Check out the full compliance risk assessment series here:

1. Integrating basics into your compliance plan
2. Integrating tools into your compliance plan
3. How reliable data improves your compliance plan
4. Preparation and use of action plans


This is a follow up to the three-part series of the “Risk Assessments” blogs. As a reminder, the blogs addressed considerations in conducting risk assessments for healthcare providers and organizations, different types of tools and methods that can be used in these assessments, and what to do with the information obtained from the assessments, including reporting results of the assessments and mitigating identified risks.

The next step in the compliance risk assessment process is developing and implementing the action plans called for by the results of the assessments.

What to do with the identified risks?

Risks identified that need remediation, as determined by your organization’s Board, will be the focus of your action plans. You should develop and implement action plans in your compliance plan for the most imminent risks first, then for the other identified risks, in descending order of significance.

Remediation and the reduction of risks require identification of the desired potential outcomes. It may not be possible to completely remove a compliance risk, but only to reduce the likelihood of occurrence or the potential impact of an occurrence. Desired outcomes should be listed and categorized based on your risk assessment report, specifically by:

  • Immediacy of concern,
  • Financial impact,
  • Reputational impact, and
  • Likelihood of occurrence.

One outcome objective must be compliance with the specific requirements of all applicable laws, rules or regulations. Guidelines for determining how to fully comply with such laws, rules or regulations should include, at a minimum:

  • the review of any previous failed action plans addressing the risk or source of concern, including a determination of how each failed,
  • the review, revision and/or development of organizational policies and procedures to address each issue/identified risk area,
  • the identification of the responsible (and accountable) organizational department or functional area, including the titles of those assigned to the specific tasks identified, and
  • the development of audit tools needed to measure the amelioration of risks.

Action Plans – put into motion:

After determining the appropriate action plans to reduce the identified healthcare compliance risks, implement them with specific timelines for deliverables (e.g., new or revised policies and procedures, staff education and/or training, audits, etc.). Timelines should be followed strictly by the persons identified to accomplish the action steps, and the person responsible must be held accountable for the action plan to succeed. Your organization’s corporate compliance plan committee should prioritize the review and monitoring of action plans on its agendas. Any setbacks or problems should be addressed as quickly as possible and reported to executive management.

After the successful completion of action plans, you should conduct routine follow-ups to ensure the continued successful remediation of risk. Such follow-ups may include adding the issues to future annual audit plans, annual training, and policy and procedure review.

Finally, don’t forget to share with the Board and Management:

Action plan updates should be included in routine reports to your organization’s Board. The Board should be informed of the progress of action plans, including any follow-up audits. Board awareness and ownership of compliance risk remediation efforts is an essential piece in demonstrating an effective corporate compliance plan. It is important to be in lock-step with both your Board and your management. If compliance is the tone from the top, you will be firing on all cylinders and utilizing best practices in your organization. Beyond adding value, this creates the kind of work environment you and your staff will be excited to work in, with the ultimate satisfaction of achieving healthcare compliance.


Guest Author, ALLISON K. LUKE, JD, CHC

Allison has more than 22 years of Healthcare Law and Compliance experience. She received her Juris Doctor in 1990 from the University of Georgia School of Law, Athens, Georgia. She has been certified in healthcare compliance (CHC) since 2009. Luke has served as a Corporate Compliance Officer, in-house Legal Counsel and a Privacy Officer, and has provided healthcare compliance consulting services for many healthcare providers, large and small.

Luke’s experience includes representation of hospitals, healthcare systems, home health agencies, mental health organizations, dental practices, physician practices, rehabilitation service providers, long-term care facilities, MCOs, and other healthcare providers in compliance matters, including, but not limited to, investigations before federal and state authorities. Some of Luke’s strengths include risk assessments, corporate compliance plan development, policy review and development, external compliance investigations, privacy and security process review, and compliance audit program development.