510 Internal Audit, Risk In Behavioral Health
3/14/2019HCCA Compliance InstituteApril 7-10, 2019Boston, MAInternal Audit’s &Corporate Compliance’sRole in AddressingEnterprise Risk –Behavioral Health ServicesLorrie Oelkers Ghose, CPAChief Audit ExecutiveKimberly Jordan, CHCChief Compliance OfficerAgenda Fairview Health Services Risks / Challenges in Behavioral Health Enterprise Risk Identification Risk Assessment Enterprise Risk Management Role of Internal Audit and Corporate Compliance in Risk Mitigation Activities Executive Oversight Committee Areas of Focus Other Audit Activity Risk Dashboard Ongoing Monitoring – Sustaining Change Governance – Audit and Compliance Committee of the Board of Directors Tools Questions/Answers21
3/14/2019Our Health SystemFairview Health Services University of MN Academic Affiliation33,000 Employees5,000 System Providers12 hospitals and medical centers2,140 staffed beds56 primary care clinics100 specialties70 senior housing facilities40 retail pharmacies327,000 health plan membersBehavioral Health Services 3370 beds12,448 Inpatient Cases Annually42,500 Outpatient Encounters Annually15,528 Outpatient Chemical Dependency CasesAnnuallyAbout Fairview Health ServicesBehavioral Health Services Programs Behavioral HealthHome Services Adult Mental Health Inpatient Care Outpatient Care Senior TreatmentPrograms Young AdultMental HealthServices Adolescent SubstanceUse Disorder / DualDiagnosis Program Compulsive GamblingProgram4 Adult Substance UsePrograms OutpatientTreatment Program Inpatient TreatmentProgram Lodging PlusResidentialProgram Prenatal SubstanceUse DisorderProgram Child Adolescent MentalHealth Children’s DayTherapy Program Inpatient CareAbout Fairview Health Services2
3/14/2019Behavioral Health Services – Risks & Challenges Increasing need (depression, opioid epidemic) Decreasing availability / Inadequate capacity Difficult population Inadequate funding and insurance coverage / Financial risk to providers Quality of care / Variation of practice Staffing shortages Research challenges Billing compliance Violence / Harm to patients, staff and visitors Increased regulatory oversight5Behavioral Health Services: National Crisis3
3/14/2019Behavioral Health Services: National CrisisBehavioral Health Services – Local NewsSexual Assault of Patient byAnother PatientMental Health Patient Rights ViolationsStaff Injured by PatientPatient ElopementsOveruse of Restraints/SeclusionsUse of Ketamine without Patient ConsentImproper Research Consenting of Mental Health Patient84
3/14/2019Risk Assessment – Identifying & Assessing RisksDrives Annual Work Plan / Identified Risks Considered in ERM ExerciseInternal Audit & Corporate Compliance Annual Risk Assessment Process Conduct interviews with executive leadership, management and other stakeholdersacross the enterprise. Survey all members of the management team as well as 20% of non-management staffacross the Fairview enterprise. Evaluate results of prior audit and compliance projects. Evaluate the impact of the current financial, operational and regulatory environmentrelated to Fairview’s key initiatives. Consider top healthcare risks identified by industry experts (e.g. Crowe Horwath, CHANHealthcare, Deloitte) and government and other regulators (e.g. CMS, Department ofHealth and Human Services, Joint Commission, Office of Inspector General).9Tool – Risk Assessment SurveyManagementResponse RateIn your opinion, does the organization demonstrate a commitment toits core values: Dignity, Integrity, Service, Compassion, andInnovation? Yes Employee201920182019201841%46%25%23%96%95%90%90%In your opinion, does leadership demonstrate integrity and ethicalbehavior? Yes Are you aware that the organization has an anonymous reportingtool (hotline) available for all employees, vendors, patients andothers to report ethical or regulatory infractions and other concerns(Compliance Reporting Hotline)? Yes Do you believe you can report a concern without fearing retaliation?Yes Do you know where to find policies and procedures to guide yourwork? Yes Are you confident that the data you utilize to perform your work areaccurate and reliable? Yes How would you rate the organization’s culture of accountability on ascale of 1-5 (with 5 stars being highly accountable)?105
