporate healthcare system), the organization should respond "no" to these questions but it may explain that it is included in a consolidated audit.
The board of directors also has a duty to see that the corporation maintains financial and other
important records. Panel Principle 5 states:
A charitable organization should establish and implement policies and procedures to protect
and preserve the organization's important documents and business records.
IRS Practice 4.F. states:
The [IRS] encourages charities to adopt a written policy establishing standards for document
integrity, retention, and destruction. The document retention policy should include guidelines
for handling electronic files. The policy should cover backup procedures, archiving of
documents, and regular check-ups of the reliability of the system....Charities are required by
the [IRS] to keep books and records that are relevant to its tax exemption.
The revised Form 990 asks whether the organization has a written document retention and destruction policy.
Financial stewardship in todays environment also includes transparency to the public and other
constituencies. Panel Principle 7 states in part:
A charitable organization should make information about its operations, including its
governance, finances, programs and activities, widely available to the public.
IRS Practice 6 states:
By making full and accurate information about its mission, activities, finance, and governance
publicly available, a charity encourages transparency and accountability to its constituents.
The revised Form 990 asks how the organization makes its Form 1023, Forms 990 and 990-T,
governing documents, conflict of interest policy, and financial statements available to the public.
The revised form also asks whether the Form 990 was provided to the organization's board before
it was filed and asks for a description of the process, if any, used by the organization to review the
Finally, while the issue may not be as commonplace for exempt healthcare organizations as it is
for other types of exempt organizations, an exempt organization should consider adopting a gift acceptance policy outlining the types of gifts (real property, partial interests, closely held stock, etc.) that
it will and will not accept and the types of conditions on property (for example, a restriction on sale)
that it considers acceptable. Gifts can carry potential liabilities; for example, gifts of real property can
present exposure to environmental issues. A gift acceptance policy can outline the types of information that must be presented (e.g., an environmental study) before a gift is accepted. Along these lines,
Panel Principle 30 states:
A charitable organization should adopt clear policies, based on its specific exempt purpose,
to determine whether accepting a gift would compromise its ethics, financial circumstances,
program focus or other interests.

Use of Property Financed by Tax-Exempt Bonds

A primary benefit of tax exemption for healthcare organizations is the ability to use the proceeds
of tax-exempt bonds. Tax-exempt bonds enjoy tax-favored status because the proceeds from these
governmentally issued bonds are used for the benefit of tax-exempt organizations or governmental
units. (The governmental issuer of the bonds may be a state or local health facilities authority, a county, a city, or other governmental unit; the issuer then lends the bond proceeds to the tax-exempt organization, or to the governmental user if it cannot issue the bonds itself.) The holders of these bonds are not
subject to income tax on the bond interest and the exempt organizations or governmental units enjoy
the corresponding benefit of lower interest. In exchange for this benefit, however, the use of the borrowed monies and the facilities they fund are subject to many restrictions. If these restrictions are not
observed, the result can be that the bondholders are taxed on the income they receive and the bonds
are in default, a disastrous outcome. Further, the IRS has increased its enforcement of these restrictions in recent years, conducting compliance surveys and audits of bond users to determine whether
restrictions are being observed and whether appropriate records of the use of bond-financed property
are being kept.28 The revised Form 990 also requires, for reporting years starting on or after January 1,
2009, detailed information on the use of proceeds of each post-2002 outstanding bond issue.
See, e.g., the September 2008 report of the Tax-Exempt Bonds function of the IRS Tax Exempt and Government
Entities division on its tax-exempt charitable financings compliance project at http://www.irs.gov/taxexemptbond/


Thus, it is essential that the use of bond proceeds and bond-financed property be continually
monitored to prevent issues or, if problems have already occurred, to correct them as soon as possible.
Even though the governmental issuer is viewed as the taxpayer by the IRS, bond documents typically place responsibility for compliance with tax rules on the exempt organization or governmental
entity using the proceeds.29 If potential bad use is detected before it occurs, remedial action, such as
using bond proceeds for an alternative purpose or redeeming bonds, can be taken to avoid bad use.30 If
bad use has already occurred, voluntary compliance steps, resulting in a closing agreement and, usually, some payment, can be taken with the IRS.31 Use of bond-financed property and bond proceeds is
typically reviewed by bond counsel during a financing or refinancing. However, if a problem is discovered at that point and the IRS must get involved in a voluntary compliance agreement, the financing
can be delayed or derailed.
A primary restriction affecting ongoing compliance for bond-financed facilities throughout the
life of the bonds is that only a small portion of the facilities can be used by a private person or used
by a tax-exempt person in an unrelated trade or business. Such use is bad use. If bad use limits are
exceeded, the bonds may no longer be tax-exempt. For bonds issued for the benefit of tax-exempt organizations, the limit is generally that no more than three percent of the proceeds of an issue can be used in
a bad use if the permitted 2% of proceeds is used to fund the costs of bond issuance (if less than 2% is
used for costs of issuance, the remainder increases permitted bad use). In addition, for bonds issued for
the benefit of tax-exempt organizations, bond-financed property must be owned by an exempt organization. For bonds issued for governmental facilities, the limit on bad use is generally 10%.
The percentage of bad use is measured for the facilities financed by each bond issue and over the
life of each bond; in other words, it is measured on a bond issue by bond issue basis. One question
that frequently arises is how to determine which property is bond-financed and by which bond issue.
This can be very difficult to track because a single bond issue may fund the purchase of many items of
equipment as well as work on various parts of the physical plant. Also, recordkeeping can be difficult
because of the length of time (often up to 30 years) that bond issues are outstanding. The money borrowed in each bond issue is traced to the expenditures made with that money or with the bond issue
that the new bond issue is refinancing. Thoughtful allocations at the time of expenditure can prevent
future confusion or unnecessary restrictions. Responsibility for maintaining records of bond-financed
property and allocations should be clearly assigned to a position in the organization so that these
records can be preserved despite reorganizations or changes in personnel.
The following generally create bad use:

Bond-financed property is leased to non-exempt persons (such as physicians in private

An exempt organization uses bond-financed property to conduct an unrelated trade or business (such as reference laboratory services).

A service contract involving bond-financed property does not comply with the requirements of Revenue Procedure 97-13,32 which sets forth IRS safe harbors for avoiding bad use. A service contract includes independent contractor and management arrangements but does not include janitorial, billing, or equipment maintenance contracts.

Arrangements under which physicians receive no compensation from the hospital, but instead provide services for which the physicians bill patients directly, may be service contracts which need to comply with Rev. Proc. 97-13, usually as per-unit fee

[29] The bondholders who are not taxed on their interest income are technically the taxpayers; however, the IRS attempts to resolve violations without taxing bondholders and instead works with the issuer. Notice 2008-31, 2008-11 IRB 592.
[30] Remedial action provisions are in Treas. Reg. Sections 1.141-12 and 1.145-2.
[31] Rev. Proc. 97-15, 1997-1 C.B. 635, sets forth the IRS formal closing agreement program. Notice 2008-31, 2008-11 IRB 592, describes the IRS's tax-exempt bond voluntary closing agreement program.

A service contract must generally meet the following requirements to comply with Rev. Proc.

Compensation cannot be based on profits of the bond-financed facility, and cannot be calculated using both revenues and expenses of the facility.

The entity providing the services to the bond-financed facility cannot be a non-Section 501(c)(3) entity controlled by or under common control with the facility. For example, a service contract with a taxable subsidiary or Section 501(c)(4) affiliate in a multi-corporate system cannot comply with Rev. Proc. 97-13.

Board and officer overlap between the service provider and the facility is limited.

The contract's term and compensation provisions must fall within one of several categories. (Reimbursement paid to the service provider for expenses paid by the service provider to unrelated parties is not treated as compensation for these purposes.)

    All of the compensation for services is based on a per-unit fee or a combination of a per-unit fee and a fixed fee. The term of the contract does not exceed three years. The contract is terminable by the facility on reasonable notice, without penalty or cause, at the end of the second year of the contract term.

    At least 50% of the compensation for services for each year during the term of the contract is based on a fee. The term of the contract does not exceed five years. The contract is terminable by the facility on reasonable notice, without penalty or cause, at the end of the third year of the contract term.

    At least 80% of the compensation for services for each year during the term of the contract is based on a fixed fee. The term of the contract does not exceed the lesser of 10 years or 80% of the useful life of the financed property.

    At least 95% of the compensation for services for each year during the term of the contract is based on a fixed fee. The term of the contract does not exceed the lesser of 15 years or 80% of the useful life of the financed property.

    In addition, in limited circumstances a two-year contract with a one-year termination provision may have a percentage of fees or expenses compensation arrangement.

[32] 1997-1 C.B. 632, modified by Rev. Proc. 2001-39, 2001-2 C.B. 38.



As with the issues discussed at the end of Section 7.2.2 Standards for Tax-Exempt Status, the key to compliance with these requirements is the contracting process. Contracts for the lease of property, sale of property, affiliations, joint ventures, and similar transactions should be reviewed before the transaction is completed to determine whether bond-financed property is involved and, if so, whether remedial action is necessary. Contracts for services, whether they are for medical director, hospital-based department, interpretation, physician independent contractor, dietary, or management services, should be reviewed to confirm either that they meet Rev. Proc. 97-13 requirements or that they do not involve bond-financed property.


The matters discussed in this chapter fall primarily into the financial risk domain and, to some
extent, the legal and regulatory risk domain. It is rare that taking risk in financial stewardship produces
a competitive advantage. Further, while the risk frequency may be low, the risk severity is catastrophic.
Fortunately, for most healthcare organizations, risk reduction efforts frequently discover substantial
low-hanging fruit:

Board-level policies and procedures should be reviewed and amended or adopted as necessary. These policies should include:

investment management and participation in joint ventures;

conflict of interest;
transactions involving insiders and implementation of rebuttable presumption of
reasonableness procedures for such transactions;

patient financial policies (charity care, collections);

executive compensation philosophy and procedures, including implementation of
rebuttable presumption of reasonableness procedures;

expense reimbursement policies and procedures;

prohibited political activities;
lobbying activities; and
document retention and whistleblower policies.

The financial management oversight function should include:

implementing procedures and recordkeeping for patient intake, billing and collection that demonstrate compliance with the board-adopted policies and procedures, including staff training and documentation thereof;

maintaining a master list of legal entities and their tax and filing status so that filing requirements can be met and tax-exempt status preserved;


tracking of use of tax-exempt bond proceeds and monitoring of bad use amounts; and
providing direction to accounts payable and expense reimbursement staff to question
suspicious transactions.

Finally, the legal and contract management function should include review of proposed contracts and transactions for:

potential excess benefit transactions, so that rebuttable presumption of reasonableness

procedures can be followed;

transactions that may provide private benefit, so that the need for such transactions can
be documented; and

compliance as necessary with the restrictions on use of tax-exempt bond-financed




Healthcare organizations, particularly tax-exempt organizations, are certain to receive greater scrutiny in the coming years from the IRS, the public, Congress, and others. Tax-exempt organizations are now required to disclose significantly more operational information to the IRS and the public than before. Information that must be disclosed includes:

governance policies;

details on executive compensation and methods of determining compensation;

transactions with insiders;

specific use of tax-exempt bond proceeds; and

charity care, collection, and community benefit policies, procedures, and results.

The same factors will be considered in whether property tax exemption should be maintained. In addition to specific disclosures, the IRS will be attentive to tax-exempt boards' oversight of financial investments. Because of the potentially catastrophic financial consequences (including bond defaults) of actual or threatened loss of tax exemption, and extensive disclosure requirements (making discovery of issues likely), the issues addressed in this chapter are a significant source of risk to tax-exempt healthcare organizations but can be readily addressed.



Part III

Energy Management as an ERM Process

Energy Management as an ERM Process
Sheila Hagg-Rickert, JD, MHA, MBA, DFASHRM, CPHRM, CPCU
Senior System Director of Risk Management, CHRISTUS Health


An energy management initiative is not the first thing that comes to mind when healthcare organizations consider various enterprise risk management (ERM) opportunities. While discussions
regarding energy management no doubt routinely occur within healthcare organizations, especially in
a time of rapidly increasing energy costs, the literature reports few examples of healthcare institutions
that have approached the issue through an ERM framework. However, when traditional risk management competencies of risk identification and loss control, claims management, and risk financing are
applied to issues related to unchecked energy demand in the face of spiraling energy costs, an effective
enterprise-wide energy management strategy may result.

Energy Management as an ERM Process

Energy costs are a significant budgetary item for large healthcare organizations, particularly for
hospitals. Hospitals typically operate within large physical plants on multi-building campuses in which
air temperature and humidity levels must be maintained within relatively narrow limits for the comfort
and safety of visitors and staff and the effective operation of equipment. They have constant ingress
and egress that make indoor climate control more difficult. They utilize large amounts of heated water
that must be available on demand and house large and complex medical equipment, such as MRIs and
CT scanners that require vast amounts of power to operate.
The costs of electrical power in the U.S. have risen over 133% in the past five years.1 Price
increases have also been seen for natural gas.2 In addition, the increased public focus in recent years on
global warming, climate change, and the consequences of failing to adopt a greener approach to construction, plant maintenance, and waste management has forced healthcare organizations, like other
large institutions, to step up their energy management efforts. Given the new criticality of effectively
managing skyrocketing energy costs while contributing to global sustainability through increased
corporate responsibility for reducing carbon emissions and preserving limited energy resources, the
energy management field is ripe for consideration from an ERM perspective.
U.S. Department of Labor, Bureau of Labor Statistics, Consumer Price Index Summary (Washington, DC: GPO, June 2008).
U.S. Department of Labor, Bureau of Labor Statistics, Producer Price Index Summary (Washington, DC: GPO, June 2008).

At its core, enterprise risk management employs traditional risk management competencies
related to risk identification and loss control, claims management, and risk financing to non-fortuitous
and therefore uninsurable potential causes of loss. It expands the notion of risks amenable to the
deployment of risk management interventions to a variety of business, operational, financial, political,
and other risks previously not examined and addressed within the risk management framework. The
energy management issues impacting healthcare institutions can be examined along these lines as part
of a comprehensive enterprise-wide initiative.

Energy Management and Loss Prevention

Opportunities for effective loss prevention abound in the area of energy management. Most such
efforts revolve around energy conservation programs aimed at reducing the organization's overall
energy usage and shifting energy demands to off-peak periods when energy costs may be less.3
Good conservation practices begin prior to breaking ground for new healthcare buildings. Organizations seeking to reduce energy costs can work with their planning and construction management
personnel as well as outside architects, engineering firms, and contractors to ensure new buildings
and major renovations incorporate green building techniques and adhere to principles articulated in
programs such as Energy Star4 and LEED.5 Purchase decisions for major patient care and other equipment can include consideration of energy efficiency.
External consultants can be employed to perform energy audits of existing buildings to identify
opportunities to improve energy efficiency through replacement or enhancement of existing roofing
systems, window glazing systems and heating, ventilation, and air conditioning (HVAC) equipment.
While capital available for the systematic replacement of such equipment tends to be limited in most
healthcare organizations, where such projects must constantly compete for dollars with technology
upgrades and remodeling of patient care areas, entities committed to an energy conservation strategy
can create a multi-year energy enhancement capital improvement plan to ensure that, over time, the
organization moves in a more energy efficient direction.
Most electrical utility providers offer variable rates for power used during different times of the
day, particularly in hotter months during which strains on the energy system peak in the late afternoon
and early evening period when temperatures reach their daily highs and air cooling demands are at their
highest. An operational review to identify high-energy demand activities that can be deferred from peak
energy periods to off-peak times will typically yield additional savings in overall energy costs.

Energy Management and Claims

Claims management activities related to risk management traditionally focus on selecting and
monitoring counsel, setting reserves, negotiating settlements, and performing other duties related to
defending various liability and workers' compensation claims brought against the healthcare organization and handling first-party property and auto claims on behalf of the organization. In the energy
management process, claims management activities revolve around assisting the healthcare organization in pursuing claims it may have against utilities providers.

Texas Electric Choice Education Program. www.PowerToChoose.org (2007).
www.EnergyStar.gov (2008).
U.S. Green Building Council, Leadership in Energy and Environmental Design Green Building Rating System,
www.usgbc.org (2008).

Most healthcare organizations of any size have multiple utility meters that track the organization's
usage of electrical power and natural gas. In the case of large multi-location healthcare providers, the
corporate real estate portfolio often includes hundreds of discrete address locations, each with one or
more utility meters, so the total number of meters can number in the thousands for a single organization. The meters pertaining to a given entity are constantly changing as the organization buys or leases
new space and sells or terminates leases at other locations. Given this scenario, it is no wonder that
utility bills may not always track with the organization's responsibilities for bill payment.
Outside consultants are available to assist the larger healthcare entity with developing a utility bill
audit process. While a single hospital or clinic may have a manageable number of bills to review, large
healthcare corporations usually need to avail themselves of the services of a consultant to review bills
to ensure that charges for utilities provided at closed, sold, or leased out locations are not included on
the organization's bills. While one might think that such billing errors are the exception to the rule,
they are, in fact, surprisingly common and well worth auditing. Given the multi-million dollar annual
energy costs experienced by many large healthcare providers, even a modest 12% savings that results
from identifying locations for which the organization is paying for utility costs in error may
result in hundreds of thousands of dollars in savings.
For not-for-profit healthcare providers, another aspect of bill review involves looking for the
inclusion of various taxes on utility bills for which the organization may legitimately claim exemption.
While jurisdictions may vary somewhat in the degree to which not-for-profit providers are exempt
from taxes on utilities usage, if a large hospital is found to have been paying unnecessary taxes over a
significant period of time, six-figure refunds may be possible.

Energy Management and Risk Financing

When dealing with energy management, risk financing looks at the various financial models and
tools available to a healthcare organization to contain energy costs. Given the governmental deregulation of utilities,6 organizations in many parts of the United States now have the option to select from
multiple suppliers of energy when purchasing power for their operating needs. Terms and conditions,
prices and billing options may vary among various suppliers so, when consumer choice is an option,
healthcare entities may elicit proposals from various vendors to determine which best serve their
needs. Again, utilizing the services of an energy management consultant may be helpful. Rate plans,
budget billing options, and service terms may be somewhat complex and confusing, and it is often
useful to employ the services of a firm specializing in making distinctions among various providers in
determining the best fit for a given healthcare organization.

Daniel H. Cole and Pete Z. Grossman, The End of a Natural Monopoly: Deregulation and Competition in the Electric
Power Industry, Boston, MA: JAI Press, 2003.

Employing hedging strategies is also a potentially useful tool in managing energy costs over time.
Like the prices of many other commodities, utility prices may, under some circumstances, be locked
in via futures contracts. If the healthcare organization, typically with the help of an experienced energy
management consultant, anticipates that the prices of electrical power or natural gas are going to rise
over time, it may be able to lock in a set rate by contract to cover future operating periods. Of course,
if prices actually fall during the contract period, the organization will be forced to pay the higher rate.
However, in the recent era of rapidly escalating utilities prices, many entities have enjoyed significant
savings due to the execution of hedging strategies in prior periods.


Taking a comprehensive approach to energy management is still a new concept to most healthcare
organizations. While most have had various conservation and efficiency efforts in place for some time,
looking at the issue strategically as an enterprise risk has not been widely adopted. However, as energy
costs continue to rise and assume greater prominence in an entity's overall operating budget, there may
be a future trend toward adoption of an ERM framework to better address organization needs.

An Enterprise Risk: Pandemic Influenza
Gisele Norris, DrPH
National Director, Aon Healthcare Alternative Risk Transfer Practice
Amy Norris, Esq.
Associate General Counsel, Clif Bar & Company


There has been much speculation about the emergence of a global influenza pandemic. An influenza pandemic is defined as a global outbreak of disease that occurs when a new influenza A virus
appears or emerges in the human population, causes serious illness, and then spreads easily from
person to person worldwide. Such viruses often occur first in other species (e.g., birds or pigs), subsequently infecting humans with direct contact to infected animals. A pandemic ensues once the virus
adapts to allow sustained human-to-human transmission. Pandemic influenza is distinguished from
seasonal influenza by its transmissibility: whereas most people have some immunity to seasonal influenza, humans have little natural immunity to pandemic influenza. Furthermore, the disease caused by
pandemic influenza may also be graver than that caused by the seasonal flu. Although estimates differ
slightly, influenza pandemics appear to occur roughly three times per century. The first pandemic was
reported around 490 BC.
The recent emergence of the H1N1 virus makes it clear that proactively identifying a virus with
pandemic potential is very difficult. Furthermore, novel flu viruses often result in multiple waves of
illness that arrive a few months apart. The severity of the illness may be different in each wave.
Just as the timing of a pandemic cannot be precisely predicted, neither can its severity. However,
modeling studies suggest that the impact of a pandemic on the United States could be substantial. In
the absence of any control measures such as vaccination or drugs, it has been estimated that a medium-level pandemic in the United States could cause 89,000 to 207,000 deaths, 314,000 to 734,000
hospitalizations, 18 to 42 million outpatient visits, and another 20 to 47 million illnesses. Between
15% and 35% of the U.S. population could be affected by an influenza pandemic, and the economic
impact could range between $71.3 and $166.5 billion.1 There is currently no vaccine for the avian
flu, and antiviral treatments are in scarce supply in the United States.2
Centers for Disease Control and Prevention, Emerging Infectious Diseases: The Economic Impact of Pandemic Influenza in the United States: Priorities for Intervention, Vol. 5, No. 5, September-October, 1999.
Centers for Disease Control and Prevention, March 2006. Note: Vaccines prevent the flu while antivirals are generally
used to cure disease (if used in early stages). Antivirals can be used as a prophylaxis if large quantities are available.

Therefore, even a moderate influenza pandemic would be expected to lead to the following:

significant absenteeism due to a rise in morbidity and mortality;

ensuing production and supply chain interruptions;

shifts in consumer preferences leading to decreased demand for some products and increased
demand for others; and

increases in benefits costs.

Such outcomes will result in direct and significant impact on all types of business, including
healthcare. Furthermore, because pandemic will affect multiple risk domains (operations, human capital, finance, etc.), mitigation planning will require multi-disciplinary involvement. The assertion that
pandemic is a highly probable event with severe expected impact affecting multiple risk domains
qualifies it as a meaningful enterprise risk worthy of serious consideration.

Healthcare Facilities Will Be on the Front Line

The healthcare system itself will be forced to confront such challenges in the face of dramatically
increased demand for services. This situation is exacerbated by the fact that hospitals are themselves
a high-risk environment for contracting pandemic flu. For these reasons, healthcare facilities have an
urgent need to engage in rigorous pandemic planning if they are to fulfill effectively their missions
during a pandemic outbreak. Facilities should consider the following scenarios:
1. Surging demand: Whereas many businesses may experience a decline in demand for their
products, healthcare facilities will be faced with an unprecedented surge in demand for services
and must prepare accordingly. The CDC offers software that allows hospitals to put in population and hospital bed statistics to provide information about the range of hospital admissions
and total deaths. For example, a metropolitan area with over 4 million people could expect to
have nearly 14,000 hospital admissions over an eight-week timeframe, with over 2,500 deaths
due to influenza. Calculations can be made using a range of factors, from number of people
and hospital beds as well as the expected duration (6, 8 or 12 weeks) to the attack rate
(15%, 25%, 35%). To work with this software, go to http://www.cdc.gov/flu/tools/flusurge/.
2. Employee fear of contracting pandemic flu at work: In addition to staying home due
to illness or the need to care for ill family members, employees in all lines of work may
fear coming into contact with their co-workers and contracting the virus. This fear may be
particularly great among healthcare personnel who know they will come into contact with
many infected people. This scenario is exacerbated by the fact that sufficient vaccines and
antivirals are unlikely to be available, even to healthcare workers, during the early waves
of a pandemic. This environment of high absenteeism in the face of surging demand threatens
to impact quality of care materially.
3. Supply chain interruptions: The impact on the overall workforce will also mean interruptions in the supply chain, creating shortages of critical equipment and drugs and reducing
efficacy of care. As people throughout the world become sick, all businesses will be affected,
resulting in interruptions to critical healthcare supply chains from laundry services to pharmaceutical supplies to food service.
4. Difficulty in maintaining infection control: Influenza strains that cause pandemics are, by
nature, extremely infectious. Such infectivity is compounded by the fact that humans have
little immunity to new flu strains. Failure to control infection during a pandemic may lead
to unnecessary threats to human health and even claims of professional liability. Healthcare
facilities may need to review and revise infection control strategies to control the spread of
disease effectively during a pandemic.
5. Effect on benefit plans: As noted above, even a mild pandemic will produce a large increase
in the frequency of illness and subsequent demand for medical care. Such an increase will
impact employer-sponsored healthcare plans. Healthcare workers may also claim workers'
compensation benefits if they suspect that they have been infected at work. The financial
impact of pandemic on benefit plans must be carefully considered, particularly if the healthcare facility participates in self-insurance or alternative risk strategies.
In order to consider the financial and legal ramifications of pandemic on the healthcare facility,
one must consider the facility's duty to and relationships with its patients, workforce, community, and
suppliers and how these covenants may change in the event of pandemic. The purpose of this chapter
is to begin to explore these relationships and to raise issues to be considered by healthcare facilities as
they consider material risks to the healthcare enterprise.

Duty to Patients


Providing a Safe Environment

The primary mission of the healthcare facility is to provide safe and constructive care to its patients.
Not only is this an ethical duty, but a legal requirement, as well. For example, state and federal government regulations require hospitals to provide a safe environment.3 The infectiousness of pandemic,
however, threatens the very safety of the hospital environment. The healthcare facility must make
every effort to mitigate this risk and, for this reason, an infection control program that consciously
addresses pandemic must be in place.
Because influenza is primarily spread through human-to-human contact, the pandemic infection
control procedures should, first and foremost, address the provision of adequate numbers of disease-free
staff and/or volunteers. As mentioned above, healthcare workers will be in short supply and hospitals
will be pressured to reorient workers and stretch capacity however possible. For this reason, hospitals
need to understand which local, state, and federal agencies may have control in coordinating various
medical personnel during a pandemic and how this may affect a healthcare facility's workforce.
More traditional infection control procedures must also be revisited and refreshed, including:

promotion of respiratory etiquette and hand washing among patients, staff, and visitors;

See, e.g., Murillo v. Good Samaritan Hospital, 99 Cal. App. 3d 50, 56-57 (1999), imposing on hospitals a duty to provide
a safe environment in which to diagnose and treat patients.

provision of Personal Protective Equipment (PPE) and masks for patients, staff, and visitors;

appropriate disinfection of surfaces;

air filtration; and

disinfection of equipment.

CDC and others have published guidelines for infection control in the event of a pandemic, and
healthcare institutions should be diligent about documenting any change in policy. Furthermore, to the
extent possible, patients entering the healthcare facility during a pandemic should understand the additional risk. To this end, care providers should consider whether current informed consent and release
provisions are adequate or require revision.
As healthcare facilities consider stretching their workforce through use of volunteers, retired health
professionals, and out-of-state health professionals, they must also consider the legal ramifications of
such strategies including: licensure requirements, provision of workers' compensation, professional
and general liability coverage, and proof of adequate training.
The use of volunteer services gives rise to several legal issues. Facilities should examine minimum
wage and overtime laws to determine whether they apply to volunteers. The Fair Labor Standards Act
defines volunteer rather broadly for purposes of wage and hour laws. A person who performs activities
without a promise or expectation of compensation for his or her personal pleasure falls outside the Fair
Labor Standards Act.4
State labor codes may, however, have a narrower definition of volunteer for purposes of wage
and hour laws.5 In addition, healthcare facilities should analyze the applicable state workers' compensation laws to determine what coverage, if any, is extended to volunteers.
Another consideration is the possibility that volunteers will expose themselves to liability by
offering their services. The potential liability exposure may discourage volunteers. Hospitals should
strategize how best to limit the liability exposure of volunteers. To address this concern during
Hurricane Katrina, one commentator reports that medical personnel were appointed as temporary
uncompensated federal employees. They were thus classified as employees of the United States and
qualified for the protections of the Federal Tort Claims Act (28 U.S.C. § 2671 et seq.).6

Walling v. Portland Terminal Co., 330 U.S. 148, 152 (1947).

California law defines volunteer very narrowly. A person is a volunteer and not an employee subject to minimum
wage and overtime provisions only if he or she intends to donate his or her services to religious, charitable, or similar
nonprofit corporations without contemplation of pay and for public service, religious, or humanitarian objectives. (See
Division of Labor Standards Enforcement's 2002 Update of the DLSE's Enforcement Policies and Interpretations Manual
43.6.5-43.6.7, O.L. 1988-10.27.)
Public Health Emergency Legal Preparedness: Legal Practitioner Perspectives, Demetrios L. Kouzoukas, Journal of
Law, Medicine & Ethics.

Isolation and Quarantine

States and counties may impose isolation and quarantine during a pandemic. Isolation refers to
the separation of persons who have a specific infectious illness from those who are healthy. Quarantine
refers to the separation and restriction of movement of persons who, while not yet ill, have been
exposed to an infectious agent and therefore may become infectious.
Many levels of government have basic authority to compel isolation of sick people to protect the
public. States and local jurisdictions have primary responsibility for isolation and quarantine within
their borders, whereas the federal government has responsibility for preventing the introduction of
communicable diseases from foreign countries. A state's authority to compel isolation and quarantine
within its borders is derived from its inherent police power. As a result of this authority, individual
states are responsible for isolation and quarantine practices within their state.
State and local regulations vary significantly and, whereas some states have codified new and
detailed provisions, others rely on old statutes that may be very broad in scope.7 Furthermore, in
some jurisdictions, state law governs the local public health departments whereas elsewhere, local
authorities may have greater responsibility. States may also look to the Model State Emergency Health
Powers Act for guidance.8 This Act is described in greater detail below. Many states have incorporated
various provisions of the Act.9
In addition to understanding the direct impact of isolation and quarantine on their own facility,
healthcare facilities should understand the laws of quarantine across state, tribal and country
borders and how quarantine may restrict trade and travel in their region, and how this may
affect the supply of critical staff and supplies. Furthermore, facilities should consider the fact
that they may be deemed isolation and/or quarantine facilities with legally restricted ingress
and egress, and prepare accordingly.

Security Considerations

The security of the facility and access to patients and supplies should also be revisited. In the
event that they are not deemed quarantine facilities, policies should be developed to govern visitor
access in the event of a pandemic and such policies should consider the treatment of anxious family
members and loved ones, with respect to the law. Healthcare facilities should give careful consideration to access requirements for parents of sick children, as well as dealing with practical scenarios,
e.g., how to handle children whose single parent and sole caregiver is under hospital care.
Healthcare facilities are likely to receive, house, and distribute items such as vaccines and antivirals.
Vaccine is unlikely to be available at all in the early days of a pandemic, and it is estimated that
antivirals will be in short supply. Because such items will be in high demand, it is critical to establish
a hierarchy of eligibility in advance of a pandemic event. Such criteria should first consider healthcare
staff, volunteers, first responders, and patients. Because supplies are likely to become more available
during the course of the pandemic, processes should be constructed that allow for adjustments in the
priority list.

See http://www.healthyamericans.org/reports/bioterror04/Quarantine.pdf for a summary of state quarantine and isolation laws.
See http://www.publichealthlaw.net/MSEHPA/MSEHPA2.pdf.
For a summary of state activity, see the MSEHPA State Legislative Activity Table at http://www.publichealthlaw.net/MSEHPA/MSEHPA%20Leg%20Activity.pdf and the MSEHPA State Legislative Surveillance Table at

However, beyond this, facilities should also bear in mind that they may have a role administering vaccine/antivirals to the community. In preparation for such a role, facilities should be concerned
about how and with whom they will communicate at the federal, state, and local level to fulfill this
role. Providers should determine whether the vaccine is mandatory. The Public Health Service Act
includes broad language that may permit the Secretary of Health and Human Services to require mandatory vaccinations. That act permits the Secretary to make and enforce such regulations as in his
judgment are necessary to prevent the introduction, transmission, or spread of communicable diseases
from foreign countries into the States or possessions, or from one State or possession into any other
State or possession.10
Many states have legislation requiring mandatory vaccinations of school-aged children. In addition, some states provide for mandatory vaccination in the event of a public health emergency or
outbreak of a communicable disease.11 States often provide exemptions to the mandatory vaccine laws
for religious, philosophical, or medical reasons. Care providers should familiarize themselves with the
applicable laws. In addition, facilities should consider whether the vaccine may be administered by
non-licensed volunteers and whether providers or volunteers are liable for any problems arising from
the administration of vaccines.
Pandemic will undoubtedly cause much fear and uncertainty in the community, and such sentiments may generate public disorder. Because healthcare facilities will house and potentially restrict
access to both ill loved ones and precious medical supplies, they may find themselves at the center of
the chaos and even targets of violence. For these reasons, facilities need to understand that a plan for
maintaining public order is required, and should be familiar with protocols for requesting assistance
from local, state, and federal governments and the National Guard. A plan for secure storage for vaccines and antivirals should also be established, as should a protocol for securing needed supplies from
state and federal government.

Ethical Considerations

As implied above, some communities have begun difficult ethical discussions about the priority
of care provision during a pandemic. In addition to concern about who should have access to early
doses of vaccine and antivirals, much of this discussion has been focused around the hierarchy of
eligibility for ventilator care. Certain groups (including the very elderly and the chronically ill) have
been deemed by some communities to be lower priority for ventilator care in times of shortage. See,
for example, Allocation of Ventilators in an Influenza Pandemic by the New York State Department of
Health and Task Force on Life & the Law.12

42 U.S.C. § 264.
CRS Report for Congress, Mandatory Vaccinations: Precedent and Current Laws, Angie A. Welborn, updated January 18, 2005, Order Code RS21414.

An effective system for triaging patients during a pandemic (e.g., severe illness treated in hospitals; milder illness in less equipped facilities) is practical and necessary but also gives rise to legal
concerns, including claims of discrimination and possible wrongful death actions. Hospitals should
endeavor to mitigate the effects of possible claims by developing and implementing a triage plan for
access to ventilator services. Priority for treatment should be determined only on the basis of clinical
need. The plan should include clear criteria for making triage determinations and guidelines for implementation. Allocation of an insufficient supply of ventilators is likely to cause death in patients who
would otherwise survive if given access to a ventilator. For that reason it is suggested that a neutral
third party healthcare professional direct the triage process rather than those medical professionals
tasked with care of the patients who require the use of a ventilator.13 The triage policy should ensure
fair allocation of the limited resource and access based on objective clinical factors.


In an environment of scarce beds, facilities will be compelled to discharge patients as soon as
possible. Discharging patients too soon (e.g., while still infectious) could result in additional disease
in the community, potentially resulting in liability for the hospital. Discharge policies must address
when it is safe to release pandemic patients considering that different types of people may be infectious for different periods of time (e.g., children may be infectious for longer periods). Such policies
must also identify the locations to which the hospital will discharge a patient (e.g., if patient is still
ill, are there others at home to care for him/her; when is step-down care appropriate, etc.) Even in a
mild pandemic, there will be excess mortality, which prompts considerations regarding disposition of
remains. During the 1918 flu, more than 12,000 people died within a single month in Philadelphia.
Improper storage and burial added another layer of public health and infection concern to an already
daunting situation. Disposition of remains may be exacerbated in hospitals if survivors fear claiming
deceased flu victims.

Duty to Workforce

As always, the facility must ensure that its own employees are protected from infection to the maximum extent possible. The Occupational Safety and Health Act (OSHA) requires employers to provide a safe workplace free of hazards likely to cause death or serious physical harm to their employees.14 OSHA permits the Secretary of Labor to impose temporary emergency standards if he or she determines employees may be exposed to grave danger from physically harmful agents or new

12. The Pandemic Ventilator Project, whose goal is to attempt to construct a ventilator design for use in a flu pandemic that can be made from readily available materials at the last minute, also maintains a website which discusses the moral and ethical dilemmas of limited ventilator access. See http://www.penvent.blogspot.com.
13. Ethical and Legal Considerations in Mitigating Pandemic Disease: Workshop Summary, Stanley M. Lemon, Margaret A. Hamburg, P. Frederick Sparling, Eileen R. Choffnes, and Alison Mack, 2007.
14. 29 U.S.C. 654.

Facilities may wish to consult OSHA's guide on pandemic preparedness.16 OSHA anticipates employers will develop and implement pandemic plans that minimize the risk of infection to employees, provide employees with PPE, limit employee contact with infected persons, make sick leave available to infected employees, and educate and train employees about protective clothing and equipment and alternate duties which they may be asked to assume. OSHA also recommends reducing contact among employees by permitting people to work from home, when possible, and using email or video rather than face-to-face meetings.
If vaccines and/or antivirals are available, critical healthcare personnel should receive priority access. In the absence of such effective medical prophylaxis, hospitals may be forced to employ more practical (and less reliable) methods to protect staff from infection. Such mechanisms could include using as few personnel as possible to care for flu patients by using cohort units to isolate pandemic patients and using (to the extent possible) staff who have recovered or who are sick with the flu but well enough to work. Whatever strategy the facility decides to pursue, it should conduct an analysis of state labor code statutes to ensure that it will satisfy the minimum workplace safety requirements.17
Policies should also be developed that provide guidance to managers about what to do when an employee appears sick. Healthcare facility managers should decide if and when an employee who appears sick should be denied work within the healthcare facility and how this will affect compensation and terms of employment for various classes of employees (e.g., salaried, hourly, contract, union). In addition to crafting such guidelines for employees, hospitals should also consider how and when physicians who appear sick will be denied work in the hospital. Guidelines should include referral criteria for apparently sick employees that provide instructions on where such individuals will be referred, including criteria for admission, home care, or outside referral. Lastly, facilities should consider procedures for rudimentary contact tracing if an infected employee is known to have been at work while infectious.
Regardless of effective infection control within the healthcare facility, absenteeism will be high due to disease, fear, and other care-giving obligations. Facility leadership must determine how they will compensate various staff members for different types of absence during a pandemic. For example:

If a full-time staff member stays home from work because he/she fears becoming infected,
will his/her salary be continued?

