COSO Guidance for Healthcare Firms
Fresh news on the guidance front: COSO has released a new guide to help healthcare organizations implement its internal control framework widely used by public companies.
Nonprofit hospitals and related healthcare firms don’t need to use the COSO internal control framework per se, but they do have plenty of internal issues related to system access and integrity, documentation, billing codes, and so forth — which can lead to nasty state and federal regulatory trouble if those issues aren’t handled carefully.
So COSO is publishing this guidance to woo healthcare audit and compliance executives into the COSO camp. Its internal control framework has been available since 2013, and many publicly traded companies already use it to build effective internal control over financial reporting, as required by the Sarbanes-Oxley Act.
The guidance — rather blandly named “2013 COSO Integrated Framework: An Implementation Guide for the Healthcare Provider Industry” — is a 36-page tour of how a healthcare firm might apply the internal control framework to its operations. It’s available for free on the COSO website, although the internal control framework itself is only available for purchase.
COSO developed the guidance in conjunction with advisory firm Crowe and CommonSpirit Health, a Catholic hospital system with $29.2 billion in annual revenue and more than 150,000 employees.
“Effective internal control is vital to successfully weathering the ever-changing healthcare environment, and it can help mitigate many of the risks associated with the complex pressures healthcare organizations confront today,” COSO chair Paul Sobel said in a statement. “Formally adopting the Internal Control Framework facilitates an increased understanding of the internal controls in existence and indicates where improvements should be made, resulting in reduced risk for all stakeholders.”
COSO in Context
This healthcare guidance is the latest missive from COSO trying to put its most important documents — the frameworks for internal control (published in 2013) and enterprise risk management (published in 2017) — into more specific, useful contexts for internal audit and compliance professionals.
For example, last year COSO published a short guide on how to apply its ERM framework to environmental, social, and governance risks. In 2015 COSO also released guides on how to use the internal control framework for cybersecurity and to develop the Three Lines of Defense approach to risk assurance.
That’s exactly in line with what Sobel told me during an interview last year: more focus on practical ways to build internal control and risk management systems, with “a bit of a moratorium” on major frameworks since both existing frameworks are so new.
Meanwhile, it’s not like hospital systems don’t need the help. For example, the rise of electronic health records, technology service providers, and fierce consumer privacy rules bring all sorts of challenges around risk assessment and access control. A great example of that issue happened in December, when a hospital in Portugal was sanctioned by authorities there for granting excessive access to patient data: more than 950 staff had the access rights of a medical doctor, yet the hospital had only 296 doctors on staff.
Sure, that happened in Portugal — but does anyone doubt that U.S. hospitals face similar risks?
Then there are the byzantine billing code rules for Medicare and Medicaid payments, plus expanded reporting under the Physician Payments Sunshine Act going into effect at the start of 2022. (Short version: now physician assistants, nurse practitioners, clinical nurse specialists, and other healthcare professionals will all be swept into Sunshine Act reporting.)
So sure, COSO is publishing this guidance in a bid to stay relevant to the internal audit and compliance professions. Who cares? The guidance is useful, and healthcare compliance professionals have their hands full. They need all the help they can get.