2023 Edition

Risk Prevention and Management Introduction

Purpose

Comprehensive, systematic, and effective risk prevention and management practices sustain the organization's ability to positively impact the communities and people it serves by reducing its risk, loss, and liability exposure.

Introduction

COA’s Risk Prevention and Management standards require that organizations take a proactive approach to risk by continually improving systems and practices for identifying and mitigating potential risks, and learning from adverse events and challenges when they occur. Proactive, systemic risk prevention and management requires a holistic approach that involves staff throughout the organization and considers all areas of potential risk including, but not limited to: legal compliance, liability exposure, health and safety, human resources, contracting, technology, security of information, client rights and confidentiality, and finances. Such practices contribute to mission fulfillment by protecting the organization’s long-term sustainability.

Note: Please see the RPM Reference List for the research that informed the development of these standards.


Note: For information about changes made in the 2020 Edition, please see RPM Crosswalk.



Risk Prevention and Management (RPM) 1: Legal and Regulatory Compliance

The organization annually reviews compliance with applicable federal, state, and local laws, codes, and regulations, including those related to:

  1. licensure;
  2. facilities;
  3. accessibility;
  4. health and safety;
  5. finances; and
  6. human resources.
Interpretation: In regards to element (b), organizations that rent facilities should obtain relevant documentation from their landlord. If the organization cannot obtain access to the required documentation from their landlord or from relevant public or private health and safety authorities, the organization may also solicit a recognized expert to verify compliance with applicable laws and safety codes.
Examples: In regards to element (b), examples of relevant regulations and codes can include:
  1. certification of occupancy requirements;
  2. zoning and building codes;
  3. occupational safety and health administration codes;
  4. health, sanitation, and fire codes; and
  5. elevator inspections.
In regards to element (c), relevant requirements can include, for example, universal precautions for minimizing exposure to contagious and infectious disease; and storage, cleaning, and disposal of medical waste.

In regards to element (f), it is recommended practice to conduct an annual review of human resource practices to ensure compliance with applicable employment and labor laws. The Human Resource Management field refers to this annual review as an annual "audit". Examples of human resource laws and regulations include:
  1. use of independent contractors;
  2. use of contingent workers such as temporary employees, volunteers, and leased workers;
  3. laws governing fair employment practices, including non-discrimination and harassment;
  4. compensation and benefits;
  5. maintenance of personnel records;
  6. selection and retention practices, including retention of hiring records; and
  7. background checks.
1
The organization's practices reflect full implementation of the standard.
2
Practices are basically sound but there is room for improvement.
3
Practice requires significant improvement; e.g.,
  • One of the elements has not been reviewed in more than two years; or
  • The organization has been notified of compliance or licensure problems and is working with the relevant authority to remediate deficiencies.
4
Implementation of the standard is minimal or there is no evidence of implementation at all; e.g.,
  • Two elements have not been reviewed in more than two years; or
  • The organization is under sanction due to noncompliance with legal or regulatory requirements; or
  • The letter certifying compliance with all applicable laws was not signed or was otherwise inadequate.

Risk Prevention and Management (RPM) 2: Risk Prevention and Management

The organization identifies and reduces potential loss and liability by:
  1. conducting prevention and risk reduction activities; and
  2. monitoring and evaluating risk prevention and management effectiveness.
1
The organization's practices fully meet the standard, as indicated by full implementation of the practices outlined in the RPM 2 Practice standards.
2
Practices are basically sound but there is room for improvement, as noted in the ratings for the RPM 2 Practice standards.
3
Practice requires significant improvement, as noted in the ratings for the RPM 2 Practice standards.
4
Implementation of the standard is minimal or there is no evidence of implementation at all, as noted in the ratings for the RPM 2 Practice standards.
Self-Study Evidence On-Site Evidence On-Site Activities
  • Procedures for quarterly review of immediate and ongoing risks
  • Procedures for investigation and review of critical incidents
  • Quarterly risk management reports
  • Results of independent investigations of critical incidents
  • Governing body and management meeting minutes where risk prevention and management activities are reviewed
  • Interviews may include:
    1. Governing Body
    2. CEO
    3. Relevant personnel