If an employee is compelled to work (in order to guarantee salary continuance) and becomes
infected, what are the legal ramifications?

What is the policy towards salary continuance for hourly staff?

15. 29 U.S.C. 655(c).
16. Guidance on Preparing Workplaces for an Influenza Pandemic, OSHA Publication No. 3327-02N 2007,
17. Hospitals in California, for example, should consult the California Division of Occupational Safety and Health, which promulgates regulations in addition to those of OSHA. See 8 Cal. Code of Regs., Chapter 3.2.


If salary continuance policy towards exempt and hourly employees differs, will this be considered discrimination?

How will overtime be paid? Does the facility have adequate reserves to meet estimated overtime requirements?18

If employees are asked to shelter-in-place at the facility for several days or weeks, how will
they be compensated for this additional service?

Are compensation policies in compliance with the Fair Labor Standards Act19 and any applicable state labor codes relating to compensation/meal and rest periods?20

In the case of employees who do become ill, the hospital must consider how sick leave, vacation, disability and workers' compensation will respond. Considerations might include prioritizing sick leave, disability, and vacation leave and determining how disability will be triggered. In determining those circumstances in which sick leave will be paid, hospitals should create a policy that encourages infected and potentially infected employees to stay home so as to reduce the possibility they may infect other employees. Facilities should also consult with their disability insurers to discuss whether the insurer would require proof of illness as a trigger for disability payments and if such proof is likely to be available during a pandemic.
An analysis of vacation and sick leave should include examination of the Family and Medical Leave Act (FMLA)21 and any applicable state leave acts.22 FMLA permits employers to require the use of paid leave (i.e., vacation and sick leave) in lieu of FMLA leave.23 State leave statutes should be examined to determine if they provide greater protections than FMLA.
In a healthcare environment, some employees are likely to contract flu in the workplace. For this reason, employers must consider how workers' compensation coverage will respond. Questions to ponder include:
Does your institution's workers' compensation cover pandemic flu?
If the institution is self-insured for any portion of its professional, general, or workers' compensation programs, are its reserves adequate?
When will coverage be triggered?
Will exposure be considered a workplace injury covered by workers' compensation?
Should the physician panel be suspended/expanded?
18. State overtime laws vary widely. Some states provide exemptions to overtime regulations for healthcare emergencies. See, e.g., 8 Cal. Code of Regs. 11040.
19. 29 U.S.C. 206 and 207.
20. Hospitals should pay particular attention to their state's labor code provisions regarding meal and rest periods. Failure to provide adequate meal and rest periods may lead to extensive penalties. See, e.g., California Labor Code 226.7 and 512 and 8 Cal. Code of Regs. 11040 and 11051.
21. 29 U.S.C. 2601.
22. California, for example, has adopted the Family Rights Act, which permits an employee to take leave to care for a sick family member. California Government Code 12945.2 and 2 Cal. Code of Regs. 7297.5. See also California Labor Code
23. 29 U.S.C. 2612; 29 CFR 825.207.


Are there reasonable accommodation requirements for return to the workplace after a pandemic exposure?
Is there adequate coverage for psychiatric claims that may arise due to stress of working in
the pandemic environment?24
Will exhaustion from overwork be considered a compensable workplace injury?
A facility's workers' compensation exposure will be largely determined by the manner in which the state interprets its workers' compensation laws. If the laws provide for a liberal application of the remedy, as most do, it is quite likely that pandemic-related exposures will be covered by workers' compensation. Furthermore, if a hospital is self-insured for any portion of workers' compensation, professional, or general liability, it must consider whether its own reserves are adequate. One of the key issues in this analysis will be the applicable statutes defining covered injuries (i.e., those defining injuries that arise out of or in the course of employment).25
One should also pay special attention to the reasonable accommodation issue. Although FMLA contains no reasonable accommodation requirement for an employee returning to work after FMLA leave, the regulations caution that the ADA may govern reasonable accommodation requirements.26 State law may also affect the employer's obligation to make a reasonable accommodation. In California, the Family Rights Act does not include a reasonable accommodation requirement, but the Fair Employment and Housing Act does.27
Finally, when is termination appropriate and legally acceptable? Are the employees subject to employment contracts or collective bargaining agreements that limit the employer's ability to terminate? Are the employees subject to at-will employment arrangements? How long must an employer continue salary for an employee who repeatedly refuses to report to work but is not ill? What are the legal ramifications of compelling an employee to report to work in an environment where he/she is at high risk for contracting the flu? Do the applicable statutes require reinstatement of employees? Is an employee entitled to reinstatement to his or her former position? FMLA requires that an employee returning from leave be returned to the same position the employee held when the leave commenced or to an equivalent position with equivalent benefits, pay and other terms and conditions of employment.28 State law may also contain reinstatement requirements.29
24. While causation is likely to be a question with respect to any psychiatric claims, these claims should be anticipated in light of most states' liberal construction of workers' compensation laws.
25. The relevant provisions for California may be found at section 3600 of the California Labor Code. California requires that the injury be proximately, although not exclusively, caused by employment. The employment need only contribute to the injury to satisfy the proximate cause requirement. California Comp. & Fire Co. v. Workmen's Compensation Appeals Board, 68 Cal. 2d 157 (1968). New York also applies a liberal construction in favor of the employee. New York Workers' Compensation Law 2(7) and 10. Absent substantial contrary evidence, the injury will be presumed to have occurred in the course of employment. Johannesen v. New York City Department of Housing Preservation and Development, 84 NY 2d 129 (1994).
26. 29 CFR 825.214.
27. See California Gov. Code 12940 and Neisendorf v. Levi Strauss & Co., 14 Cal. App. 4th 509 (2006).
28. 29 C.F.R. 825.214.
29. See 2 Cal. Code of Regs. 7297.2, requiring employer guarantee to reinstate employee to same or comparable position upon return from Family Rights Act leave. That regulation also sets forth certain defenses to the guarantee.


Relationships with labor unions should be re-examined in preparation for a pandemic. Healthcare facilities should consider how such an event might affect various provisions in collective bargaining agreements, such as overtime stipulations, benefit specifications, and seniority (e.g., how will seniority be affected if a healthcare worker is absent from work for several weeks?). Facilities should also determine whether they will be obligated to continue paying into union funds (vacation, retirement, disability, etc.) during a pandemic.
It is important to consider the effects of a diminished workforce on the healthcare facility's ability to comply with state and federal regulations and other legal obligations. Examples include nurse ratios, HIPAA regulations, collective bargaining agreements, environmental issues and lease provisions that could trigger a facility shut-down.
Illness rates are likely to vary between communities during a pandemic and, as a result, hospitals (particularly hospital systems) may need to redeploy staff and contract employees. As facilities accommodate surging demand, they will likely utilize alternative and sometimes non-traditional care facilities (e.g., dentist offices, high school gymnasiums, etc.). To prepare for such eventualities, hospitals should determine:
whether there are policies in place that limit redeployment of employees;
how redeployment may affect compensation (Will labor laws obligate the hospital to pay for travel time? Do collective bargaining agreements or employment agreements provide for some type of hardship pay?);
implications for licensing (e.g., if out-of-state professionals are used) and attendant implications for liability exposure;
whether the hospital can compel staff to work at a different hospital and if this could be associated with different or increased liability;
how this temporary arrangement is memorialized from a legal standpoint (Has the facility drafted a pandemic policy that permits it to temporarily reassign employees to work off site, to work an alternate schedule, or to receive a different pay rate? Will the facility ask employees to sign an acknowledgement of any temporary changes in their employment arrangement? If so, will these agreements preserve applicable at-will employment status? To what position and on what terms must a hospital reinstate an employee working under a temporary arrangement if he or she took FMLA leave?).
Although it is unlikely, it is possible that some hospitals may be faced with temporary closure. Healthcare facilities should understand federal and state notice provisions30 and consider what scenarios are sufficient to trigger such a shutdown, and construct a shutdown game plan. Items to consider include: whether salary and benefits will continue during a shutdown and, if so, for how long; and availability of holidays, sick days, and vacation time for payment during such an event. Here again, knowledge of the terms of any applicable collective bargaining and employment agreements and state law is crucial. In addition, one should ensure the hospital has maintained adequate reserves to meet this eventuality.

30. A shutdown may trigger the federal notice provisions set forth in the Worker Adjustment and Retraining Notification (WARN) Act at 29 U.S.C. 2101 et seq.

Duty to the Community

Healthcare facilities, and hospitals in particular, will have a unique responsibility to their communities in the case of a pandemic. They will be looked to not only for lifesaving care but also for information, leadership, and guidance in a time of chaos. Therefore, it is incumbent on hospitals to obtain comprehensive knowledge of the local, state, and federal (e.g., CDC) officials with whom they will coordinate during a pandemic and create a plan for communication with these individuals and their alternates. In addition to helping coordinate care planning efforts among county and state health departments and other hospitals, these government entities will likely control the access and flow not only of vaccine and antiviral resources but also of information about the evolving characteristics and movement of the disease. For this reason, appropriate coordination is essential to preserving maximum availability and continuity of care.
Facilities must also consider how they will communicate with their communities. Items to be
considered in advance of a pandemic include:
designating a spokesperson for the media and public;
key messages you would like the public to hear and understand;
medium of communications;
how priority groups for vaccine and antivirals will be explained; and
how facilities will organize and communicate vaccination campaign efforts.
Many states are likely to look to the Model State Emergency Health Powers Act, which was drafted in the wake of September 11. The Model Act provides broad authority for the state's governor to:
declare a public health emergency;
grant the public health authority the ability to exercise emergency powers with respect to the licensing and appointment of health personnel;
authorize state and local officials to use and appropriate property for patient care;
allow officials to destroy contaminated facilities or materials;
empower officials to provide care, testing, and treatment;
provide the public health authority with the ability to prioritize and ration healthcare;
mobilize organized militia into service of the state;
grant emergency access to individual health information under specified circumstances;
permit separation of affected individuals from the population at large (isolation and quarantine); and
provide various immunities with respect to liability to the state itself and those assisting the state during a public health emergency.


Healthcare leaders should strive to understand this Act, specifically: what constitutes a public
health emergency, their obligations should the Act be adopted, and the impact it will have on their
facilities (e.g., ramifications of government appropriation of the hospital) and the civil rights of patients
and employees.

Other Key Relationships

This chapter addresses the duty of the healthcare facility to its various constituents in the case of
a pandemic. Other key relationships, such as those with suppliers, should also be taken into account.
Healthcare facilities should consider requesting pandemic preparation plans from key suppliers,
reviewing contracts to determine remedies for failure to supply (e.g., will pandemic be considered
force majeure?), and ensuring that the hospital is not dependent on sole-source provision for essential
products and services.


Although many enterprise risks are specific to an individual entity or geography, pandemic is a material risk faced by all healthcare facilities. The severity of the event will be unprecedented and the impact complex, as absenteeism disrupts all aspects of facility operations. Despite this extraordinary level of hardship, the hospital will be obliged to provide the safest possible environment for patients and staff. In addition, the facility has a special responsibility to provide information and leadership to the public. These duties should be addressed by developing comprehensive pandemic plans that take into account the facility's ethical and legal obligations to patients, workforce and community. Such planning should also strive to protect the organizational well-being of the facility during a pandemic by carefully considering the financial and legal ramifications of various courses of action.


Compendium of Pandemic Policy Resources

Safety of Facility
Murillo v. Good Samaritan Hospital, 99 Cal. App. 3d 50, 56-57 (1999)
Walling v. Portland Terminal Co., 330 U.S. 148, 152 (1947)
Division of Labor Standards Enforcement's 2002 Update of the DLSE's Enforcement Policies and Interpretations Manual 43.6.5-43.6.7 O.L. 1988-10.27

Isolation and Quarantine
Public Health Emergency Legal Preparedness: Legal Practitioner Perspectives; Demetrios L. Kouzoukas, Journal of Law, Medicine & Ethics
MSEHPA State Legislative Activity Table: http://www.publichealthlaw.net/MSEHPA/
MSEHPA State Legislative Surveillance Table: http://www.publichealthlaw.net/MSEHPA/

Mandatory Vaccination
42 U.S.C. 264
CRS Report for Congress, Mandatory Vaccinations: Precedent and Current Laws, Angie A. Welborn, Updated January 18, 2005, Order Code RS21414

Resource Allocation
Ethical and Legal Considerations in Mitigating Pandemic Disease: Workshop Summary, Stanley M. Lemon, Margaret A. Hamburg, P. Frederick Sparling, Eileen R. Choffnes, and Alison Mack, 2007

Employee Safety
29 U.S.C. 654
29 U.S.C. 655(c)
8 Cal. Code of Regs. Chapter 3.2

Compensation, Meal, and Rest Periods
8 Cal. Code of Regs. 11040
29 U.S.C. 206 and 207
California Labor Code 226.7 and 512
8 Cal. Code of Regs. 11040 and 11051
29 U.S.C. 2601
California Government Code 12945.2
2 Cal. Code of Regs. 7297.5
California Labor Code 233

Workers' Compensation
29 U.S.C. 2612
29 CFR 825.207
California Comp. & Fire Co. v. Workmen's Compensation Appeals Board, 68 Cal. 2d 157
New York Workers' Compensation Law 2(7) and 10
Johannesen v. New York City Department of Housing Preservation and Development, 84 NY 2d 129 (1994)
29 CFR 825.214
California Gov. Code 12940
Neisendorf v. Levi Strauss & Co., 14 Cal. App. 4th 509 (2006)
29 C.F.R. 825.214
2 Cal. Code of Regs. 7297.2

Facility Closure
Worker Adjustment and Retraining Notification (WARN) Act at 29 U.S.C. 2101 et seq.

Environmental Compliance in the Context of ERM
Nicola A. Nelson, Esq.
Richard S. Porter, Esq.
Hinshaw & Culbertson LLP


The United States Environmental Protection Agency (EPA or the Agency) rigorously applies
environmental statutes and regulations to healthcare facilities, and history has shown that the Agency
does not hesitate to impose stiff penalties for violations of its regulatory requirements. Environmental
contaminants associated with healthcare facilities include mercury, dioxin, and other persistent, bioaccumulative toxics (PBTs). In addition, hospitals are recognized as generating hazardous wastes such
as antineoplastic chemicals, solvents, formaldehyde, photographic chemicals, radionuclides, waste
anesthetic gases, and chemotherapy agents, as well as more common waste materials such as batteries,
light bulbs, and pesticides.
In response to Agency concerns about the environmental risks associated with healthcare facilities, EPA Region 2 launched a compliance initiative in 2002 that targeted facilities in New York, New Jersey, Puerto Rico, and the Virgin Islands. That initiative offered incentives for self-auditing and disclosure and warned of the Agency's intent to step up healthcare facility enforcement actions. This well-publicized decision to target healthcare facilities delivers an unmistakable warning: environmental compliance is a vital component of an organization's enterprise risk management strategy. Organizations must, therefore, be proactive in developing and updating their environmental compliance programs, and must be prepared for the possibility of an environmental inspection at any time. To effectively manage risk in the context of the ever-changing, ever-expanding web of environmental laws and regulations, organizations must arm themselves with detailed knowledge, enlisting the aid of environmental law professionals to formulate policies and protocols that address the organization's legal duties and areas of vulnerability.
It is vital for the organization to recognize that environmental considerations must not be compartmentalized and relegated solely to the development of policies dealing with the discharge of wastes and refuse. Rather, a responsible organization will recognize that environmental considerations play a role in almost every aspect of an organization's operations. Contract review, for example, should routinely include an evaluation of potential environmental risk. Such risk is not limited solely to contracts relating to the disposal or handling of wastes. Rather, environmental risk comes into play in a variety of contracts, including those relating to an organization's role as landlord or as a buyer or seller of real estate. The responsible organization will therefore limit its liability by ensuring that appropriate, protective contract provisions are included in its contracts.
Additionally, environmental risk management necessitates the consideration of liabilities arising in the context of an organization's affiliate facilities, such as medical office buildings, clinics, physician practices, and freestanding outpatient units, with which coordinated environmental policies and protocols should be implemented. Similarly, purchasing decisions should incorporate the knowledge that when choosing among different items (whether those items are cleaning supplies, medical equipment, lighting, or building materials), the cost of disposal, risk of injury, or potential for environmental contamination is an inherent, hidden cost. In the event of unexpected spills, breakage, or accidental destruction (e.g., fire), or simply the need to dispose of the product at the end of its useful life, that hidden cost has the potential to overshadow the purchase price. Clearly, then, responsible organizations have a duty to take environmental risk management seriously and to formulate appropriate policies and procedures, with the help of knowledgeable experts, that incorporate such policies and procedures throughout their sphere of operations.
It is important to have at least a basic understanding of the framework of environmental regulation in order to understand the organization's responsibilities and duties. Although federal environmental laws and regulations are legion, among those with the greatest impact on healthcare facilities are: the Clean Water Act (CWA); the Resource Conservation and Recovery Act (RCRA); the Emergency Planning and Community Right-to-Know Act (EPCRA); the Clean Air Act (CAA); the Toxic Substances Control Act (TSCA); and the Federal Insecticide, Fungicide, and Rodenticide Act (FIFRA). While this chapter briefly describes each of these laws in the context of healthcare facilities, the complexity of modern environmental regulation makes it impossible to fully address all relevant environmental mandates and prohibitions in the space available here. The reader is therefore cautioned to remember that this chapter provides only a brief overview of some of the most significant laws and regulations.1 To manage its environmental risk, an organization should utilize environmental professionals to design a comprehensive, integrated compliance program, often referred to as an environmental management system (EMS). The basic components of a good EMS are described and discussed below, and because compliance inspections of healthcare facilities are inevitable, this chapter also offers an overview of the self-audit and inspection process, describing what can be expected when an Agency inspector shows up at the door.

1. The Appendix to this chapter includes a chart describing the record-keeping requirements for many of the relevant laws and regulations discussed in the chapter, as well as some regulations that commonly apply to healthcare facilities but are not specifically addressed in the chapter. An excellent source for additional information regarding environmental issues of concern to healthcare facilities is the website of the Healthcare Environmental Resource Center (HERC) at http://www.hercenter.org. For those seeking a truly comprehensive and detailed guide to environmental compliance, the EPA makes available its 155-page Profile of the Healthcare Industry compliance manual, geared specifically toward those in the healthcare field, at http://epa.gov/compliance/resources/publications/assistance/sectors/notebooks/health.pdf.



Environmental Laws that Affect Healthcare Facilities


Clean Water Act (CWA)

The Clean Water Act (CWA) is designed to protect the nation's waters, which include both groundwater and navigable waterways.2 The CWA includes the national water quality standards program, a permit program for the discharge and treatment of wastewater and stormwater, and a program designed to prevent oil pollution.
The EPA defines water pollutants as any type of industrial, municipal, and agricultural waste discharged into water, including solid waste, incinerator residue, sewage, garbage, chemical wastes, biological materials, radioactive materials, heat, wrecked or discarded equipment and industrial, municipal, and agricultural waste.3 Under the CWA, pollutants are classified as one of three types: (1) toxic (also known as priority), which includes dioxins, mercury, and ammonia; (2) conventional, which includes biochemical oxygen demand (BOD) substances, total suspended solids (TSS), fecal coliform, oil and grease, and pH; or (3) non-conventional, a catch-all category that includes any pollutant not identified as either conventional or priority.
Healthcare facilities may have a variety of wastewater sources, including sinks, drains, showers,
toilets, and tubs, as well as stormwater (which typically washes away dirt, debris, oil from parking lots,
pesticides, lawncare chemicals, and other pollutants). Unless a facility discharges wastewater directly
into a stream or river, it is categorized as an indirect discharger of wastewater. As an indirect discharger,
a facility is subject to all relevant wastewater regulations, including local sewer authority regulations,
and may be required to obtain an industrial user permit from the local municipal pretreatment program.
Municipal regulations usually prohibit the discharge of medical waste, and the CWA regulations prohibit
the discharge of fire or explosion hazards; corrosive discharges (with a pH of less than 5.0); discharge
of solid or viscous pollutants; heat discharge that would cause treatment plant influent to exceed 104
degrees F.; discharges that would create toxic gases, fumes, or vapors; and the discharge of other pollutants that could interfere with or pass through a treatment plant (for example, oil and grease).
A facility that uses or stores oil may be subject to the Spill Prevention Control Countermeasure
(SPCC) rule, and those with a total aboveground oil storage capacity of greater than 1,320 gallons,
or with a total underground storage capacity of greater than 42,000 gallons are subject to SPCC plan
requirements, which require the preparation and implementation of an SPCC plan to prevent the discharge of oil into navigable waters or adjoining shorelines.
In the context of the CWA, EPA inspectors are authorized to enter a facility to conduct an inspection to determine compliance. The most common areas of focus in a CWA compliance inspection are
wastewater discharges, stormwater discharges, and aboveground or underground storage containers.
Inspectors typically ask to review a facilitys permit for indirect discharge to the local municipality,
itsSPCC plans, its Phase II NPDES stormwater permits (for facilities in urban areas), and any NPDES
general permits for direct discharge into a water body.
EPA training materials concerning the CWA, as well as a link to the Act itself and the implementing regulations, are
available at http://www.epa.gov/watertrain/cwa.
USEPA NPDES website, http://cfpub.epa.gov/npdes/faqs.cfm (May 14, 2008).

Enterprise Risk Management for Healthcare Entities, First Edition


Environmental Compliance in the Context of ERM

The most common CWA violations at healthcare facilities include lack of a permit for wastewater
discharges, failure to be fully informed about local treatment plant sewer use regulations and prohibitions, inadequate secondary containment for storage tanks, improper disposal down floor drains, and
lack of a Spill Prevention, Control and Countermeasure Plan.

Resource Conservation and Recovery Act (RCRA)

The Resource Conservation and Recovery Act regulates facilities that generate, transport, treat,
store, or dispose of hazardous waste.4 Virtually all healthcare facilities are deemed hazardous waste
generators under RCRA; therefore, compliance with RCRA and its implementing regulations represents a major area of concern for healthcare facilities.
Hazardous waste is classified as either listed (i.e., specifically identified hazardous substances,
including, for example, solvents and insecticides) or characteristic. Characteristic substances are those
with properties that EPA has identified as hazardous to human health or the environment, including
the characteristics of: (1) ignitability (substances that are flammable under certain conditions); (2) corrosivity (those that corrode metals or have a very high or low pH); (3) reactivity (those that readily
explode); and (4) toxicity (those that are known to be harmful or fatal if ingested, and are known to
leach into ground water, such as arsenic, lead, or mercury).
The RCRA regulations categorize facilities as Large Quantity Generators (LQGs), Small Quantity
Generators (SQGs), or Conditionally Exempt Small Quantity Generators (CESQGs), based on the
amount of waste they generate per month and the amount of waste stored onsite. These categories
determine the applicable regulatory requirements.
An EPA inspection for RCRA compliance is usually extensive and can take up to a week to
complete. Inspections typically focus on universal waste storage areas,5 used oil storage areas, vehicle
maintenance facilities, battery storage areas, transfer terminals, secondary containment structures, dispenser pumps and check valves, leak detection equipment, alarms, sight gauges, fill ports, catchment
basins, and cleanup equipment. Other areas that will be inspected include the facility's laboratories,
pharmacy, and morgue.
An inspector will also review all required records relating to mandatory notifications of hazardous waste activity, hazardous waste manifests, manifest exception reports, biennial reports, inspection
logs, employee training documentation, the hazardous substance spill control and contingency plan,
material safety data sheets, spill records, the Spill Prevention Control and Countermeasure Plan, emergency plan documents, the placarding of hazardous waste and hazardous materials, permits, if any,
waste analysis plans, universal waste transportation/shipping records, records concerning underground
storage tanks (USTs), and all relevant permits.
The most common RCRA healthcare facility violations include a failure to comply with hazardous
waste generator regulations and related lack of documentation, failure to comply with UST regulations,
incorrect or inadequate hazardous waste labeling, failure to have waste batteries or fluorescent
lamps stored and labeled in proper universal waste containers, inadequate compliance with required
weekly inspections of hazardous wastes storage/satellite areas, open containers of hazardous wastes,
failure to have hazardous waste determinations on file for all wastes, failure to have procedures in
place to ensure spent aerosol containers are empty before disposal as solid waste, malfunctioning leak
detection systems on USTs, disposal of hazardous wastes down a drain, improper management of
expired pharmaceuticals, lack of a contingency plan, inadequate training for employees in hazardous
waste management, and failure to ensure hazardous waste meets land disposal restrictions.

The EPA handbook on understanding hazardous wastes is available for download at http://www.epa.gov/region02/
Universal waste includes batteries, pesticides, mercury-containing equipment, and lamps/bulbs. See 40 CFR Part 273.

Emergency Planning and Community Right to Know Act (EPCRA)

The Emergency Planning and Community Right to Know Act (EPCRA) is designed to promote
emergency planning and preparedness.6 It mandates emergency planning, the notification of state and
local government with respect to the presence of certain chemicals, and the reporting of hazardous
substance releases. Emergency planning requirements apply to any facility that has any chemical designated as extremely hazardous (for example, liquid oxygen) at or above its planning threshold quantity,
and require that such facilities notify the State Emergency Response Commissioner (SERC) and Local
Emergency Planning Committee (LEPC) within 60 days of receiving or producing an extremely hazardous substance. EPCRA also requires that such facilities provide the LEPC with a representative to
participate in the emergency planning process. Reportable releases of a hazardous substance require an
emergency notification and written follow-up notice. Annual inventory reports are mandatory.
Typical records reviewed by an inspector evaluating EPCRA compliance include the facility's
proof that required timely notifications were made for environmental releases of hazardous substances,
the facility's emergency response plan, MSDS information, and inventory reporting forms.
The most common EPCRA healthcare facility violations include a failure to report accidental
chemical releases and emissions data to local authorities, and the storage of chemicals (e.g., heating oil
and gasoline) onsite above threshold amounts.

Clean Air Act (CAA)

The Clean Air Act (CAA) is designed to protect and preserve air quality.7 In the context of healthcare facilities, the EPA is most concerned with a healthcare facility's air conditioning and refrigeration
systems, boilers, medical waste incinerators, and with the presence of asbestos. All are subject to
federal emissions, monitoring, and recordkeeping regulations, which are strictly enforced. Facilities
that are deemed a major source of hazardous air pollutants (HAP) (10 or more tons per year of a single
HAP or 25 tons per year of combined HAPs), must obtain a Title V operating permit. Application
for a permit typically requires submission of information concerning emissions, control devices, and
general processes at the facility. Such permits limit emissions, and require monitoring, recordkeeping,
and reporting.
Detailed information on EPCRA is available from the EPA at http://www.epa.gov/Compliance/civil/epcra.
Although the CAA is federal legislation and establishes federal standards, state and local regulations may also apply,
and enforcement of the CAA generally occurs at the state or local level. The CAA and accompanying regulations may be
viewed online at http://www.epa.gov/air/caa.


Additional CAA regulations govern refrigerants: they prohibit venting of refrigerant, impose
service requirements, and require equipment certification, leak repair, proper disposal, and recordkeeping.
The most common CAA healthcare facility violations include a failure to use properly trained and
accredited asbestos personnel, failure to notify EPA of asbestos removal projects and keep required
records, failure to properly dispose of asbestos debris, failure to maintain CFC leak rate records for
chillers and AC units, failure to have EPA certified technicians for CFC-containing air conditioning
and refrigeration systems, failure to get boilers permitted with the relevant state agency, and failure to
apply for a necessary Title V operating permit.

Toxic Substances Control Act (TSCA)

The Toxic Substances Control Act (TSCA) is designed to facilitate the collection of data to evaluate, mitigate, and control risks posed by the manufacture, processing, and use of chemicals.8 The TSCA
regulations most relevant to healthcare facilities are the lead hazard reduction regulations (relevant in
renovations that may involve pre-existing lead-based paint); hexavalent chromium regulations (relevant with respect to water treatment in cooling towers); and polychlorinated biphenyls (PCB) hazard
reduction regulations (relevant in renovations, particularly those involving pre-1979 materials and
equipment that may contain PCBs). Other important regulations are those governing the use and disposal of asbestos, including the Asbestos Hazard Emergency Response Act (AHERA), which requires
the development of management plans and specifies work practices and engineering controls for the
removal and handling of asbestos.
The most common TSCA healthcare facility violations include failure to properly address lead
paint in buildings and lack of knowledge of a lead hazard.

Federal Insecticide, Fungicide, and Rodenticide Act (FIFRA)

The Federal Insecticide, Fungicide, and Rodenticide Act (FIFRA) regulates the distribution, sale,
and use of pesticides, including insecticides, herbicides, fungicides, rodenticides, and antimicrobials.9
The Act mandates that virtually all pesticides sold in the United States be registered by the EPA. Registration includes the classification of pesticides as unclassified, general use, or restricted use. Those
with the potential for causing unreasonable adverse effects on the environment may only be applied
by, or under the direct supervision of, a certified applicator. It should be remembered that a facility's
sterilants, disinfectants, and sanitizers generally fall within the definition of antimicrobials, which are
regulated under FIFRA. The law mandates that labeling directions delineating the appropriate dilution,
specified contact times, and methods of application be followed.

A summary of TSCA rules and regulations can be viewed at http://www.epa.gov/lawsregs/laws/tsca.html. In addition,
the EPA maintains a TSCA Assistance Information Service, which answers questions and distributes guidance pertaining
to TSCA standards. The Service can be contacted via e-mail at tscahotline@epa.gov.
The EPA maintains a FIFRA compliance webpage at http://www.epa.gov/compliance/assistance/bystatute/fifra. In
addition to describing the scope of FIFRA, the webpage includes links to the Act itself, the regulations, and additional
resources. The EPA also maintains a webpage specifically devoted to antimicrobials at http://www.epa.gov/oppad001.


An inspection for compliance with FIFRA typically focuses on personal protection equipment,
pesticide application equipment, pesticide storage areas including storage containers, and cleaning
disinfectants and labels. Additionally, an inspector will review records of pesticides purchased, inventory records, pesticide application records, a description of the facility's pest control programs, the
certification status of pesticide applicators, pesticide disposal manifests, contract files, and the recent
ventilator rating for the facility's pesticide fume hood and pesticide mixing/storage areas.
EPA also regulates the disinfectants applied to surfaces (including both housekeeping and clinical
contact surfaces) in healthcare settings, and the regulations require users to follow label directions,
including safety precautions.
The most common FIFRA healthcare facility violations include misuse of a registered pesticide
product, use of an unregistered product, lack of proper records concerning pest control application
within the facility or on its grounds, and failure to report pesticide poisonings within the facility.

EPA's Integrated Data for Enforcement Analysis (IDEA)

The EPA compiles facility compliance data generated pursuant to the laws and regulations discussed above through the Integrated Data for Enforcement Analysis system (IDEA), which utilizes a
Master Source ID identification number to extract records and data from a variety of sources, to match
a facility's Air, Water, Waste, Toxics/Pesticides/EPCRA, and enforcement records, and generate a list
of permit, inspection, and enforcement activity, resulting in a master list of records.10
Because the federal government maintains and tracks facility data and does not hesitate to punish organizations that fail to report and maintain mandatory records, the need for an organization to
engage in meticulous record-keeping is paramount. Maintenance of well-organized records not only
allows an organization to easily track its own compliance, it also enables the entity to prove compliance should the Agency assert that mandated records or reports are missing or were never filed.

Environmental Audits

The EPA has a self-policing audit policy designed to facilitate the discovery, disclosure, correction, and prevention of environmental violations. The auditing process minimizes the need for EPA
investigation and enforcement actions, and offers the incentive of eliminating or drastically reducing the
penalties normally associated with violations.
The primary incentive for a healthcare facility to audit its own environmental compliance is that any self-discovered problem can be reported to the EPA without subjecting the facility to gravity-based penalties.
Gravity-based penalties are the portion of the penalty that is over and above the economic benefit of
noncompliance. In other words, gravity-based penalties are the punitive portion of the penalty.

The EPA's IDEA page allows users to query the IDEA database and obtain compliance monitoring, enforcement, and
demographic data online at http://www.epa.gov/compliance/data/systems/multimedia/idea.


In order for these gravity-based penalties to be completely eliminated, an environmental violation must be discovered as part of a formal audit policy, and each of the following conditions must be

Systematic Discovery

The violation must be discovered through environmental auditing or implementation of a compliance management system.

Voluntary Discovery

The violation must not have been detected due to a legally required (rather than voluntary) monitoring, sampling, or auditing procedure.

Prompt Disclosure

The disclosure must be promptly made in writing to the EPA, generally within 21 days of discovery (or less if required by law). Disclosure becomes required when a facility, director, employee, or
agent has an objectively reasonable basis to believe the violation has or may have occurred.

Independent Discovery and Disclosure

The discovery of the violation must occur before the EPA or another regulator would likely have
identified it through its own investigation.

Correction and Remediation

The violation usually must be corrected within 60 days from the date of discovery (unless otherwise agreed to by the EPA).

Prevent Recurrence

The healthcare facility must take steps to ensure the violation will not recur.

Repeat Violations Ineligible

The healthcare facility must not have committed the same violation (or closely related violations)
within the past three years. If a healthcare institution owns several parcels of land or facilities, this
exclusion might be triggered even though the violations occur at different parcels or facilities. However, if a facility is newly acquired, the existence of a prior violation does not trigger this exclusion.

Certain Types of Violations are Ineligible

Violations resulting in serious actual harm, such as those that present imminent and substantial
danger to the public, and those that violate specific terms of an administrative order, judicial order, or
consent agreement, may not be eligible. While at first blush it might appear that this exception could
swallow the rule, in practice, the EPA has not attempted to use this exclusion to such a degree that it
would quell the incentive to perform a self-policing audit.


Finally, the healthcare facility disclosing the violation must cooperate with the EPA in investigating and remediating the environmental issue.
If a disclosing entity meets all of the above-referenced policy conditions except detection of the
violation through a systematic discovery process, then gravity-based penalties are reduced by 75%.
In other words, a complete reduction of gravity-based penalties is only available if the discovery was
part of an environmental audit or environmental management system. Likewise, the Agency will not
recommend criminal prosecution of a healthcare facility that has disclosed violations if all policy
conditions are met. However, for the organization to enjoy this benefit, the discovery of the violation
must have resulted from the adoption of an environmental management system or auditing process and
must have been discovered in good faith.
In general, the EPA will not request copies of audit reports, although it may request documentation
evidencing a facilitys compliance with the management system. There is also a modified audit policy
that applies to small businesses with fewer than 100 employees, and that provides longer periods of
time within which to make disclosures.


If an EPA inspector knocks on a facilitys door, the organization must be prepared to deal with
that inspection to avoid substantial civil and even criminal penalties. Inspectors are authorized to
enter a facility to conduct an inspection to determine if a healthcare organization is complying with
all relevant environmental laws. The inspection usually involves an opening conference, a review of
records, interviews, a tour of the facility, and a closing conference. The inspection may also involve
taking samples of discharges, the copying of records, and the photographing of portions of the facility.
If violations are found, a written notification will be sent explaining the violations and Agency recommendations for correction.
The inspection will usually not be pre-arranged and will often be multi-faceted, relating to a
variety of environmental laws, including air, water, and waste. There may be one or more inspectors,
all of whom should be required to provide their name, identify their agency affiliation, and produce an
official, photographic identification card.
The opening conference may be a formal meeting, a brief discussion, or a plan for inspection. The
inspector may ask about facility operations, facility layout and processes, and management structure,
and will identify which records he or she will want to review. The environmental records (e.g., emissions data, hazardous and non-hazardous waste manifests, landfill receipts, clean air permits, NPDES
permits, etc.) should be organized and kept readily accessible. Inspectors will be looking for past
records of up to three to five years old. A chart depicting document retention requirements for healthcare facilities is included at the end of this chapter. It is likely that inspectors will request copies of the
records they review, and the facility should keep a list of each record copied by inspectors. Inspectors
will inquire about facility processes, waste generation, air emissions, permit requirements, infectious
medical waste treatments, and mishaps during the interview process. If an inspector collects samples,
the facility should request duplicates or split samples and generally must provide its own containers
and analytical services. As to photographs, if there are any proprietary processes at the facility (not
usually a concern in the healthcare industry), a request may be made that photographs not be taken, or
that they be kept confidential. Physician-patient and mental health privileges must always be protected.
At the closing session, the inspector should be asked to provide his or her general observations, and to
identify any problems observed. He or she may request additional information at that time as well.
To prepare for a possible inspection, a facility should designate the person or persons who will take
the lead in responding to the questions of inspectors, provide the necessary records, and accompany the
inspectors during their time at the facility. If a facility has developed an environmental management
system, its manager is usually the best candidate. That individual should have a designated backup
in case he or she is absent on the day of the surprise inspection. Facilities should implement a policy
requiring staff to contact the appropriate personnel, including the facilitys environmental attorneys,
if a surprise inspection occurs.
Part of the inspection policy should include a requirement that important environmental records
be kept in an accessible location. Facilities that engage in environmental audits or that have implemented an environmental management system will generally have a procedure in place that requires
the compilation and maintenance of organized records. Facilities should also keep a camera, preferably
digital, readily accessible to document the areas inspected. When communicating with the inspector, only necessary personnel should be present. During the pre-inspection conference, the inspector
should be asked why the inspection is taking place and whether there have been any complaints. At
the pre-inspection meeting, the environmental system manager should request that a closing conference be held at the end of the inspection to discuss the findings. Any and all questions and answers of
the inspector should be noted or recorded. Laying this groundwork increases the chance that a facility
will be given early notice of perceived deficits and perhaps an opportunity to explain or correct such
deficits and thereby avoid notices of violation.

