Check out the full compliance risk assessment series here:

1. Integrating basics into your compliance plan
2. Integrating tools into your compliance plan
3. How reliable data improves your compliance plan
4. Preparation and use of action plans


This is the second blog in the “Risk Assessment” series. While the first blog addressed basic definitions and considerations in conducting risk assessments for healthcare providers and organizations, this blog addresses different types of tools and methods to use in risk assessments, as well as the pros and cons of using those tools.

A compliance risk assessment is an analysis of the likelihood that a specific source of concern (SOC) will occur, paired with a measurement of its potential effects. Risk assessments can be conducted to address different SOCs in many ways and at various scopes within an organization.

After identifying the organizational risk and the SOC to assess (whether it is large or small in scale), determine the most effective tools to use for the risk assessment. Which tools will be most effective depends on several factors, such as:

  • the size (scope) of the risk assessment to be conducted,
  • the immediacy of need for the risk assessment (any time constraints or deadlines that you may have),
  • the number of people who might have relevant knowledge about the specific area of risk or SOC, 
  • the level of potential bias you can tolerate (understanding that it is not possible to be certain of the lack of bias in a risk assessment), and
  • the form of the data you would like to result from the risk assessment.

The questions you outlined to ask in this process (as suggested in the first blog) may naturally lead you to a narrower scope than anticipated (e.g., a specific department or function, or smaller group of people with potential knowledge of the SOC) or to a broader scope (e.g., organization-wide assessment).

Side Note: the security risk assessment required by 45 CFR Parts 160 and 164 (the Final Rule modifying the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health (HITECH) Act) is an example of a risk assessment that is broad in terms of the size of the “pool” to include (organization-wide), but fairly narrow as to the subject matter (data security and privacy).

Risk Assessment Tools:

There are a number of different ways to create risk assessment tools and to obtain responses to ascertain potential compliance risks. Some methods include written surveys, group discussions and individual interviews. Below are summaries and examples of those tools:

Individual Interviews:
– 1 on 1 (most honest/reliable responses)
– time-consuming

Group Discussions or Workshops:
– facilitator with identified groups of individuals
– allows brain-storming/interactive discussion
– less likely than individual interviews to produce complete honesty in responses

Written Surveys:
– develop questions that will produce answers based on SOCs to identify specific risks (i.e., what are you concerned about?)
– should be specific to provider-type
– determine whether anonymity will be allowed (e.g., provide only department identification, no identifiers, etc.)
– if respondents can be identified, responses are least likely to be completely honest
– instructions for completion and deadline for return
– participation will likely be much lower than desired

Data Mining or Internal Data Audits:
– can use internal resources, where possible
– can use audits already conducted, if applicable and if the likelihood of bias or error in them is low
– may need to establish new parameters for separate audits

There are other tools you can use in your healthcare compliance plan, such as policy review, but the examples above are a good place to start.

The New York State Office of Medicaid Inspector General Bureau of Compliance “Compliance Program Assessment Tool – Focused Reviews” is an excellent example of a thorough risk assessment tool that can guide a particular assessment or review. 

What risk assessment tools does your organization use? Comment Below!


Guest Author, ALLISON K. LUKE, JD, CHC
Allison has more than 22 years of healthcare law and compliance experience. She received her Juris Doctor in 1990 from the University of Georgia School of Law, Athens, Georgia. She has been certified in healthcare compliance (CHC) since 2009. Ms. Luke has served as a Corporate Compliance Officer, in-house Legal Counsel and a Privacy Officer and has provided healthcare compliance consulting services for many healthcare providers, large and small.

Ms. Luke’s experience includes representation of hospitals, healthcare systems, home health agencies, mental health organizations, dental practices, physician practices, rehabilitation service providers, long-term care facilities, MCOs, and other healthcare providers in compliance matters, including, but not limited to, investigations before federal and state authorities. Some of Ms. Luke’s strengths include risk assessments, corporate compliance program development, policy review and development, external compliance investigations, privacy and security process review, and compliance audit program development.