 
Fundamental Practice

RPM 2.01

The organization conducts a quarterly review of immediate and ongoing risks that includes a review of incidents, critical incidents, accidents, and grievances related to the following, as appropriate to the program or service:

  1. facility safety issues;
  2. serious illness, injuries, and deaths;
  3. situations where a person was determined to be a danger to himself/herself or others;
  4. service modalities or therapeutic interventions; and
  5. the use of restrictive behavior management interventions, such as seclusion and restraint.
FEC Interpretation: In credit counseling organizations, only elements (a) through (c) could potentially apply.

EAP Interpretation: In employee assistance programs, only elements (a) through (c) could potentially apply.
Example: The organization can examine critical incident data that disaggregates incidents by race and ethnicity to identify trends in service equity, such as disproportionate use of restrictive interventions.
Note: Results of the quarterly reviews may inform the annual insurance needs assessment in RPM 3.01.
1
The organization's practices reflect full implementation of the standard.
2
Practices are basically sound but there is room for improvement; e.g.,
  • Reviews are conducted quarterly but one of the elements is not fully addressed.
3
Practice requires significant improvement; e.g.,
  • The organization conducts reviews less than quarterly; or
  • Two elements are not fully addressed; or
  • One element is not addressed at all.
4
Implementation of the standard is minimal or there is no evidence of implementation at all.

 
Fundamental Practice

RPM 2.02

The organization conducts a review of each incident, serious occurrence, accident, and grievance that involves the threat of or actual harm, serious injury, or death; and review procedures:
  1. require that the investigation be initiated within 24 hours of the incident and/or accident being reported and establish timeframes for completing the review;
  2. require solicitation of statements from all involved individuals;
  3. ensure an independent review;
  4. require timely implementation and documentation of all actions taken;
  5. address ongoing monitoring if actions are required and assessing their effectiveness; and
  6. address applicable reporting requirements.
Examples: Root cause analysis can be a useful approach to reviewing serious incidents and accidents. Root cause analysis is a term used to describe a variety of techniques used by organizations to identify the cause of a problem and determine how to prevent that problem from recurring.
1
The organization's practices reflect full implementation of the standard.
2
Practices are basically sound but there is room for improvement; e.g.,
  • Review procedures need strengthening; or
  • One of the elements is not fully addressed; or
  • Documentation could be improved.
3
Practice requires significant improvement; e.g.,
  • One of the elements is not addressed at all; or
  • While reviews are generally conducted, documentation is consistently missing; or
  • There is evidence that at least one serious incident was not reviewed.
4
Implementation of the standard is minimal or there is no evidence of implementation at all.

Risk Prevention and Management (RPM) 3: Insurance Protection

The organization is adequately insured.
1
The organization's practices fully meet the standard, as indicated by full implementation of the practices outlined in the RPM 3 Practice standards.
2
Practices are basically sound but there is room for improvement, as noted in the ratings for the RPM 3 Practice standards.
3
Practice requires significant improvement, as noted in the ratings for the RPM 3 Practice standards.
4
Implementation of the standard is minimal or there is no evidence of implementation at all, as noted in the RPM 3 Practice standards.
Self-Study Evidence On-Site Evidence On-Site Activities
Networks Only
  • Procedures for identifying and verifying provider insurance
  • Current insurance policies with descriptions, amounts, and dates of coverage
  • Results of most recent annual assessment of insurance needs
Networks Only
  • Documentation of insurance verification
  • Copy of written communication to providers regarding required insurance
  • Interviews may include:
    1. Governing Body
    2. CEO/CFO
    3. Relevant personnel
Networks Only
  • Interviews may include:
    1. Provider Representatives