3/14/2019Enterprise Risk Management –Identifying Strategic & Enterprise Risks Highest risks and concerns / risk statements are requested from executive leadership. Internal Audit and Compliance facilitate exercise with executive leadership and boardmembers to pare down risks by determining impact, likelihood and velocity. Risks arethen categorized as strategic or enterprise risks. Strategic risks – risks which, if realized, would prevent the organization fromachieving its strategic initiatives and goals. Enterprise risks – risks for which redundant oversight and leadership is appropriatefor some period of time until risk is mitigated to a point where it can be managedlocally. Accountable executive owners are assigned to Strategic and Enterprise risks. Accountable executive owners and their designees are responsible for developinginterventions to mitigate risks. Status of mitigation activities is reported bi-weekly at Strategic Management Teammeetings. Results of mitigation efforts are reported to the Audit and Compliance Committee of theBoard of Directors in June and December.11Tool – Enterprise Risk ManagementImpact: The financial or business impact if the adverse event were to occur.5: Catastrophic Event with a financial impact greater than 100 Million. Significant downgrade in debt. Major enforcement action. Disqualification from participation in government reimbursement program.4: Major Event with a financial impact between 50 and 100 Million. Major adverse events with negative publicity (e.g. infant abduction)3: Significant Event with a financial impact between 25 and 50 Million. Adverse events with high reputational impact (e.g. workplace violence)2: Minor Event with a financial impact between 2 and 25 Million. Published malpractice claim.1: Insignificant Event with a financial impact less than 2 Million.Likelihood: The probability of occurrence given controls in place.5: Almost Certain Event will occur in most circumstances; 90% or more of the time (e.g. snow in MN in January)4: Likely Event should occur; more than 50% probability and up to 90% certainty (e.g. snow in MN in December)3: Moderate Event will probably occur; more than 25% and up to 50% probability (e.g. snow in MN in November)2: Unlikely Event could occur; more than 5% up to 25% probability (e.g. snow in MN in October)1: Rare Event would occur only in exceptional circumstances; 5% probability (e.g. snow in MN in September)Velocity: The speed of onset of the event, should it occur.5: Immediate Very Rapid onset; little or no warning, instantaneous4: Fast Quick onset; several weeks or months to occur3: Moderate Moderate onset; between 6-12 months to occur2: Slow Slow onset; between 13 and 18 months to occur1: Prolonged Very slow; 18 months to occur126
3/14/2019Tool – Enterprise Risk sk IndicatorsStatus ofRiskRiskTrend MitigationPlanRiskRiskTolerance LevelLowRisk DefinitionScoreImpactXLikelihood VelocityCommentsFailure to ensure safety ofbehavioral patients andstaff leads to unacceptablereputational and financialrisk.16National risk trend increasing with regard tosubstance use/abuse and dual diagnosesOversight of Behavioral Health Enterprise Risk –Executive Oversight Committee Purpose – identify and address areas of risk in the Behavioral Health service line;demonstrate appropriate redundant oversight until risk is sufficiently mitigated. Committee Membership Chief Operating Officer, Chair Chief Audit Executive Chief Compliance Officer Chief Nursing Executive Chief Medical Officer Chief Legal Officer Service Line Executives Clinical and Administrative Behavioral Health Leadership Regulatory Response Director Facilities / Security Executive Human Resources Leadership Meeting Cadence Initially every two weeks, changed to monthly147