Warrantless Inspections

If an inspection occurs without a warrant, the inspector should be followed at all times. If he or
she has any conversations with employees, take notes identifying the interviewee and the content of
the conversation. If documents are produced, be certain to keep a separate copy of every document
taken by the inspector. Personnel being interviewed by the inspector should be directed not to guess or
to assume the answer to an interview question. Rather, if the answer is unknown, the inspector should
be told that the interviewee does not know the answer at this time but will get back to the inspector on
that issue. Although it is a natural human reaction to try to paint the facility in the best light, if information proves to be false it could lead to civil or even criminal penalties for impeding the inspection.
The inspection report should not be signed by anyone unauthorized to do so. Again, at the closing
conference, questions should be asked as to what was found, whether any problems were identified,
and what the process will be going forward from this point.

Search Warrant Inspections

If the inspection is done with a search warrant, attorneys should be called immediately to review
the warrant and determine the scope of the search because the search is limited to the scope of the
warrant. An inspector should not be resisted or interfered with in any way; however, copies of what is
seized should be requested and, at a minimum, an inventory provided. Employees should be informed
that they have a right to speak with, or not to speak with, inspectors, and only authorized personnel should be made readily accessible to the inspectors. In addition to reviewing the warrant itself,
the affidavit supporting the warrant should be requested in order to determine what prompted the
The question of whether to insist on a warrant is a discretionary matter that should be discussed
with the facility's attorney. Someone should be available onsite to make a determination as to the facility's degree of compliance so that an appropriate decision can be made as to whether a warrant should
be demanded. Far greater cooperation can be expected from the EPA if a warrant is not demanded,
particularly if it is truly a routine inspection.

The Significance for In-House Counsel, the Governing Board, and Executive

A responsible healthcare organization must take appropriate steps to manage the risks associated
with environmental non-compliance. A failure to properly manage environmental concerns may lead
to contamination of land, air, or water; personal injury; civil or criminal penalties or proceedings; private lawsuits; and/or bad publicity. Clearly, the affected stakeholders include not only those within the
organization itself, but also those in the surrounding community, governmental agencies and entities,
and the natural environment. The potential risks may be quantifiable in the form of fines, penalties,
or loss of market share, or they may be non-quantifiable, such as hard-to-remediate environmental
degradation, physical injury to people or wildlife, or simply a loss of reputation or standing in the
To manage these risks, healthcare organizations should focus their attention on regulatory compliance (i.e., loss prevention), since strict compliance not only minimizes the possibility that the
organization will be assessed fines or other penalties, it also generally provides a degree of assurance
that the organization will not create or contribute to environmental degradation. Due to the complexity
of environmental laws and regulations, which include state and local rules in addition to the federal
rules discussed in this chapter, in-house counsel and other members of the organization's leadership
team must commit to the creation and adoption of a systematic environmental plan so that nothing is
left to chance.


The Key to Success: Environmental Management Systems (EMS)

To manage the risk associated with potential environmental contamination and regulatory noncompliance, a healthcare organization should utilize the expertise of environmental professionals to
conduct an assessment of the organization's legal duties and responsibilities, as well as its areas of
vulnerability, and to develop a comprehensive system of protocols to ensure compliance and thereby
minimize risk. Such an assessment can then be used to develop an Environmental Management System
(EMS), which will identify and rank the organization's institutional objectives and most significant
environmental issues, and formulate a system to utilize records to track compliance, identify problems, and implement solutions. Although the EPA maintains a webpage with a how-to guide and
links for information that can be useful in developing an EMS,11 creation of an EMS without professional assistance can engender a false sense of security, and the notion of a do-it-yourself plan should
be viewed with great skepticism by an organization committed to the responsible management of risk.
Nevertheless, it is important for those responsible for managing an organization's environmental risk
to understand and recognize the components of a well-designed plan.
As the Environmental Protection Act explains, an EMS plan should be based on what it terms the
Plan, Do, Check, Act model. The Plan aspect of the model is self-explanatory, denoting the planning
phase in which an organization identifies its environmental responsibilities and vulnerabilities, and formulates its goals. The Do aspect of the EMS model involves implementation of the goals identified in the
planning stage. The models Check component refers to ongoing monitoring and corrective action, and
the Act component acknowledges the need to continually review, modify, and update the EMS plan.
The foundation of a good EMS plan will rest upon the development of a matrix of environmental
legal requirements, incorporating those imposed by the CAA, CWA, RCRA, EPCRA, FIFRA, and
TSCA, as well as any relevant state or local laws and regulations. An EMS plan should also incorporate the organization's aspirational goals, such as increasing recycling and reducing waste. The matrix
should be updated regularly and should include a written procedure that describes the method that will
be used to stay current on changing regulations, the method to be used for measuring institutional performance against the matrix, and the procedures to be used for tracking problems with non-compliance
to ensure proper follow-up. It should create mandatory checklists that must be completed, and should
specify that the plan is to be audited annually, at which time the auditor(s) will assess whether problems that have been identified were corrected in a timely fashion.
An EMS plan's written procedures should require the reporting of violations when mandated by
law and should create a list of performance-based objectives, such as maintaining compliance with
all applicable environmental regulations and submitting all necessary paperwork on time. It should
require the continual updating of objectives and targets and should specify a procedure for communicating updates to staff. It should require the development of written emergency response procedures
that are to be tested annually and updated where accidents reveal a problem with existing procedures.
As previously noted, record-keeping is the key element in an effective environmental compliance
program; therefore, it is important that here, too, records of all tests conducted, and any changes implemented, be carefully maintained.


Finally, an effective EMS plan should mandate that all employees be trained in EMS awareness
and compliance, including periodic re-training to reinforce compliance. Newsletters, emails, and/or
bulletin boards may form a useful component of the ongoing training process. An EMS internal auditing team should be designated and trained, and an EMS manager should be appointed to oversee and
be responsible for the program's success, although reliance on a single manager must be balanced by accurate
documentation maintained in an orderly fashion to preserve institutional memory, so that
when existing staff, including the manager, leave, there is no loss in functional capacity. A properly
conceived and implemented EMS plan that is audited and updated annually is the lynchpin to managing environmental risks.
The following checklist offers a helpful way to evaluate the effectiveness of the organization's
EMS plan. Ask whether the plan:

identifies the organization's goals?

articulates the organization's legal duties and responsibilities under federal, state, and local

identifies areas of vulnerability (including a list of special vulnerabilities, including those
associated with affiliate sites and facilities)?

provides protocols to ensure environmental compliance, including:
  written record-keeping procedures that identify those responsible for records
  the designation of individuals responsible for reporting incidents to authorities, and a
  requirement that every reportable incident be documented?
  a mandatory follow-up system to track action after environmental incidents?
  written emergency response procedures?
  a procedure for tracking changes to relevant regulations?
  a mandatory annual audit system?
  a mandatory employee training system to ensure employees know and understand what is
  required, emphasizing the organization's zero-tolerance policy toward non-compliance?

A plan that meets these objectives, and has been developed with the help of a knowledgeable
environmental professional, offers a systematic way for an organization to evaluate and manage its
environmental risks and, as noted above, may provide an additional benefit by mitigating penalties if
regulators find a violation.




Environmental risks should be evaluated in the context of the entire organization, recognizing
the potential interplay with occupational risk, the risk that may arise from contracts with third
parties, and other exposures.

Given the far-reaching implications of environmental impairment, environmental risk assessments should be part of the due diligence required in any acquisition or consolidation of
healthcare organizations.

Underground storage tanks, aboveground storage tanks, asbestos removal, and removal of
hazardous waste (particularly via onsite medical waste incinerators) have presented the most
time-consuming issues from the healthcare enterprise risk management perspective. The
issues involve not only loss prevention and reduction but the possibility of handling the
exposures (risk financing) through environmental impairment liability insurance or through
contracting (risk transfer) with third parties (such as hazardous waste removal companies) to
assume the risk of exposure.

Note that commercial general liability policies have excluded coverage for contamination and pollution except when sudden and accidental. And, while there are some specialty lines insurers who provide environmental impairment liability coverage (including clean-up costs), the best approach to dealing with such exposures is to develop good loss prevention programs (compliance programs) as outlined above.



Both regulatory non-compliance and environmental contamination can present grave risks to a
healthcare organization, and can give rise to repercussions that may include: the imposition of substantial fines; the creation of unsafe conditions for employees, patients, and the neighboring community;
the initiation of lawsuits; the generation of poor publicity; and loss of business.
As with most risks, the key to success lies in taking an aggressive, proactive approach, including the periodic assessment of the organization's areas of vulnerability. Notwithstanding the complexity of environmental regulation and the dangers of regulatory non-compliance, and the substantial risk of environmental contamination that is inherent in the industry, a healthcare organization that establishes and implements detailed protocols, maintains a commitment to meticulous record-keeping, and engages in an ongoing self-audit process can effectively manage its environmental risk.



Recordkeeping Requirements for Many of the Relevant Environmental Regulations Discussed in Chapter 12

Each entry below gives the citation, the subject area, the records required, and the retention period.

40 CFR 60.7
Subject: Air - New Source
Records: Records documenting start-up, shutdown, or malfunction of pollution control equipment; periods when continuous monitoring systems or devices have been inoperative; performance testing measurements; continuous monitoring system performance evaluations and calibration checks; emissions records and reports; maintenance of equipment.
Retention: 2 years

40 CFR 70.6
Subject: Air - Title V
Records: Records required by the operating permit; records documenting date, location, and time of sampling or measurements and operating conditions at time of sampling; records identifying the entity performing the analysis, the method or analytical techniques used in performing the analysis, the date analysis was performed, and the results of the analysis.
Retention: 5 years

40 CFR 82.166
Subject: Air - Ozone-depleting Class I and Class II
Records: As to appliances containing 50+ pounds of refrigerant: servicing records showing service dates, type of service performed, and quantity of any refrigerants added. Owners that add their own refrigerant must keep dated records of refrigerant purchased and added. Certified technicians must keep copies of their certificates at their place of
Retention: 3 years

40 CFR 82.166
Subject: Air - Refrigerant
Records: Records identifying rate of leak, method used to determine leak rate and measure refrigerant charge, date when leak was discovered, site of leak, and type of repair work performed. If repair is delayed for more than 30 days, records must show reason for delay and when repair will be completed. Follow-up testing records must show date and type of testing, plans for retrofitting/retirement, and date EPA was notified of retrofit/retirement plans.
Retention: 3 years

29 CFR
Subject: Asbestos - Asbestos-Containing Material (ACM)
Records: Records documenting presence, location, and quantity of ACM.
Retention: For duration of ownership and transfer to subsequent owners

40 CFR 61.150
Subject: Asbestos - Waste disposal for demolition and
Records: Shipment records concerning all asbestos-containing waste material transported off site, with records to include: name, address, and telephone number of the waste generator; name and address of local, state, or EPA Regional office responsible for administering the asbestos NESHAP program; approximate quantity in cubic yards; name and telephone number of the disposal site operator; name and physical location of the disposal site; date transported; name, address, and phone of transporter; certification that contents being transported are fully and accurately described by proper shipping name and classified, packed, marked, and labeled, and are in proper condition for transport by highway per international and governmental
Retention: 2 years

40 CFR
Subject: Waste (Small
Records: Copies of reclamation agreements.
Retention: 3 years after termination or expiration of the

40 CFR 262.40(a); 40 CFR 262.44(a)
Subject: Hazardous Waste
Retention: 3 years from date waste was accepted by initial

40 CFR 262.40(c); 40 CFR 262.44(a)
Subject: Hazardous Waste
Records: Records of test results, analyses, and other hazardous waste determinations.
Retention: 3 years from date waste was sent to on-site or off-site treatment, storage, or disposal facility

40 CFR 262.44(b)
Subject: Hazardous Waste
Records: Exception reports.
Retention: 3 years from the due date of the

40 CFR 761.180
Subject: PCBs Annual
Records: Facilities that use or store PCBs: annual records and annual log of disposition of PCBs and PCB items, including all manifests generated or received by the facility; Certificates of Disposal received by the facility; inspection and cleanup records; annual logs that provide all information required under the regulations.
Retention: 3 years after facility ceases using or storing

40 CFR 60.58c
Subject: Medical Waste HMIWI
Records: Records for emission control equipment; records that identify data gaps in the recording of emissions data or operating parameters, an explanation for the event, and steps taken to correct the problem. Must also identify dates, times, and duration of malfunctions, the type of corrective action taken, and dates when emissions or operating parameters exceeded relevant limits, as well as results of compliance testing (initial and annual). Training and qualification records also required.
Retention: 5 years

40 CFR 171.11(c); 7 USC 110; 7 USC 136i-1
Subject: Pesticides Certified RUP
Records: RUP records identifying names and addresses of those for whom pesticides were applied; pests targeted; date, time, and site of application; specific crop or commodity; brand name; EPA registration number; amount of pesticide applied; concentration of active ingredients; treatment area size; name and certification number of person applying or supervising the application; and detailed information concerning pesticide disposal (type, amount, method, and location of
Retention: 2 years

40 CFR 372.10; 40 CFR 372.22; 40 CFR 372.25; 40 CFR 704.11
Subject: Toxic chemical release (Section 313 SARA Title
Records: Toxic chemical release forms and all supporting documentation (including exemptions, calculations, monitoring, testing, releases, receipts or manifests, estimates of treatment efficiencies, ranges of influent concentration to the treatment, the sequential nature of treatment steps, and actual operating data to support the treatment efficiency estimate for each toxic
Retention: 3 years (5 years recommended, to match the statute of limitations for EPCRA)

40 CFR 280.34
Subject: USTs - General
Records: Records of corrosion expert's analysis of site corrosion potential if no corrosion protection equipment is used; operation of corrosion protection equipment; UST system repairs; recent compliance with release detection requirements; and results of site investigation conducted at permanent closure.
Retention: Through closure of the UST and 3 years thereafter

40 CFR 280.45
Subject: USTs - Release
Records: Records documenting all written performance claims concerning release detection systems and justification or testing provided by manufacturer or installer; results of sampling, testing, or monitoring; reports of all calibration, maintenance, and repair of on-site release detection equipment; manufacturer's schedules of required calibration and maintenance.
Retention: Performance claims: 5 years; tests (other than tank tightness): 1 year; tank tightness: retain until the next test is done; maintenance: 1; schedules: 5 years

40 CFR 280.74
Subject: USTs - Closure
Records: Closure compliance records must be maintained by owners and operators who took UST system out of service, or by current owners and operators of UST system site. May be mailed to implementing agency if records cannot be maintained at the closed facility.
Retention: 3 years post-closure

40 CFR 280.111
Subject: USTs - Financial
Records: Evidence of financial assurance mechanisms used to demonstrate financial responsibility; to be maintained at UST site or operator's place of work.
Retention: Until closure, or after corrective action is completed

29 CFR
Subject: Communication
Records: Material safety data sheets; inventory of hazardous chemicals; container product warning labels; written employee training policies.
Retention: MSDS must be kept as long as the chemical is used at the location

29 CFR
Subject: Employee exposure and
Records: Records of employee exposure and monitoring, including medical surveillance information and efforts at exposure reduction. Employees have legal right of access to records, including after separation from employment.
Retention: 30 years

40 CFR 112.3
Subject: Wastewater Spill Prevention, Control, and Countermeasure
Records: SPCC Plan must be maintained at the facility if it is normally attended at least 8 hours per day; otherwise at the nearest field office.
Retention: Throughout facility

40 CFR 112.7(e)
Subject: Wastewater SPCC Plan
Records: Inspection and test records; facility-specific written procedures.
Retention: 3 years

40 CFR 122.21
Subject: Wastewater NPDES storm water and discharge permits
Records: Discharge monitoring reports (DMRs), sampling records, and records of all data used to complete permit applications.
Retention: 3 years

40 CFR 122.21
Subject: Wastewater NPDES storm water and discharge permits
Records: Sewage sludge use and disposal records.
Retention: 5 years

40 CFR
Records: Reports submitted to the POTW.
Retention: 3 years

Requirements can change over time, so practitioners are cautioned to periodically review the relevant regulations for



Part IV
Human Capital

Minimizing Risk in the Employment Relationship
Deborah Martin Norcross, Esq.
MartinNorcross LLC


Not that long ago, there was little need for enterprise risk management professionals to be educated about, or involved in, the human resources function. Unhappy employees did not file many
claims. When they did file, their disputes typically were investigated under a few federal laws by
administrative agencies rather than in the courts. Jury trials were not available for the most part, and
large awards were rare.
That landscape has changed dramatically. New and expanded employee rights laws have proliferated on the federal, state, and local levels. Employment disputes have become common in both federal
and state courts, often requiring lengthy and expensive discovery and motion practice. Defense costs
often exceed $100,000 for even the most uncomplicated individual case. Jury trials are routine, and
recovery of substantial awards, including punitive damages, by successful plaintiff-employees is common. Accordingly, the enterprise risk management professional cannot afford to leave to others the
responsibility of managing the risks attendant to the employment relationship.
The following discussion will be a useful guide for healthcare attorneys to understand how organizations assess and deal with their employment liability risks from an enterprise risk management perspective.

Regulation of the Employment Relationship

A complete description of the laws governing the employment relationship is beyond the scope
of this discussion. Federal laws that apply to most employers include: Title VII of the Civil Rights
Act of 1964 (prohibiting discrimination because of race, color, religion, sex, and national origin); the
Age Discrimination in Employment Act (prohibiting discrimination against employees who are 40 or
over); the Americans with Disabilities Act (prohibiting discrimination against qualified persons with
disabilities); the Family and Medical Leave Act (providing eligible employees with the right to unpaid
leaves of absence to care for a newborn or adopted child, certain family members, or the employee's own serious health condition); the Uniformed Services Employment and Reemployment Act (providing a broad array of protections for members of the military services); the National Labor Relations Act (offering protections to employees engaged in union activities); the Fair Labor Standards Act (governing hours of work, minimum wages, and overtime); and the Consolidated Omnibus Budget Reconciliation Act (COBRA) (requiring certain employers to offer continued insurance coverage following separation under enumerated circumstances; some employers are required to subsidize the cost of COBRA coverage, but may be entitled to recover that cost under the American Recovery and Reinvestment Act of 2009). The Genetic Information Nondiscrimination Act (GINA), which takes effect on November 21, 2009, generally prohibits employers from acquiring genetic information on their employees.
In addition to these and other federal laws, most states and many cities have enacted their own separate, and often more stringent, laws regulating the employment relationship. Further complicating matters, every jurisdiction has a body of common law: legal requirements developed by courts through case law. Separately and in combination, these laws apply to virtually every aspect of the employment relationship and can pose litigation and liability traps for the uninitiated employer. To navigate this seemingly unruly maze of regulation, the organization should have the following basic information on hand:

- Know what laws regulate employers in the organization's state and city. This information can be obtained from many sources, including the Human Resources department, employment law counsel, the local department of labor or EEOC office, or from various trade associations. If the organization utilizes outside employment counsel or consultants, ask them to provide this information; most will do so without charge.

- Know which laws apply to the organization. Most laws apply only to employers with minimum numbers of employees; the number varies by statute and also may vary by how "employee" is defined. Some laws exempt certain types of businesses, most often certain religious entities.

- Know how to determine which employees are covered. Even if the organization is subject to a statute, all of its employees may not be covered. Sometimes a statute protects only employees who have worked for an organization for a minimum length of time or who have worked a minimum number of hours over a given period.


Managing the Stages of the Employment Relationship

Employment law obligations arise even before an individual is hired and can continue long after
an employee leaves the organization. Enterprise risk management principles encourage the risk management professional to work closely with Human Resources to set best practices and then provide an
auditing function on either a regular or spot-check basis. To do this effectively, an organization must be
familiar with the specific risks attendant to each stage of the employment relationship and how to avoid
them. The following are practical suggestions for managing these stages and their attendant risks:




Recruiting and Hiring

Job Descriptions

Make sure there is a written job description for each position in the organization. At a minimum, job descriptions should include: (1) the position's duties and responsibilities, differentiating between essential and non-essential functions; (2) the pay range for the position; and (3) the minimum criteria (education, experience, etc.) necessary for the position. Care must be taken not to impose criteria that are not necessary for successful performance of the position's duties.

Applications

Every applicant should be required to complete and sign an employment application. Application forms should be reviewed to be sure that they are non-discriminatory, both on their face and in their impact. For example, an application not only should refrain from asking for an applicant's age but also should not request information that would reveal age, such as when the applicant graduated from high school. Applications should recite the organization's employment-at-will and drug testing (if applicable) policies, and should contain release language, immediately above the applicant's signature line, permitting background and reference checks and releasing the organization from liability.

Recruiting Sources

Employers can face discrimination claims and lawsuits if they fail to include all protected categories (members of minority groups, women, persons with disabilities, etc.) in their recruiting efforts,
no matter how inadvertently. Make sure the organization provides information about job openings to
organizations that serve minorities, women, and persons with disabilities, and communicates its nondiscriminatory hiring policies clearly and regularly.


Untrained interviewers create enormous risks. Using an enterprise risk management approach, the Human Resources department ensures that anyone with interviewing responsibilities knows what, and what not, to ask. A written list of interview questions or topics that is reviewed before the interview can go a long way toward minimizing the risk attendant to the interview process.

Reference Checking and Background Checks

Many organizations request references from applicants, but then do not check them. To the extent permitted in the state where the organization is located, obtain the applicant's consent (see the Applications section above) and check all references. Under some state laws, both requesting and responding employers are protected from lawsuits based on reference requests. A healthcare organization also should consider conducting (or retaining an outside firm to conduct) a criminal background check. Keep in mind, however, that an organization can refuse to hire an applicant only if a criminal background check reveals a conviction (contrasted with an arrest that did not result in conviction) that is job-related.

Restrictive Covenants

Make sure applicants are asked to identify any restrictions they may have (such as non-compete, non-solicitation, or similar agreements) with a prior employer. It is not uncommon for hiring employers to be sued for facilitating an employee's violation of a pre-existing restrictive covenant.

The Ongoing Relationship

Orientation and Training

New employees should be given a general orientation into the organization's policies and procedures, especially its problem resolution programs. Provide employees with copies of any existing employee handbooks, codes of conduct, etc. Make sure the organization obtains a written, signed receipt from employees acknowledging receipt of whatever has been provided to them and keeps a sign-in sheet for all training sessions. If the organization makes policies and procedures available only on an intranet, require employees to sign a statement acknowledging that they understand how to access those policies and procedures. These suggestions are designed to prevent an employee from later claiming that he or she was unaware of the policies and procedures.


Employees with extraordinary technical skills or professional capabilities are not necessarily adept at managing people. This often-ignored fact has led many employers to the courtroom. Organizations that employ enterprise risk management principles should provide management training to all new supervisors and managers. Consider establishing short-term mentoring relationships by pairing a new supervisor or manager with a respected, experienced managerial veteran to provide support and catch/correct problems early. Managerial performance should be evaluated as a critical component of every supervisor's performance evaluation.

Performance Evaluations

Every organization should evaluate every employee's performance on some regular basis, most
typically once a year. Make sure the organization not only promises regular performance appraisals in
its policies but also actually ensures that they are done. Regularly conducted reviews force employees
and supervisors to communicate and can help identify potential problem areas and allow for early
intervention and correction. Additionally, regular performance evaluations can be invaluable when
defending against employment-related claims and in making difficult decisions when implementing
reductions in staff.

Leaves of Absence and Workers' Compensation

There is a complex interrelationship among state workers' compensation laws, federal and state mandated leaves of absence programs, and the Americans with Disabilities Act and its state counterparts. All aspects of this relationship must be analyzed whenever a workplace injury causes a serious condition that may (or may not) qualify as a protected disability. Workers' compensation claims must be processed accurately and timely. Employees must be notified of their leave rights promptly, and reasonable accommodations must be offered if needed and possible without undue hardship to the

Axiomatically, the best way to minimize the organization's exposure is to reduce injuries in the first instance. In this effort, effective safety programs and a functioning multi-disciplinary safety committee are a must. Safety and hazardous materials manuals must be readily accessible. The organization must understand, communicate, and comply with OSHA and state safety regulations. And most importantly, regular training must be provided across the organization.

Counseling and Discipline

Whether it is called progressive discipline, problem resolution, colleague counseling, or something else, every organization should have a systematic method of addressing performance and behavioral deficiencies. That method should be specific and in writing, should be communicated clearly to the organization's workforce, should be followed as closely as possible, and should require detailed documentation. Perhaps conversely, the organization must also reserve the discretion to deviate from prescribed procedures when appropriate or necessary. Managers and supervisors often dislike confronting employees about poor performance or unacceptable behavior, and avoid doing it if they can. Such avoidance creates risk for the organization and, ultimately, is unfair to employees, who may not realize how their performance is being perceived or how those perceptions may impact future employment. Managing the counseling and discipline function should be part of the organization's management training, especially in the training provided to new managers.

A typical progressive system provides for: (1) oral counseling; (2) written warning; (3) suspension; and (4) termination. In all instances, the organization must provide that it can impose any or all of these steps, including termination, in whatever order and without first imposing a lower step, if it deems it appropriate. Whatever system the organization has adopted, it must be followed consistently, and the required documentation must be prepared, submitted, and retained.

Complaint Procedures

Every organization must have a procedure through which employees can raise complaints and concerns, especially relating to matters such as perceived harassment (sexual or otherwise) or suspicions of other unlawful activity. In addition to having such a policy in place, the organization must also provide adequate safeguards to protect a reporting employee from any sort of retribution. Although complaints should be handled as discreetly as possible, a reporting employee cannot be promised absolute confidentiality, which might impede a thorough investigation. Similarly, once a complaint is received, it cannot be ignored even if the reporting employee asks that no action be taken. Once a report is received, the organization is on notice that a potential problem exists. Failure to act under those circumstances can create strict liability, severely limiting the organization's defense options in the event of legal action.



Professional Staff Turnover and Shortages

Many reasons are offered for the current shortage of both physicians and trained nurses: burnout, medical school admission caps, shrinking reimbursement rates, insurance company demands, concerns over being sued, and even changing generational lifestyle expectations. Whatever the causes, it cannot be escaped that the supply of trained professional staff is limited.

Long-term solutions to the problem will be multi-faceted, and likely will be highly influenced by both legislative and political developments. In the shorter term, however, organizations can best meet this crisis by, first and foremost, doing what they can to attract and retain quality professional staff. This can include, for example, replacing autocratic top-down leadership with more participatory practices; providing better continuing education support; offering mini-sabbatical or other lifestyle-enhancing programs; and ensuring that their professionals know, through regular internal and community-wide communication vehicles, that both they and their input are recognized and valued. Organizations that build reputations for being both supportive and collaborative not only have a better chance of retaining professional staff but also of making themselves more attractive from a recruiting standpoint.

Ending the Relationship

Deciding to terminate an employee is perhaps the most difficult of all employer-employee interactions. It certainly is the stage of the employment relationship that most often leads to lawsuits. Proper preparation, including adopting and following the practices and procedures described earlier in this discussion, can minimize both the stress inherent in the termination process as well as the organization's exposure to costly and time-consuming litigation.
The two most common situations that lead to involuntary dismissals are the individual discharge
and the elimination of a position or positions.

Individual Terminations

Before discharging an employee, the organization should make certain that: (1) its policies and
procedures have been followed; (2) the steps taken before the decision to terminate was made are
properly documented; and (3) the decision to terminate this employee is consistent with the manner
in which the organization has treated other similarly situated employees. If the employee is a party to an employment contract with the organization, it is important to make certain that the organization's actions are consistent with the terms of the contract.


A reduction-in-force generally occurs when the number of employees in the employer's overall workforce (or within a work unit) is reduced to a lower number. It also can occur through the elimination of a specific position, function, or title. Any organization contemplating a workforce reduction should consult with an employment lawyer who is familiar with the laws and regulations in the organization's industry and geographic location. The following process can help prepare for that consultation and minimize legal exposure after a reduction:

- Decide which positions (not which individuals) will be affected by the reduction.

- Decide how many employees (again, not yet which individuals) within each position to

- Identify objective, business-based, non-discriminatory criteria for selecting which employees in the identified positions to terminate. Appropriate criteria can include, for example, length of service or performance evaluations. Avoid criteria such as wage rates, which can lead to the selection of a disproportionate number of older workers.

- Create a list of employees to be terminated.

- Evaluate selections to be certain no problematic patterns emerge and investigate any areas of concern. It can be useful to have an objective committee review all selections as part of this

Separation Agreements

Separation agreements (sometimes called severance agreements) can be useful in minimizing an organization's exposure to termination lawsuits. They can be used in individual and group terminations alike. Essentially, an organization uses a separation agreement to obtain an employee's waiver of his or her right to sue the organization in exchange for something of value (usually, although not always, some form of severance compensation). Legal counsel should review any proposed separation agreement, especially because some states require specific provisions to ensure enforceability. Certain provisions, however, are necessary in all jurisdictions. For example:

- Employees must be given adequate time to consider signing the agreement. Employees who are age 40 and over must receive at least 21 days in an individual discharge; 45 days in a group termination or reduction-in-force. Employees who are under 40 must receive only a reasonable period of time to consider and sign the agreement.

- Employees must be advised, in writing, of their right to consult with an attorney before

- Employees who are age 40 and over are entitled to revoke the agreement for seven days after they sign it. Younger employees have no revocation rights.

- In the context of a group termination or reduction-in-force, terminating employees who are age 40 or over must be provided with detailed information regarding the criteria used and the titles and ages of both the persons being terminated and the persons being retained. This process should not be undertaken without an attorney's assistance or review.


Handling Challenges to Employment Decisions

Employment lawsuits can be, and are, filed in both federal and state courts. No matter where they
are filed, employment cases often assert both federal law and state law claims. If an organization is
served with a complaint, it likely goes without saying that employment counsel should be contacted
without delay. If the organization maintains commercial employment practices liability insurance, the
carrier should be notified immediately. If, on the other hand, the organization insures this risk through
its own risk financing mechanism, appropriate individuals within the organization should be advised.
Enterprise Risk Management for Healthcare Entities, First Edition


Minimizing Risk in the Employment Relationship

The following explains the EEOC charge investigation process. State and local agency procedures usually are similar, but should be checked to ensure compliance with any unique requirements.
Before an employee can bring an action based on federal anti-discrimination laws, in most cases
he or she must first have filed an administrative charge with the designated federal agency, usually the
Equal Employment Opportunity Commission (EEOC). Many, but not all, states also require the filing
of an administrative charge as a condition precedent to civil litigation. It is beneficial to understand the
agency investigatory process, since a successful defense at the administrative level often discourages
employees from initiating much more time-consuming and expensive civil litigation.


To initiate a charge, the employee is required to complete an intake form, describing the acts the
employee contends constitute unlawful discrimination. Intake can be, and usually is, undertaken without a lawyer. Agency personnel assist employees in completing the charge forms and in articulating
their complaint.

Service on Employer and Requests for Information

A charge of discrimination is prepared by the EEOC and mailed to the employer. The employer
will be asked to submit a statement of its position in response to the allegations contained in the charge.
The employer may also be asked to provide specified data. The EEOC will set a deadline by which the
employer must respond. These documents may be sent to human resources, the employee's supervisor,
the risk management department, or to some other department, depending on what information the
employee has provided to the EEOC. It is important that whoever receives the initial communication
make certain it gets to the individual with responsibility for responding without delay.

Determination and Notice of Right to Sue

The EEOC investigation may go on for a while. The EEOC may ask for additional documents and
may seek to conduct interviews. The agency has the authority to conduct fact-finding conferences but
rarely exercises that authority. When it completes its investigation, the EEOC will issue a determination, holding either that there is no cause to believe discrimination occurred, or that there is cause.


A no-cause determination ends the matter at the EEOC level. With the no-cause determination, the EEOC also will issue a Notice of Right to Sue. The employee has 90 days following
receipt of the Notice of Right to Sue to file a complaint in civil court.

If the EEOC finds cause, it will initiate a conciliation. Essentially, the EEOC will try to get
the employee and the employer to come to an agreed upon resolution. While the conciliation
process is similar to a settlement negotiation, unlike most settlements, conciliated resolutions
are not confidential. If conciliation fails, the EEOC either will file a civil action on behalf of
the employee or issue a Notice of Right to Sue permitting the employee to file suit on his or
her own behalf. The EEOC does not have the authority to order an employer to pay any sum
or take any action. Some state and local agencies do have the authority to conduct public
hearings, where judgments and awards can be entered. It therefore is critical to be familiar
with the local regulations and to consult with an employment attorney whenever a charge of
discrimination is received.


Managing exposure to the panoply of employment laws and regulations can only begin
with a comprehensive understanding of what mandates apply to the organization. There are
multiple sources from which this information can be obtained, including internal human
resources and risk management personnel, in-house or outside labor counsel, and various
trade associations.

Healthcare lawyers need to appreciate that the consequence of non-compliance, no matter how
inadvertent, can be significant. Employment lawsuits are costly to defend, require substantial
investments of time by leadership personnel and co-workers, can lead to large awards of
both compensatory and punitive damages, and can damage the organization's reputation,
making it more difficult to attract high-quality professionals in an already critical recruiting

Organizations need to facilitate frequent and open collaboration among their various departments regarding all phases of the employment relationship. The turf wars of the past, such as
those that sometimes occurred between human resources and risk management, or between
risk and the legal department, must be excised. Employment law exposure today is multifaceted; minimizing its risk can only be done effectively when all members of the leadership
team meet the Three Cs: Communicate, Consult, and Collaborate.

Healthcare lawyers also can assist their organizations by exploring litigation-avoidance techniques. The regular use of employment and separation agreements can minimize the number
and scope of employment lawsuits. Implementing alternative dispute resolution procedures,
such as internal appeal processes, mediation, arbitration, etc., also can be extremely useful.



This discussion obviously has not been able to cover every employment-related risk management
challenge faced by healthcare organizations. It should, however, provide a useful starting place and a
practical guide for managing an organization's employment practices risks. Enterprise risk management
experience shows that these risks can be significantly minimized when all related professionals (risk
management, human resources, senior operational management, and legal counsel, whether in-house
or outside) make reduction of employment-related losses a priority and work collaboratively to achieve that goal.




What to Expect and What to Do When OSHA
Comes Knocking
Steven O. Grubbs, Esq.
Amanda J. Flanagan, Esq.
Sheehy, Ware & Pappas, P.C.


Congress enacted the Occupational Safety and Health Act of 1970 (the Act) after recognizing the
need for comprehensive job safety and health legislation. Not only were there a startling number of
work related injuries and deaths, but the injuries and illnesses arising in the workplace substantially
hindered interstate commerce because of lost production, lost wages, medical expenses, and disability
compensation payments. Currently, an estimated 6 million workplaces and 90 million employees from
every state, the District of Columbia, Puerto Rico, and all American territories are covered by the
Act. However, the Act does not apply to working conditions of employees over whom other state and
federal agencies exercise statutory authority to prescribe or enforce standards or regulations affecting
occupational safety or health.

The Act's primary purpose is to assure so far as possible every working man and woman in the
Nation safe and healthful working conditions and to preserve our human resources.1 In order to achieve
that purpose, the Department of Labor created the Occupational Safety and Health Administration
(OSHA). It is OSHA's responsibility to ensure that each employer keeps its place of employment free of
recognized hazards that are likely to cause death or serious harm. To accomplish this purpose,
OSHA may conduct unannounced inspections, issue citations for violations, and assess monetary penalties ranging from $1 to $70,000 per violation. OSHA has recently made headlines for multimillion
dollar fines given to the most egregious of violators. In addition to monetary fines, the United States
Justice Department recently joined forces with OSHA to provide for criminal prosecution of the most
flagrant workplace safety violators.2 In assessing penalties, OSHA will consider the good faith of the
employer, the gravity of the violation, the employer's past history of compliance, and the size of the
employer. In addition to the immediate consequence of receiving a monetary or criminal penalty, OSHA
citations may also affect future litigation arising from a workplace accident or death.

OSH Act Sec. 2(b).

New York Times, With Little Fanfare, a New Effort to Prosecute Employers that Flout Safety Laws, May 2, 2005.





General counsel should be aware that the healthcare industry remains one of a handful of industries targeted by OSHA for intensified safety and health inspections from year to year.3 In fact, nursing
and personal care facilities made up the highest concentration of worksites on the targeted inspection
list in the past couple of years. According to recent directives, OSHA inspections are to focus on
healthcare-related hazards such as patient handling, exposure to blood and other potentially infectious
materials, exposure to tuberculosis, and slips, trips, and falls. Given this targeted focus on the healthcare industry by OSHA and the United States Justice Department, healthcare administrators, their risk
managers, and general counsel must equip themselves to handle an increase in OSHA inspections.
This chapter will provide the healthcare general counsel a practical, hands-on guide to understanding OSHA, the risks of noncompliance, and how to effectively manage an OSHA inspection, including
a discussion of a healthcare facility's rights during an inspection, what to expect following an inspection, and a discussion of some of the more pragmatic issues involved in appealing an OSHA finding.

The OSHA Process


OSHA Standards

While explanation of the several thousand standards applicable to the healthcare industry exceeds
the scope of this chapter, a brief discussion of key OSHA standards may be useful. An employer must
comply with specific occupational safety and health standards promulgated under the Act. OSHA
standards are grouped under four broad industry categories: General Industry, Construction, Maritime
and Longshoring, and Agricultural. An employer must comply with the specific standards that apply
to its place of employment for which it has employees exposed to the hazard. OSHA has the burden
to prove by a preponderance of the evidence that the standard applies, that the employer was out of
compliance, and that there were employees exposed to the hazard. OSHA standards have been drafted
for literal compliance, and employers are expected to comply with them in every detail regardless of
an employer's use of its own safety methods4 or an employee's substantial experience.5 Further, an
employer must protect its employees even when they are in the process of abating a hazard.6
In addition to the responsibility to comply with specific standards, section 5(a)(1) of the Act
guards against hazards where no specific standard applies. Employers have a general duty to provide
a place of employment that is free of recognized hazards (the so-called general duty clause). This
works as a catchall provision. If an employee is injured, but there is no applicable specific standard,
OSHA may complain that the employer failed to provide a workplace free from recognized hazards.
Section 5(a)(1) is improper where a specific standard is appropriate. To prove a violation of section 5(a)(1), OSHA must establish that the employer failed to render its workplace free of a hazard
that was recognized by the employer or its industry, and that was causing or likely to cause death or
serious physical harm. In addition, OSHA must demonstrate the feasibility and likely utility of specific abatement measures. Importantly, an employer may violate section 5(a)(1) even when there is
no actual occurrence.7 Likewise, the occurrence of an accident, by itself, does not prove the existence
of a violation.8

OSHA Targeted Inspection Plan for 2005, at p. 12, August 9, 2005, http://www.osha.gov/pls/oshaweb/owadisp.
Sierra Constr. Corp., 6 OSHC 1278, 1978 OSHD 22,506,
Cornell & Co., 5 OSHC 1018, 1976-77 OSHD 21,532,
H.S. Holtze Constr. Co., 7 OSHC 1773, 1979 OSHD 23,925, affirmed in part, reversed in part, H.S. Holtze Constr. Co.
v. Marshall, 627 F. 2d 149 (8th Cir. 1980).