 
Fundamental Practice

RPM 3.01

The organization annually assesses insurance needs in consultation with insurance professionals or experienced legal counsel, and obtains coverage that is commensurate with the scope and complexity of its services.
Examples: Relevant types of insurance can include:
  1. general liability;
  2. worker’s compensation;
  3. disability;
  4. fire and theft;
  5. medical;
  6. indemnification;
  7. professional liability;
  8. officer’s or director’s liability;
  9. automobile liability;
  10. property and casualty;
  11. malpractice;
  12. cybersecurity or cyberliability; and
  13. bonding or other forms of employee theft insurance, for all staff and governing body members who sign checks, handle cash or contributions, or manage funds.
1
The organization's practices reflect full implementation of the standard.
The organization obtains professional consultation about appropriate coverage.
2
Practices are basically sound but there is room for improvement; e.g.,
  • Insurance needs are reviewed annually; however, coverage may be insufficient in some areas.
3
Practice requires significant improvement; e.g.,
  • Insurance needs have not been reviewed for more than two years; or
  • Coverage is clearly inadequate in one key area.
4
Implementation of the standard is minimal or there is no evidence of implementation at all.

 

RPM 3.02

The organization:
  1. provides written notification to the governing body and personnel of the amount and type of insurance coverage related to the scope of their activities performed on the organization’s behalf;
  2. advises the governing body and personnel of the extent and limits of liability coverage; and
  3. provides and assumes the cost of legal assistance to personnel against whom claims are made related to lawful, authorized actions taken within the course and scope of their duties.
Interpretation: All personnel and governing body members must receive this information at the initiation of their association with the organization and when any changes to the level and/or type of insurance coverage occur.
 

Interpretation: This standard does not require the organization to provide assistance to personnel who commit unlawful acts or acts that are not conducted in the course of, or in furtherance of, their employment. In addition, this standard does not require the organization to provide legal assistance to personnel if the organization’s legal counsel determines that doing so would constitute a conflict of interest.
1
The organization's practices reflect full implementation of the standard.
2
Practices are basically sound but there is room for improvement; e.g.,
  • The organization generally provides a written description but on occasion the disclosure is verbal and informal.
3
Practice requires significant improvement; e.g.,
  • The organization provides information only upon request or provides partial disclosure.
4
Implementation of the standard is minimal or there is no evidence of implementation at all.

 

RPM 3.03

The network annually verifies that provider insurance coverage is current and meets the organization's requirements stated in the contract.
NA The organization is not a network management entity and is not assigned the Network Administration (NET) standards. 

Note: See RPM 6.04 for more information on establishing and communicating insurance requirements to network service providers.
1
The organization's practices reflect full implementation of the standard.
2
Practices are basically sound but there is room for improvement; e.g.,
  • Procedures for identifying/specifying level and type of insurance or for annually verifying coverage need strengthening.
3
Practice requires significant improvement; e.g.,
  • Annual verification not documented for all providers; or
  • Some providers did not meet insurance requirements yet continue to provide network services.
4
Implementation of the standard is minimal or there is no evidence of implementation at all.

Risk Prevention and Management (RPM) 4: Technology and Information Management

The organization's technology and information systems have sufficient capability to support operations, service delivery, strategic planning, and quality improvement activities.
Interpretation: The standards in this section address the management of all types of paper and electronic information maintained by the organization including:
  1. case records and other information of persons served;
  2. administrative, financial, and risk management records and reports;
  3. personnel files and other human resources records; and
  4. performance and quality improvement data and reports.
Examples: Implementing a controlled document system is one way an organization can organize, track, store and ensure the use of the most current version of documents. These systems address, for example, processes for:
  1. updating, creating, and deleting documents;
  2. notifying users of changes;
  3. identifying documents; and
  4. maintaining a master list of documents.
1
The organization's practices fully meet the standard, as indicated by full implementation of the practices outlined in the RPM 4 Practice standards.
2
Practices are basically sound but there is room for improvement, as noted in the ratings for the RPM 4 Practice standards.
3
Practice requires significant improvement, as noted in the ratings for the RPM 4 Practice standards.
4
Implementation of the standard is minimal or there is no evidence of implementation at all, as noted in the ratings for the RPM 4 Practice standards.
Self-Study Evidence On-Site Evidence On-Site Activities
  • Information management procedures/guidelines
  • Agreements with third parties (e.g., information technology vendors, business associates, etc.), when applicable
  • Interviews may include:
    1. Information Systems manager
    2. Relevant personnel
  • Observe Information Systems

