What’s Your Risk Appetite and Tolerance?
- By Robert Blizzard
- In Compliance
- February 1, 2022

Guard against lost revenue by knowing where you and your practice stand on compliance-related issues.
If you were to conduct a poll of 100 people and ask them to describe healthcare compliance in one word, it’s possible you’d get 100 different answers. Some would undoubtedly use words such as law, adherence, or regulation. There are two more words that are used far less but are equally important to compliance: appetite and tolerance. What are your appetite and tolerance levels for risk? In this article, we’ll define the terms and explain their role in compliance.
Evaluate What Qualifies as Risk
When we refer to appetite in terms of healthcare compliance, we are referring to how you or your organization qualifies the risk your organization is willing to engage in. Everyone partakes in this principle on a daily basis, whether it’s deciding to exceed the posted speed limit or cross a street somewhere other than a designated crosswalk. We decide that those activities qualify as acceptable practice given the environment in which they occur and feel that we could defend our actions as reasonable if we had to. And if questioned, we revert to what we did as children — point to our peers and their behaviors as justification for our decision-making processes. If everyone else is doing 85 miles an hour on the interstate, why shouldn’t you?
Where to Draw the Line
Risk tolerance is the quantification of your risk appetite. Using the speeding on the interstate metaphor, once you decide that you have an appetite to exceed the speed limit, you must then determine your tolerance for the behavior. Popular belief is that you can drive up to five miles an hour above the posted speed limit and never get pulled over. Assuming you subscribe to that idea, your risk tolerance for speeding is five miles an hour over the posted speed limit. If you drive on the interstate regularly, the variance in risk tolerance is abundantly apparent, with some people buzzing by you doing 90 plus miles an hour while others are strictly adhering to the speed limit. It’s no different in healthcare. Often, the scope of risk appetite and tolerance from organization to organization is just as apparent.
No Consequences, No Big Deal?
Let’s apply this theory to medical coding by contemplating your personal risk appetite and tolerance for an issue that affects practices and organizations nationwide. As healthcare business professionals, we know that overcoding services we bill to insurers is a bad idea on multiple levels. There is little debate that overcoding wastes valuable resources, creates hardship for the patient population, and is either abusive or fraudulent behavior.
What about undercoding healthcare services? Many organizations use risk stratification techniques to assess the risk of coding infractions. This generally results in undercoded services being viewed as lower-risk due to the diminished risk associated with a payback to insurers. In many cases, this means that undercoded services are not considered coding errors as much as revenue maximization opportunities. Based on that thought process, how much concern should be given to an issue that may not result in a penalty from the payer?
Do the Right Thing
On the other side of that debate is the argument that wrong is wrong. While the risk of a payer payback is diminished with undercoded services, it’s still incorrect coding. And the risk of an external auditor uncovering some other known or unknown issue during their investigation simply can’t be quantified.
Think of it in these terms: If you were to be personally audited by the Internal Revenue Service, would you be more concerned with them finding what you know to be tax issues or finding something you didn’t know was an issue? I would hope that the unknown would induce more anxiety. From a compliance perspective, the level of concern should elevate the moment that an external source enters your space, regardless of what prompted the visit. The idea is that with every passing moment, the ramifications of the visit may change because of something completely unrelated to the initial inquiry.
Where Do You Stand?
This ideology requires you to ask yourself: Are you more comfortable with focusing every dollar of your limited resources on mitigating the risk of a payer-induced payback or are you focused on attaining the highest level of accuracy possible to minimize the risk of an audit? And is your preference to drill down to the causes of what you deem to be the highest-level offenses or to uncover and address a broad set of issues that have reciprocal effects on other areas?
For many organizations, these questions rival whether the chicken or the egg came first. Organizations with established, long-standing compliance plans tend to have the luxury of focusing on more specific items of interest, while less advanced entities are left to figuratively do five miles an hour over the speed limit and pray they don’t get pulled over for an unknown taillight malfunction that may uncover an expired license and registration, as well.
Hello Mr. Blizzard,
I enjoyed this article about risk tolerance and the depiction of speeding 5 miles over the speed limit being our amount of risk tolerance. Apparently, I’ve heard CMS allows for a 5% error rate (risk tolerance). What are your thoughts when auditing records for the payer and dealing with poor provider documentation that we don’t like but we will accept the bare minimum documentation to validate a condition since we cannot query retrospectively for that encounter? For instance, when you can tell the provider is copying and pasting multiple HCC identified conditions to the Assessment and enters the same standard templated statement that is included on all patients with that condition. How about the patient having a temporary, transient abnormal lab result without a definitive diagnosis and instead of using an abnormal lab result code from Chapter 18 using a Chapter 3 definitive lab diagnosis, for instance Neutropenia, Thrombocytosis and then continues to copy and paste it every time they see the patient saying stable, continue to monitor when the lab result finding is now normal and the condition no longer exists but we can’t query so we are told we must validate it because the provider added it under Assessment. Is that considered just having a higher risk tolerance or coding compliance issues? What are your thoughts on this?