The Three Most Important OSHA Standards in Healthcare

OSHA maintains a list of the most frequently cited OSHA standards in the healthcare industry.9
This list may be found at www.osha.gov. Many healthcare employers are surprised to see that most of
the standards cited are not really healthcare related but are relevant to all industries. Medical services
and first aid, for instance, ranked only ninth on the list, behind wiring methods, lock out-tag out, and
exit routes.10 The following discussion will begin by highlighting the three most widely cited violations in the healthcare industry.

Bloodborne Pathogens

The OSHA Bloodborne Pathogen Standard is the most frequently cited standard in healthcare.11
This requires employers to protect employees from exposure to blood or other potentially infectious
materials that may contain bloodborne pathogens.12 There are many bloodborne pathogens, but the
main infections that pose the greatest risk to workers are the human immunodeficiency virus (HIV),
Hepatitis B virus (HBV), and Hepatitis C virus (HCV). The Bloodborne Pathogens Standard applies
to employers who have employees with occupational exposure to blood or other potentially infectious
materials, even if no actual exposure incidents have occurred.13 In 2001, OSHA added an additional
requirement regarding the protection of employees from needlesticks. Every healthcare employer is
required to use engineering and work practice controls to eliminate or minimize employee exposure to
bloodborne pathogens. Further, healthcare employers are mandated to keep a sharps injury log for
the recording of percutaneous injuries from contaminated sharps. Finally, healthcare employers are
required to adopt an exposure control plan.14
The exposure control plan requires the healthcare employer to adopt technology that eliminates or
reduces exposure to bloodborne pathogens.15 For instance, the plan must reference how the employees have been trained in self sheathing needles, and where to dispose of the sharps.16 Next, the plan
requires employees to document annually and implement appropriate commercially available and
effective safer medical devices designed to eliminate or minimize occupational exposure.17 Finally,
in the identification, evaluation, and selection of effective engineering and work practice controls, the
plan must have a requirement to solicit input from non-managerial employees responsible for direct
patient care, who are potentially exposed to injuries from contaminated sharps.18 This solicitation must
also be documented in the exposure control plan.19

Titanium Metals Corp. of America v. Usery, 579 F. 2d 536, 542 (9th Cir. 1978).
29 CFR 1910.1030.

Hazard Communications

While applicable to all employers, this standard is the second most cited standard for the healthcare industry.20 The Hazard Communication (Haz-Comm) Standard requires that the hazards of all
chemicals used in a place of employment are evaluated, and that information concerning their hazards
is transmitted to employees.21 This transmittal of information is to be accomplished by means of a
comprehensive hazard communication program which must include training on container labeling and
material safety data sheets (MSDS).22 Laboratory facilities that ship hazardous chemicals are considered to be either a chemical manufacturer or a distributor under this rule and, thus, must ensure that
any containers of hazardous chemicals leaving the laboratory are correctly labeled.23
Every chemical used in the workplace needs to have an accompanying MSDS. Each MSDS spells
out the properties of a specific chemical used in the workplace, including the symptoms of exposure,
ingestion, or inhalation, for example. Employers are also required to maintain copies of all material safety data sheets that are received with incoming shipments in sealed containers of hazardous
chemicals, obtain a material safety data sheet as soon as possible for sealed containers of hazardous
chemicals received without an MSDS if an employee requests the material safety data sheet, and ensure
that the material safety data sheets are readily accessible during each work shift to employees when
they are in their work area. Moreover, employers are charged with training employees as to where to
find this information.
Many employers are caught off guard by this standard because, as a general rule, if it is not water,
OSHA will likely consider it a hazardous chemical and require the employer to maintain an MSDS.
Take, for example, Clorox (chlorine) and Windex (ammonia). Alone, these chemicals are fairly inert,
and common sense tells you not to ingest them or get them on your skin. However, MSDSs note that,
if used together, these chemicals combine to create a toxic and carcinogenic mixture of chloramine and
hydrazine that can be lethal if inhaled. This is precisely the type of accident Hazard Communication
programs seek to prevent, and it is easy to see why OSHA takes this so seriously. Many employers fail to enact a comprehensive Haz-Comm program to address every single chemical used in the
workplace.

29 CFR 1910.1200.

Recordkeeping Violations

Employers who have more than 10 employees in the entire company are required to keep records
of all recordable injuries and illnesses. The forms used to keep track of these records are called the
OSHA Form 300 and the OSHA Form 301. The Form 300 is a log used by the employer for recording
and classifying work-related injuries and illnesses and for noting the extent of medical care provided.24
When an incident occurs, this form is used to record specific details about how it happened. The OSHA
Form 301, also known as the Injury and Illness Incident report, is a form used for each work-related
incident or accident.25 This form must be filled out by the injured worker within seven days of the
report of the incident or accident and must be kept for five years. Employees have the right to review
unredacted copies of these logs at any time upon reasonable notice.
Employers making a good faith effort to fully comply with these recordkeeping requirements are
generally given some slack. It is the employer who declines to comply or plays games with the definition of work-related who receives citations. Further, the fact that healthcare employers were cited
160 times implies that many in the healthcare industry have a lot to learn about complying with this
It is important for the healthcare employer to keep in mind the fact that, even though there is no
specific regulation concerning a workplace hazard, the general duty clause nevertheless requires the
employer to provide a safe workplace. One recent example concerned a file cabinet drawer that would
not stay closed. After several complaints by the employee who kept running into it went unaddressed,
the employee complained to OSHA. OSHA cited the employer under the general duty clause for failing to provide a safe workplace, even though there is not a specific standard that says file drawers must
be able to close.

What Triggers an Inspection?

Under the Act, OSHA is authorized to conduct workplace inspections and investigations to determine whether employers are complying with standards issued by the agency for a safe and healthful
workplace.26 Workplace investigations and inspections are conducted by OSHA compliance officers.
These officers do not typically provide an advance warning of the investigation/inspection. Rather,
their typical modus operandi is to simply arrive unannounced. An OSHA inspection is usually triggered by one of several events, discussed in the following sections.

Targeted Inspection

First, an inspection may be triggered by a targeted inspection. As demonstrated above, the
Department of Labor may target a particular industry (i.e., healthcare) that it believes constitutes a disproportionate safety and health risk to employees as compared to other industries. For those industries,
OSHA randomly selects several employers within that industry's Standard Industrial Classification
(SIC) or North American Industry Classification System (NAICS) codes. OSHA compliance officers
then drive to those establishments to perform an inspection without warning or prior notification to
the employer. Compliance with the Needlestick Prevention Act, under OSHA's bloodborne pathogen
standard, is on their list of targeted areas of enforcement.27




29 CFR 1904.29.
OSH Act Sec. 8
29 CFR 1910.1030.



Random Inspection

Not all inspections are targeted inspections. Many inspections are performed on employers whose
SIC or NAICS codes are chosen at random. Therefore, even if an employer's given industry is
not targeted by OSHA, that employer may still be selected for an inspection.

Employee and/or Third Party Complaints

Employee complaints about specific safety and health issues may also trigger an OSHA inspection. In those instances, OSHA will anonymously evaluate that employee's complaint for its validity.28
Not surprisingly, the filing of OSHA complaints is a favorite harassment technique of disgruntled
employees and ex-employees. Furthermore, interested third parties (e.g., a physician or family member of an employee) may also make complaints.29 Also not surprisingly, such third-party complaints
open the door for harassment by disgruntled competitors.

Occupational Fatality or Multiple Hospitalizations

Perhaps the clearest indicator that an employer will be visited by an OSHA compliance officer is
if the employer experiences an occupationally related fatality or has three or more employees hospitalized as a result of an injury or exposure related to their employment.30 It is important to recognize that,
in these two situations, the employer has an obligation to report the incident to OSHA, in person or by
phone, within eight hours of the incident.31 Once reported, OSHA is obligated to visit the employer's
facility within 24 hours. Failing to timely report the incident creates exposure to additional fines and,
in the event of subsequent litigation, plaintiff lawyers invariably use these types of citations to demonstrate a covering up of relevant evidence. For these reasons, it is imperative that a reportable incident
be reported within the eight-hour deadline.

Negative Workplace Media Exposure

The last event that will trigger an OSHA inspection is negative workplace exposure in the media.32
OSHA is a political entity that answers to the public. Therefore, OSHA administrators are compelled
to address any concerns that receive press coverage, even if there is no immediate public health or
safety concern. For instance, if the media reports that your medical office building has experienced a
gas leak necessitating the evacuation of a significant portion of your facility, an OSHA visit should be

Id. at Sec. 8(f).

OSHA Field Inspection Reference Manual at Ch. II-B-2.
OSHA's 24-hour hotline number is 1-800-321-6742. As will be discussed later, it is extremely important to be as brief
and factual as possible. Your conversation and/or report to OSHA will be recorded and transcribed and a copy placed in
the investigators file.
OSHA Field Inspection Reference Manual at Ch. II-B-2.





What Can I Do to Prepare for an Inspection?

In general, OSHA relies on the element of surprise and does not give advance warning of an
inspection. In fact, OSHA is authorized to issue criminal penalties to anyone who gives an employer
advance notice of an inspection.33 An astute risk manager will act prospectively to make preparations
ahead of time for what to do in the event that a compliance officer arrives.

OSHA Posters

The first preparation to be made is to order the official employee rights poster from OSHA's website (DOL Poster Package, ID# 5049) and post it in areas where nurses and other healthcare workers
congregate.34 If the medical center has a high number of employees who, for example, speak and/or
read Spanish to the exclusion of English, it would be advisable to order the Spanish version as well
(DOL Poster Package, ID# 5052). Although it may sound ridiculous, healthcare employers have been
cited for failing to post the required posters.

Company OSH Officer and Action Plan

The next preparation item is to establish a healthcare facility Occupational Safety and Health
Officer (the Facility OSH Officer), and implement an Action Plan for execution when an inspection
occurs. Many times this officer is the General Counsel or outside attorney. The responsibility of the
Facility OSH Officer is to assure that the Action Plan is carried out in the event of an inspection. He
or she should preemptively determine which standards and regulations apply to the healthcare facility,
and make sure all required written programs are up to date.

Updated OSHA Policies

There are a few programs that OSHA requires for almost every facility, including hazard communication, lock-out-tag-out, and fall protection.35 For the healthcare industry, several policies are
also on the short list of must-haves, including but not limited to bloodborne pathogens and needlestick prevention, as noted above.36 Because OSHA will likely request a copy of those policies and seek
assurances that employees are trained in them, healthcare employers need to be sure their policies
are up-to-date with OSHA's requirements and that those policies are appropriately communicated to
employees.

Housekeeping

It is also a good idea for employers to do some housekeeping. If there are activities at the worksite
that regularly create an impression of disarray, extra time should be taken to make sure those areas
are clean and orderly if an OSHA visit is anticipated. For instance, if there is a janitorial closet that
always seems to be cluttered, care should be taken to have the area cleaned up, remove chemicals from
the floor, and to secure access to the material safety data sheets that would apply to each chemical. As
noted above, the second most cited standard for the healthcare industry involves employers who fail
to have the required MSDS information for relatively benign chemicals such as WD-40, Go-Jo hand
cleanser, Clorox, and ammonia.37

OSH Act Sec. 17(f) authorizes up to $1,000 penalty and up to six months imprisonment, or both, for giving advance
notice of an inspection.
Look for the posters that apply to your business at http://www.osha.gov/pls/publications/pubindex.list#posters1.
See generally 29 CFR 1910 and 29 CFR 1926.
See generally 29 CFR 1910 and 29 CFR 1926.

Accurate OSHA Recordkeeping

Employers should also make sure that OSHA-required recordkeeping is up-to-date and readily
accessible. Further, OSHA records of workplace injuries (i.e., OSHA 300, 300a, and 301 logs) should
be updated monthly and kept in the same office as the employee personnel files, and annually posted
in accordance with the OSHA regulations. As has been discussed, this is the third most cited violation
of OSHA standards in the healthcare industry.

OSHA and HIPAA Privacy Concern Cases

There is significant confusion among government and industry alike as to how to reconcile the
duties under HIPAA and the obligations under the Act. General Counsel should also be aware of the
potential for liability with respect to privacy concerns that can arise when OSHA records are originated, maintained, and disclosed to others. Briefly, the Health Insurance Portability and Accountability
Act of 1996 (HIPAA) was enacted to protect against the unauthorized disclosure of personally identifiable
health information that pertains to a consumer of healthcare services.38 The conundrum is that by
complying with OSHA and following its injury and illness recording, reporting, and posting requirements, concerns often arise among General Counsel as to whether or not compliance with OSHA
will then create liability under HIPAA. On the one hand, an employer is required to publicly post
a list of all workplace injuries, listing the employee name and the nature of the injury, days off of
work, and lost time due to injury. Employees have a right to inspect the OSHA 300 and 301 logs at
any time, many of which could contain sensitive, personally identifiable protected health information. On the other hand, the U.S. Department of Health and Human Services commands that the healthcare
employer must protect the protected health information of its employees from disclosure under HIPAA.
Who wins, OSHA or HIPAA?

In an August 2, 2004 OSHA Standards Interpretation Letter, OSHA weighed in on this potential
conflict of duties and concluded that HIPAA's privacy requirements do not necessarily require employers to remove personally identifiable information from the OSHA 300 log for all employees.39 OSHA
reasoned that even if such a record falls within the scope of HIPAA's protection, a HIPAA exception
applies.40 The U.S. Department of Health and Human Services has not released any comment on the

This is a recurring concern of OSHA.

See 45 CFR 164.500 et seq.
A copy of the letter can be found at: http://www.osha.gov/pls/oshaweb/owadisp.show_document?p_table=
See 29 CFR 1904.




The HIPAA exception relied on by OSHA provides that [a] covered entity may use or disclose
protected health information to the extent that such use or disclosure is required by law and the use
or disclosure complies with and is limited to the relevant requirements of such law.41 However,
when applying the HIPAA exception, OSHA cited 29 CFR 1904.35(b)(2)(iv), which requires that
employees, former employees, and employee representatives have access to the complete OSHA log,
including employee names, except for privacy concern cases. Therefore, at least in the eyes of OSHA,
the inclusion of personally identifiable information on the OSHA 300 log would not be a violation of
HIPAA so long as the subject entry is not a privacy concern case.
Fortunately, OSHA provides further guidance as to what constitutes a privacy concern case and
the extent to which personally identifiable information can be disclosed under various circumstances.42
OSHA defines a privacy concern case as a case involving:
(1) an injury or illness to an intimate body part or the reproductive system;
(2) an injury or illness resulting from a sexual assault;
(3) mental illness;
(4) HIV infection, hepatitis, or tuberculosis;
(5) needlestick injuries and cuts from sharp objects that are contaminated with another person's
blood or other potentially infectious material; and
(6) other illnesses, if the employee voluntarily requests that his or her name not be entered on the
Therefore, if the workplace injury qualifies as a privacy concern case, the employer should not
enter the employee's name on the OSHA 300 Log. Instead, the employer should enter "privacy case"
in the employee name blank and keep a separate, confidential list of the case numbers and employee
names for its privacy concern cases.44
Additionally, if such measures are taken and the employer reasonably believes that the remaining
information will still identify the particular privacy concern employee, OSHA will allow the employer
some liberty in describing the injury or illness so as not to identify the employee through the details of
the injury. For example, OSHA suggests that an injury to a reproductive organ be described as a lower
abdominal injury.45 However, OSHA does warn that the employer must enter enough information to
identify the cause of the incident and the general severity of the injury or illness.46
Because disclosure of OSHA forms 300 and 301 is typically limited to government representatives, employees, former employees, or authorized representatives, employers may only disclose those
forms to other persons if the employer removes or redacts the employees' names and other personally
identifying information, irrespective of whether or not the case is a privacy case. The only exceptions to this rule are if the disclosure is made: (1) to an auditor or consultant hired by the employer to
evaluate the safety and health program; (2) to the extent necessary for processing a claim for workers' compensation or other insurance benefits; or (3) to a public health authority or law enforcement
agency for uses and disclosures for which consent, an authorization, or opportunity to agree or object
is not required under HIPAA.47
45 CFR 164.512(a).
See 29 CFR 1904.29(b)(6)-(10).
See id. at 1904.29(b)(7)-(9).
See id. at 1904.29(b)(6).
See id. at 1904.29(b)(9).
See id.

Inspections and Investigations

The first visit to the place of employment by the OSHA compliance officer is a fact-finding mission. At this stage, OSHA typically knows very little about the situation and is only there to do a
big-picture investigation called a walk around. An employer and any employee representative have
the right to accompany an OSHA representative on his walk around.48 The corporate attorney should
accompany the OSHA compliance officer at all times. If an employee complaint is the reason for the
inspection, the healthcare employer will be given a copy of the employee complaint with the name of
the complainant redacted.
OSHA may or may not provide a warrant for this inspection. OSHA is allowed to seek an ex parte
(without notifying you) warrant to inspect your facility, without having any probable cause that a violation of the act was committed.49 Without a warrant, however, OSHA is prohibited from conducting
an inspection in the absence of consent. Be advised that in cases of a workplace fatality or other emergency situation, OSHA has nearly unlimited right of access and a warrant is generally not required.50
Nevertheless, remember that any items in plain view of the compliance officer are fair game in
the inspection. Therefore, if you grant access to a part of the healthcare facility, anything he observes
en route to that part of the facility is open to inspection. It is not uncommon to take the compliance
officer on a circuitous route to the area of concern, so as not to take the officer past other areas of
concern (like the aforementioned janitor's closet).

Employee Interviews: Non-Managerial

Following the facility inspection, the compliance officer will likely ask to interview employees.
Although a compliance officer generally has the right to private interviews with rank-and-file nonmanagerial employees, an employer is not obligated to produce an employee for an interview during
regular work hours if it creates a risk of injury to other workers or unduly disrupts the provision of
healthcare.51 However, reasonable arrangements can be made to produce the employee for interviews
after work hours or on the next regularly scheduled break. The prevailing wisdom is that neither the
healthcare representative nor the medical center attorney can participate in this interview, although
employees may ask that their own attorney or their employee representative (in union situations)
accompany them. Importantly, no employee may be discharged or in any other manner discriminated
against for filing a complaint, testifying, or exercising any other right during an OSHA inspection.52
See id. at 1904.29(b)(10).
OSH Act Sec. 8(e).
See Marshall v. Barlow's, Inc., 436 U.S. 307, 98 S.Ct. 1816, 56 L.Ed.2d 305 (1978); see also Rockford Drop Forge Co.
v. Donovan, 672 F.2d 626 (7th Cir. 1982).
For a more thorough discussion of warrants for an OSHA inspection, see Marshall v. Barlow's, Inc., 436 U.S. 307
See Urick Foundry Co. v. Donovan, 542 F.Supp. 82 (W.D. Pa. 1982); see also National Engineering & Contracting Co.
v. OSHA, 928 F.2d 762 (6th Cir. 1991).
Controlling employee disclosures to OSHA during his or her interview is perhaps the strongest
weapon a healthcare employer possesses in managing an OSHA investigation. It is crucial for the
healthcare facility OSH officer to meet with each employee prior to their interview to go over witness
strategies. If possible, this should be conducted by the company attorney.
In those instances where OSHA agrees to allow the employee to have an attorney present, OSHA
will generally object to allowing the employee to utilize the employer's attorney who has been provided at no cost to the employee. It is OSHA's view that such an attorney may have a conflict of
interest in representing the employer and the employee. In difficult situations where, in the judgment
of the employer, it is determined that a particular employee must be assisted during their interview,
one technique an employer may utilize is to have the employee sign a waiver of any conflict of interest
and present it to the compliance officer.
After obtaining the waiver, the healthcare facility-provided attorney may insist on attending the
interview with the employee. There is support that OSHA must allow the interview under these circumstances.53 This, once again, may be viewed as a hostile act, so it is advised to use this method only
when absolutely necessary. OSHA may decline to interview the employee at that time and come back
with a subpoena for the employee's testimony. However, the conflict waiver should still apply.

Employee Interviews: Managerial

Managerial employees have the right to have a company representative or its attorney present during interviews.54 Managerial employees are generally defined as those employees who have the right
to bind the healthcare facility by their statements. However, in practice, a broader definition is often
applied such that any employee who has the right to hire and fire, is a supervisor to one or more other
employees, or is considered a foreman, may be considered a manager. Because of the right to have a
representative present during interviews, a broad construction of managerial is advisable. Legal counsel's role in these interviews is to try to force the compliance officer to ask clear, nonleading questions
and to make sure the witness understands the question prior to answering. Because OSHA compliance
officers are not trained litigators, they are prone to asking leading, vague, overly broad, and speculative questions that tend to cause problems later.

Environmental Sampling

OSHA also has the right to conduct environmental sampling of the healthcare facility.55 Environmental sampling can include air monitoring, noise level evaluation, radiation exposure, chemical
exposure, and soil sampling, to name a few. The employer is advised to conduct sampling of its own
in conjunction with the OSHA team to assure accuracy. Compliance officers will generally agree to
advance notice of a sampling team coming to the facility in order to allow the employer to retain a
sampling team of their own choosing to conduct side-by-side testing. Courts are split as to whether
OSHA has the right to require an employee to wear sampling devices, like radiation badges, during an
See 29 CFR 1977.
See Reich v. Muth, 34 F.3d 240, 244 (4th Cir. 1994) (upholding the right of an employee to voluntarily choose counsel
prior to an interview with OSHA regardless of the fact that the attorney represents both employer and employee); see also Dole v.
Bailey, 14 OSHC 1534, 1990 O.S.H.D. P28898, 1990 U.S. Dist. LEXIS 10512 (N.D. Tex. 1990).
OSHA Field Inspection Reference Manual at Ch. II A(4)(d)(4).
Id., at Ch. II A(4)(c).

The Closing Conference

At the conclusion of the onsite investigation, OSHA will conduct a closing conference. The purpose of the closing conference is to signify the formal end of the investigation and to review the
Department's findings with the employer. At this point, the compliance officer has a good understanding of what the citations will contain.57 It affords the healthcare facility and its legal counsel an
opportunity to visit with the compliance officer to discuss his or her potential findings before a citation
is issued.
Since anything stated during that closing conference is still fair game to be used against the
healthcare facility, the closing conference is best treated as a listening exercise rather than a free-flowing
exchange of ideas. OSHA sometimes uses the closing conference as a method to fish for what the
employer's response to an issue will be before writing the citations so they can craft the citation around
the employer's defenses. It is sometimes worthwhile to press the compliance officer for all information
collected that justifies a particular area of concern; however, this is sometimes futile.
It is also helpful to ask the compliance officer if there are any matters that should be corrected
by the employer. If so, the employer can begin taking steps to abate the hazard before the citation is
issued. Although the employer is not under any obligation to correct any issues prior to the issuance of
citations, OSHA will give the employer a deadline to comply at the time the citation is issued. Because
this abatement deadline can sometimes be brief, an employer will benefit by having additional time to
Another helpful item to obtain at the closing conference is a receipt from the officer itemizing
all the materials provided to him or her during the course of the investigation. Such a receipt helps
to assure that there is no misunderstanding about whether something was or was not provided to
Once the closing conference is completed, the OSHA compliance officer will return to his or
her office and begin drafting the citation(s). It is unlikely that a compliance officer will return to the
healthcare facility to conduct any additional investigation. The Act requires that citations should be
issued with reasonable promptness and imposes a deadline of six months following the occurrence
of any violation.58 It is not unusual for two or three months to elapse after the closing conference
before citations are received in the mail.
See Marshall v. Wollaston Alloys, Inc., 479 F.Supp. 1102 (D.Mass. 1979), affirmed, 695 F.2d 1 (1st Cir. 1982); compare Donovan v. Metal Bank of America, Inc., 516 F.Supp. 674 (E.D. Pa. 1981), appeal dismissed as moot 700 F.2d 910
(3dCir. 1983).
Although the Area Director reserves the right to change or supplement the recommendations of the compliance officer.
58 See OSH Act Sec. 9(a), (c).




I Was Just Served with Citations: Now What?

Because deadlines begin to run upon receipt of the citations, it is crucial that the healthcare
facility's General Counsel be immediately notified when citations are received. The facility should
notify the mail room or any other person in charge of circulating the mail that any materials received
from OSHA should be immediately delivered to the person managing the inspection. Once citations
are received, an employer has only 15 working days to contest the citations before they become a
final and unappealable order from the Department of Labor. Hence, the date the citations are received
should be noted in the file and 15 working days from that date should be noted on the calendar.
Once a healthcare organization receives citations, it has essentially three options. First, the
employer can simply agree to the citations as issued, and write a check to cover any associated fine.
This is not recommended. The second option is to file a Notice of Contest and challenge OSHA in
court to prove the allegations asserted in the citations.59 It is strongly recommended that an employer
retain competent counsel should it choose this alternative. Although OSHA will do its best to convince
you to go forward without a lawyer, the fact remains that the employer will be in litigation and there
are traps for the unwary. The next option is to set up an informal conference. No matter what option an
employer ultimately utilizes, an informal conference with OSHA should always be sought.

Informal conferences

An informal conference is exactly what it sounds like: an informal meeting with the OSHA
office that issued the citations. At the informal conference, the healthcare facility representative can sit
down with the local field office area director or his or her assistant area director and discuss ways to
resolve the citations without resorting to litigation. Typically, the area director will begin by discussing
the many variables present in an OSHA citation. In addition to the monetary penalties, OSHA citations
contain a gravity determination: Other than Serious, Serious, Willful, Repeat, and even Criminal.
The next variable in the citation is the language of the citation itself. This language can be negotiated in the same manner as the penalty amounts and the gravity. Many times, the language of the
citation is much more damaging to the employer than the dollar amount or the gravity.
The usual set of citations contains some fluff that OSHA uses during negotiations. In other words,
OSHA will cite a healthcare facility for some matters they know will not pass muster on appeal just to
give themselves some bargaining material. If a healthcare facility goes into the informal conference
with a realistic expectation of a workable solution, the healthcare facility will more than likely be able
to resolve the dispute at the informal conference. Generally, more than 90% of citations are resolved
at the informal conference level.
Perhaps the most important reason for resolving a claim at the informal conference is that, if the
healthcare facility is concerned about subsequent litigation resulting from the OSHA investigation, the
healthcare facility can request language in the settlement agreement that will give its attorney more
ammunition to argue against the admissibility of the citations in any subsequent civil action. While
such language by no means guarantees the inadmissibility of OSHA citations, it will give the healthcare
facility's lawyer more to work with. If the employer litigates the citations with OSHA and a finding is
made against the employer's interest or if the employer simply pays the citations without obtaining an
agreement, then the admissibility of the citations in subsequent civil litigation is nearly certain.
See OSH Act Sec. 10(a).
If an agreement cannot be reached in the informal conference, the healthcare facility must file
its Notice of Contest within 15 business days of the original receipt of the citations. Therefore, when
scheduling an informal conference, it is important to do so with enough time remaining on the contest
deadline to allow for continued negotiation after the conference is over and, if still unsuccessful, allow
for time to file a Notice of Contest. It is recommended that at least five business days be saved for this
continued negotiation period.

Abatement date

Citations will also contain an abatement date. This is the date by which the citation must be
corrected. The general rule is that the abatement date should be a sufficient amount of time for the
employer to evaluate the violation, formulate a plan of correction, and implement those plans.60 In
some instances, it may be impossible for an employer to fix the problem by the date requested. If
so, the employer may request an extension via a formal written letter. OSHA will typically grant an
extension up to the deadline to file a Notice of Contest. If that is still not enough time, the employer
may file its Notice of Contest, which will suspend the abatement date until there is a final order of the
Occupational Safety and Health Review Commission.61 Employers who do not abate the violation by
the abatement date risk additional citations.
OSHA is generally willing to extend the abatement date for good reasons. However, if OSHA is
unwilling, a healthcare facility may file a Petition to Modify Abatement (PMA) with OSHA. This is,
once again, one of those filings that should only be pursued with the assistance of an attorney. Detailed
discussions of the procedures for filing a PMA exceed the scope of this chapter, but take note of the
fact that the procedure exists if needed.

Filing Your Notice of Contest

If OSHA is unwilling to negotiate a workable solution with a healthcare facility at the informal
conference and the facility's deadline is running out, the facility should file its Notice of Contest. Once
again, it is imperative that the healthcare facility enlist the assistance of its attorney at this stage of the
process. There is a fair degree of success resolving claims at the litigation level that were believed to
be incapable of being settled at the local level. The introduction of an attorney often helps to remove
personality conflicts from the equation, particularly in contentious situations where OSHA and the
healthcare facility clashed in the inspection. Of the 10% of cases that are appealed to the litigation
level, experience shows that 80% of those can be resolved in lawyer-to-lawyer communications. For
the remaining 20%, the healthcare facility will be served with a lawsuit by OSHA, and the facility will
be required to file an answer.

See Matthews & Fritts, Inc., 2 OSHC 1149, 1974-75 OSHD 18,455.
See Reich v. Manganas, 70 F.3d 434 (6th Cir. 1995).





Significance for In-House Counsel, the Governing Board, and Executive Leadership

Like death and taxes, at some point a visit from OSHA is a near certainty. The when and the why
are less certain. Therefore, when OSHA arrives unannounced, it is important to be prepared and know
your rights and responsibilities. It is also crucial for any in-house counsel, governing board, and executive leadership to keep in mind the big picture throughout the inspection and investigative process.
The consequences of a healthcare facility's actions or inactions from the inspection to the issuance of
citation may affect future litigation. For example, simply paying the $5,000 fine without contesting
the citation or attempting to negotiate the citation language may end up costing tens of thousands of
dollars in any subsequent litigation. The ultimate goal is to reduce the impact of any citation issued and
to minimize the citation's effect on future litigation.


Know and understand the OSHA standards applicable to your facility. There are many
third-party safety and health compliance experts who can assist you with this.

Like any good boy scout, always be prepared. While a healthcare facility may not know
when an OSHA official may arrive, it can, and should, prepare for it. For example, posting
the official employee rights poster from OSHA's website in both English and Spanish in areas
where workers congregate, and establishing a facility Occupational Safety and Health Officer
to implement and oversee an Action Plan for execution when an inspection occurs, are two
important ways to prepare. Also, make sure the healthcare facility's OSHA recordkeeping
is up to date and its health and safety plan has been fully implemented. From a compliance
standpoint, it is worse to have a policy that is never or incompletely implemented, or worse,
implemented but not followed, than not having one at all. If a healthcare facility makes the
effort to have a comprehensive safety and health plan, the facility must follow that plan.

See the big picture. Actions that any healthcare administrator, risk manager or general counsel takes during an OSHA investigation will not only affect the outcome of the investigation,
but may also affect future litigation. For example, while OSHA citations are technically inadmissible hearsay, plaintiffs' attorneys have circumvented this rule by allowing their expert
to review the citation and later testify about it. A citation that cites the healthcare facility
for having a "willful disregard" for safety will be powerful evidence in a subsequent gross
negligence case where the plaintiff's burden is to show that the healthcare facility willfully
disregarded the safety of the employee.

Set the tone from the beginning. When an OSHA compliance officer arrives, do not treat it
as an adversarial process. Avoid actions such as demanding a warrant or refusing to provide
employees or documents in a timely manner. These actions may be perceived by the compliance officer as hostile, and may diminish your chances of later resolving any issues or
obtaining favorable citation language.

Handle the warrant issue with care. OSHA will perceive a denial of entry and a demand for a
warrant as a hostile act and will assume the healthcare facility is hiding something by hindering access. Rest assured their inspection will be more comprehensive when they return with a
warrant. However, requiring a warrant can force OSHA to more narrowly define the scope of
their inspection and document request. Or, more importantly, requesting a warrant may buy
the employer time to get ready for the inspection. Generally, however, the better approach
is to informally negotiate the scope of the inspection, including documents to be produced,
witnesses to be interviewed, and parts of the facility to be produced for inspection.

Negotiation is a valuable weapon in your arsenal. From the scope of the inspection to the
language in the citation, negotiating with the OSHA compliance officer may reduce the consequences of a citation or future litigation.

Do not inadvertently give OSHA additional ammunition to use against the healthcare facility. Because OSHA may issue citations for any violation seen while on the premises, avoid
inspection routes that would take the officer past any other areas of concern.

It is good to have a single point of contact. As more people become involved, information
becomes fragmented, and no single person will have the complete story. Therefore, only one
person should have principal communication with OSHA. That person could be the healthcare facility's attorney or risk manager. Whoever he or she is, that person should be charged
with the exclusive responsibility of (1) providing written documents to OSHA and (2) knowing exactly what was said to OSHA, what was given to OSHA, and what OSHA has seen.

Remember, OSHA is listening. It is important to understand that the healthcare facility's representative is on the record even at informal times such as the walk around. Stray comments
can and will be used by the compliance officer if they are relevant to his or her investigation. While it is
always important to be polite, the less that is said, the better.



OSHA is concerned about worker safety and it does its best to do its job fairly and apply the
standards uniformly. Unfortunately, the unprepared healthcare facility representative can be taken
advantage of if he or she is not ready for the inevitable OSHA visit. With careful planning, a healthcare
facility may assert some control over the process and reduce its exposure to significant OSHA fines
and subsequent litigation difficulties and, most importantly, foster a safer workplace.



Part V
Legal & Regulatory

Adverse Event Reporting: Reporting for Patient Safety and Public Health

Adverse Event Reporting: Reporting for Patient
Safety and Public Health
Kathryn K. Wire, JD, MBA, FASHRM
Principal, Kathryn Wire Risk Strategies


Since the 1999 Institute of Medicine report To Err Is Human1 spotlighted the significant role of
adverse events in healthcare, federal and state legislatures and agencies have moved to increase the
reporting and analysis of those events. The IOM expanded its call for improved healthcare outcomes,
including quality and safety reporting, in Patient Safety: Achieving a New Standard of Care (2004).2
Progress toward these goals has occurred in small steps, but it remains slow.
The number of adverse event reporting structures has increased since 1999, but they vary greatly.
On a state level, Oregon is the one state that has a voluntary adverse event reporting system; all the
remaining states that have adverse event reporting systems require providers to follow a prescribed list
of adverse events for which reporting is required primarily on the part of hospitals. The most prominent example of voluntary reporting is to Patient Safety Organizations enabled through the passage
of the federal Patient Safety and Quality Improvement Act of 2005. It is difficult to address mandatory adverse event reporting without considering the myriad other reporting programs that sometimes
overlap both the event reporting systems and each other. Quality reporting, for example, while theoretically voluntary, can take on some of the aspects of adverse event reporting and can have significant
implications for reimbursement and accreditation.

An Overview of Programs

Adverse event reporting systems take different forms and cover different issues. This chapter cannot realistically describe them in detail, but some specific programs warrant identification here.
1. A number of states encourage or require specific reports of adverse events,3 but they differ
on the specific occurrences that providers must report. Most draw heavily from the National
Quality Forum (NQF) list of 28 Serious Reportable Events or Never Events.4 See Appendix
for a list of those events.
Accessible free online at http://www.nap.edu/openbook.php?isbn=0309068371.
Accessible free online at http://books.nap.edu/openbook.php?isbn=0309090776.
A Review of Current State-Level Adverse Medical Event Reporting Practices: Toward National Standards, Megan K.
Beckett, et al., Rand Health (2006). The National Academy for State Health Policy maintains an online list of state reporting statutes at http://www.nashp.org/_docdisp_page.cfm?LID=2A789909-5310-11D6-BCF000A0CC558925.
2. In October 2008, the federal government implemented the Non-Payment for Hospital-Acquired Conditions, or CMS HAC, program that identifies events through billing codes and
dictates reimbursement consequences when the events occur, another form of event reporting.5 Using submitted billing codes, CMS is accumulating data on adverse outcomes with
every submission of a Medicare bill. The program can track a number of adverse outcomes;
CMS will deny reimbursement for care arising from some of them. It is anticipated that the
current list of 10 hospital-acquired conditions6 will continue to expand and be announced
with the yearly fiscal changes to the Centers for Medicare and Medicaid Inpatient Prospective
Payment System (CMS IPPS).
3. The 2005 Patient Safety and Quality Improvement Act encourages reporting for patient safety,
but even under the act, all reporting remains voluntary, and a very heterogeneous group of
organizations will receive and process the information. PSQIA is discussed in more detail
4. CMS, unquestionably, does not want to be a primary payer when other forms of insurance
are available. To that extent and to add additional strength to the Medicare Secondary Payer
(MSP) statutes, the Medicare, Medicaid, and SCHIP Extension Act of 2007 was passed in
December 2007.7 Section 111 refers specifically to reporting obligations by liability insurers
including self-insured plans to report on behalf of Medicare beneficiaries dollars paid for certain adverse events. This in essence makes for a federal mandatory reporting requirement.
5. Section 5001(a) of the Deficit Reduction Act (DRA) sets out new requirements for the Reporting Hospital Quality Data for Annual Payment Update (RHQDAPU) program. RHQDAPU
builds on the ongoing voluntary Hospital Quality Initiative (HQI). Hospitals are required
to report quality measures of process, structure, outcomes, patients perspectives on care,
efficiency, and cost of care that relate to services furnished in inpatient settings on the CMS
website. Currently, hospitals must report 30 quality measures to receive a full payment update
in FY 2009. By law, CMS must reduce payments to hospitals that do not successfully report
quality measures.