3/14/2019Oversight of Behavioral Health Enterprise Risk –Executive Oversight CommitteeMeeting Expectations / Ideal Behaviors Honest and constructive discussion is necessary to resolve issues. Have the courage to speak up and challenge things that need to be challenged. No “meetings after the meeting.” Challenge hypotheses. Support resolution with data. Seek to understand. Be prepared. Be transparent, honest and forthcoming. Be willing to discuss the difficult issues. Be open to change. Acknowledge an recognize the value of dissension; work towards agreement.15Oversight of Behavioral Health Enterprise Risk –Executive Oversight Committee Assessment History Multiple Internal Audit Reviews Compliance Coding and Provider Documentation Review Issues Reported to Compliance Office Focus / Priorities Address Open Internal Audit and Compliance Findings Incorporate Auditing / Monitoring Activities in Other Audits Report on Areas of High Risk – Monitoring and Auditing Activities168
3/14/2019Oversight of Behavioral Health Enterprise Risk –Areas of Focus Restraints/seclusionStaffing, including Physician CoverageLeadership CommunicationHealing Milieu / Care ModelEMR DocumentationScope of Practice – Face to Face AssessmentsUse of Occupational TherapistsPhysical Environment Ligature Risks Safety Patient Elopement17Incorporate Risks in “Other” Audits189
3/14/2019Tool – Risk DashboardRisk DashboardDefinition:Process/risk owner:BHS Service Line ExecutiveRiskCategoryRoot Causes / Risk DriversBoard governance:Audit CommitteeMitigation action plansLigature Risk AssessmentLigature RiskLigature Risk Remediation(Pediatrics)Nurse Staffing RatiosPatient SuicideBehavioral1:1Management governance:BHS Executive Oversight CommitteeExecutive Compliance Risk and Control CommitteeTargetDateProject%Status CompleteKey accomplishments/challenges Completed Assessment of AdultUnit Completed Assessment ofPediatric Unit Created Standard Roles Obtained Budget approval foradditional FTEsPatient elopementEgress Point Control Trained all staff in elopementriskPatient/Staff ViolenceNurse Call System Completed System RiskAssessment Identified areas of focusedtrainingSample Ongoing Monitoring Activity –Restraints / Seclusion20About Fairview Health Services10
3/14/2019Governance – Audit & Compliance Committeeof the Board of DirectorsUpdates on Behavioral Health Services Internal Audit Activity Compliance Audit Activity Compliance Hotline Reports Areas of Particular ConcernEnterprise Risk Management Updates Bi-Annual End of Year Close-out of ERM Risk or Carry Forward for Consideration for NextYear Risk Inventory21About Fairview Health ServicesTools Heat Map Risk Tolerance Guiding Principles Operational Action Plan Ligature Risk Requirements ChecklistPlease note that additional tools are embedded in the presentation: Risk Assessment Survey – slide 10 Enterprise Risk Management – slides 12, 13 Risk Dashboard – slide 192211
3/14/2019Tool – Heat MapBehavioral Health Risks9Number6Likelihood Probability of Occurrence857112635412108197Risk - Condensed1Patient Suicide2Clinical Documentation3Healing Milieu4Employee Harm5Emergency Department(ED) Boarding6Ligature Risk47Patient Elopement38Inadequate Staffing9Behavioral HealthResearch Consent10Use of 12Patient/Patient Violence9Impact Level of SeverityTool - Risk Tolerance Guiding PrinciplesPrincipleExamplesToleranceRisks in the pursuit of innovative, breakthrough research thatimproves the health of our patientsHigh/Moderate/Low/ZeroRisk taking that enhances our health care deliveryHigh/Moderate/Low/ZeroRisks for rewarded financial gainHigh/Moderate/Low/ZeroRisks arising from discharge of management responsibilities andaccountabilityHigh/Moderate/Low/ZeroRisks that undermine actual safety (patient and employee) or theperception of safety, at our hospitals, clinics and other facilitiesHigh/Moderate/Low/ZeroRisks for behavior that puts our patients at harmHigh/Moderate/Low/ZeroRisks resulting from variation in processHigh/Moderate/Low/ZeroRisks that inhibit care system integrationHigh/Moderate/Low/ZeroRisk resulting from non-compliance with laws or regulationsHigh/Moderate/Low/ZeroRisk resulting from HR related actions or processesHigh/Moderate/Low/Zero2412