 

RPM 4.01

The organization assesses its technology and information management needs including a review of:
  1. current technology and information systems in use by the organization;
  2. short- and long-term goals for utilizing technology; and
  3. current technical skills of staff and need for staff training.
1
The organization's practices reflect full implementation of the standard.
2
Practices are basically sound but there is room for improvement; e.g.,
  • One of the standard's elements was not fully addressed.
3
Practice requires significant improvement; e.g.,
  • The assessment is very basic and provides minimal guidance to staff; or
  • One of the elements was not addressed at all.
4
Implementation of the standard is minimal or there is no evidence of implementation at all.

 

RPM 4.02

The organization has an information management system that:
  1. gives personnel consistent, timely, and appropriate access to all types of electronic and paper records; and
  2. supports continuity and integration of care across programs and services by giving timely access to information about persons served to practitioners across the organization, as appropriate.
Interpretation: Organizations moving to electronic systems may need to develop procedures for maintaining both electronic and paper records including procedures for maintaining consistency between the two file types and ensuring the electronic record is comprehensive and complete. If there are components of paper records that cannot be accommodated electronically, the organization should consider how it will retain and document the existence of supplemental, paper-based portions of records.
1
The organization's practices reflect full implementation of the standard.
2
Practices are basically sound but there is room for improvement; e.g.,
  • A formal system is in place, but is not fully implemented so locating records may sometimes be time consuming or difficult.
3
Practice requires significant improvement; e.g.,
  • The system is informal and unsystematic; or
  • Records are occasionally misplaced.
4
Implementation of the standard is minimal or there is no evidence of implementation at all.

 

RPM 4.03

The organization's electronic information systems are capable of:
  1. capturing, tracking, and reporting financial, compliance, and other business information;
  2. longitudinal reporting and comparison of performance and outcomes over time; and
  3. the use of clear and consistent formats and methods for reporting and disseminating data.
Interpretation: “Electronic information systems” are used for collecting, storing, analyzing, and disseminating information electronically. An electronic information system may consist of a single desktop or larger network of computers, laptops, and/or devices. Organizations are not required to implement robust electronic information systems; rather they must have systems that are appropriate for supporting their administrative operations and service delivery.
1
The organization's practices reflect full implementation of the standard.
2
Practices are basically sound but there is room for improvement; e.g.,
  • Some aspects of the system need further development.
3
Practice requires significant improvement; e.g.,
  • The system is basic and minimally supports the organization’s data needs.
4
Implementation of the standard is minimal or there is no evidence of implementation at all.

Risk Prevention and Management (RPM) 5: Security of Information

Electronic and printed information is protected against intentional and unintentional destruction or modification and unauthorized disclosure or use.
Interpretation: The standards in this section address security of all types of paper and electronic information maintained by the organization, unless otherwise noted, including:
  1. case records and other information of persons served;
  2. administrative, financial, and risk management records and reports;
  3. personnel files and other human resources records; and
  4. performance and quality improvement data and reports.
1
The organization's practices fully meet the standard, as indicated by full implementation of the practices outlined in the RPM 5 Practice standards.
2
Practices are basically sound but there is room for improvement, as noted in the ratings for the RPM 5 Practice standards.
3
Practice requires significant improvement, as noted in the ratings for the RPM 5 Practice standards.
4
Implementation of the standard is minimal or there is no evidence of implementation at all, as noted in the ratings for the RPM 5 Practice standards.
Self-Study Evidence On-Site Evidence On-Site Activities
  • Data security policies
  • Data security procedures, including HIPAA compliance as applicable
  • Policies on the use of social media, electronic communications, and mobile devices
  • Procedures on the use of social media, electronic communications, and mobile devices
  • Procedures for managing data interruptions/disaster recovery plan
  • Agreements with third parties (e.g., information technology vendors, business associates, etc.), when applicable
  • Results of HIPAA compliance review
  • Interviews may include:
    1. Relevant personnel
  • Observe case record room/files and information system accessibility