See www.qualityforum.org.
See Rules and discussion of CMS program regarding non-payment for hospital-acquired conditions at Federal Register
Vol. 73 No. 161, pp. 48471-91, accessible at http://edocket.access.gpo.gov/2008/pdf/E8-17914.pdf
The 10 conditions are: (1) foreign object retained after surgery; (2) air embolism; (3) blood incompatibility; (4) pressure ulcers stage III and IV; (5) trauma related to falls and other hospital-associated incidents; (6) catheter-associated
urinary tract infections (UTI); (7) vascular-catheter-associated infections; (8) surgical site infections: mediastinitis after a
coronary artery bypass graft, certain orthopedic surgeries, bariatric surgery for obesity; (9) manifestations of poor glycemic control; and (10) deep vein thrombosis (DVT) and pulmonary embolism (PE).
Mandatory Insurer Reporting Requirements of Section 111 of the Medicare, Medicaid and SCHIP Act of 2007 (MMSEA)
(Pub. L. 110-173); Use: Section 111 of the Medicare, Medicaid and SCHIP Extension Act of 2007 (Pub. L. 110-173) amends
the Medicare Secondary Payer (MSP) provisions of the Social Security Act (42 U.S.C. 1395y(b)). For more information,
visit http://www.cms.hhs.gov/MandatoryInsRep/.




Non-Reporting Penalty

While most healthcare facilities will report to one or more of these systems, they may also report
to managed care organizations, voluntary non-governmental groups, and their own health system

An Overview of Reporting Processes

With this hodge-podge, it helps to consider the characteristics of different reporting systems that most strongly influence their potential impact on organizational risk.
1. Adverse event reporting (mandatory or voluntary) relies on the submission, aggregation, and analysis of information about specified undesirable outcomes from hospitals, in order to design improved processes and support patient safety. The state programs that gather data on never events are examples. Some report the data by facility, others do not. Some use public health data to put the numbers in context, noting, for example, the statewide number of wrong-site surgeries as a percentage of total procedures. Generally, they view the events as rare enough that they do not calculate rates for each facility.
2. Other programs center on universal outcome reporting, in which the agency gathers data on all of the facility's outcomes (denominator) and then assesses the proportion of undesirable outcomes (numerator), to calculate a rate of failure or, conversely, of success. Facility mortality and infection rates fall in this category. This data is gathered from a variety of sources, some administrative and some based on clinical record review.
3. CMS's HAC program represents another form of outcome reporting, pulling statistics from billed diagnoses. It sorts through administrative (billing) data that indicates whether a defined outcome occurred by tracking submitted diagnosis codes on the bills.
4. Other programs gather data on process compliance; they focus on whether recommended processes take place, but don't directly track individual cases or outcomes. For example, CMS and the Joint Commission collect data through the National Hospital Quality Measures on process points like administration of pre-operative antibiotics or aspirin for patients with a possible heart attack.8 Process reporting should be combined with some form of outcome measurement to determine whether improving process compliance actually improves
The discussion below describes the more prevalent models and then discusses the potential risk to the enterprise that can arise from either participation or non-participation in the programs.

National Hospital Quality Measures, see http://www.jointcommission.org/PerformanceMeasurement/Performance



The Patient Safety and Quality Improvement Act of 2005 and Patient Safety Organizations9
Amid the background pressure to devise a comprehensive reporting system for adverse events, the federal Patient Safety and Quality Improvement Act of 2005 (PSQIA or Patient Safety Act) became law. Final rules for implementing the PSQIA were published November 21, 2008.10 The Patient Safety Act establishes a framework by which doctors, hospitals, and other healthcare providers may voluntarily report information on a privileged and confidential basis regarding patient safety events and quality of care.11
The federal law removes one disincentive to reporting, as it protects patient safety activities from discovery. Since reporting to a PSO is voluntary, it does little to address the IOM's goals of universal reporting. As stated in the Federal Register on August 29, 2008, the Patient Safety Act requires PSOs, to the extent practical and appropriate, to collect patient safety work product from providers in a standardized manner in order to permit valid comparisons of similar cases among similar providers. One of the goals of the legislation is to allow aggregation of sufficient data to identify and address underlying causal factors of patient safety problems. In order to facilitate standardized data collection, the Secretary of DHHS requested the Agency for Healthcare Research and Quality (AHRQ) to coordinate the development of Common Formats for patient safety events. The Common Formats Version 0.1 Beta was released by AHRQ on August 29, 2008.12 Soliciting comments from the public, providers, and PSOs will help AHRQ (assisted by the NQF) to revise future versions of the Common Formats. AHRQ plans on publishing a revised version within six to nine months of the first beta version, and then yearly thereafter.
This section does not offer a definitive discussion of the Patient Safety Act and its processes.
Rather, it will provide enough information to discuss the potential impact of PSO-related activities in
an enterprise risk environment.13
The Patient Safety Act centers on Patient Safety Organizations (PSOs), which will gather data
from healthcare providers.14 Figure 1 describes the flow of information under the Act. The data can
consist of adverse event reports or other patient-safety-related information. A PSO can analyze its own
data and can collaborate with other PSOs to analyze a broader base of information. The Patient Safety
Act protects data reported to and processed by the PSO, as well as PSO activities, from discovery and
most other forms of involuntary disclosure. A PSO's ultimate work product (free of identifiers) has no protection. Aggregated data about patient safety issues will be available to PSO members, collaborating PSOs, and, possibly, to the public.
James M. Barclay and Ruden McClosky contributed research and editorial assistance for this section.
Final Rule, PSO Legislation, Federal Register, Friday, November 21, 2008, Vol. 73, No. 226, Rules and Regulations, pages 70731-70814. See: http://edocket.access.gpo.gov/2008/pdf/E8-27475.pdf.
Federal Register, Vol. 73, No. 169, Friday, August 29, 2008, Notices.
The Common Formats can be accessed electronically at the following website of the Department of Health and Human Services: http://www.pso.ahrq.gov/index.html.
The PSQIA assigns enforcement of the law to AHRQ, which has an extensive website about the law, regulations, and the current status of implementation at http://www.pso.ahrq.gov/index.html. The Office for Civil Rights has enforcement responsibility for the confidentiality provisions, and its website with information is accessible at
The term provider encompasses nearly all types of healthcare providers. PSQIA 921(8). In that sense, the PSQIA provides much broader protection to safety processes than many state quality and peer review statutes.



Figure 1: Flow of information under the Patient Safety Act (figure not reproduced). 2008, James M. Barclay, Ruden McClosky, used with permission.

Healthcare providers that contract with a PSO, and then gather and report their data (also known as Patient Safety Work Product, or PSWP) via a Patient Safety Evaluation System (PSES), are protected from having to disclose that data. The regulations define the confidential data-gathering process narrowly, so providers should use caution when counting on the confidentiality of their programs.
In summary, the Act outlines a program with these characteristics:
• Healthcare providers gather information about adverse events (or other patient-safety-related information) and transmit it to one or more PSOs. They can choose which PSO, if any, to use.
• A Patient Safety Evaluation System (PSES) is the collection, management, or analysis of information for reporting to or by a PSO.
• PSOs collect, aggregate, and analyze (via their PSES) the information reported by healthcare providers. The Act assumes that by analyzing patient safety information, PSOs will be able to identify patterns of failure and propose measures to eliminate patient safety risks and improve care. PSOs can share data among themselves.
• PSWP receives federal privilege and confidentiality protection. PSWP is the information assembled and reported by providers to a PSO or developed by a PSO as part of its Patient Safety Activities (PSAs).
• Any information gathered for purposes other than reporting it to a PSO is not protected under the Act, though it may be under state law.
• Consent of all identified providers to a disclosure of PSWP can waive the confidentiality of that information.
• The Patient Safety Act preempts state law that is less protective of data disclosure but interferes neither with state law that provides greater protections nor with state law regarding information that does not qualify as PSWP.
• A provider may not take an adverse employment action against an individual who reports patient safety concerns to the provider or directly to a PSO in good faith.15
• Protected PSWP cannot ordinarily be used in state, federal, or local civil or criminal actions or administrative disciplinary proceedings. However, it can be used in criminal proceedings if an in camera review determines that the PSWP (1) contains evidence of a criminal act, (2) is material to the proceeding, and (3) is not reasonably available from any other source. Courts can use PSWP to provide equitable relief in certain whistleblower actions. In short, the PSQIA will not shield evidence of criminal or retaliatory behavior.
• The government can assess monetary penalties for violations of confidentiality or privilege.
• A network of patient safety databases will provide interactive, evidence-based management resources for providers, PSOs, and other entities for use in analyzing trends and patterns of patient safety events. The network will employ common reporting formats and will promote interoperability among reporting systems. (Neither the law nor the regulations provide guidance or support for the development of the network.)
• PSOs are business associates, and patient safety activities under the Act are healthcare operations, for HIPAA purposes.


Mandatory State Reporting

A growing number of states require that providers report adverse events to a state agency. Many state reporting programs create active patient safety agencies to process and publish the information. Most also provide protection against disclosure of non-aggregated data, though some states publish the events naming the institution.16, 17, 18 These programs differ from the federal structure in two ways. First, they require reports, while the federal law favors a voluntary system. Second, all reports go to one agency. (State agencies that receive mandatory reports may also qualify as PSOs.) Under the Patient Safety Act, a provider can report to any PSO, to multiple PSOs or, in some cases, create its own. Some state programs publicly report data by provider.

Adverse employment action, as defined in 922(e)(2) of the Act, includes loss of employment, failure to promote an individual, failure to provide any other employment-related benefit for which the individual would otherwise be eligible, or an adverse evaluation or decision made in relation to accrediting, certifying, credentialing, or licensing the individual.

Joint Commission Sentinel Events

The Joint Commission has a well-established program requiring that providers report sentinel
events. The reporting process is complex and, in some cases, the provider need only demonstrate when
asked that it fully investigated the event with a root cause analysis. The Joint Commission gathers the
reports and issues periodic Sentinel Event Alerts based on its findings.19 As of December 2008, the
Joint Commission had issued 42 Sentinel Event Alerts on a variety of patient safety topics affecting

Other Quality and Safety Reporting Programs

Several other programs gather reports regarding specific safety issues such as equipment malfunctions, medication errors, and adverse events from drugs. These programs generally protect non-aggregated data from disclosure. MedWatch, the FDA safety information and adverse event reporting program, gathers mandatory and voluntary reports about the safety of medications and medical devices. The program also directs that some reports go to the manufacturers of the item, to be aggregated there and reported to the government.20

The Medication Errors Reporting (MER) Program, implemented by the U.S. Pharmacopeia (USP), became the national model for healthcare providers and patients to report medication errors on a confidential basis. The Institute for Safe Medication Practices (ISMP) has been a partner with USP since 1991 and has now taken over this program. ISMP will continue to use these reports to effect changes in products and practice both nationally and internationally. ISMP is a designated PSO, which supports the move of the MER program from USP to ISMP.21

Another program which has seen recent change is MEDMARX. Previously managed and maintained by U.S. Pharmacopeia, it has now been transferred to Quantros, a healthcare technology company recently named as a PSO, to create a more robust database of medication and other medical errors, and to deliver the output to a larger base of providers through an improved user interface.22

Pennsylvania has one of the oldest and most active state organizations; further information is available at http://www.psa.state.pa.us/psa/site/default.asp. Information about the Indiana Patient Safety Center can be accessed at http://www.indianapatientsafety.org/. Both agencies report on their event reporting activities each year and issue safety bulletins periodically when they believe a pattern of events requires attention.
See Hospital Adverse Event Reporting: Review of State Statutes and Administrative Rules (2006), at http://www.nahdo.org/documents/25StateAdverseEventReportingRequirements.pdf. This report lists all state programs and summarizes their requirements, and also refers to some web resources for further information.
For reporting or additional information, contact ISMP at www.ismp.org or 1-800-324-5723.

Effective May 7, 2001, the FDA requires that hospitals and blood centers maintain a method to report, investigate, and track errors and accidents. The Medical Event Reporting System for Transfusion Medicine (MERS-TM), a web-based system, meets that requirement. MERS-TM was developed under a grant from the National Heart, Lung, and Blood Institute and is maintained by its developers at Columbia University. It is an event reporting system developed for transfusion services and blood centers to collect, classify, and analyze events that could potentially compromise transfusion safety.23


Reporting and Risk

The reporting of clinical data, whether mandatory or voluntary, carries some risks that can affect the various ERM domains. Some connections are very clear, while others are more subtle and require investigation. ERM leaders must seriously consider both the myriad consequences of any reporting system and how those effects might appear in their organization. Reporting system variables will substantially define the potential risks a reporting program presents for an organization. Questions to answer include:
• Will the data be publicly available, with or without identifiers?
• Is the information risk adjusted?
• Are comparisons reflective of the organization's current environment?
• For negative or poor outcomes, what strategies and solutions are in place to prevent future
• How accurate is your reporting process?
• To what extent does the reporting process divert resources needed elsewhere in your
Table 1 outlines some of the likely risks of reporting programs, and associated steps an organization can take to reduce those risks.


Many healthcare providers dive into the reporting process blindly, assuming that the activity is necessary and that it will benefit the organization. Because reporting requires substantial time and energy, an ERM analysis will help determine the initial wisdom of participation, provide for the necessary resources to do it well, and allow for redirection if necessary. By assessing the risks, costs, and benefits of reporting, the organization will knowingly engage in the process, understanding its goals in participating. By watching how the reporting process works, the organization can redirect resources and adapt its reporting efforts over time. By evaluating the results, it can know where to direct its efforts in clinical improvement.

In the interest of public health and to assist practitioners and patients, USP will post its five years of MEDMARX data and eight annual reports on www.usp.org for free, ensuring full access to this clinically important information. All queries about MEDMARX should be addressed to Quantros (www.quantros.com).
For more information, go to http://www.mers-tm.org/about.html.
Participation in any reporting process must be weighed against competing uses for resources, based on an analysis of all domains. How will the effort affect regulatory and legal compliance? How will it affect the organization's financial picture? In what ways will it change the human resource picture, both by using human capital and by influencing the organization's relationship with its employees? Is the organization ready to make the necessary changes that results may require? How will the act of reporting and the results of reporting impact the organization's reputation and relationships in all of its various communities, including the medical staff?
If reporting is mandatory, some of these questions are not relevant. However, the entity can still determine its own best response to possible reporting outcomes. Does it really want to be best? What is the upside of being best; what will it really bring? What are the costs? What are the true downsides of poor results?
Reporting, like any other organizational activity, can support or detract from an organization's strategic goals. The ultimate result will depend on whether leadership examines reporting options like any other business decision and then implements its conclusions effectively.
Table 1. Likely risks of reporting programs (Risk) and steps an organization can take to reduce them (Response)

1. Risk: Inaccurate reports cause risk in three areas:
   • The provider will have a false picture of its patient safety needs and misdirect
   • The entire reporting system (e.g., a PSO and its clients) may misdirect resources based on bad information.
   • If aggregated data are published, then the audience of those reports will have a false picture of either individual providers or the safety of the healthcare
   Response: Because reporting is a relatively new phenomenon, providers lack standardized methodologies for gathering or testing data internally. This can lead to wide variations in the accuracy of reports. When developing procedures to gather and report data, concurrently establish protocols for data review and testing to accomplish the following:
   • Inspect the systems for generating data. Are the sources likely to be accurate? Are the systems comprehensive?
   • Compare the data to itself (over time and between clinical areas) for consistency.
   • Use a gut check: does it look and sound
   • How does the organization compare to others, and does that comparison make

2. Risk: Any reporting structure that involves incentives or punishment can encourage participants to game the system. This leads to dysfunctional results and potentially could impact patient care. For example, the publication of mortality rates may discourage providers from taking the sickest patients. Alternatively, it might discourage physicians from offering non-aggressive comfort care for the sickest patients.
   Response: Keep any direct consequences of reporting in context by looking at the following questions:
   • What is the provider getting by meeting the goal? What is it giving up?
   • What unintended shifts in clinical processes and/or outcomes have resulted (or are likely to result) from the incentives?
   • Can the link between the incentives and the unintended result be broken?
   • How do the potential unintended consequences balance against the gain from the reporting incentives?
   Educate employees and physicians about the downside of unintended consequences.

3. Risk: Issues subject to reporting tend to get more attention, and that can divert valuable resources from other provider needs. Mandatory reporting systems do not usually address issues based on individual assessments of providers. So unique concerns not covered by the reporting systems may be ignored for lack of capital and human
   Response: Utilize an ERM framework to rank the risk of non-reporting or of ignoring reported issues against the opportunity cost of directing resources to the issues highlighted by outside programs, with the following questions:
   • What does the provider lose with noncompliance or gain with compliance? Look at governance, regulatory, financial, reputation, liability/legal, and human resources implications.
   • How do those findings fit into the organization's strategic goals?
   • What other applications of those resources will be abandoned?
   • Who will do the work? Is there new staff, or will existing staff add this to their responsibilities? Will it require new technology or additional staff? Is the diversion of human and financial capital justified in light of other strategic goals?
   • Can the content and structure of reporting be altered by reevaluating PSO

4. Risk: Providers that do not improve will suffer disproportionately. Ongoing data collection will demonstrate their mounting failure to keep up with others who improve, as the move to transparency puts more data out to consumers. The failure to improve can arise from a number of
   • Insufficient resources to address the problem without compromising other strategic goals.
   • Inability or unwillingness to change behavior to improve care, a purely local effort unrelated to the reporting process or the proposed solutions.
   • Incorrect approaches to improvement.
   Response: Several steps need to occur in the face of a persistent failure to improve:
   • Analyze the benefits and risks of meeting the expectations (process outlined above). Is continuing with this reporting and evaluation process mandatory? If not, is it a good idea?
   • Consider allocating the financial and human capital for the difficult process of generating behavior change.
   • If the approach to improvement is just wrong, others should experience the same problem and generate a wide response and changes to the recommended solution.
   • Any failure to improve should result from a conscious decision, not from incomplete planning or from poor implementation of the process.
   Behavior change often requires intense work at the front line, working with the staff that delivers care. It does not come from education or punishment. A number of leadership initiatives address this issue, and management should choose one that meets the particular needs of the organization.

5. Risk: The ever-expanding variety of reporting programs has generated a plethora of data-gathering activities. They measure very different things, in different ways. This consumes tremendous amounts of time and energy (discussed above) and can produce apparently inconsistent results. For example, a facility might track pressure ulcers through event reports and report on the number of pressure ulcers that appear through the billing codes. Those numbers might differ, because the pressure ulcer will only appear in the billing if the physician identified it as a primary or secondary diagnosis.
   Response: Using an ERM ranking approach, examine the reporting options, including the realistic cost of each, the benefits of reporting, the risk related to poor data-gathering, and the opportunity cost resulting from any steps to reconcile the data. This should include an intense review of similar or overlapping programs to look for opportunities for efficiency. If two or more programs touch the same source information, confirm that the resulting data do not conflict, or if they do conflict, that there is a reason. Are they necessary and/or desirable?

6. Risk: Public reporting of negative findings can lead to a loss of trust.
   Response: Make sure that all relevant departments learn of the likely publication of unfavorable results so systems like public relations, marketing, and physician relations can prepare. Be ready to talk about the efforts to improve. This requires the organization to study and understand the data before reporting it.

7. Risk: Efforts to improve reported results can lead to the inappropriate use of medical treatments such as antibiotics. For example, efforts to encourage early administration of antibiotics for patients with possible pneumonia resulted in overtreatment with those drugs.
   Response: Any new clinical initiative, including those for patient safety, should include ongoing review of related care to look for changes, both negative and positive. After this assessment, decide whether the benefits justify any negative outcomes.

8. Risk: Reports may mislead consumers if the underlying data are not accurate or appropriately
   Caution: If the provider knowingly incorporates inaccurate reports into marketing materials, the affected consumers could seek recovery under consumer protection laws, which allow for greater recoveries, attorney fees, or recovery in the absence of physical injury.
   Response: Accuracy of data should be a priority. The risk adjustment process often falls outside of the provider's control. Address it through audience education. If the risk adjustment is just wrong, examine the organization's data that sets the risk adjustment. Is accurate information going into case mix calculations? Providers need to accept that no reporting or measuring system is perfect.
9. Risk: An increase in the number of events reported often indicates greater cooperation with a patient safety program. Higher numbers also may lead to an inaccurate perception of poor care.
   Response: The entity publishing the data should explain that the program's success depends on complete reporting, and that increasing numbers reflect improved compliance with the reporting requirements. For example, Indiana's report on its 2007 Medical Error Reporting System data reflects that the state expected increased numbers, and that consumers should not judge providers based on those numbers. The provider can also educate the audience, stressing its efforts to learn and improve. Positive patient satisfaction results and great patient experiences will balance the community perception.

10. Risk: Many laws protect whistleblowers who report information to a PSO or state agency from retaliatory treatment, including discharge.
   Response: Good personnel records that include ongoing evaluations of competency and compliance with employee regulations can protect a provider that takes action against a whistle-blowing
   Effective and trusted internal contact points for concerned employees can deflect employee reports to outside agencies. However, the employer cannot mandate that employees report internally first.

11. Risk: Information gathered and analyzed in anticipation of reporting may be discoverable, even if the actual information reported is not. Reported events may be published. The PSQIA regulations do not protect information unless it is reported.
   Response: State quality and peer review statutes may provide protection, and the organization should consider those provisions when designing reporting structures. The ERM analysis should include consideration of both the upside and downside of reporting, as well as evaluating whether the information is likely to be discoverable in another form, making this threat less important. For example, if a plaintiff could ask for the facility's infection rate and get that information, then the protection of the process that develops that figure is less important. Can the organization use its participation in a quality or safety program as a positive thing?
Appendix: National Quality Forum 2006 Serious Reportable Events
Surgical Events
1. Surgery performed on the wrong body part.
2. Surgery performed on the wrong patient.
3. Wrong surgical procedure performed on a patient.
4. Unintended retention of a foreign object in a patient after surgery or other procedure.
5. Intraoperative or immediately post-operative death in an ASA Class 1 patient.
Product or Device Events
6. Patient death or serious disability associated with the use of contaminated drugs, devices, or
biologics provided by the healthcare facility.
7. Patient death or serious disability associated with the use or function of a device in patient
care, in which the device is used or functions other than as intended.
8. Patient death or serious disability associated with intravascular air embolism that occurs
while being cared for in a healthcare facility.
Patient Protection Events
9. Infant discharged to the wrong person.
10. Patient death or serious disability associated with patient elopement (disappearance).
11. Patient suicide, or attempted suicide resulting in serious disability, while being cared for in a
healthcare facility.
Care Management Events
12. Patient death or serious disability associated with a medication error (e.g., errors involving
the wrong drug, wrong dose, wrong patient, wrong time, wrong rate, wrong preparation, or
wrong route of administration).
13. Patient death or serious disability associated with a hemolytic reaction due to the administration of ABO/HLA-incompatible blood or blood products.
14. Maternal death or serious disability associated with labor or delivery in a low-risk pregnancy
while being cared for in a healthcare facility.
15. Patient death or serious disability associated with hypoglycemia, the onset of which occurs
while the patient is being cared for in a healthcare facility.
16. Death or serious disability associated with failure to identify and treat hyperbilirubinemia in
17. Stage 3 or 4 pressure ulcers acquired after admission to a healthcare facility.
18. Patient death or serious disability due to spinal manipulative therapy.
19. Artificial insemination with the wrong donor sperm or wrong egg.

Environmental Events
20. Patient death or serious disability associated with an electric shock or elective cardioversion
while being cared for in a healthcare facility.
21. Any incident in which a line designated for oxygen or other gas to be delivered to a patient
contains the wrong gas or is contaminated by toxic substances.
22. Patient death or serious disability associated with a burn incurred from any source while
being cared for in a healthcare facility.
23. Patient death or serious disability associated with a fall while being cared for in a healthcare
24. Patient death or serious disability associated with the use of restraints or bedrails while being
cared for in a healthcare facility.
Criminal Events
25. Any instance of care ordered by or provided by someone impersonating a physician, nurse,
pharmacist, or other licensed healthcare provider.
26. Abduction of a patient of any age.
27. Sexual assault on a patient within or on the grounds of the healthcare facility.
28. Death or significant injury of a patient or staff member resulting from a physical assault
(i.e., battery) that occurs within or on the grounds of the healthcare facility.

Human Research and IRBs
Fay A. Rozovsky, JD, MPH
President, The Rozovsky Group, Inc.


Clinical research is a major factor in healthcare organizations, from large teaching hospitals to
medical group practices and home health organizations. Human research spans the gamut, from investigational drugs and devices to behavioral studies. For healthcare organizations, being the venue for
sponsored research can result in a significant source of revenue. It can also expose healthcare entities
to an array of liability risk.
In many ways the ability to control clinical research risk exposure turns on the effectiveness of the
institutional review board (IRB) and research office. Due diligence in reviewing research protocols,
rigorous review of sponsor agreements, ongoing vigilance and oversight of research trials and billing
are important measures to thwart potential risk exposure.
Successful human research and IRB activity demands input from healthcare counsel for a healthcare entity. Understanding potential liability exposures and the mechanisms to control them makes human
research ripe for the application of enterprise risk management.

Overview of Human Research Requirements

In the United States, human research is governed by both federal and state requirements. At the
federal level, some 19 federal departments and agencies follow what is termed the Common Rule,1
a set of consistent regulatory requirements that are found in the Code of Federal Regulations. Thus if
one views consent requirements for clinical trials overseen or sponsored by the Department of Energy,
the language would be the same in a corresponding section of the CFR for the Department of Health
and Human Services. One major exception is the Food and Drug Administration (FDA), which has
some variations, particularly in the area of consent to participation in clinical research trials.2

1. See, generally, 45 CFR 46 et seq.
2. See, generally, 21 CFR 50.20.


At the state level there is an array of legislative and regulatory requirements on human research
trials. California,3 New York,4 and Virginia5 have the most detailed state laws on human research.
Other states have taken a different approach, including provisions addressing participation in clinical
trials in legislation governing long term care residents,6 prisoners,7 and those with substance abuse
challenges.8 Other state laws address fetal research.9
The point is that in the United States there is no one law that addresses the conduct of human
research trials. For legal counsel, a threshold consideration is to determine which laws are applicable
to clinical research in the healthcare entity.

Federal Regulatory Infrastructure

Using the Department of Health and Human Services regulations as a model for others under the
Common Rule, one can see the logic of the rules governing human research. The regulations identify
what are considered exempted activities10 and those that require review by an Institutional Review
Board.11 The regulations are quite specific, too, about the membership of the IRB and the obligations
of this group in reviewing protocols with a view to safeguarding the rights and welfare of research
subjects.12 Thus, the IRB is obliged to review study design with a view to approval of research trials,13
consent requirements and documentation,14 and, in appropriate cases, take action to either suspend or
terminate a protocol.15
A duly constituted IRB must give written assurances that it will comply with the federal policy on
human research.16 The Federalwide Assurance (FWA) for human research tracks the core principles
found in the Common Rule. The Office of Human Research Protections (OHRP) has created forms to
complete for the written assurance.17
The Federalwide Assurance (FWA) is the only type of new assurance of compliance accepted
and approved by OHRP for institutions engaged in non-exempt human subjects research conducted or
supported by HHS. Under an FWA, an institution commits to HHS that it will comply with the requirements set forth in 45 CFR part 46, as well as the Terms of Assurance.
FWAs also are approved by OHRP for federalwide use, which means that other federal departments and agencies that have adopted the Federal Policy for the Protection of Human Subjects (also

Cal. Health & Safety Code 24170; Cal. Penal Code 3500 et seq.
NY Pub. Health Law 2440 et seq.
Va. Code 32.1-162.16 et seq.
See, e.g., Md. Health Code Ann. 19-344.
Ariz. Rev. Stat. Ann. 31-321 et seq.
Okla. Stat. Ann. 63 2-101.
See, e.g., Ind. Code Ann. 16-34-2-6 and Neb. Rev. Stat. 28-342.
45 CFR 46.101(b).
45 CFR 46.103.
45 CFR 46.111.
45 CFR 46.117; for FDA consent requirements, see 21 CFR 50.25.
45 CFR 46.113.
45 CFR 46.103.
See the form at http://www.hhs.gov/ohrp/humansubjects/assurance/filasurt.htm.

known as the Common Rule) may rely on the FWA for the research that they conduct or support.
Institutions engaging in research conducted or supported by non-HHS federal departments or agencies
should consult with the sponsoring department or agency for guidance regarding whether the FWA is
appropriate for the research in question. There are two versions of the FWA and the Terms of Assurance, one of each for domestic (U.S.) institutions and for international (non-U.S.) institutions.18
The FWA19 is a key component of regulatory compliance. The Office of Human Research Protections' Division of Compliance Oversight (DCO) conducts evaluations and responds to allegations
of noncompliance. On its website OHRP publishes information about significant findings of noncompliance.20 It also offers a variety of guidance documents that can be used to avoid regulatory
For healthcare counsel conversant with the Conditions of Participation and State Operations
Manual, the FWA and OHRP compliance guidance is an analog in the area of clinical research. As
healthcare counsel would use the COP standards and Interpretive Guidelines to achieve regulatory
compliance, the same approach can be used with the OHRP material.
Beyond the OHRP, other federal requirements should be kept in mind. Of particular import are
provisions involving clinical trials and Medicare. In a National Coverage Decision (NCD), Medicare
has delineated what it will and what it will not consider a covered service or item.22 From a practical
perspective, the NCD requires careful legal review and discussion with those responsible for coding
and billing to make certain that items and services are attributed correctly to Medicare, private payors,
and clinical trial sponsors. Taking such a step is important to avoid allegations of fraud and abuse
related to human research trials.

Sponsored Research Trials

Federal, state, and international legal requirements are but one side of a much more complex legal
context for clinical trials. To a large extent, sponsor agreements dictate the scope and dimensions of
human research. Subject recruitment, retention, and termination of subjects from a trial, conflict of
interest, access to data, record retention, suspension of research, payment, information sharing with
data safety monitoring boards (DSMBs), liability, and insurance are just some of the topics often
addressed in sponsor agreements. The terminology and phraseology used may often dictate the scope
of sponsor risk-taking and risk-shifting to healthcare facilities. As such, legal counsel should review
carefully the terms and conditions of a sponsor agreement with a view to defusing needless liability
risk exposure.

18. From the Office of Human Research Protections, http://www.hhs.gov/ohrp/FWAfaq.html#q5.
20. To view this information, go to www.hhs.gov/ohrp/compliance/findings.pdf.
21. To view these documents, go to www.hhs.gov/ohrp/policy/index.htm#topics.
22. For a good Q&A on the topic, see http://cms.hhs.gov/determinationprocess/downloads/id210qa.pdf.

Consider the following risk exposures in a sponsor agreement:
Record retention. The agreement sets a limitation period that is inconsistent with the healthcare
organization's policy on electronic or paper-based records. The timeframe used may also be inconsistent with the healthcare facility's e-Discovery rules.
Record access. The agreement severely limits access to data by the principal investigator or the
healthcare organization. In doing so, the agreement attempts to label information often necessary for
legal or regulatory purposes as intellectual property. In other situations, the sponsor may insist on
access to patient-level identifiable information to an extent not contemplated by the healthcare organization's HIPAA Privacy acknowledgment signed by a patient or surrogate.
Vague Definitions. A common problem found in many sponsor agreements is the lack of precision in key definitions. For example, a clause may state that the sponsor agrees to "hold harmless and
indemnify the healthcare organization for any injuries to research subjects directly related to the use
of the test article or device, provided, however, that the test article or device was used in a manner
outlined in the study protocol." On the face of it, the clause appears quite straightforward. However,
what is the meaning of the phrase "directly related to" when a patient experiences an adverse outcome
while also receiving treatment with a drug approved for therapeutic use? How would one be able to
establish that the injury was directly the result of the test article and not either a synergistic effect of
the combined therapy and test article or the test article alone?
Insurance Coverages. The contract may give the appearance of having appropriate insurance
coverages. However, if it does not address cyber risk or identity theft, and the healthcare organization has not contemplated such exposures in its insurance portfolio, how will it address such liability
Principal Investigator Continuity. The sponsor agreement permits the substitution of another individual for the principal investigator, typically within a specified timeframe. However, the language
states "approved by the sponsor" and does not speak to the healthcare entity having a voice
in the selection or approval process.
Notification Provision. The contract requires the healthcare facility or principal investigator to
report adverse outcomes or deaths, but there is no reciprocal provision for the sponsor. Absent such
a provision, the healthcare organization and principal investigator may continue with the trial even
though serious adverse events have taken place at other venues that would warrant the local IRB to
consider suspending the trial.
Changes to the Research Protocol or Agreement. The sponsor may reserve the right to modify
the protocol or the numbers of participants in a trial in the study agreement. Absent the IRB knowing
about such changes, the study design may be modified to an extent that is not acceptable in terms of
the rights or welfare of subjects. Similarly, if the sponsor changes the formula for payment, there can
be considerable gaps in cash flow.




IRBs and the Research Office

A healthcare organization may or may not have its own IRB. Often a research protocol may be
approved by an IRB situated elsewhere. Under agreements, the local healthcare organization agrees
to participate in the trial, following the provisions of the research protocol. At other times the local
healthcare organization may have its own IRB and that body will review the protocol. In such a multicenter trial the opportunity is ripe for disputes about consent provisions between IRBs. In yet other
situations a CRO or clinical review organization may be involved as the IRB.
Separate from the IRB, healthcare facilities often have a Research Office. Staffed
with individuals responsible for sponsored trials, clinical trials contracts, and daily administration, such an office offers a great
opportunity for high-quality programs that detect early on the potential for regulatory noncompliance and billing issues. Many Research Offices include a Chief Research Officer or Director of
Research with compliance training.
The IRB often has a full-time administrator who is skilled at managing the work of the institutional review board. Training and certification programs exist for IRB personnel, including the CIP
program from PRIM&R.23 Other training programs including education materials are made available
by OHRP24 and proprietary courses.25
At the IRB level, hands-on training is required for members. This includes orientation and regular
updates. The same kind of approach is prudent for principal investigators and their staff.
Training regimens should extend to senior management of the healthcare organization and the
board of directors or trustees. It should not be assumed that an IRB's approval is sufficient. With good
training, the board should know the types of questions to ask when providing final approval for a major
research project to be rolled out at the healthcare organization. At the senior management level, the
CFO, CNO, CMO, and risk management should be conversant with what is anticipated in the research
trial. In this way, coding, billing, insurance coverages, and staffing needs can be anticipated for the
human research investigation. Getting to this stage, however, requires rigorous review by legal counsel of the legal dimensions of the research project.

Why an Enterprise Risk Management Model

Human research involves clinical, financial, regulatory, liability, and fiduciary responsibilities.
Although the IRB may act on delegated authority of the board of directors of a healthcare entity, it
is the healthcare organization that is ultimately responsible for acting on the recommendations of the
Institutional Review Board. Negligent review or oversight can trigger liability for the organization.
Similarly, approval of an imprudent study resulting in losses for the organization can impact the liability of the board and officers of the organization in terms of their fiduciary responsibility as the good

23. Information on the Certification for Institutional Review Board (IRB) Professionals can be found at www.primr.org/
24. See http://www.hhs.gov/ohrp/educational/index.html#materials.
25. See, e.g., Research Compliance & Research Integrity, www.hccs.com/research.html.

stewards of the healthcare entity. Given these issues, a comprehensive risk framework would be very
useful for addressing successful human research and IRB activity.
A case example illustrates this point.
T.M. Provenci, M.D., had a long track record in clinical research. He was also respected as an
interventional cardiologist. Dr. Provenci landed a three-year study to test a new medication
to prevent restenosis following angioplasty. The study involved a double-blind, randomized
protocol requiring the enrollment of a minimum of 5,000 qualified subjects between the age of
55 and 72 years of age who had not previously undergone any revascularization procedures.
The study required local IRB approval. The sponsorship agreement did not contain any hold
harmless or indemnification provision. It did not make clear that the study was part of an
international study that originated in Australia and that the choice of law was Australian
federal requirements. The latter information was in an attachment B referenced in the main
document but not appended to the master sponsorship agreement. Dr. Provenci assured the
IRB Administrator's assistant that the attachment was just routine information.
Dr. Provenci was in a rush to get the IRB to approve the study. The hospital CMO also
wanted the study approved quickly. Unbeknownst to the IRB, the CMO held stock in the
pharmaceutical company that was sponsoring the study. Although the CMO did not sit on the
IRB, he reminded the IRB Chair of the importance of the research for the hospital.
The IRB approved the study. Dr. Provenci and his research coordinator began a vigorous
campaign to enroll patients in the study. The Director of Research was on extended leave
and his administrative assistant did the best she could to provide oversight. She dutifully
reviewed the reports submitted by Dr. Provenci that described in a succinct manner how
research subjects were enrolled in accordance with the study protocol.
During the course of the three-year study, Dr. Provenci accepted a visiting lectureship in
Toronto. He was out of the country for 12 months. However, the study coordinator continued
to submit claims under the grant indicating that at all times Dr. Provenci was providing direct
supervision of the study.
An internal auditor pinpointed discrepancies in coding and billing for some 25 patients who
were also enrolled in the Provenci study. Many of the questions involved double-billing
for electrocardiograms, lab studies, and diagnostic imaging. The amount in dispute was
$250,500. When the internal auditor called to speak with Dr. Provenci, she learned that he
was unavailable.
Using the tip of the iceberg approach, the internal auditor delved more deeply into the
study. She found that there were glaring errors in research subject enrollment practices. Over
34% of participants were outside the age parameters specified in the study plan and 15% had
undergone a previous revascularization procedure that should have been a disqualification.