3/14/2019Tool – Operational Action PlanAreaArea ofFocusBehavioralHealthUnitsBehavioralHealth UnitsSignage /process /SignageprocessBehavioralHealth UnitsSafety / spaceStaff Protection- indications thatsome staff felt unsafeUse of the charting rooms assheltersGemba walks withstaff- identifyBehavioral Healthegress / shelterLeadershipareas7/1/2018BehavioralHealth UnitsSafetyTrainingStaff Protection- indications thatsome staff felt unsafe in SecurityAlert level Code 21Video, training and awareness.Additional Code 21 and/or ClinicalEducation designated training.Tools in the LMS Behavioral Healthprogram and unitLeadership /specific pilotsEducation7/1/2018Develop consistent standard forAccessUMMC West lobby Behavioral HealthAlignment with campus accessvisitor screening and access controlControl /project; align withLeadership /control practices; consistent visitorto all behavioral health units,VisitorSecuritySJH projectmanagementUMMC and systemmanagement6/1/2018BehavioralHealth UnitsDetailRecommendationRemediation /Action PlanResponsiblePerson(s)Elopement Prevention- physicalAssessment of ligature risk,Inventoryof ligaturerisk across ofallBehavioral Healthwork, includingthe installationreplacementequipmentbased onSignage,of("Ownthis door"),serviceandcare areas.LeadershipBehavioralHealthsallyportsor patient"man-traps"at eachrisk ratingcriteriaawareness,limitingstaff accessSignage creationLeadershipBH unit. Many elopements are dueauthority and related technologyto the inattention or carelessness ofstaff entering or leaving.Due Date7/1/20187/1/201825Tool – Ligature Risk Requirements ChecklistAir Exchange VentAlcohol-Based Hand RubAppliancesBadge ReaderBed - MedicalBed - PlatformBed - StretcherBlindsCeiling TypeChairClockCloset / Storage Unit RodCloset / Storage Unit ShelvesCords (appliances, lamps, calllights, TV, telephones)Small Perforations that are Secured in Place with Tamper Resistant FastenersNot Mounted or Located in Patient Access AreasLigature-Resistant; Securely AnchoredTight to the Wall; SlopedNo Open Side Rails; If Open Side Rails Needed, 1:1 ObservationSecurely Anchored, No Storage Drawers1:1 ObservationMounted Between Layers of Safety Glass & Pull Cord / Opener UnattainableHard Lid; If Not Hard Lid, Clips Required for Dropped CeilingsArmless Chairs, HeavyIn Protective EnclosureNone on UnitBuilt-In or Securely Anchored with Tamper Resistant ScrewsWired into Wall or Table; Shortest Exposure Possible; Cord Less than 6 to 8 InchesDecorative Picture(s)Polycarbonate or Acrylic Glazing Over Picture; Screwed to the Walls with a Minimum of One Tamper-ResistantScrew Per Side; Pick-Resistant Sealant on TopMounted on the Corridor Side of the Door, Away from Rooms Where Patients will be Alone or in GroupsDoor ClosureDoor HandlesDoor HingesDoor MaterialDoor View Windows toCorridorsDoors Barricade ResistantDrapesElectrical Device Cover PlatesLigature-ResistantClosed Sloped Top and Continuous GearsImpact Resistant or Soft- Foam BreakawayNo Ligature-Resistant on OpenerExit SignsExposed Piping(sink, toilet, & shower)Faucets (sink & shower)26Fire EnunciatorTight to the Ceiling with a Full-Length Mounting BracketAll Must be Enclosed / Sloped, Ligature-ResistantRefer to FGI GuidelinesBreakaway with Minimum Force if GatheredAttached With Tamper Resistant ScrewsAll Must be EnclosedTight to the Wall; Sloped13