 

RPM 5.01

The organization protects confidential and other sensitive information from theft, unauthorized use or disclosure, damage, or destruction by:
  1. limiting access to authorized personnel on a need-to-know basis;
  2. using firewalls, anti-virus and related software, and other appropriate safeguards;
  3. monitoring security measures on an ongoing basis;
  4. having the ability to remotely wipe or disable mobile devices, if applicable, in the event that a device is lost, stolen, repurposed, or discarded; and
  5. maintaining paper records in a secure location when not in use by authorized staff.
Examples: In regards to element (a), the organization may limit access to authorized personnel by:
  1. limiting access based on staff role within the organization;
  2. ensuring the electronic system requires strong passwords/passcodes for access to confidential information, requires passwords/passcodes to be regularly changed, locks the user out of the system for incorrect login attempts, and automatically times out after a period of inactivity and prompts reauthentication;
  3. disabling the equipment, passwords, and access of former employees; and
  4. ensuring the system is capable of tracking who accesses confidential information in the system and recording when information is altered or deleted, also known as audit logs.
In regards to element (e), secure storage of paper records can include:
  1. locked file cabinets;
  2. a locked file room with limited access or a gatekeeper system whereby one person or a few people can unlock the file storage area or access the files themselves; or
  3. a system using a keypad or keys where only authorized individuals are given the keypad code or copies of the keys.
Other important considerations can include procedures related to information taken off-site by staff.

Note: Please see the Facility Observation Checklist for additional guidance on this standard.

1
The organization's practices reflect full implementation of the standard.
2
Practices are basically sound but there is room for improvement; e.g.,
  • Some aspect of the organization's data security procedures needs strengthening; or
  • With few exceptions, procedures are understood by staff and are being used.
3
Practice requires significant improvement; e.g.,
  • There is a major deficiency in at least one of the listed elements resulting in risk to the organization; or
  • There have been instances of unauthorized access to confidential or sensitive information; or
  • Procedures are not well-understood or used appropriately.
4
Implementation of the standard is minimal or there is no evidence of implementation at all.

 

RPM 5.02

Proper safeguards protect confidential information when transmitted electronically.
1
The organization's practices reflect full implementation of the standard.
2
Practices are basically sound but there is room for improvement.
3
Practice requires significant improvement.
4
Implementation of the standard is minimal or there is no evidence of implementation at all.

 

RPM 5.03

The organization has policies and procedures addressing the use and monitoring of:
  1. social media;
  2. electronic communications; and
  3. mobile devices, including staff-owned devices, if applicable.
Examples: “Social media and electronic communications” include a variety of applications and websites used to create and share content, for example:
  1. the organization’s own website;
  2. external websites;
  3. email;
  4. texting;
  5. blogs;
  6. social networking and bookmarking sites such as Pinterest, Instagram, Twitter, and Facebook;
  7. wikis; and
  8. discussion forums.
Risks associated with the use of social media and electronic communications may include:
  1. unauthorized or prohibited contact between staff and service recipients;
  2. unauthorized or inappropriate use of organization logos or trademarks;
  3. personal comments or opinions that can be misconstrued as representing the views of the organization, or that present the organization in a negative light;
  4. inadvertent or deliberate disclosure of confidential or proprietary business information; and
  5. inadvertent or deliberate disclosure of confidential or protected information about service recipients.
Examples: A social media policy typically addresses:
  1. the organization’s definition of “social media”;
  2. responsible parties (e.g., individuals responsible for setting up accounts, contributing content, monitoring content, etc.);
  3. prohibited forms of communication;
  4. the appropriate use of social media including confidentiality and privacy considerations; and/or
  5. consequences for failure to follow the policy and/or related guidelines.
1
The organization's practices reflect full implementation of the standard.
2
Practices are basically sound but there is room for improvement; e.g.,
  • Some aspects of the procedures need further development.
3
Practice requires significant improvement; e.g.,
  • Procedures are very basic and provide minimal guidance to staff; or
  • Procedures are not well-understood by staff or are frequently not being followed; or
  • Procedures are still under development and have only been partially implemented.
4
Implementation of the standard is minimal or there is no evidence of implementation at all.