About the same time, the risk manager took receipt of a formal claim alleging negligent
informed consent involving an angioplasty patient. The patient asserted that he had not been
properly informed of the alternatives to the experimental treatment and that had he received
this information, he would have chosen established therapy. The risk manager opened a claims
file and reviewed the situation. He found the claimant was a research subject in Dr. Provenci's
study. When he attempted to speak with Dr. Provenci, the risk manager learned that he
was out of the country.
Three other claims occurred in short order involving the study, all with the same allegation.
The risk manager spoke with the research office coordinator and obtained a copy of the
sponsorship agreement. The risk manager discovered the absence of boilerplate language for
hold harmless and indemnification that was supposed to be standard in all research agreements
at the facility.
About the same time, the research office received a registered letter from the sponsor
questioning a number of invoices submitted under the study. The sponsor had done an audit
of the local files and found many of the same issues identified by the internal auditor. The
letter concluded, "We believe that there are glaring deficiencies in the conduct of the study. An
attempt to meet with Dr. Provenci during the site visit was unsuccessful. It was learned that
he was on a visiting lectureship and was not expected to return for three months. However,
the invoices submitted for the research trial indicate that he is providing on-site supervision.
We believe that these invoices have been submitted in a fraudulent manner and in accordance
with clause 3.2.5 of our sponsorship agreement hereby terminate Dr. Provenci and the hospital
from further participation in the study. Further pursuant to clause 5.7.8, we are withholding
any further payments and demand the return of the amounts paid to satisfy claims 308, 309,
and 310 in the amount of $79,670.00."
Dr. Provenci was summoned to return to the hospital to account for what had transpired. His
actions were considered to constitute professional misconduct and his appointment to the
medical staff was terminated. Because Dr. Provenci's medical professional insurance did
not cover clinical research related events, the hospital decided to settle the four claims. The
decision was based on a desire to contain what could be very expensive claims and onerous
A whistleblower complaint was filed with the Office of Human Research Protection alleging
impropriety in the conduct of clinical research at the facility. Among the allegations were
claims that the IRB did not exercise appropriate oversight, that safeguards were not in place
to monitor subject enrollment and consent, and there was evidence of conflict of interest
that had not been addressed in the institution. At the same time, state Medicaid launched
an investigation into alleged fraudulent billing for services it said were to be satisfied by
the research sponsor. The hospital entered into a corrective action agreement that involved
a major overhaul of the research office, the IRB, and the termination of the CMO. It also
remitted more than $35,000.00 in payment to the state Medicaid program and it entered into
a corporate integrity agreement that required development of a rigid firewall in billing
research sponsors and the state Medicaid program.
This is a fictitious case illustration. However, it demonstrates the type of complexity that can arise
in legal exposures stemming from clinical research. It illustrates, too, the importance of an enterprise
risk management approach to clinical trials and the work of the IRB.
The case study reflects a number of enterprise risk exposures, including the following:
Regulatory Risks. The case involved non-compliance with respect to human research review and
oversight and Medicaid fraud.
Legal Risks. Compliance issues were plentiful in the case study giving rise to legal issues. Breach
of contract and allegations of negligence were also issues found in the case study.
Operational Risks. The case study revealed serious concerns in terms of qualified personnel to
handle research and oversight. Process issues involving billing and coding were evident. That the
CMO had a financial conflict of interest was not well-elucidated. However, he used his position to try
to exert influence on the IRB. This is an ethical issue and a matter that involves operational integrity
risks. Further, the lack of adherence to a consistent process in IRB review, oversight, and research
oversight played a role in the case study.
Financial Risks. The failure to review carefully the sponsorship trial agreement led to a gap in
possible insurance coverage that may have helped to address the costs of the claims filed by four
research subjects. The case study revealed an absence of good financial management in terms of
billing and coding mechanisms. The legal fees associated with responding to negligence claims, the
whistleblower matter and the Medicaid investigation could involve serious financial risk exposure for
the healthcare facility.
Contractual Risks. The contract had major flaws, including its insurance coverage provisions, and it lacked
a mechanism often found in agreements, the ability to cure defects. Moreover, the contract lacked the
ability to substitute a new person to serve as principal investigator when there were concerns about
Dr. Provenci.
Reputational Risks. The losses associated with the claims, and the investigations had the potential
to give rise to serious adverse publicity. Bad press coverage could serve as a deterrent to other sponsors involving the healthcare entity in clinical research trials. Further, the community may question the
integrity of the institution in the aftermath of alleged research improprieties.
Staffing Risks. The lack of qualified personnel was evident in the management of the research office.
When a key administrative person is absent for a period of time there needs to be a business continuity
plan that anticipates filling the position on a temporary basis by someone with appropriate credentials
and experience. The failure to do so can lead to the type of issues that emerged in the case study.
In an enterprise risk management program, healthcare counsel has considerable responsibility
and the need for good communication systems. In human research trials and IRB administration the
healthcare counsel can help establish parameters for an enterprise risk management program that
encompasses a number of factors. Rather than wait for a problem to emerge that triggers legal involvement, healthcare counsel can facilitate development of enterprise-wide practices and systems to
forestall the types of situation that emerged in the case study.

An Enterprise Risk Management Systems Checklist for Human Research and IRB Administration

The following checklist provides a framework for an ERM approach to human research and IRB
administration. Central to such an approach is a collaborative effort among leadership, clinical research
professionals, risk management, billing, and healthcare counsel.
- the institution has a current FWA;
- the institution has a template for reviewing and negotiating sponsor research agreements;
- there is a training program with demonstrated competencies for principal investigators and research staff;
- there is a training program with demonstrated competencies for members of the IRB;
- there is a training program with demonstrated competencies for personnel in the Research
- there is a practice routine for identifying and partitioning billing and coding for clinical
- there is an internal audit process used on a regular basis to evaluate compliance with coding and billing in clinical research;
- there is a current policy and procedure that addresses administrative aspects of the IRB and Research Office;
- the IRB reviews research protocols consistent with applicable federal and state
- oversight mechanisms evaluate:
  - subject enrollment;
  - subject remuneration practices;
  - consent practices with all types of research subjects;
  - assent with minor research subjects;
  - consent documentation practices;
  - expedited review;
  - exempted work activity;
  - emergency use (See FDA regulations26);

26. See 21 CFR 50.3.

  - emergency research (See FDA guidance27 and state law28);
  - conflict of interest provisions;
  - early termination of study;
  - disenrollment from a study;
  - adverse event identification;
  - adverse event reporting;
  - mandatory reporting to sponsors;
  - mandatory reporting to medical examiner or coroner;
  - monthly checks of the Office of Scientific Misconduct list;
  - monthly checks of federal debarment lists (Medicare and Medicaid);
  - management of insured research subjects;
  - a policy and procedure for disclosure of adverse and unanticipated outcomes of clinical
  - use of root cause analysis to evaluate research studies resulting in serious injury or death;
- there is a linkage with the corporate compliance program zero tolerance process to address identified issues of scientific misconduct and fraud and abuse;
- there is a regular review of insurance coverages for clinical research including but not limited
  - workers' compensation;
  - business interruption;
  - key person;
  - cyber risk;
  - identity theft;
  - intellectual property theft; infringement;
  - insurance specifications for international research.

Checklists aside, there are some specific measures for healthcare counsel to consider in helping
to give shape to an enterprise risk approach to clinical research and the work of the IRB. A threshold
initiative calls for legal counsel to identify the statutes and regulations that apply to research trials.
Identifying applicable law is fairly straightforward when a protocol involves competent adults
within the confines of the jurisdiction in which the research is to take place. However, it is quite another

27. Guidance for Clinical Investigators, Institutional Review Boards and Sponsors, Exception from Informed Consent Requirements for Emergency Research, 71 Fed. Register 51,198 et seq. (August 29, 2006).
28. See, e.g., R.I. Gen. Laws 23-17-19.1.

matter when research involves a multicenter or multinational protocol. On an international level, it
is important to note that many countries have laws that govern human research trials. These international provisions may address privacy requirements and research protocol review standards. They may also
involve specific insurance requirements that must be met before embarking on a clinical trial.29
With a host of laws potentially applicable to a research trial, healthcare counsel can foster a practical yet comprehensive legal review that helps resolve the impact of these disparate laws governing
research. Similarly, legal counsel can help synthesize solutions to contractual requirements that are
inconsistent with applicable law and the legal philosophy of the healthcare organization with regard
to research trials. Seen in this way, handling these legal considerations can help solidify a strong enterprise risk management program for clinical research.


Human research is an important aspect of the healthcare industry. It provides the context for
important innovations in clinical care and it offers the potential of a strong, consistent revenue stream
for a healthcare organization.
Human research trials also involve the unknown and risks abound to potential research subjects. It
is imperative that appropriate mechanisms are in place to safeguard the well-being of human subjects
and the integrity of the research process.
Enterprise risk management offers a context for addressing the range of risks associated with
human research trials and the work of the IRB. Pivotal to success is the involvement of legal counsel in
all segments of the ERM model for such endeavors. To this end, a useful list of resources can be found
in this chapter to help start the process toward an ERM model for clinical research.

29. F.A. Rozovsky and R.K. Adams, Clinical Trials and Human Research: A Practical Guide to Regulatory Compliance, San Francisco: Jossey-Bass, 2003.

E.A. Bankert and R.J. Amdur, Institutional Review Board: Management and Function, Second Edition. Boston: Jones and Bartlett, 2006.

P. Brent and L. W. Vernaglia, Editors, Clinical Research Compliance Manual: An Administrative Guide. New York, 2007.

R. Carroll, Editor, Risk Management Handbook for Health Care Organizations, Fifth Edition. San Francisco: Jossey-Bass, 2006.

ECRI, Healthcare Risk Control. ECRI Institute.

F.A. Rozovsky, Consent to Treatment: A Practical Guide, Fourth Edition. New York: Aspen
Publishers (2007 with 2008 supplement).

F.A. Rozovsky and R.K. Adams, Clinical Trials and Human Research: A Practical Guide to
Regulatory Compliance. San Francisco: Jossey-Bass, 2003.

F.A. Rozovsky and J.L. Conley, Health Care Organizations Risk Management: Forms,
Checklists & Guidelines, Second Edition. New York: Aspen Publishers, 2007 (with 2008

Listing of Federal Departments and Agencies participant in the Common Rule:

Agency for International Development

Central Intelligence Agency

Consumer Product Safety Commission

Department of Agriculture

Department of Commerce

Department of Defense

Department of Education

Department of Energy

Department of Health and Human Services

Department of Homeland Security

Department of Housing and Urban Development

Department of Justice

Department of Veterans Affairs

Department of Transportation

Environmental Protection Agency

International Development Cooperation Agency

National Aeronautics and Space Administration

National Science Foundation

Social Security Administration


Mandatory Disclosure of Adverse Events to Patient/Family

Mandatory Disclosure of Adverse Events
Peter J. Hoffman, Esq.
Eileen Lampe, Esq.
Joseph V. Conroy IV, Esq.
Eckert Seamans Cherin & Mellott, LLC
Joan D. Plump, Esq.
Attorney at Law


In 1999, the Institute of Medicine (IOM) released a landmark report, To Err is Human, which
revealed that medical injury was causing many deaths and called on the healthcare community to make
reduction of medical errors a priority. Since then, medical errors and tort reform have received a great
deal of attention and many changes have occurred in how healthcare organizations think about and
deal with adverse events.1
One essential change has been that now, after an adverse event, providers are encouraged and
often required to share information about what went wrong and why. Sometimes details relating to the
event must be reported so they can be studied, with the hope that organizations and people may truly
be able to learn from mistakes. Additionally, both to promote patient safety and in an attempt to help
contain skyrocketing medical professional liability costs, healthcare organizations and providers may
be required to disclose the occurrence of an adverse event to the affected patient, and perhaps to the
patient's family.
Obviously, it is important for a healthcare organization to be aware of when disclosure of adverse
events is required. The people within those organizations also should understand why disclosure is a
beneficial practice for everyone involved, and how best to go about it. This chapter will deal briefly
with these subjects.

The American Society of Healthcare Risk Management (ASHRM) defines an adverse event as an injury that was caused
by medical management rather than the patient's underlying disease. It may or may not result from a medical error. Medical
management includes all aspects of healthcare, not just the actions and decisions of physicians and nurses.


When Disclosure is Necessary

Disclosure may be required by the Joint Commission, state law, insuring provisions, and organizational policies and procedures, just to name a few. This section will briefly discuss some of these

The Joint Commission's Requirement

The Joint Commission requires that patients, and when appropriate, their families be informed
about the outcomes of care, treatment, and services that have been provided, including unanticipated
outcomes.2 One element of performance under this standard is that, at a minimum, patients, and
where appropriate the family, be informed about unanticipated outcomes of care, treatment, and
services that relate to sentinel events considered reviewable by the Joint Commission.3 The list of
sentinel events considered reviewable by the Joint Commission includes the following:

any patient death, paralysis, coma or other major permanent loss of function associated with
a medication error;

an operation on the wrong side of a patient's body;

any maternal death related to the birth process;

a hemolytic transfusion reaction involving major blood group incompatibilities; and

a foreign body, such as a sponge or forceps, left in a patient after surgery.4


State Law

Disclosure of adverse events or unanticipated outcomes also may be required by state law. As
of 2008, at least 12 states, i.e., California, Connecticut, Florida, Maryland, Nevada, New Jersey, New
York (only facilities licensed by the N.Y. Dept. of Mental Health), Oregon, Pennsylvania, South Carolina (Ambulatory Surgery Centers only), Tennessee, Vermont, and Washington, had statutes requiring
mandatory notification to patients of adverse events.5 Other states may well adopt similar laws as the
evidence supporting the practice of disclosure grows. Currently, many other states have laws that
exclude expressions of sympathy after an adverse event from being used as proof of negligence,
but do not also require that adverse events be disclosed.6

JCAHO Standard RI.2.90, Comprehensive Accreditation Manual for Hospitals: The Official Handbook; Refreshed
Core, January 2007.
Id., Standard RI.2.90; EP2.
California (Hospitals, In Person), Cal. H & S Code 1279.1(c); Florida (Different Requirements for Hospitals and Physicians), Fla. Stat. 395.1051 and 456.0575; Maryland (Hospitals Only), COMAR 11(F); Nevada (Hospitals
and Physicians), Nev. Rev. Stat. 439.855; New Jersey (Hospitals and Physicians), N.J. Stat. 26:2H-12.25; New York
(Only Facilities licensed by Department of Mental Hygiene), 14 NYCRR, 624.6; Oregon (Hospitals and Physicians),
Oregon Law 2003, Section 4, Chapter 686; Pennsylvania (Hospitals, In Writing), 40 P.S. 1303.308(b); South Carolina
(Ambulatory Surgery Centers Only), S.C. Code of Regs. 61-91-601(C); Tennessee (Hospitals and Physicians), TCA
68-11-211(d)(1); Vermont (Hospitals, In Person), 18 V.S.A. Chapter 43A 1915(1)(D); Washington (Hospitals and
Physicians), RCW 70.41.3805.

The specific circumstances in which disclosure of an adverse event is required, as well as details
of how and when disclosure must be accomplished, vary among the states that currently have mandatory disclosure laws. It is critical that attorneys working within an organization or advising healthcare
organizations be familiar with state-specific statutory or regulatory requirements regarding the disclosure of adverse events; providers and risk managers also must be aware of applicable disclosure
requirements. In some states, such as Pennsylvania, there are also reporting requirements with respect
to adverse events.7 The appropriate people in the organization must be aware of these requirements as
well. It is possible that some day soon there also will be a federal law requiring disclosure. Two U.S.
senators recently proposed such legislation as one element in a comprehensive tort reform plan.8

Insurance Provisions

The practice of insurance companies prohibiting healthcare providers from disclosing and apologizing is quickly giving way to a more patient-centered approach. In some instances, disclosure of adverse
events, along with an apology, is strongly encouraged under medical professional liability policies. For
example, the Colorado Physicians Insurance Company (COPIC) has formalized an apology process
that authorizes payment of up to $30,000 in expense restitution to affected patients.9 Under this program, which began in 2000 and which COPIC has entitled 3R for Recognize, Respond, and Resolve,
insured doctors are encouraged to continue the physician-patient relationship based on honest,
open communication and to attend education on disclosure. Other medical professional liability insurers
have different types of programs to encourage disclosure of medical errors and adverse events.

Institutional Requirement or Policy

It may also be the policy or a requirement of the healthcare facility that adverse events must be
disclosed to the patient and family. Such a requirement is becoming more common as the patient safety
culture expands. Two notable examples of healthcare systems in which disclosure is required are The
University of Michigan Health System (UMHS) and the Veterans Health Administration. In 2001,
UMHS began a new approach to claims management that included altering staff and institutional
behaviors that forced patients to resort to courts for satisfaction as the only alternative.10 Its disclosure policy is based on three principles, which are made public to staff members, the local bar and the
courts. These principles are:
1. UMHS will compensate quickly and fairly when inappropriate medical care causes injury;
2. UMHS will defend medically appropriate care vigorously;
3. UMHS will reduce patient injuries, and therefore claims, by learning from mistakes.11
40 P.S. 1303.308(a)
See Clinton H.R., Obama B., Making Patient Safety the Centerpiece of Medical Liability Reform, 354 N Engl J Med.
2006; 354:2205-2208.
Roberts, R., The Art of Apology: When and How to Seek Forgiveness, American Academy of Family Physicians (2007),
at www.aafp.org/fpm.
Boothman, R., Transparency: The Benefits of an Open and Honest Dialogue, presentation at University HealthSystem
Consortium in Oak Brook, IL, September 22, 2005.
Welti, M.K., Disclosure of Medical Adverse Events: A Study of the University of Michigan Health System Model, at

Since implementing its program and disclosure policy, UMHS has seen a drastic reduction in the
number of open claims and suits, and the average time from the opening of a claim to resolution has
been reduced significantly as well. UMHS has seen its litigation costs decrease by two-thirds. It has
reinvested a portion of these savings into its patient safety reporting system.12 Similarly, VA hospitals
have adopted a policy of consistent disclosure of medical errors, along with early offers of compensation
to injured patients. The results in this program have been comparable to those at UMHS.13
In the patient safety culture, an adverse event is seen as an opportunity to identify and learn from
a possible error or failing within a system, and thereby improve the quality of care. People involved
in patient safety generally believe it is important for care providers to work in an environment where
free exchange of information among providers, and between providers and patients, is encouraged or
required. There also is increasing awareness that disclosure may help prevent litigation by improving
the relationship and trust between the patient and care providers and by reducing patient anger and
frustration. The effects of programs such as those at UMHS and the VA provide strong anecdotal evidence in support of this theory.

Professional Ethics

Ethical standards applicable to physicians also require disclosure in limited circumstances. For
example, The AMA Code of Ethics requires disclosure when a patient suffers significant medical
complications that may have resulted from the physician's mistake or judgment.14 Also, The American
College of Physicians (ACP) Ethics Manual provides that doctors should tell their patients about procedural or judgment errors if that information is material to the patient's well-being.15

Moral Requirement

Finally, there is a strong feeling among some people and groups within the healthcare community
that disclosure of adverse events is necessary because it is the right thing to do; it is honest. Moreover,
it is how most people would want to be treated themselves, and how most people would want their
loved ones treated. Providers and others who share this philosophy often believe that a hospital and
its physicians and staff should avoid contributing to an adversarial relationship with patients through
incomplete communication and, consequently, should share all relevant information about care with
patients, including when and how adverse events occur.
As all the above discussion and examples demonstrate, disclosure of adverse events may be mandated by one or more laws, standards, policies or philosophies that apply to the organization. Even if
disclosure is not mandated, the organization may believe that disclosure is in the institution's, the care
providers', and the patient's best interests.

Clinton H.R., Obama B., Making Patient Safety the Centerpiece of Medical Liability Reform, 354 N Engl J Med. 2006;
Wei, Doctors, Apologies, and the Law, 40 J. Health L. 107, 107149 (2007).

The remaining portion of this chapter will assume that it has been decided, for whatever reason,
that adverse events at the organization will be disclosed to patients and their families. It is important
that all healthcare providers involved in the disclosure process within the organization understand the
basis for this decision, the objectives hoped to be achieved and, how disclosure should best be made.
It is also useful for those involved to understand the history and tradition of nondisclosure, as this
knowledge helps to illuminate why some providers are resistant to any requirement for or policy of
disclosure and how such resistance may be overcome.

Barriers to Disclosure

Traditionally, there have been significant barriers to disclosure of adverse events to patients and
their families. One significant barrier has been a culture of blame in which the unrealistic expectation of perfection on the part of physicians, the punishment of practitioners and institutions for errors
or bad outcomes, the habit of finger-pointing, fear of loss of reputation or license, a tolerance for
errors as long as they are not caught, and fear of legal liability have all played a part. In this culture of
blame, there is little emphasis on relationships between healthcare providers and patients that involve
listening and full disclosure. This way of operating has existed for a long time for a variety of reasons,
including constraints on time and resources, lack of support from hospital administration for any other
way, fear of increased litigation, lack of scientific data to suggest a better way, and support for the
system within medical schools. As a result of all these factors, this way of operating became ingrained
in the medical culture.
Another formidable barrier to the disclosure of adverse events is the emotional challenge of disclosing and possibly apologizing for an error or bad outcome. This barrier is compounded by the fact
that many physicians do not have strong communication skills, as well as by a pervasive lack of awareness among providers of how silence or lack of information after an adverse event impacts patients and
their families. These barriers can sometimes be overcome when an organization adopts a consistent
practice of disclosing adverse events and provides education, training, and support to help providers
understand why, when, and how to talk with patients about adverse events.

How Patients and Providers Experience Adverse Events

To understand why disclosure is both important and also difficult, it is helpful to realize that both
patients and healthcare providers typically experience powerful emotions in reaction to an adverse
event, particularly if the event was caused by a medical error. The patient and family, as well as the
physician or other providers involved, are all likely to feel sadness, anger, anxiety, vulnerability and
worry. Partly because of these strong emotions, everyone involved needs emotional support and providers also need guidance in how to prevent an unfortunate situation from escalating. The involved
provider will likely feel shame, guilt, a sense of failure, grief, and job stress. Consequently, it is important for the provider to be able to talk about the event with other providers and to have help in planning
and executing the disclosure conversation with the patient and family. The patient and family may feel
powerless and that their trust in the doctor has been violated. These feelings naturally will be compounded if the physician fails to acknowledge the adverse outcome and any error that caused it, and if
the patient is not provided with information about how and why the adverse event occurred. This may
include the provider accepting responsibility for the medical error that created the adverse event.

How to Disclose

The law in some states, such as Pennsylvania, requires a hospital to give patients written notice
when an adverse event occurs.16 Such a requirement technically could be fulfilled simply by handing
or sending the patient a piece of paper that states an adverse event occurred, without offering any
additional information or an opportunity for questions or discussion. Disclosure by this method is
not likely to provide any benefit to either the patient or the physician and hospital. When disclosure
is mandated or done as a matter of policy, it is preferable for the disclosure to take place in person
through a conversation with knowledgeable providers present, offering an opportunity for the patient
and family members to ask questions and receive immediate answers. Disclosing an adverse outcome
without giving the patient sufficient information and a chance to ask questions is a practice that should
be avoided.

Preparing for Disclosure of an Adverse Event or Medical Error

If adverse events are going to be disclosed to patients and their families as a matter of course at
the organization, it is important that each disclosure conversation is planned carefully and that those
involved receive guidance and assistance. Before any disclosure, those responsible for planning the
conversation should consider the following issues:

Who should attend?

Who should speak?

When should the conversation occur?

What should be said and how should it be said regarding:

    known facts and circumstances;
    continuing investigation and follow-up;
    ongoing care;
    responsibility, if determined;

What will the patient and family want to hear and to know?

What are the needs and concerns of the providers involved?

Is an apology appropriate, and should it be given?

What next steps should be taken?

In deciding who should attend and speak, it is important to think about who has the best relationship with the patient; who has the best information about what happened; who knows the most about
the patient's prognosis and any further treatment needed; who knows the most about how much further
treatment may cost and who will pay for it; and what can and will be done in the way of further investigation. Another important consideration is who is emotionally best able to participate. Sometimes
it may be preferable not to involve a provider who is unable to be empathetic or express concern.
Be aware, though, that patients usually expect and want to hear from the physician most involved.
Organizational and provider attendance should not overwhelm the patient and their family. Only those
that have a defined role and/or critical information should attend. Current thinking extends the list of
attendees to include nursing, as nurses maintain a consistent relationship with the patient and support
care continuity.

40 P.S. 1303.308(b). This statute requires written notice to be provided within seven days of the occurrence or discovery of the event.

As for where and when the disclosure should occur, it is generally best for the conversation to
take place as soon as possible. Some states that require disclosure also dictate the time frame in which
disclosure must be made. It is critical that this time frame be known by all those involved in disclosure
at the organization and that it is met. It is important that the conversation be planned to allow sufficient time for a complete conversation, including questions and expressions of emotion. Disclosure
should happen in a place where the patient, family, and providers have privacy and can be physically
With respect to the substance of the conversation, what patients want after a medical error or
adverse event is to know what happened, and why; what the implications are for their health; how any
problem that caused the adverse event will be corrected and, importantly, how future similar events
will be prevented. Patients also want to be assured that they will not suffer financially because of any
error. If the adverse event was, in fact, caused by an error, most patients want an apology and responsibility accepted. Whatever the cause of the adverse outcome, patients typically want some emotional
support from their physician.17 It is important to note that disclosure together with a full apology,
where appropriate, has been shown to decrease the likelihood of litigation, facilitate settlement and
improve the patient's perception of the adverse event.18 A full apology includes recognition of the error
that has occurred, an admission of fault and acceptance of responsibility, and an expression of regret
or remorse.19 In contrast, a partial apology, an expression of sympathy without acceptance of responsibility, has been shown to have minimal, if any, beneficial effect, especially where fault is known or
obvious or where the injury is severe.20
Ruddell, Jane, Effective Patient-Physician Communication: Strengthening Relationships, Improving Patient Safety,
Limiting Liability, Lebanon, PA: Westcott Professional Publications, p. 45, 2005.
See Robbennolt, JK. Apologies and medical error, Clin. Orthop. Relat. Res. 2009; 467(2):376-82; see also, Pelt, JL,
Faldmo, LP. Physician error and disclosure, Clin Obstet Gynecol. 2008;51(4):700-8; Straumanis, JP, Disclosure of medical error: Is it worth the risk?, Pediatr. Crit. Care Med. 2007; 8(2 Suppl):S38-S43; Mazor, KM, Reed, GW, Yood, RA,
Fischer MA, Baril, J, Gurwitz, JH, Disclosure of medical errors: what factors influence how patients respond?, J. Gen.
Intern. Med. 2006;21(7):704-10; Robbennolt, JK. Apologies and Legal Settlement: An Empirical Examination, Mich. Law
Rev, 2003-2004; 102:406-516; Wu, AW, Handling hospital errors: is disclosure the best defense?, Ann. Intern. Med. 1999;
See Robbennolt, JK. Apologies and medical error, Clin. Orthop. Relat. Res. 2009; 467(2):376-382, 376.
See Robbennolt, JK. Apologies and medical error, Clin. Orthop. Relat. Res. 2009; 467(2):376-82; see also, Pelt, JL,
Faldmo, LP. Physician error and disclosure, Clin Obstet Gynecol. 2008;51(4):700-8; Straumanis, JP, Disclosure of medical error: Is it worth the risk?, Pediatr. Crit. Care Med. 2007; 8(2 Suppl):S38-S43; Mazor, KM, Reed, GW, Yood, RA,
Fischer MA, Baril, J, Gurwitz, JH, Disclosure of medical errors: what factors influence how patients respond?, J. Gen.
Intern. Med. 2006;21(7):704-10; Robbennolt, JK. Apologies and Legal Settlement: An Empirical Examination, Mich. Law

The disclosure conversation should also include an explanation of whatever plans there are for
gathering additional information. Someone should ask the patient and family what they think about
these plans and if they have additional suggestions. The patient and family should also be given a
telephone number for any follow-up questions they may have. Most often disclosure does not involve
just a single meeting, but rather several sequential conversations.

Remember: It's About the Relationship

Sometimes when disclosure of adverse events is considered, the thought is that the disclosure
and an apology will serve as a remedy sufficient to protect the physician and the organization. When
considering and planning for disclosure conversations, it is important to remember that such disclosure and any attendant apology do not happen in a vacuum.21 They occur in the context of the whole
relationship between the patient and the providers. Disclosure conversations will be most effective
and helpful if the patient and the physician already have a history of speaking honestly and listening
to each other. Given this fact, it is advisable for all providers to establish a good relationship in which
the patient and all providers always communicate openly and honestly. This may improve patient care.
Moreover, the quality of the doctor-patient relationship is believed by many to be a primary factor in
determining if a patient will sue after an adverse event.

Communication and Conflict Resolution Skills Important in Disclosure Conversations

At any healthcare facility in which disclosure of adverse events is mandatory or supported, it
is advisable for those who participate in such conversations to be trained in and practice good communication and conflict resolution skills. The institution should make resources available to support
disclosure and good communication, including: identification of providers proficient in disclosure conversations and other resource personnel such as in-house/corporate counsel and the risk manager,
books, websites, seminars, and conferences.
Three communication skills that are crucial in the context of disclosure are active listening, talking
openly, and inviting participation. Active listening encourages other people to speak and communicates to them that you are hearing what they say. To listen actively, you should:

Be aware of body language: no hand on the door knob as though you want to leave the

Make eye contact (if culturally appropriate).

Ask clarifying questions.

Identify and respond to interests (needs, concerns), not positions (demands, assertions).

Reflect what others have said.

Acknowledge feelings expressed.

Rev, 2003-2004; 102:406-516; Wu, AW, Handling hospital errors: is disclosure the best defense?, Ann. Intern. Med. 1999;
See Kramer, S, Boothman R., Sorry Doesn't Work Alone, at www.sorryworks.net/article31.phtml.

Talking openly is a companion skill to active listening and will help build trust. In a disclosure
conversation, talking openly should include giving the patient and any family present the basic information known at the time in understandable terms. Do not guess about what happened or why it
happened. Describe what additional questions still need to be answered. If known, describe how the
adverse event occurred. If appropriate, apologize authentically, accepting responsibility. Finally, it is
important that providers acknowledge and express their own feelings.
The final crucial skill in a disclosure conversation is inviting participation. This can be done by
answering questions as they arise, not interrupting, and asking the patient and the family what information they have previously been told or know about what happened. It is also important that you
specifically request questions. Rather than asking "do you have questions?", say "what questions do
you have?"
Other behavior that can also improve the disclosure process includes:

Providers should speak and pace the conversation slower than normal so that patients are
better able to absorb the information.

Providers should sit down with the patient and family and avoid configurations (such as sitting across
the desk) that further promote "them versus us."

Providers should use easy-to-understand terms, eliminating medical terminology, jargon, and

Providers should have all beepers, cell phones, BlackBerrys, PDAs, etc. turned off or on
vibrate only during the meeting. If necessary, medical coverage for providers in attendance
should be obtained for the meeting so that they are not distracted and can concentrate on
the conversation at hand.

Providers in attendance should ask questions rather than assume they have all the answers.
Often, the patient and family will not know what questions to ask and will need prompting.

Providers should be aware that emotions will cloud everyone's ability to process and absorb
information; therefore, all important information should be repeated.

Finally, there are several things any hospital staff member or provider should not do in a disclosure conversation. The list of what not to do includes:

assuming you know how the patient or other speaker feels;

anticipating what the speaker is going to say;

wishing the speaker would get to the point;

becoming defensive when you feel criticized;

being inflexible, anxious to follow your own agenda;

failing to concentrate, wandering from the conversation;

being trapped in role assumptions.

Of course, even with education, training, and practice, not all providers will be good at managing
and/or participating in disclosure conversations. They are, by their very nature, difficult conversations.
Nevertheless, education, training, and practice are important and should be provided.


Increasingly common requirements for mandatory disclosure mean that practicing in-house
counsel should be knowledgeable about what requirements are applicable, and will likely be
called upon to help implement and guide when and how mandatory disclosure is provided.

It is important to remember that reluctant and grudgingly given disclosure will offer far less
than maximum benefits to patients and the organization. Partial, inadequate or ill-prepared
disclosure conversations may actually harm ongoing patient-provider relationships and hamper continuing care. It is best if the organization is one in which disclosure occurs fairly
naturally because the prevailing philosophy is one of respect for patients and their right to be
informed about and participate in their own care.

Obviously, failing to disclose adverse events when required may subject the organization to
fines or penalties that are included in any legislation, regulation, or other source requiring
disclosure. Failing to foster an environment in which disclosure is just one aspect of a culture
of patient safety and transparency may negatively impact the quality of care and could also
subject the organization to increased liability.

Education and support for all care providers is needed to help any organization create an
environment of openness and honesty, in which disclosure of adverse events will be the norm
and will occur in a manner that will be beneficial to patients and the organization.

The governing board and executive leadership of any organization are the people best suited
to adopt, promote, and spread a philosophy and practice of transparency. They must support
and encourage the culture of patient safety before reluctant practitioners within an organization will be able to accept a shift from the traditional and harmful fallacy of physician
infallibility and from the old paradigm of non-disclosure of any adverse event.



If disclosure of adverse events is not currently practiced within your organization, it may become
so shortly. This change may come about because of statutes, standards, regulations or voluntary changes
in organizational culture that support the delivery of care that is patient centered. As more people
working in and with healthcare become familiar with and knowledgeable about patient safety philosophy and practices, disclosure may become the norm. The culture of blame appears to be evolving into
a culture of learning, in which transparency and honest communication, which necessarily require
disclosure of all adverse events, are essential elements. This basic shift in how healthcare organizations think about and deal with adverse events involves everyone within the organization. Each person
within the organization has an obligation to support a culture that embraces patient-centered care. The
hope is that this cultural shift can benefit all involved, both providers and patients.


Berlinger, Nancy, After Harm. Baltimore: The Johns Hopkins University Press, 2005.
Leape L, ed., When Things Go Wrong: Responding to Adverse Events. Burlington, MA: Massachusetts
Coalition for the Prevention of Medical Errors, 2006.
Liebman, Carol and Chris S. Hyman, Medical Error Disclosure, Mediation Skills & Malpractice
Litigation. www.medliabilitypa.org, 2005.
Mazur, K.M., Simon, S.R., Yood, R.A., Martinson, B.C., Guinter, M.J., Reed, G.W., and Gurwitz,
J.H., Health Plan Members' Views about Disclosure of Medical Errors. Ann Intern Med. 2004;
Robbennolt, J.K., Apologies and Legal Settlement: An Empirical Examination. Mich Law Rev.
2003-2004; 102:406-516.
Ruddell, Jane, Effective Patient-Physician Communication: Strengthening Relationships, Improving
Patient Safety, Limiting Liability. Lebanon, PA: Westcott Professional Publications, 2005.
Sorry Works! Coalition, http://www.sorryworks.net, 2005.
Stone, Douglas, Patton, Bruce, and Heen, Sheila, Difficult Conversations. New York: Viking, 1999.
Weiler, Paul, Hiatt, H.H., Newhouse, J.P., Johnson, W.G., Brennan, T.A., and Leape, L.L., A Measure
of Malpractice. Cambridge, MA: Harvard University Press, 1993.
When Things Go Wrong: Responding to Adverse Events; A Consensus Statement of the Harvard
Hospitals, at www.macoalition.org, 2006.
Wu, A.W., Handling Hospital Errors: Is Disclosure the Best Defense? Ann Intern Med 1999;
Zimmerman, R., Doctors' New Tool to Fight Lawsuits: Saying "I'm Sorry," Wall Street Journal,
18 May 2004: A1.