3/14/2019Tool – Ligature Risk Requirements ChecklistFire Extinguisher CabinetFire Extinguisher SignsFloor Pads / MatsFloorsFlush Mechanism on ToiletGas Valves, Flow MetersGrab BarsHandles / PullsContinuous Hinges, Recessed Pulls (if any), and Polycarbonate GlazingTight to the CeilingNo Zippers, Seams SealedNon-PatternedPush ButtonCovered with Lockable Panels or Panels Attached with Tamper-Resistant ScrewsFilled Gap Solid Grasp Only Bar, Flush to WallRecessed, with No Protruding Openings, or of a Closed Ligature-Resistant TypeHooksHVAC Grilles / RegistersIV Pole / TubingLampsLight SwitchesLightingMattress / PillowMirrorCollapsibleSmall Perforations that are Secured in Place with Tamper-Resistant FastenersIf Medical Need, 1:1 ObservationNone on UnitTamper-ResistantTamper-Resistant Securely Fixed in the Frame with Covers that are Firmly Secured w Tamper ResistantScrewsNo springs, No Zippers, Seams SealedNon-Glass Mirror; Firmly Secured with Tamper-Resistant Screws; If Flat Surface, Tapered Strip PresentNight LightsOutletsPaper Towel DispensersPlastic BagsPrivacy CurtainPull CordsScrewsSharps ContainerSheets / CoversShower Curtain & RodShower StoolsShower WandsSoap Dispensers27Sprinkler HeadTamper Resistant- Not RemovableHospital-Grade, Tamper-Resistant TypeRecessed ShelfNone on UnitBreakaway with Minimum Force if GatheredPush Button; No Longer than 4” and as Light Weight as PossibleTamper-Resistant, Flush Mounted Set ScrewsSecurely Mounted; Ligature-ResistantNo Additional Supplies in Room; No Fitted SheetsBreakaway with Minimum Force if GatheredLigature-ResistantLigature-Resistant, Quick-Disconnect Fitting that Allows Removal of the Head and Attached HoseLigature-ResistantInstitutional HeadsQuestions / AnswersThank you!Lorrie Oelkers Ghose612-672-7888lghose1@fairview.orgKimberly Jordan612-672-6996kjordan1@fairview.org2814
3/14/2019 2 Our Health System 3 About Fairview Health Services Fairview Health Services University of MN Academic Affiliation 33,000 Employees 5,000 System Providers 12 hospitals and medical centers 2,140 staffed beds 56 primary care clinics 100 specialties 70 senior housing faciliti
CHAPTER 12 Internal Audit Charters and Building the Internal Audit Function 273 12.1 Establishing an Internal Audit Function 274 12.2 Audit Charter: Audit Committee and Management Authority 274 12.3 Building the Internal Audit Staff 275 (a) Role of the CAE 277 (b) Internal Audit Management Responsibilities 278 (c) Internal Audit Staff .
based focus to a risk based focus requires that the internal audit activity be carried out by an experienced multidisciplinary team using risk-based internal audit (RBIA) methodology. 1.2.The objective of this Guide is to provide guidance to the members of the Institute, as to the concepts and steps involved in risk-based internal audit
GTAG Global Technology Audit Guides HoA Head of Agency HoIA Head of Internal Audit IA Internal Audit / Internal Auditor IA-CM Internal Audit Capability Model IAS Internal Audit Service . Audit, the Code of Ethics for Internal Auditors and the Auditing Standards. The only way
INTERNAL AUDIT Example –Internal audit report [Short Client Name] Internal Audit Report Rev. [Rev Number] STEP ONE: Audit Plan Process to Audit (Audit Scope): Audit Date(s): Lead Auditor: Audit #: Auditor(s): Site(s) to Audit: Applicable Clauses of [ISO 9001 or AS9100] S
audit committee and internal audit is fundamental to internal audit's success. 1.2. Securing the appropriate resources for internal audit to meet expectations In many organisations, the audit committee is responsible for approving the internal audit budget, and this approval is typically based on management's recommendation.
An internal audit must be planned in advance and a schedule created for each internal audit process. The Management Meetings can be used to plan the audit and to record the results of each internal audit process. When planning the internal audit, consideration to following criteria shall be included when planning an internal audit:
6. QMS 9001:2015 internal Audit It covers internal audit process, audit question techniques and guidelines for internal audit as well as auditor criteria. 7. Steps for QMS Internal Audit It covers steps to carry out Quality management system internal audit
The quality audit system is mainly classified in three different categories: i Internal Audit ii. External Audits iii. Regulatory Audit . Types Of Quality Audit. In food industries all three audit system may be used to carry out 1. Product manufacturing audit 2. Plant sanitation/GMP audit 3. Product Quality audit 4. HACCP audit