Enterprise Risk Management for Healthcare Entities, First Edition


Compliance and Enterprise Risk Management

Compliance and Enterprise Risk Management
John R. Evancho, JD
Senior Vice President and Chief Compliance Officer, OSF Healthcare


This chapter describes the essential elements of a well-functioning corporate compliance program
for the healthcare industry. Reference is made both to the guidance provided under federal law and
to best practices that have developed in the industry. By its very nature, an effective corporate
compliance program supports and enhances enterprise risk management (ERM). Just as ERM is a
comprehensive approach for healthcare organizations to analyze risk opportunities, to proactively
assess strategic and operational impact, and to effectively manage the response to achieve the organization's objectives, corporate compliance programs are designed to prevent, detect, and remedy
violations of the law, a critical component of ERM.
The Federal Sentencing Guidelines,[1] produced by the United States Sentencing Commission (an independent agency in the judicial branch, established in turn by the Sentencing Reform Act of 1984),[2]
established a uniform approach to sentencing defendants in federal court. In 1991, the Guidelines were
extended to organizations found guilty of violating federal law.[3] The Guidelines specify the steps that
an organization should take both before and after a criminal offense has occurred, steps that may well
serve to reduce the organization's culpability and, therefore, the fines or other penalties imposed on
the organization. These measures, which are designed to prevent, detect, and remedy violations of the
law, are the hallmarks of an effective corporate compliance program.[4]
Since 1998, the Office of Inspector General (OIG) of the federal Department of Health and Human
Services (HHS) has issued guidance, based, in part, on the Federal Sentencing Guidelines, with respect
to the elements of a compliance program for use by various types of healthcare providers. These comments are based, in turn, on the 1998 OIG Compliance Program Guidance (CPG) for Hospitals[5] and
the 2005 Supplemental CPG for Hospitals.[6] The 1998 guidance notes that it encompasses principles
that are applicable to hospitals as well as a wider variety of organizations that provide healthcare services to beneficiaries of Medicare, Medicaid and all other Federal healthcare programs.[7]

[1] United States Sentencing Commission, Guidelines Manual [hereinafter USSC], 8B2.1 (2004).
[2] Title II of the Comprehensive Crime Control Act of 1984, 18 USC 4106.
[3] USSC 8A1.1.
[4] USSC 8B2.1(a).
[5] 63 Federal Register [hereinafter 63 FR] 8987–8998 (February 23, 1998).
[6] 70 Federal Register [hereinafter 70 FR] 4858–4876 (January 31, 2005). The 2005 guidance, on page 4858, specifically identifies itself as a document "[that] may serve as a benchmark or comparison against which to measure ongoing

Preliminary Points

Two important preliminary notes: first, the organization's governing authority[8] and high-level
personnel[9] must be interested and involved in the corporate compliance program. As the 1998 CPG
points out, "Adopting and implementing an effective compliance program requires a substantial commitment of time, energy, and resources by senior management and the hospital's governing body."[10] In
order for the directors and the senior leaders to be effective in their compliance roles, they should be
actively involved in the creation of the compliance program. The board of directors must be educated
about potential liability throughout the organization. A formal compliance orientation program for
new board members and new senior leaders and an ongoing education process for the board and the
senior leadership team, as a whole, should be in place.
The board and the leadership of the organization must create a culture that values the prevention,
detection, and resolution of compliance problems. The 2005 CPG states that the hospital "should
endeavor to develop a culture that values compliance from the top down and fosters compliance from
the bottom up. Such an organizational culture is the foundation of an effective compliance program."[11]
The board and the senior management team must set the tone through ongoing support for the compliance program and must establish the expectation that all employees comply with applicable laws
and regulations and internal policies. The board should communicate, in a formal, consistent and
unequivocal manner, its commitment to compliance throughout the organization.[12] The 1998 OIG
guidance makes clear that, as a first step, "a good faith and meaningful commitment on the part of the
hospital administration, especially the governing body and the CEO, will substantially contribute to
the program's successful implementation."[13]
The board should determine compliance metrics and regularly review the organization's progress
against the measures, just as it does with financial targets and results. As the 1998 OIG CPG notes,
"The existence of benchmarks that demonstrate implementation and achievements are essential to any
effective compliance program."[14] The board must take steps to ensure that the organization's policies
and compensation structures do not create undue pressure to pursue profit over compliance. Also, the
board must allocate adequate resources to the compliance program.[15]
The second preliminary point: a written corporate compliance plan, issued under the CEO's auspices, needs to be drafted and disseminated. The plan outlines the key aspects of the compliance
program and specifies the consequences of noncompliance. It identifies and addresses the organization's principal compliance risks and potential (or actual) weaknesses in its internal systems. The plan
establishes structures, processes, and controls in the reimbursement and payment areas, including
procedures for monitoring billing and coding error rates, the number of overpayments and underpayments, and the results of internal and external audits. It should provide for regular self-assessments and
ongoing improvements to the existing compliance program.

[7] 63 FR 8987.
[8] Defined in USSC 8B2.1.
[9] Defined in USSC 8A1.1.
[10] 63 FR 8988.
[11] 70 FR 4874.
[12] USSC 8B2.1(b)(2)(A) and (B).
[13] 63 FR 8989.
[14] 63 FR 8988.
[15] USSC 8B2.1(2)(C).
The compliance plan is intended to be a living document, which employees throughout the organization consult regularly for direction in making decisions, providing care, and doing business. The
plan should include reference to the organization's mission and core values. It should be readily available to all employees, physicians, and members of the board of directors. It should be written in plain
and concise language, so that every employee understands what the law demands and what is expected
in terms of his or her conduct. It is often helpful to provide examples of scenarios with compliance
implications, including situations that employees commonly face. It should be a document separate
from the organizations policies and procedures and distinct from the employee handbook. The plan
should be reviewed regularly and updated as often as is needed.
The objective is to have the corporate compliance program, as it is outlined in the compliance
plan, serve as the central organization-wide mechanism for supplying useful information to employees
about federal and state statutes and regulations and for providing practical guidance to them about the
steps that they must take (or avoid taking) and what they must do when missteps occur. The compliance
program should guide each employee's decisions and actions and those of the organization, as a whole,
and must become part of the fabric of the organization's governance and day-to-day operations.

Elements of an Effective Corporate Compliance Program

As mentioned, the Federal Sentencing Guidelines and the CPG set forth the specific elements of
an effective corporate compliance program. They include the following:
1. developing and disseminating written policies and procedures;
2. designating a compliance officer and a compliance committee;
3. conducting effective training and education;
4. developing effective lines of communication;
5. enforcing standards through well-publicized disciplinary guidelines;
6. auditing and monitoring; and
7. responding to detected offenses and developing corrective action initiatives.
These specific elements are discussed in greater detail below.

Developing and Disseminating Written Policies and Procedures

A healthcare organization should create and distribute both an enterprise-wide code of conduct
and more specific policies. The code of conduct is to be disseminated to all employees. Unlike the
more detailed policies, the code should be relatively brief and should cover general principles that are
applicable to all employees. The code is intended to reflect the organization's spirit and culture and
address the provider's mission, values, and fundamental principles. The code should summarize the
organization's legal and ethical standards and emphasize its commitment to compliance with federal
and state laws and regulations.
The code of conduct should be approved by the board of directors and be supported by the officers
and senior leaders of the organization. It should be issued with a letter or other communication from
the CEO that endorses the code of conduct and emphasizes the obligation on the part of all employees
to comply with the code. In its 1998 CPG, the OIG made clear that it "strongly encourages high-level
involvement by the hospital's governing body, chief executive officer, chief operating officer, general
counsel, and chief financial officer, as well as other medical personnel, as appropriate, in the development of standards of conduct. Such involvement should help communicate a strong and explicit
statement of compliance goals and standards."[16] The code should be reviewed annually and revised
when needed (to reflect new regulatory requirements, for example).
Every employee should receive training on the code during annual compliance education programs, and new employees should be introduced to the code at orientation. It should be clear and easily
understandable and should be translated into various languages as the workforce requires. Penalties
for failure to comply with the code should be developed and communicated to all employees, who
should understand clearly the consequences of noncompliance. Yearly, employees should acknowledge in writing (or by means of an online verification tool) that they have received and reviewed the
code. The importance of complying with the code of conduct, as well as the concrete steps
that employees have taken to demonstrate their compliance with the code should be discussed as part
of the periodic performance appraisal process. Also, the code should stipulate that physicians and
other healthcare providers are required to follow the ethical standards of their respective professional
associations. The standards contained in the code should be made binding on nonemployed physicians
and other providers, vendors and suppliers, and other third parties.
The code of conduct should be highly visible within the organizations facilities and should be
promoted by means of posters, computer screensavers, Intranet messages, and other reminders. The
code, however, must be more than a plaque. It must be a living, breathing guide for employees at all
levels of the organization. So that they understand the importance of the code of conduct and its impact
on their day-to-day work, the format of the code should lend itself to operational decision-making,
and the code should be discussed regularly during employee meetings as a tool for setting direction,
making decisions, and taking action.
The code of conduct should mention the need to comply with the organization's compliance
policies and procedures, which, like the code itself, must be living documents that are integral to
the organization's day-to-day operations. The goal of policy development is the establishment of
bright-line rules that help employees carry out their job functions in a manner that complies with the
requirements of the federal healthcare programs and that furthers the mission and values of the organization. Therefore, compliance policies need to be clearly written and easy to understand. They should
be comprehensive, realistic, and capable of being fully applied. They also need to be well-organized
and readily accessible to employees. (Publishing the policies on the organization's Intranet site makes
version control easier than does printing the policies on paper.)

[16] 63 FR 8989–8990.
Some compliance policies should be provided to all employees, while others should be shared
only with the employees who are affected by the policies. Employees should be trained on the policies
and procedures based on the work that they do and the area in which they work, and employees should
sign a statement attesting to the fact that they have been trained on and understand the policies, at least
the most important ones.
Compliance policies should be reviewed and revised every three years or as required by regulatory
changes. A tool for developing (and implementing) policies and procedures is often helpful, including
a template or sample policy. The template should include a schedule for reviewing and updating the
policy. Changes should be communicated to employees.
As is the case with the code of conduct, policies should be discussed regularly with employees,
and compliance with policies should be an aspect of the performance appraisal process. Disciplinary
measures for noncompliance with the organization's policies should be developed and enforced. Like
the code, relevant policies should be imposed on nonemployed physicians, vendors, and other third
Although the need for some compliance policies is obvious, the need for others may be identified only through an audit or other investigation. That is, the results of an audit may reveal a gap in
existing policies or procedures and may also help in prioritizing the specific areas of risk that need to
be addressed through policy development and implementation. After compliance policies have been
drafted and disseminated, audits should be conducted to determine compliance with the policies and
to verify that risks have been addressed and that there have been fewer errors in the areas in which the
policies have been implemented.
The OIG guidance stipulates that policies and procedures should focus especially on areas of
particular concern to the OIG, including problems or issues that the OIG has uncovered through audits
and investigations. The latter includes: improper coding and billing; violations of the antikickback and
Stark physician self-referral laws; and failure to comply with the patient antidumping requirements
of the Emergency Medical Treatment and Active Labor Act (EMTALA). The CPG places particular
emphasis on the proper preparation and submission of claims.
Policies should also concentrate on areas of compliance risk identified by the healthcare organization itself. A compliance risk assessment tool is often helpful in identifying risks, gaps, and weaknesses.
The assessment may take the form of audits, questionnaires, interviews, site visits (or some combination). Note that these assessment tools are similar to those used in the overall ERM assessment of
opportunity risk. The assessment tool should be re-evaluated on a regular basis and should include an
analysis of compliance with the requirements of the federal healthcare programs, the CPGs, the annual
OIG work plans, the OIG special advisory bulletins, and the OIG special fraud alerts. Based on the
assessment results, including the findings of analyses based on data from claims and cases, risks are
rated and prioritized, and a coordinated remediation plan is put in place. Compliance policies are then
updated, and training on the policies is conducted.
Finally, compliance policies should be reviewed and approved by the organization's board of
directors, and the board's approval should be tracked and recorded on the policies. The policies should
be developed under the direction and supervision of the chief compliance officer and the compliance

Designating a Compliance Officer and a Compliance Committee

The board of directors of the healthcare organization should appoint a well-qualified corporate
compliance officer and should stipulate that the compliance officer be a member of senior management and report to the president, CEO, or chairperson of the board. The compliance area should
be independent of the legal and finance departments. According to the 1998 CPG, "[f]ree standing
compliance functions help to ensure independent and objective legal reviews and financial analyses
of the institution's compliance efforts and activities. By separating the compliance function from the
key management positions of general counsel or chief hospital financial officer (where the size and
structure of the hospital make this a feasible option), a system of checks and balances is established to
more effectively achieve the goals of the compliance program."[17] The compliance officer should also
have direct access to the board of directors or other governing body. In fact, the compliance officer
should present periodic reports to the board on the scope, direction, and implementation of the compliance plan. The compliance officer should have the authority to conduct independent investigations on
matters of compliance and should be provided with access to the individuals, documents, and other
sources that are needed to pursue the investigation. He or she should have the independent authority
to retain outside legal counsel.
The corporate compliance officer is responsible for properly organizing the compliance department and must see that the department has a clear, well-crafted mission. The department must receive
sufficient resources, including necessary staff and sufficient budget, as well as the needed authority
and autonomy. The compliance officer should strive to maintain good working relationships with other
areas, while remaining objective about their state of compliance.
Put broadly, the corporate compliance officer serves as the focal point of compliance activities
across the organization. The compliance officer's overarching responsibility is to coordinate the development, implementation, and oversight of the compliance program, including periodic updating of
the program. The compliance officer should not be regarded, however, as the one individual who is
responsible for the organization's complying with federal and state laws and regulations and internal
policies and procedures. In an important sense, every employee is accountable for compliance, just as
they are for ERM. In healthcare systems consisting of more than one hospital or other operating units,
the compliance officer's coordinating role is expanded. As the 1998 CPG notes, "For multi-hospital
organizations, the OIG encourages coordination with each hospital owned by the corporation or foundation through the use of a headquarters compliance officer, communicating with parallel positions in
each facility, or regional office, as appropriate."[18]

[17] 63 FR 8993.
The compliance officer is advised and supported by a compliance committee. Corporate compliance committee members should be active, visible, and vocal advocates of the compliance program.
They should receive compliance training when they join the committee and regularly thereafter. The
training program should include the elements of the compliance program, as well as developments in
the healthcare industry and trends in enforcement. Compliance committee members should include
members of senior management and representatives of a variety of functions, such as legal, finance,
risk management, audit, coding and billing, human resources, utilization review, social work, and discharge planning. It is often beneficial to have a physician representative on the compliance committee.
In integrated healthcare systems consisting of multiple hospitals, each facility should be represented
by its own compliance officer.
The importance of the corporate compliance committee cannot be overstated. Compliance committee members must exhibit a commitment to compliance that becomes part of the overall operating
structure and daily routine of the healthcare organization. The compliance officer should look to committee members to uncover specific areas of risk. As risks are identified, committee members should
work with the compliance officer to develop or revise policies and procedures, to provide needed
training, and to implement internal controls and follow-up measures. Committee members should
work with the compliance officer to develop a system that solicits, evaluates, and responds effectively
to complaints or reports of compliance-related gaps or problems. What is expected of compliance
committee members should be set forth in a committee charter and in their position descriptions. Committee members should be evaluated on their demonstrated commitment and competence with respect
to compliance. It is appropriate for the compliance officer to provide written feedback as part of the
annual performance appraisal process.

Conducting Effective Training and Education

The underlying purpose of compliance education is to train members of the board of directors,
employees, volunteers, contractors and others who function on behalf of the healthcare organization,
so that they are fully capable of carrying out their responsibilities in compliance with federal and state
laws and regulations and the organization's standards and policies. Compliance education should be
included in every new employee's orientation program. Training should be delivered at least annually
and should be provided more often for employees in positions or areas identified as high-risk. A policy
should be developed that specifies the frequency of training and mandates attendance. Participation in
compliance education programs should be tracked, and completion of compliance training should be
noted in an employee's annual performance appraisal. Incentives may be offered to employees who
are actively involved in compliance education. Conversely, sanctions should be imposed, according
to the established policy, on employees who fail to attend training programs, and employees should
clearly understand the consequences for noncompliance with the training requirements.
Compliance education programs need to be interesting and engaging. There is no reason why,
without compromising the seriousness of compliance matters, compliance training cannot be enjoyable, with a game show format, for example, complete with prizes for the winners. A variety of formats
for delivering training should be used, from in-person programs to web-based sessions, taking into
account the material and the audience. (It is helpful to have compliance education programs and materials developed with adult learning theories in mind.) Many healthcare organizations find, for example,
that in-person education is well-suited to physicians. (Continuing education units (CEUs) should be
offered, as appropriate.) The programs should build on previous programs so that employees gain
a deeper understanding of compliance requirements with each program they attend. In general, the
frequency, length, format, and content of training should be carefully considered in order to maximize
the effectiveness of any compliance education program.
Trainers, whether dedicated compliance educators or others who have participated in train-the-trainer sessions, should thoroughly understand the materials and clearly communicate the information.
Training materials should be clear (translated into other languages as dictated by the needs of the
workforce), concise, relevant, and practical. The education programs themselves may be formal and
require relatively more time, or the training may be informal and rather brief. It is often the case that
concise, to-the-point, and issue-specific refresher programs are as effective as more structured, broad-based training.
Managers should provide a good example by participating actively in compliance education programs and should expect and encourage employees (and manage their schedules and workloads) to do
the same. Managers should be conversant with the compliance requirements related to their areas and
responsibilities, and they should be aware that they are expected to serve as the front lines of compliance education, both formal and informal.
Compliance education falls into two broad categories: first, general training aimed at raising
employees' awareness of the impact of federal and state laws and regulations on the healthcare organization's activities, and second, specific training focused on the impact of particular government
requirements on certain job functions. (In most cases, it is helpful to modify at least portions of general
compliance training programs to reflect particular employees' functions and to provide examples specific to their roles.) Examples of more general training topics include privacy and information security,
coding and billing (and documentation), and fraud and abuse. All employees should be trained on the
requirements of the organization's compliance plan, including the affirmative duty on the part of every
employee to report misconduct. All employees should receive a copy of the code of conduct and should
be educated on the expected standards of behavior. Employees should be trained on the organization's
compliance policies that are broadly applicable. Employees should also understand the major areas of
risk within the organization and know what steps to take to prevent or mitigate the risks.
In addition, employees should receive compliance education specific to their roles and functions.
They should understand thoroughly the ways in which particular laws and regulations affect their
work. They should also be familiar with the organization's policies that apply to their jobs and be in
the habit of referring to the policies in making decisions and taking action. Employees involved in
sales and related functions, for example, should be trained in marketing practices that are in line with
the current requirements of the federal healthcare programs. Also, although all employees should
understand the importance of properly billing federal healthcare programs and private payors, it is
essential that in-depth training on correct coding and billing be presented regularly to employees in
the organization's billing department and that ongoing education on appropriate documentation be
provided to physicians and other healthcare practitioners.
All employees should be kept up-to-date on the changes in the organization's policies and government requirements, including recent Centers for Medicare and Medicaid Services (CMS), OIG,
and other agency guidance and advisories. The content of compliance education programs should
be reviewed on an ongoing basis and revised to reflect changes in the requirements of the federal
healthcare programs and in the policies developed and the services offered by the healthcare organization. This updating requires, in turn, that a process be put in place to monitor changes in rules and
The compliance officer should be involved in developing the curriculum for both general and
specific compliance training programs and is responsible for overseeing compliance education. The
compliance officer should make certain that all levels of the organization, beginning with the board of
directors, are dedicating the necessary amount of time to taking the appropriate training at established
intervals. (It is especially important that members of the organization's board of directors or other governing body understand the requirements and expectations with respect to governance and fraud and
abuse.) Employees of the organization's vendors, such as third-party medical billing companies, should
also be required to participate in compliance training sponsored or approved by the organization.
When designing compliance education programs, the compliance officer should take into account
the results of recent audits and investigations. Any trends from compliance hotline logs and other
reported compliance problems should be incorporated into the training. Discussions that the compliance officer has had with various employees may also alert him or her to areas that need to be
addressed through compliance education.
The effectiveness of the training and the level of employees understanding should be gauged
through tests administered to participants. (One of the most useful functions of online education programs is the ability to record and track test results.) This data, in turn, should be shared with managers,
senior leaders, and the organization's board of directors, as the information may point to gaps in
employees' awareness and understanding of government requirements and internal policies, as well
as other compliance concerns.

Developing Effective Lines of Communication

A key objective of any corporate compliance program is to create and sustain a culture within the
healthcare organization that actively promotes compliance with federal and state laws and regulations
and internal policies and that, in turn, encourages employees at all levels of the organization to be
firmly committed to compliance. That commitment entails open communication of actual or potential
gaps in compliance, without fear of retaliation.
One important tool for employees to use in bringing to light suspected misconduct is a compliance
hotline. This tool is not intended to supplant direct access on the part of employees to the compliance
officer (who, at any rate, should maintain an open door policy) or to undercut the internal reporting
structure of the organization. In fact, employees should be encouraged to report illegal or inappropriate
behavior directly to their supervisors, and managers should take steps to demonstrate their openness to
being informed of compliance problems and their willingness to follow up on these reports.
In the end, some employees prefer to report compliance concerns using the compliance hotline.
The organization, therefore, should establish an anonymous hotline or a similar means, such as an
e-mail reporting mechanism, for employees, medical staff members, patients, visitors, and contractors
to use in reporting compliance issues. Confidentiality should be stressed. Callers should be assured
that the corporate compliance department will protect their anonymity to the extent possible. Callers
should be warned, however, that intervening events, such as the need for a government investigation,
may lead to discovery and disclosure of their identity. A step taken by many organizations to address
callers' concerns that their identity will become known is to engage a third-party vendor to administer
the hotline, to take and record calls and to provide telephonic responses to callers.
With respect to the compliance hotline, confidentiality and non-retaliation policies should be
developed and distributed by the organization and should be understood clearly by all employees,
especially by managers. (The policies should stipulate that reporting misconduct through the hotline
does not insulate a wrongdoer from disciplinary action.) Managers should be aware of the sanctions
imposed for retaliating against employees who have recourse to the hotline.
The nature and purpose of the compliance hotline should be widely publicized throughout the
organization by means of posters, employee newsletters, computer screensavers, and compliance and
other Intranet sites. The hotline number should be posted in common work areas and should be readily
available to all employees and contractors. Employees at all levels of the organization should understand how to use the hotline to report compliance problems or raise compliance questions. They should
be surveyed regularly to evaluate their knowledge of the existence and purpose of the hotline and, just
as important, their confidence in the integrity of the reporting process and the resulting follow up.
Every issue brought to the attention of the organization through the compliance hotline should be
investigated, and the necessary corrective steps should be taken. Allegations of serious misconduct,
improper coding and billing, for example, should be pursued vigorously. It is the responsibility of the
compliance officer to see that all reported compliance issues are investigated. The compliance officer
himself or herself may conduct especially significant or sensitive inquiries. A compliance problem presented by a caller should be regarded by the compliance officer and everyone else involved in resolving
the matter not as a burden (although many investigations are complicated and time-consuming), but,
instead, as an opportunity to uncover, to analyze, and to learn.
Investigations should be completed according to the timetables established by the compliance
hotline policy. Different timeframes may apply to different types of reported compliance problems.
When employees initially call the compliance hotline, they should be informed that they may call back
on or after a specified date to learn of the status of the investigation of the matter that they are reporting. Presuming that the investigation is complete, the caller is to be informed when he or she calls back
of the nature of the inquiry and the results of the investigation, including what the organization has
done or will do to resolve the matter. In the event that more time is needed to complete the investigation, the caller is to be told of the status of the investigation and the expected completion date.
A complete log of open and closed hotline calls should be maintained by the compliance officer.
The steps taken to investigate and follow up on the calls should be documented. The compliance officer should guarantee that each investigation is conducted in a timely manner and that effective measures are put in
place to address any bona fide issues reported. The compliance officer should periodically analyze the
logs to determine the overall timeliness and thoroughness of responses and should regularly report the
results of the analysis to the organization's board of directors or other governing body. The compliance officer should present to the board not simply statistics, but some sense of the nature or flavor
of the calls, especially calls that point to the same compliance issues. The board should address, in
particular, recurring compliance gaps and compliance problems in need of organization-wide remedial

Enforcing Standards through Well-Publicized Disciplinary Guidelines

An important aspect of fostering a culture that promotes and supports compliant and ethical conduct is the fair and consistent enforcement of disciplinary standards in instances in which behavior
does not measure up to the requirements of federal and state laws and regulations or internal policies.
Consistency means that standards and penalties are applied evenly and fairly to employees across the
organization, from senior executives to managers, to employees, to members of the medical staff. Fairness implies that the penalties imposed on employees are commensurate, generally speaking, with the
relative degrees of their misconduct.
The policy should define the degrees of disciplinary actions that are to be taken in particular
circumstances, actions that include verbal and written warnings, financial penalties, termination of
employment, and suspension or revocation of clinical privileges. The policy should also establish
the processes for handling misconduct (keeping in mind that misconduct may take the form of either
commission or omission, the latter including the failure to take appropriate action either to stop wrongdoing or to report misconduct) and imposing discipline. The policy should identify the roles of those
responsible for taking appropriate steps in various cases, namely, senior leaders, supervisors, and
medical staff officers. Managers should be trained in the various aspects of the discipline policy and
process, including the importance of documentation at each stage, and they should be held accountable for failing to discipline employees appropriately, timely, and effectively, and in compliance with
applicable laws and standards and internal policies and procedures. Supervisors are also responsible
for seeing to it that follow-up steps by or with respect to one or more employees are actually taken.
Periodically, the discipline policy should be reviewed with an eye to its fairness, generally, and
to the consistent application of its enforcement across the organization. The review should also look
at the effectiveness of the policy in deterring misconduct. In the area of employee discipline, the
compliance officer should work with the organization's human resources (HR) department in a well-coordinated way, with respect both to assessing the policy itself and to handling specific instances of
misconduct. The compliance and HR functions should work together to publicize the standards of
conduct throughout the organization and to make certain that the standards are readily available to and
understood by all employees.
Another aspect of enforcing standards of behavior is avoiding hiring, retaining, or contracting
with individuals who have been sanctioned for misconduct previously. Background investigations and
credit checks should be conducted in advance on all employees, vendors, and medical staff members.
These individuals should also be screened beforehand and routinely (at least annually) thereafter against
the government sanctions lists, including the OIG's List of Excluded Individuals/Entities (LEIE) and
the General Services Administration's Excluded Parties Listing System. (Many hospital credentialing
and privileging software programs offer the built-in capacity to sweep such government databases.)
The organization should have in place a policy calling for the nonemployment (or refusal to contract
with a supplier or grant privileges to a physician or other healthcare practitioner) of any individual
who has been convicted recently of a crime or excluded from participation in a federal healthcare
program. In the event that such an individual has already been hired (or retained or privileged), his
or her employment (or engagement or privileges) must, as a general rule, be terminated. Applications
for employment and credentialing and privileging, as well as the questionnaires offered to prospective
vendors should specifically require applicants to disclose any criminal convictions or exclusions from
the federal healthcare programs.

Auditing and Monitoring

In the context of an effective compliance program, monitoring refers to reviews that are repeated
on a regular basis during the normal course of the operations of the healthcare organization. One
way in which monitoring may be used is to verify that the follow-up steps contained in a corrective
action plan have actually been taken and have had a demonstrable impact on operating procedures and
results. Auditing, typically, is a more formal process conducted by individuals who are independent
of the department or function that is the subject of audit. Audits may be conducted by internal (to the
organization, but outside of the area under review) or external auditors. Although monitoring and
auditing are often performed in response to a detected or suspected compliance problem, such reviews
should also be done on a proactive basis to strengthen operations and ferret out compliance gaps
before they become a major problem.
As such, the organization should develop a detailed audit plan and should reevaluate the plan
every year. The plan should include the frequency and timing of audits, as well as the needed reporting
and staffing. The plan should consider the findings of audits from prior years and should focus on risk
areas identified through earlier audits and on high-volume services provided by the organization. Audit
results should also be used to assess the need for particular compliance training programs.
The audit plan should require ongoing monitoring of compliance with federal and state laws and
regulations, the requirements of the federal healthcare programs, the findings of previous audits and
internal policies and procedures. This review may be performed by managers in some instances and
by designated auditors in other cases. The audit plan should include a frequent and thorough assessment of the billing systems that is directed at verifying the accuracy of claims submitted to the federal
healthcare programs and to private payors and at determining the rate and root cause of detected coding
and billing errors, including inaccuracies in cost reporting and gaps in clinical documentation. If the
error rates do not decrease from one audit to another, then further investigations should be conducted
to uncover hidden deficiencies.
Audits should also focus on the specific policies that have been the subject of particular attention on the part of the organization's Medicare fiscal intermediary or carrier or the focus of recent
enforcement action by the OIG or other government agency. The audit plan should also address the
organization's compliance with Stark and antikickback prohibitions, as well as areas highlighted in
the annual OIG work plan. The ongoing effectiveness of the organization's compliance program itself,
including each element of the program, should be reviewed at least annually.
The audit plan should clearly establish the role of the auditors. As mentioned, auditors, whether
employees or contractors, should be independent of the areas under review. They should be well-qualified, with the requisite certifications. Auditors, including employees in the internal audit department,
should be made available to conduct both scheduled and unscheduled audits.
Audit results should be shared in short order with senior management and with the audit or compliance committee of the organization's board of directors or other governing body. The committee
should approve the standard audit approach, including sampling technique, data collection and analysis,
reporting and corrective action. Audit processes may include onsite visits, mock surveys, interviews,
questionnaires, and document reviews. Exit interviews with departing employees may prove to be
a rich source of information about actual or perceived compliance problems, so compliance-related
questions should be included in the exit interview process.
An organization-wide audit database should be developed and monitored on an ongoing basis
with an eye to emerging trends. Corrective action steps needed and taken should be included in the
database. The database should capture detailed information about the return of overpayments to the
fiscal intermediary or private payor, including the reasons for the overpayments. The database should
also make note of which audits are being or have been conducted under any legal privilege and legal
counsel should be consulted before any audit is undertaken to determine the appropriateness of asserting the privilege.

Responding to Detected Offenses and Developing Corrective Action Initiatives

A consistent approach to addressing detected violations of law and other compliance deficiencies
is essential. Investigations should be initiated as soon as compliance problems are uncovered and
should be conducted with a sense of urgency. At the same time, investigations should be thorough and
well documented at every step. Documentation should include a summary of the deficiency, a description of the way in which the problem was discovered, an outline of the investigative process, a list of
the documents reviewed, a list of the employees and other persons interviewed, copies of the interview
tools that were used and the interview notes that were made, changes in policies and procedures that
were implemented, recommendations that were made, disciplinary actions and other remedial steps
that were taken. A policy and procedure for conducting (and documenting) investigations should be
The nature and outcome of compliance investigations should be reported regularly to the organization's board of directors or other governing body. The need for corrective action should be discussed
with the board, which should direct that adequate resources be dedicated to the process. The corrective
action plans themselves should be based on a thorough review of the root causes of the deficiencies
that are identified. The questions of when, how, and where in the organization the problems arose must
be asked and answered. On a related note, the issues of how far back in time the investigation needs to
go and how broad a scope it needs to have should be addressed.
A corrective action plan also needs to be workable, and actually implemented. A periodic review
of the progress being made in putting the plan into action should be undertaken. The review should
confirm that the causes of the violation (and the violation itself) have been eliminated. More broadly,
the organization's investigative processes should be evaluated from time to time.
Even before an investigation is begun, the necessary steps should be taken to prevent continuing
harm and the destruction of documents or other evidence. The employees responsible for the investigation need to be adequately trained on the organization's policies governing the process, including
documentation, reports, and corrective action plans. It may be helpful to form a response team, including auditors and the compliance officer. Consideration should also be given to the need for outside
attorneys, independent auditors, or healthcare experts to assist in the investigation. Legal counsel
should be consulted beforehand to determine the appropriateness of handling the investigation under
the attorney-client or other privilege.
The compliance officer, at the direction of legal counsel, may need to report to government authorities the results of an investigation that uncovers misconduct, including the impact of the wrongdoing
on the federal healthcare programs and any affected enrollees in the programs. The compliance officer
should see to it that overpayments are returned promptly to the fiscal intermediary, together with the
necessary documentation and a thorough explanation of the need for the refund.



The compliance function focuses on identifying compliance risk through the use of risk
assessment tools similar to those used in the enterprise risk management function. However,
compliance risk is only one category or component of an organization's ERM assessment of
opportunity risk.

Compliance focuses on adherence to various laws and regulations in order to eliminate risk.
And, while ERM is concerned with liability risk that may flow from a lack of adherence to
various laws and regulations, it is also concerned with the broader range of opportunity risks
generated through clinical operations, financial operations, human resources, strategic operations, technological issues, and natural disasters/hazards.

The nature of compliance is such that every employee to a greater or lesser extent has responsibility for the compliance function. So, too, every employee shares in managing a healthcare
facility's opportunity risks. Hence the importance of ongoing training for employees on both
compliance and risk management.

ERM and compliance share another critical element of success: open communication. Effective compliance programs depend on information that can be communicated through formal
(e.g., hotlines) or informal channels. Likewise, ERM's success depends on open communication of actual or potential incidents either through formal incident reporting systems or
informal conversations in hallways or over the phone.

A final characteristic of both ERM and compliance programs is that in order to be successful,
a healthcare organization must build and maintain a just culture. That is, a learning culture
that (1) places high value on communication; (2) has a well-established system of shared accountability; and (3) provides a safe haven in which errors may be reported without the fear
of disciplinary action for events in which there was no intent to harm.



Two brief points by way of conclusion: First, there is no one-size-fits-all approach to compliance.
As the 2005 OIG CPG acknowledges, "[b]uilding and sustaining a successful compliance program
rarely follows the same formula from organization to organization."19 What is more important than
conforming to a defined model is the overall effectiveness of the program in meeting the specific
compliance needs of the healthcare organization. The 2005 guidance indicates that the OIG "strongly
encourages hospitals to identify and focus their compliance efforts on those areas of potential concern
or risk that are most relevant to their individual organizations."20
Second, an effective compliance program should contribute to the fundamental purpose and
mission of the hospital and healthcare organization. The 1998 CPG sees compliance as a dynamic
process that helps to ensure that hospitals and other healthcare providers are better able to fulfill their
"commitment to ethical behavior,"21 or, as the 2005 CPG puts it, to "honest and responsible corporate
conduct."22 Of course, the immediate goal of the OIG guidance is to assist hospitals and their agents
and subproviders "develop effective internal controls that promote adherence to applicable Federal and State law, and the program requirements of Federal, State and private health plans."23 More
broadly, the overarching outcome, as envisioned in the 1998 CPG, is a program that is regarded by
each employee and everyone else involved in providing or supporting care as an effective means "to
advance the prevention of fraud, abuse, and waste in these healthcare plans while at the same time
furthering the fundamental mission of all hospitals, which is to provide quality care to patients,"24 to
which the 2005 guidance adds as objectives "enhancing healthcare providers' operations" and "reducing the overall cost of healthcare services."25

19. 70 FR 4874.
20. 70 FR 4859.
21. 63 FR 8998.
22. 70 FR 4859.
23. 63 FR 8987.
24. 63 FR 8987-8988.
25. 70 FR 4859.


Part VI

Consent to Treatment: An ERM Perspective

Consent to Treatment: An ERM Perspective
Fay A. Rozovsky, MPH, DFASHRM, Esq.
President, The Rozovsky Group, Inc.


Consent to treatment is a fundamental patients' rights issue intrinsic across the continuum of
care. A topic that is the subject of federal and state legislation, regulation, case law and accreditation
standards, consent to treatment is also a topic of ongoing concern for counsel in an enterprise risk
management (ERM) healthcare organization.
This chapter addresses the basic requirements and exceptions in consent to treatment. A case
study demonstrates the enterprise risk management opportunities involved in consent matters. Practical ERM-style risk management strategies are discussed, including measures to facilitate disclosure
communication involving adverse and unanticipated outcomes of care.

The Key Elements for Consent to Treatment

Although there are notable differences from one jurisdiction to another, the core elements of an
effective consent process are quite similar. These include the following elements:
a description of the indications for a test or treatment;
an explanation of what is involved in the test or treatment;
a description of the probable benefits and probable risks associated with recommended tests or treatment;
a discussion of alternative tests or treatment and the associated probable benefits and probable risks linked to these options; and
a description of the likely consequences of declining either recommended or alternate tests or


The discussion is one that is carried out between the caregiver and patient. The caregiver may be a
physician, a dentist, psychologist, podiatric practitioner, or a physician's assistant or nurse practitioner
who, under the terms of relevant scope of practice legislation, may be authorized to carry out such tests
or treatment.

Adults are presumed to have the requisite legal capability and mental capacity to make a treatment decision. These presumptions may not apply in some situations. For example, a patient may
have a court-appointed guardian empowered to make treatment choices. Likewise, a patient may have
executed a mental healthcare advance directive authorizing a spouse to make treatment decisions on
his behalf when a healthcare professional determines that the patient is clinically unable to engage in
a consent process.
Consent discussions should be geared to the comprehension ability of the patient or surrogate
decision maker. Descriptions of benefits and risks that rely upon sophisticated medical terminology or
a strong working knowledge of statistics may serve to vitiate the consent process because the patient
could not understand the information provided by the caregiver. This comprehension issue extends to
ancillary aids used in the consent communication process, including complex diagrams, brochures,
and video media. Written and visual material should meet health literacy standards just as verbal communication must be understandable for the patient or surrogate decision maker.
Patients should have the opportunity to synthesize information and to pose questions. Responses
provided should be in terms understandable to the patient.

Exceptions to the Rules of Consent

There are a number of recognized exceptions to the rules of consent. These include the following:


Emergencies: A true emergency is a situation that involves a life- or health-threatening
event that requires immediate treatment. The patient is unable to participate in a consent
process, and the urgency of the situation precludes communicating with someone who by law
is authorized to make treatment decisions on behalf of the individual. In this circumstance,
the law implies that if the patient was able to participate in a valid consent process, he or she
would readily agree to the care required to address the emergency. Care is limited to those
diagnostic and therapeutic interventions to address the emergency.

Impracticality of Consent: Similar to the emergency situation, a patient presents with a life- or health-threatening event that requires immediate care. As with the emergency exception,
time is of the essence. The difference is that in the impracticality exception the patient is
capable of participating in the consent process. The urgent nature of the situation precludes a
full-blown consent process. The caregiver asks the patient for relevant medication and medical history information and provides a brief description of what will be done to address the
life- or health-threatening event. The exception fits such situations as a patient who presents
in anaphylactic shock due to a snake bite, a food allergy, or a stroke in progress. The caregiver
uses the information provided by the patient to hone the care plan. Treatment is limited to
those diagnostic and therapeutic interventions that are necessary to address the life- or health-threatening event.

Therapeutic Privilege: A patient who is at high risk for psychogenic, emotional, or physiologic injury may require a diagnostic or therapeutic intervention. Based on the patient's
mental health, the caregiver is reluctant to impart some information required under the rules
of consent. The concern is that discussion of this information may cause harm. In such a
situation, the caregiver may wish to invoke the therapeutic privilege exception. To do so, it
is important to obtain a behavioral health consultation from someone not otherwise involved
in the care of the patient. If the behavioral specialist concurs with the attending caregiver,
he or she would then document his or her professional opinion, including what information
should be avoided in the consent discussion. The attending practitioner would then complete
the consent process absent the information that is considered likely to cause harm. A notation in the medical record would document what information was withheld and the rationale
for doing so. At a later time, the information withheld may be shared with the patient. This
exception is used rarely as it is at variance with the underlying principles of consent: individual choice making and autonomy.

Compulsory Treatment: Patients may be compelled to submit to treatment in some situations.
Compulsory care may be the product of a court order or a consequence of the application of
public health legislation designed to address infectious disease transmission. The right to
agree to or to decline treatment may be revoked in this situation. However, it would not
apply to noncompulsory treatment situations. Even in the midst of compulsory treatment, it
is useful for the caregiver to obtain relevant medical history and medication information from
the patient in order to avoid unnecessary risk exposure. For example, if the drug of choice
is a derivative of penicillin and the patient is severely allergic to the medication, an effective
dialogue may elicit the risk factor and enable the caregiver to select a suitable medication

When a Patient Refuses to Be Informed: Sometimes a patient is agreeable to undergoing a
recommended test or therapeutic intervention. However, he or she declines to be informed about
the test or procedure, probable benefits and risks, and treatment alternatives. The patient
just says "do it." For the caregiver, this can be fraught with risk exposure, particularly if the
patient must be awake or take a participatory role in the test or treatment. Concerned that the
person could react adversely not knowing what to expect, the caregiver may be hesitant to
proceed without a full consent discussion. Caregivers might try to ascertain why the patient
does not want to engage in a discourse. If the patient persists, the caregiver may decline to
proceed out of a concern for patient safety and well being. The caregiver should not abandon
the patient; rather, he or she should make a good faith effort to help the patient find another
caregiver who is willing to accept the patient without a full consent discussion.


Clinical Research

Some 19 federal departments and agencies follow a consistent set of regulations with respect to
human research. Termed the Common Rule, the regulations include very specific requirements with
respect to consent and participation in human research. A good illustration of the general requirements
for consent can be found at 45 CFR 46.116 and, for consent documentation, at 45 CFR 46.117.
Consent requirements for vulnerable populations can be found in various subparts of the regulation.
For example, children are addressed in a specific subpart in which principal investigators follow a
consent process with a parent or guardian and obtain research subject assent for many pediatric
The Food and Drug Administration (FDA) regulations do vary somewhat from the consent provisions found in the Common Rule.2 Since many healthcare organizations are clinical research sites
for investigational drugs and medical devices, it is important to become familiar with these consent
Federal requirements also recognize an emergency exception to the otherwise detailed consent requirements. These are found in regulations promulgated by the FDA3 and through a waiver that was issued
by the Department of Health and Human Services.4 From a practical perspective, this consentless
human research tracks many of the elements of the therapeutic emergency exception, but there are
notable differences. In particular, the IRB must approve use of the protocol and make the community
aware that the protocol will be used in the area.
Virginia,5 California,6 and New York7 have a number of laws governing human clinical trials.
These laws and the related regulations address consent to treatment. In doing so, many of the provisions look quite similar to those found in the federal rules.
Other state laws reflect a tableau of laws governing specific types of research. Rhode Island,
for example, has enacted a consentless human research requirement.8 Others have focused on fetal
research9 and the right of a person receiving care under a mental health advance directive to participate
in clinical research.10
For counsel, there are some important considerations. First, it is important to know the relevant
laws in the jurisdiction governing consent and research. Second, if one determines that the research is
part of a multicenter trial, it is important to find out whether the IRB approval for the research encompasses applicable state
law. Third, it is important to make certain that federal rules for consent have been applied correctly
with regard to the research trial.

Information Flow in the Consent Process: An Enterprise Risk Exposure

One of the important aspects of the consent process is communication of information necessary
for the patient or surrogate to make a treatment choice. Traditionally, the information conveyed came
by way of a conversation with the caregiver. He or she might supply ancillary details in an information sheet or brochure. Over a period of time, other information tools have entered the picture, including videotapes, DVDs, trusted websites, and interactive online or computer-based programs.

[1] See 45 CFR 46.408.
[2] See 21 CFR 50.20; 50.25 and 50.27.
[3] See, for example, 21 CFR 102(d).
[4] See 45 CFR 46.101(i) and 60 Federal Register 143, July 26, 1995.
[5] Va. Code 32.1-162.16 et seq.
[6] Cal. Health & Safety Code 24170 et seq. and Cal. Penal Code 35.000 et seq.
[7] N.Y. Pub. Health Law 2440 et seq.
[8] R.I. Gen. Laws 23-17-19.1.
[9] See, e.g., Minn. Stat. Ann. 145.422.
[10] See Pa. Stat. Ann. Title 20 5808.

Enterprise Risk Management for Healthcare Entities, First Edition

Consent to Treatment: An ERM Perspective

Another aspect of tradition has eroded in the consent process. As was noted earlier, the traditional perspective was that the consent process took place between a caregiver and a patient. Today, other healthcare professionals may play a role in the information-giving process. Nurses, physician assistants, nurse practitioners, and others may impart relevant information and ask questions designed to elicit medical history information. Once in hand, the information can be used to hone recommended and alternate forms of care.
While in days past there may have been concern that a doctor did not provide sufficient information, today the concern is more about inconsistent or excessive data being provided to the patient or surrogate. The result may be a consent process that is flawed by misinformation.
Information overload is a genuine reason for concern. Ready access to questionable information on the Internet may prove overwhelming and conflicting. A patient may not like what he or she heard the doctor suggest as the recommended form of treatment. To corroborate the doctor's recommendation, the patient conducts an Internet search and finds, to his or her delight, a host of other options not discussed by the doctor. Missing is a balanced perspective in which the caregiver discusses his or her information with the patient. Present now is a level of distrust between the patient and doctor. The patient may think: Why was the doctor not forthcoming? Why was I not given information about these treatment options? Does this doctor know his or her field? Is the doctor clinically competent? Should I look elsewhere for a different doctor? Should I trust this person?
From an enterprise risk perspective, the Internet introduces a new risk factor in the consent
process. In essence, data available on questionable websites or in a host of healthcare blogs becomes
an interloper in the consent process. With healthcare professionals unable to control this input, the
Internet data can diminish and disparage the quality of the caregiver-patient relationship and the
consent process.
It is an enterprise issue because it triggers a number of risk opportunities. These include:

legal/regulatory risk exposure;

staff competencies risk exposure;

operational risk exposure;

reputational risk exposure; and

professional licensure risk exposure.


Consent Documentation

Some type of documentation is necessary to substantiate completion of the consent process. In some states there is a specific legislative requirement for a consent form. Indeed, some procedure-specific consent forms can be found in state legislation. In other instances, federal requirements mandate a written informed consent. Thus, under the Conditions of Participation for Hospitals in Medicare and Medicaid, such a requirement can be found in the standard for surgical services.
Consent forms can be viewed as falling into three or four categories. The first is the so-called long-form consent, in which the caregiver delineates copious amounts of information from the discussion with the patient. The second, the short-form consent, indicates that the caregiver has completed the consent process and that the patient or surrogate agrees to a specific type of care. A third form is procedure-specific and is often rather detailed in terms of content. The last form, a checklist-style consent, enables the caregiver to follow the elements of the consent process delineated in the tool. Once completed, signed, and dated, it serves as written evidence of a completed consent process.
Beyond forms, another option is for the caregiver to write a concurrent entry in the progress notes that describes the consent process. Simply writing "risks and rewards explained" is not written evidence of a consent process. More detail is required.
From an enterprise risk perspective, consent documentation is important to substantiate statutory
and regulatory compliance. It is also the basis for coding and billing of claims information with regard
to government and private sector health plans. A slipshod consent document raises the risk vulnerability in defending claims for lack of informed consent. For individual caregivers, under the terms
of many state licensure laws, the absence of an appropriate consent process may serve as evidence of
unprofessional conduct, an allegation that has repercussions well beyond health professional liability.
Even from a patient safety perspective, consent documentation can be used to avoid wrong site, wrong
procedure, wrong patient interventions, especially as a tool in the time-out process. Hence, consent
documentation merits close scrutiny in an enterprise risk management process. That good documentation is in place does not diminish the need for effective communication and dialogue in the consent

Risk Exposures in a Consent ERM Model

Although many believe that consent risk exposure involves negligence and claims based on the
intentional tort of battery, there are other legal vulnerabilities. These include the following legal risk


Breach of contract claims: allegations that the caregiver guaranteed a specific result or that a healthcare organization failed to meet the terms and conditions of a general consent admission agreement.

Deceptive trade practice claims: alleged violations of state legislated consumer protection laws, especially where statutory provisions do not exempt such actions against healthcare facilities or providers.

Misrepresentation: a claim based on a purposeful misstatement of material or significant information that a reasonable person would want to know in order to make a treatment choice.

Fraud: a claim based on fraudulent disclosure of material or significant information that a reasonable person would want to know in order to make a treatment choice.

Professional license proceedings: licensure proceedings based on allegations that a caregiver acted in an unprofessional manner in the way in which he or she disclosed, misrepresented, or failed to disclose information necessary for patient decision making and treatment.

Reputational risk and concomitant risk of loss of market share: a caregiver and a healthcare organization may see a diminished market share as a result of adverse publicity stemming from reputational harm. Such harm may flow from allegations of negligent consent, battery, deceptive practices, fraud, misrepresentation, or allegations of professional misconduct in patient information management.

The following case study demonstrates some of these points.


Case Example

Dr. T.R. Enden, a renowned specialist in minimally invasive back surgery, had a wonderful reputation as a caring, compassionate, skilled surgeon. Employed by Englet Hospital, Dr. Enden helped build the minimally invasive surgery program at the healthcare organization.
Dr. Enden saw Julia Stewart in the hospital clinic. Ms. Stewart had sustained a herniated disk as
the result of a number of falls on the ski slopes. In her day, Ms. Stewart had won a number of championships and she was known today as an aggressive downhill racer on the senior ski circuit. She came to
Dr. Enden when conservative treatment and medication management failed to address her problem.
Ms. Stewart had a good discussion with Dr. Enden. He explained the probable benefits and risks
of the minimally invasive procedure. He described as well treatment alternatives and related benefit
and risk information. Ms. Stewart reviewed a DVD about the procedure, and she received a pamphlet
and an information sheet about the operation. Dr. Enden encouraged her to give it some thought and to
discuss with her husband whether this was the right approach to treat her back problem.
When she went home, Ms. Stewart reviewed the literature provided by Dr. Enden. She noted
discrepancies about benefits and risks between the brochure, the information sheet, and with what she
recalled from the DVD. Ms. Stewart discussed her concerns with her husband and he encouraged her
to perform a web search. Ms. Stewart found a number of scientific articles, blog entries, and newspaper reports. She learned that the procedure had a much lower success rate than that described to her by
Dr. Enden. She also learned that there were new noninvasive procedures available for her condition
that Dr. Enden had not discussed with her. However, she also found laudatory comments from patients
about Dr. Enden.
Conflicted and aching badly, she called the doctor's clinic. Dr. Enden was not available, and her call was transferred to Tim Langton, a nurse practitioner in the clinic. After listening to Ms. Stewart's concerns, Mr. Langton said, "I understand what you are saying. Dr. Enden follows the most current research in the field to guide his treatment recommendations. I would not put a lot of stock in those blogs and those avant-garde websites. All I can tell you is he is the best. If it was me, I would have him do my surgery. Let us know if you have any questions."

Ms. Stewart decided to go ahead with Dr. Enden doing the minimally invasive procedure at the hospital day surgery department. Three weeks before the procedure, Ms. Stewart underwent a preoperative history and physical (H&P) at her primary care provider's office. The preoperative report
was sent to the hospital day surgery department. Ten days before the scheduled operation, Ms. Stewart
had a tooth abscess that required a complete extraction. One week before the procedure, she developed
an infection in the gum area and jaw surrounding the extraction site. The dentist told Ms. Stewart that
this was a common problem and that a course of antibiotic therapy would clear up the problem.
On the morning of the operation, a nurse practitioner completed the H&P review process. She
asked Ms. Stewart what she was having done, who was performing the procedure, and whether she
had seen her doctor since the H&P had been completed at the office. She checked off all the answers
on a form.
The procedure was uneventful. Ms. Stewart went home with discharge instructions and an appointment for a follow-up visit in 10 days. Two days later, however, Ms. Stewart had a temperature of 102°F and shaking chills. Dr. Enden was at a conference upstate. The on-call physician for the clinic told Ms. Stewart to go to the hospital urgent care for an assessment. The nurse who took her history was alarmed, especially since she learned that no one knew about the preoperative abscess and jaw infection. Ms. Stewart was admitted to the hospital and treated for a systemic infection. Another infection had developed at the site of the operation. Although the systemic infection was resolved, the surgical site wound required an open procedure. Ultimately, Ms. Stewart required months of antibiotic therapy administered via a port-a-cath. She endured a long period of pain before she felt better.
This is a hypothetical situation, but it demonstrates a variety of risk exposures appropriate for an
enterprise risk management approach to consent to treatment.
Consider the following risk opportunities in the case study:


Legal/Regulatory Risk Exposure: There were numerous legal and regulatory risks in this case study. The consent process was not consistent with recognized standards of care. The physician assistant may have exceeded the scope of his practice in the way in which he interceded in the consent process. The intake H&P assessment on the day of surgery was not in accordance with CMS requirements. If it can be established, Ms. Stewart may have a good claim for misrepresentation, deceit, and fraud with respect to the success rate data provided to her by Dr. Enden. In addition, if she decided to file a complaint with the accrediting body for the hospital, there may be standards non-compliance regarding patient consent and intake requirements. A formal patient grievance and complaint to the state agency or CMS could trigger an onsite review. In each instance, there are apt to be substantial legal fees and staff time involved in responding to the legal or regulatory action.

Operational Risk Exposure: The operational risk here involved a flawed H&P intake assessment. The questions posed to Ms. Stewart were quite general. There was no effort made to expand the scope of inquiry to encompass encounters with other healthcare providers since the office-based pre-operative assessment. This operational issue may be the most obvious part of a much deeper issue, including inadequate training or demonstrated competencies for those credentialed by the medical staff of the hospital to fulfill the H&P screening process.

Staff Competencies Risk Exposure: The lack of familiarity with questions to pose during the H&P update process suggests a need to examine carefully how credentialed personnel are trained for this function. If it is determined that staff are assumed to know how to fulfill this responsibility but lack the ability to do so, it is a staff competencies risk exposure.

Reputational Risk Exposure: Any publicity associated with healthcare-acquired infection and litigation can diminish the reputation of a healthcare organization. When a prominent surgeon is involved and a headline reads, "Well-Known Doctor Did Not Tell All to Patient," the consequence could be reduced market share. When the healthcare organization and physician are together as employer and employee, it can be a difficult reputational risk exposure to address. In essence, one would not want to try to shift the light of circumspection from one to the other. For example, if the hospital did try to dissociate itself from the situation, it could send a negative signal to other employed staff physicians.

Professional Licensure Risk Exposure: If, in the course of a consent process, a physician provides misleading information, it may form the basis for a claim of unprofessional conduct. As noted previously in the discussion of Operational Risk Exposure, when the physician assistant interceded in the consent process, it may have constituted a violation of his scope of practice. In either case, there could be professional licensure risk exposure.


ERM Treatment of Consent Risk Exposures

Consent to treatment is not simply a clinical risk exposure. As seen in the case study earlier, flawed
consent practices can involve staff competencies, operational issues, and both legal and regulatory risk
exposures. In some instances, a flawed consent process can trigger reputational risk issues, too.
From an enterprise risk perspective, legal counsel has a pivotal role and responsibility with regard
to effective consent practices. Other key stakeholders in the organization also have accountabilities
for consent practices. Together, legal counsel, clinical leadership, and management might want to
consider the following enterprise risk management strategies in the context of consent to treatment:

Evaluate current consent policies and procedures and practices. Conduct a gap analysis
to identify variations from what is expected under applicable state and federal law and hospital policy.

Evaluate current medical staff bylaws and rules and regulations of the medical staff. Conduct a gap analysis to identify variations from what is expected under the medical staff bylaws and rules and regulations in terms of consent and H&P screening requirements.

Take Corrective Action. Remove any ambiguity and confusing or conflicting information
to eliminate any misunderstandings from current policy, procedure, and practice routines.
Encourage similar action with respect to the medical staff bylaws and rules and regulations.

Evaluate current consent documentation. Working with colleagues in clinical leadership, review a sampling of current consent documentation for diagnostic and surgical procedures. Determine if there is variability and risk exposure that merits focused review.

Consider interoperable consent information. Working with senior management and clinical
leadership, consider a process for making consistent and interoperable information provided
to patients in consent forms, information sheets, trusted websites, interactive computer programs, and brochures.

Offer practical consent education. Provide medical staff members with educational opportunities regarding consent to treatment. Include such programming topics as the following:
role and responsibility for the consent process;
assessing patient capacity to participate in the consent process;
how to accommodate patients with specific communication needs;
how to share information in an understandable manner;
managing multimedia information; and
how to document consent to treatment.
Consider consent screening in the H&P process. Work with clinical leadership to design and implement a systemic approach for verifying patient understanding and readiness for scheduled, elective procedures. Recognize that this would include a series of straightforward rule in/rule out questions. Discrepancy situations would constitute a rule out until differences can be resolved. Discrepancies would include:

patient stating he or she is having a different procedure;
patient stating that he or she has not prepped for the procedure; and
information that there has been an intervening health event that merits further review prior to proceeding with the scheduled elective diagnostic or surgical intervention.

Setting the Context for Patient Communication

Patients and their family members are often recipients of conflicting information in the caregiving process. The delivery of contradictory information is not intentional; rather, it is a consequence
of interaction with a myriad of healthcare professionals and administrative personnel.
Contradictory information can pose difficulties in terms of a person's understanding of the indications for treatment, clinical status, and outcomes of care. Sometimes, too, patients and family members contribute to this problem. Not accepting from the physician information about treatment, the prospective outcome, or actual results, patients and family members may seek out more details from a nurse,
a physicians assistant, or a trusted advisor in the healthcare field. As noted earlier, sometimes the
Internet is used for this purpose.
Contradictory information can jeopardize the caregiver-patient relationship. Distrust can impede
the free flow of important information. When an adverse or unanticipated outcome occurs, the prospect for poor patient communication can be accentuated.


From an enterprise risk management perspective there are some fundamental considerations to
put in place as part of the physician-patient relationship for effective communication. These fundamental considerations include the following:

View the consent process as the intravenous line of communication. Encourage caregivers to recognize that consent to treatment is tantamount to starting a regular intravenous line.[11] How well it is set up and maintained is indicative of the ability to use this communication conduit to impart important information, including disclosure of adverse or unanticipated outcomes of care.

View the consent process as a volume switch for controlling expectations. Encourage caregivers to review regularly patient expectations about treatment and outcomes. Using the consent process as the conduit for establishing effective communication is the first step. The next step is to adjust expectations. In essence, consent becomes a volume switch on the patient's boom box of expectations.[12] This concept is important, especially with patients experiencing chronic illnesses. It is equally useful with patients who are terminally ill. By the same token, those with a very poor sense of wellness and survival may benefit from a discussion to help increase expectations.

Adopt a one-voice approach to patient communication. Encourage healthcare facility clinical and office reception staff to refer questions or concerns about the consent process to the attending caregiver. Avoid conjecture, speculation, or opinion rendering, as this could lead to misunderstanding and diminished patient communication. Recognizing that questions may be posed at any point in the continuum of care, the response should be the same: "You know, that is a good question. Let me help you get in contact with your caregiver who can answer your question."

Each of these points is important as it forms the context for what is often a very challenging communication: disclosure of adverse and unanticipated outcomes of care.

Disclosure of Adverse and Unanticipated Outcomes

In July 2001, the Joint Commission implemented a standard that called for a discussion of the outcomes of care with patients, and when appropriate, with their families.[13] Here the term outcomes included unanticipated outcomes of care.
Although the Joint Commission may have helped formalize the need for discussion of adverse
and unanticipated outcomes of care, it was and remains the logical conclusion of the physician-patient
communication continuum that was initiated with the consent process. Most never questioned that
caregivers would happily share good news with patients. However, as the Joint Commission standard
implied, caregivers were loath to share adverse information. Whether it was fear that such information would lead to litigation or be perceived as an admission of liability or fault, caregivers were and often remain reluctant to engage in a discussion of adverse and unanticipated outcomes of care.[14]

[11] F.A. Rozovsky, Consent To Treatment: A Practical Guide, Fourth Edition. New York: Aspen Publishers, 2007 (with annual supplementation).
[13] R.I.1.2.2., Comprehensive Accreditation Manual for Hospitals. Oakbrook Terrace, Illinois: Joint Commission on Accreditation of Healthcare Organizations, 2001.

Since 2001, many states have enacted laws that encourage or require so-called disclosure discussions. Some bar as evidence in legal proceedings the fact that the caregiver had such a discussion with the patient.[15] Others define the discussion as one that does not constitute an admission of fault or an admission against interest.[16] National associations have offered practical guidance on the subject that merits close review by counsel, including a white paper[17] and a monograph on the subject.[18]
Although still a subject of controversy, with some questioning the value of disclosure and some arguing that disclosure may foster rather than thwart litigation,[19] communication of adverse outcome information has become part of the fabric of healthcare in many settings.
Sometimes called the disclosure process and, in other instances, the apology, it requires careful planning and skill. As Kadzielski and Barton have suggested, an effective disclosure and apology process reflects respect for the patient and the basis for healing.[20] It necessitates good communication skills and a framework for ongoing discussion. Such a process can be encapsulated in a well-designed policy and procedure.[21] The one suggested by Kadzielski and Barton reflects a sweeping approach consistent with an enterprise risk management approach to the topic.[22]
Questions to consider in developing an enterprise risk management framework for disclosure and
apology include the following:

What factual information should be gathered for the first discussion?

What information should be related back to risk factors discussed during the consent
When should the initial discussion take place?
Where should it be held?
How should potential security issues be addressed?
Who will speak with the patient and/or family?
Who will be asked to participate along with the patient and family?
Will the patient or family need a language interpreter?
What will be discussed in the initial session?

What questions should be asked of the patient and family?
What social service and religious support systems should be made available to the patient and family?
How and where should the initial discussion be documented?
Who should manage follow-up conversations, including those by telephone?
How should difficult cases be managed, including those that involve ongoing investigations by law enforcement and requests to bring legal counsel to discussion sessions?
Should there be access to a bioethics consult as part of the disclosure process?
What counseling and support mechanisms should be put in place for caregivers involved in the unanticipated or adverse outcome?
How should questions of compensation be addressed during the disclosure communication
How will disclosed information be shared with other key stakeholders in the organization, including the board, senior management, compliance counsel, and those responsible for managing formal patient grievances and complaints?
How will requests for write-offs be addressed in the disclosure process?
What information, if any, should be made available to staff, especially with regard to high-profile cases or cases in the press involving an unanticipated or adverse outcome?
How should media inquiries be addressed?
Will lessons learned from the disclosure process be incorporated into medical staff
Should legal counsel be involved in the disclosure process? If so, what should be the role of legal counsel?
Should the risk manager be involved in the disclosure process? If so, what should be the role of the risk manager?

The list of questions points to a number of risk exposure opportunities often seen in enterprise risk management: staffing competencies, legal/regulatory matters, media/reputational risk, and operational issues. The potential for litigation, regulatory review, accreditation action, and adverse media reports points to the need for a coordinated effort.

[14] J.R. Woods and F.A. Rozovsky, What Do I Say? San Francisco: Jossey-Bass, 2003.
[15] See, e.g., Conn. Gen. Stat. Ann. 52-184d.
[16] See, e.g., Colorado Revised Statute 13-25-135.
[17] Perspective on Disclosure of Unanticipated Outcome Information, American Society for Healthcare Risk Management, July 2001.
[18] See Risk Management Pearls on Disclosure of Adverse Events, American Society for Healthcare Risk Management, July 2006.
[19] For an interesting set of insights on the topic, see Popp, P.L., How Will Disclosure Affect Future Litigation? ASHRM Journal of Healthcare Risk Management, Vol. 23, No. 1: 5-9, 2003; and Gallagher, T.H. et al., Patients' and Physicians' Attitudes Regarding the Disclosure of Medical Errors, JAMA. 289(8): 1001-1007, 2003.
[20] See Kadzielski, M. and Barton, E., Tell Me Now and Tell Me Later: Disclosure and Reporting of Medical Errors, AHLA Annual Conference, June 2007, Concurrent Session Paper.
[21] Id. See sample disclosure policy from this session paper.

Role of Legal Counsel in an ERM Framework for Disclosure

Legal counsel should take a leadership role in shaping a disclosure process that addresses a variety of risk issues that could emanate from discussion of and apology for unanticipated and adverse
outcomes of care. In this role, legal counsel can help facilitate policy and process design, taking into
consideration such issues as:

policy design consistent with applicable state evidentiary laws;

policy design consistent with requirements under applicable professional liability insurance and captive management provisions;

policy design with respect to collective labor agreements;

policy design with respect to the medical staff bylaws and rules and regulations of the medical staff;

development of a mandatory reporting matrix under applicable federal and state law;

notice provisions with all levels of insurance carriers, captive managers, and third party administrators, a process that can be completed collaboratively with the risk management professional; and

coordination among various legal counsel, including compliance, accreditation, contract, and defense counsel.



Consent communication and disclosure of unanticipated and adverse outcomes are integral components of a thoughtful enterprise risk management model in the healthcare field. Good communication
can help identify problems prior to treatment, leading to the potential for alternate care plans or the
caregiver putting in place strategies to lessen the risk of injury. Although patients may be angry and
upset about an unanticipated or adverse outcome, having a factual explanation may lessen the risk of
In the nonemergent care setting, consent is the initiator of the communication process. Along the
way, that process can be used to provide clinical updates and adjust expectations of care. When used
effectively, consent sets a framework for disclosure of unanticipated and adverse outcomes, too. The
greater context for the communication process is enterprise risk management, a deliberate, thoughtful
recognition of potential risk opportunities coupled with strategies for eliminating, preventing, reducing, and transferring identified loss exposures. Seen in this way, consent to treatment and discussion of adverse outcomes can help augment comprehensive efforts to achieve quality, safe, effective, and efficient patient care.



Peer Review and Credentialing in an Era of Enterprise Risk Management
Mark A. Kadzielski, Esq.[1]
Fulbright & Jaworski, L.L.P.


Peer review and credentialing are areas in which significant liabilities exist for healthcare organizations. Accordingly, astute legal counsel should periodically review a facility's bylaws and policies on peer review and credentialing, and keep abreast of current developments in health law. The maintenance of state-of-the-art bylaws and credentialing policies and procedures by a healthcare facility is among the most effective preemptive risk management tools available.
Although health facilities have little, if any, control over the practice of medicine, they can exercise substantial control over the qualifications and competence of practitioners and allied health professionals (AHPs) who are allowed to provide care to the facilities' patients. In this era of increased healthcare grading and transparency, effective peer review and proper credentialing are necessary for facilities to improve utilization patterns and quality outcomes. The concomitant costs and inconveniences are clearly outweighed by the benefits.
This chapter discusses aspects of peer review and credentialing for both practitioners andAHPs,
including sources of potential liability, federal and state requirements, and accreditation standards.

Practitioner Credentialing

Credentialing is the process by which healthcare organizations review a practitioner's licensure, certification, references, and other professional information pertaining to his or her qualifications and ability to provide healthcare services. It entails a decision by a healthcare delivery system that determines whether the applicant is qualified to provide healthcare services for that organization.
Credentialing involves granting medical staff membership to practitioners and/or granting them clinical privileges, two diverse concepts that require the analysis of different criteria. Accordingly, healthcare delivery systems should clearly differentiate between them. Membership provides practitioners with a voice in the governance of the healthcare delivery system, while clinical privileges provide practitioners with the opportunity to provide clinical services.
From a risk management perspective, granting privileges is more critical than granting membership alone, since significant potential liability accompanies the ability to perform surgical or nonsurgical procedures. But, as set forth in this chapter, such liability may be minimized by competent risk management. Likewise, medical staff membership without clinical privileges can be an effective risk management tool for healthcare organizations.

¹ Mark A. Kadzielski is the partner-in-charge of the West Coast Health Law practice at Fulbright & Jaworski L.L.P. in Los Angeles. Portions of this chapter have been published in a chapter on credentialing written by Mr. Kadzielski in The Risk Management Handbook for Healthcare Organizations, and in Health Care Credentialing: A Guide to Innovative Practices, which he coauthored with Fay Rozovsky and Christine Giles.
The Joint Commission defines credentialing as "the collection, verification, and assessment of information regarding three critical parameters: current licensure; education and relevant training; and experience, ability, and current competence to perform the requested privilege(s)."² The Joint Commission further provides that: "Experience, ability, and current competence in performing the requested privilege(s) is verified by peers knowledgeable about the applicant's professional performance. This process may include an assessment for proficiency in six areas of General Competencies adapted from the Accreditation Council for Graduate Medical Education (ACGME) and the American Board of Medical Specialties (ABMS) joint initiative."³ The National Committee for Quality Assurance (NCQA), a private, not-for-profit organization which assesses and reports on the quality of managed care plans, requires that practitioners have verified credentials, including a valid license to practice medicine, education and training, malpractice history and work history.⁴
Proper peer review and credentialing must be tailored to fit the specific needs of each healthcare organization, whether a hospital, a managed care organization (MCO), an integrated delivery system (IDS), an independent practice association (IPA), or some other type of delivery system. Tailoring can be accomplished by including peer review and credentialing processes in bylaws, rules and regulations, and policies and procedures, as applicable. However, facilities should not attempt to cut costs by blindly adopting another organization's bylaws, rules and regulations, or policies and procedures to their own operations. This practice can result in the application of inappropriate and inconsistent policies that can negatively affect accreditation status and the quality of care provided.
Peer review and credentialing standards ensure the uniform treatment of all staff members being considered for appointment and reappointment and provide the individual staff member with a fair, known, and systematic information collection process. Further, strict adherence to a clearly delineated peer review and credentialing system can protect a facility in disputes. Healthcare institutions should not fall prey to the mistaken belief that only large organizations with plentiful resources can afford to scrutinize applicants' credentials carefully and discipline errant practitioners in a uniform and systematic manner. No organization, large or small, should underestimate the importance of the peer review and credentialing functions.

Federal Law on Credentialing and Peer Review

Enterprise risk management strives to stay current with federal and state laws concerning peer review, credentialing and accreditation standards specific to the healthcare delivery system in which they will be applied. For example, on the federal level, the Medicare Conditions of Participation for Hospitals provide that "[t]he medical staff must examine credentials of candidates for medical staff membership."⁵ They also require the periodic appraisals of the members of the medical staff.⁶ The Medicare Conditions of Participation for Long Term Care Facilities provide that "[p]rofessional program staff must be licensed, certified, or registered, as applicable, to provide professional services by the State in which he or she practices."⁷ The Conditions of Participation for Home Health Agencies provide that "[p]ersonnel practices are supported by appropriate, written personnel policies. Personnel records include qualifications and licensure that are kept current."⁸ The Medicare Conditions of Participation for Comprehensive Outpatient Rehabilitation Facilities provide that "[p]ersonnel that provide service must be licensed, certified, or registered in accordance with applicable State and local laws."⁹ Medicare also prescribes similar Conditions of Participation for Critical Access Hospitals,¹⁰ and for Clinics, Rehabilitation Agencies, and Public Health Agencies as Providers of Outpatient Physical Therapy and Speech-Language Pathology Services.¹¹

² The Joint Commission, Hospital Accreditation Standards, Introduction to Standard MS 06.01.03, Oakbrook Terrace, IL: 2009.
³ Id. These six areas are:
Patient care: Practitioners are expected to provide patient care that is compassionate, appropriate, and effective for the promotion of health, prevention of illness, treatment of disease, and care at the end of life.
Medical/Clinical Knowledge: Practitioners are expected to demonstrate knowledge of established and evolving biomedical, clinical, and social sciences, and the application of their knowledge to patient care and the education of others.
Practice-Based Learning and Improvement: Practitioners are expected to be able to use scientific evidence and methods to investigate, evaluate, and improve patient care practices.
Interpersonal and Communication Skills: Practitioners are expected to demonstrate interpersonal and communication skills that enable them to establish and maintain professional relationships with patients, families, and other members of healthcare teams.
Professionalism: Practitioners are expected to demonstrate behaviors that reflect a commitment to continuous professional development, ethical practice, an understanding and sensitivity to diversity, and a responsible attitude toward their patients, their profession, and society.
Systems-Based Practice: Practitioners are expected to demonstrate both an understanding of the contexts and systems in which healthcare is provided, and the ability to apply this knowledge to improve and optimize healthcare.
Integrating these concepts into the standards allows the organized medical staff to conduct a more comprehensive evaluation of a practitioner's professional practice.
The second new concept is Focused Professional Practice Evaluation. This concept allows the organized medical staff to focus evaluation on a specific aspect of a practitioner's performance. This process is used in the following two
When a practitioner has the credentials to suggest competence, but additional information or a period of evaluation is needed to confirm competence in the organization's setting.
If questions arise regarding a practitioner's professional practice during the course of the Ongoing Professional Practice Evaluation.
The third new concept is the Ongoing Professional Practice Evaluation. Traditionally, the credentialing and privileging process has been a procedural, cyclical process in which practitioners are evaluated when privileges are initially granted, and every two years thereafter. The process outlined in these credentialing and privileging standards is designed to continuously evaluate a practitioner's performance. The process requires the medical staff to conduct an ongoing evaluation of each practitioner's professional performance. This process not only allows any potential problems with a practitioner's performance to be identified and resolved as soon as possible, but also fosters a more efficient, evidence-based privilege renewal process.
Joint Commission Hospital Accreditation Standards, MS.06.01.01.
The second and third new concepts should be included in Medical Staff Bylaws and/or policies and procedures to be compliant with Joint Commission standards.
⁴ National Committee for Quality Assurance. Standards for Health Plan Accreditation [hereinafter NCQA Standards for Accreditation], CR3, Washington, DC: 2009.
⁵ 42 CFR 482.22(a)(2).
⁶ 42 CFR 482.22.
⁷ 42 CFR 483.430(b)(5).
⁸ 42 CFR 484.14(e).

The Health Care Quality Improvement Act of 1986 (HCQIA)

The HCQIA has played a significant role in the development of current peer review and credentialing practices. If a healthcare entity complies with certain credentialing procedures, HCQIA affords monetary immunity, under both state and federal law, for claims arising out of such credentialing activities. There can be serious consequences for conducting a peer review that does not comply with the requirements of HCQIA. For example, in 2004, a Texas federal court jury awarded a Dallas cardiologist $366 million after determining that the hospital and the physicians who had participated in his summary suspension were not immune from damages under HCQIA.¹² The judgment was reversed by the U.S. Court of Appeals for the Fifth Circuit in 2008. Nonetheless, the jury's verdict serves as an important warning of the serious consequences for failing to conduct peer review in compliance with HCQIA.
HCQIA, perhaps more than any other body of law, has substantially shaped current peer review and credentialing practices. The financial liability of not complying with HCQIA can be detrimental
⁹ 42 CFR 485.54(b).
¹⁰ 42 CFR 485.604.
¹¹ 42 CFR 485.705.
¹² In Poliner v. Texas Health System, the jury, after the trial judge had determined the defendants were not entitled to complete immunity under HCQIA, found them liable for breach of contract, defamation, interference with contractual relations, and intentional infliction of emotional distress arising out of the summary suspension of Dr. Lawrence Poliner. The facts of this case are that on May 12, 1998, a patient presented to the emergency room of Presbyterian Hospital of Dallas complaining of chest pains. Dr. Poliner, an interventional cardiologist, performed a procedure to open the patient's artery. However, he made a diagnostic mistake and missed the patient's blocked artery. The patient later suffered postprocedure complications, and there were problems contacting Dr. Poliner afterwards. This patient's case and other cases were brought to the attention of Dr. James Knochel, the chairman of the hospital's Internal Medicine Department. The cases were also submitted for review to the Internal Medicine Advisory Committee, also chaired by Dr. Knochel. Dr. Knochel, in consultation with other physicians at the hospital, decided to seek a temporary restriction of Dr. Poliner's cath lab privileges in order to allow for an investigation pursuant to the Medical Staff Bylaws. After a conversation with Dr. Knochel, Dr. Poliner agreed to the temporary abeyance of his privileges and an ad hoc committee was appointed to review a sample of his cases. This temporary abeyance lasted 29 days. Upon review of the cases, the ad hoc committee formally and unanimously agreed that Dr. Poliner's cath lab and echocardiography privileges should be suspended, which they were. Dr. Poliner requested a hearing pursuant to the Medical Staff Bylaws. The Hearing Committee concluded the suspension should be upheld, but that Dr. Poliner's privileges should be reinstated with conditions.
Thereafter, Dr. Poliner filed a lawsuit in federal court claiming that these events defamed him and constituted antitrust and deceptive trade practices. The U.S. District Judge granted the defendants' motions for summary judgment under HCQIA as to the formal summary suspension, holding that the immunities applied to the facts of this case. However, the judge allowed the case to go forward to a jury trial with regard to the initial 29-day temporary abeyance. The jury awarded Dr. Poliner $366 million in damages. On March 27, 2006, the U.S. District Judge upheld the jury's finding but ordered the parties to mediation to determine the proper amount of damages. Thereafter, on September 18, 2006, the judge granted the motions of the hospital and one of the doctors to reduce the amount of damages to $22.5 million. Poliner v. Texas Health System, No. Civ. A.3:00-CV-1007-P (N.D. Tex. 2006). On appeal, the Fifth Circuit set aside this judgment completely. Poliner v. Texas Health Systems, 537 F.3d 368 (5th Cir. 2008). The appeals court held that immunity under HCQIA precluded any monetary recovery. In reversing the judgment, the court adopted an objective standard for finding a reasonable belief that the action was in furtherance of quality healthcare, as required for statutory immunity.
The recent case of Johnson v. Christus Spohn is also instructive regarding how important it is for organizations to properly handle credentialing practitioners in light of the fact that there is no immunity under HCQIA for federal claims involving racial discrimination. Johnson v. Christus Spohn, 2008 U.S. Dist. LEXIS 10058 (S.D. Tex. 2008). The reality is that it is quite simple for a plaintiff to allege racial discrimination even in the absence of facts that suggest such discr