 

RPM 5.04

The organization is prepared for planned and unplanned interruptions of data and limits the disruption to its operations and service delivery by:
  1. maintaining procedures for managing data interruptions and resuming operations;
  2. backing up electronic data regularly, with copies maintained off premises; and
  3. regularly testing the organization’s back-up plan including data restoration processes.
Interpretation: This standard applies to any instance of prolonged data disruption, regardless of whether there is a corresponding emergency.
Examples: A disaster recovery plan is a set of procedures put in place to protect and recover an organization’s IT infrastructure to ensure the continuation of business in the event of a disaster. The plan clearly defines what disaster means for the organization’s administrative operations and service delivery. It also includes specific guidance on when primary systems are considered nonfunctional/shut down, at what point secondary systems should be activated, who has the authority to make that determination, and how to inform staff and stakeholders that a disaster has occurred.

Factors that increase the effectiveness of a disaster recovery plan include:
  1. training staff on response procedures; 
  2. practicing procedures/conducting downtime drills; 
  3. testing disaster recovery systems on an ongoing basis; and
  4. monitoring plan implementation.
1
The organization's practices reflect full implementation of the standard.
2
Practices are basically sound but there is room for improvement; e.g.,
  • Some aspects of the procedures need further development.
3
Practice requires significant improvement; e.g.,
  • Procedures are very basic and provide minimal guidance to staff; or
  • Procedures are still under development and have only been partially implemented.
4
Implementation of the standard is minimal or there is no evidence of implementation at all.

 

RPM 5.05

The organization ensures its electronic system for managing health records or protected health information limits access to information in accordance with confidentiality rules and the person's privacy preferences to the greatest extent possible.
Interpretation: If the electronic health record system employed by the organization is not able to meet all client privacy preferences and/or all of the necessary confidentiality rules, the organization informs the service recipient of the system’s limitations and obtains consent for the exchange of electronic health information based on those restrictions.
NA The organization does not electronically manage health records or protected health information.
Examples: The HIPAA Security Rule and Meaningful Use criteria provide strong guidance to organizations regarding the capabilities of electronic health record (EHR) systems. Using a certified EHR is the best way to meet the Meaningful Use criteria. Organizations that are unable to acquire a certified EHR are encouraged to still strive to meet Meaningful Use recommendations in their selection and use of EHR systems.
1
The organization's practices reflect full implementation of the standard.
2
Practices are basically sound but there is room for improvement; e.g.,
  • Procedures for monitoring and maintaining legal compliance require greater clarity or specificity.
3
Practice requires significant improvement; e.g.,
  • The organization is aware of compliance problems and is working to remediate deficiencies.
4
Implementation of the standard is minimal or there is no evidence of implementation at all; e.g.,
  • The organization is aware of compliance problems and is not working to remediate deficiencies.

Risk Prevention and Management (RPM) 6: Contracts and Service Agreements

The pursuit of contracts and service agreements is:
  1. consistent with the organization’s mission;
  2. aligned with, and supportive of, the organization’s service array and resource development goals; and
  3. responsive to the needs and desired outcomes of persons served.

Interpretation: These standards apply to all contracts entered into by the organization in which it acts as a purchaser or vendor of social and human services as well as to contracts for the purchase of support services, such as maintenance or transportation services. These standards are not applicable to contracts with individual consultants and independent contractors, which are addressed in Human Resources Management (HR 7).  

1
The organization's practices fully meet the standard, as indicated by full implementation of the practices outlined in the RPM 6 Practice standards.
2
Practices are basically sound but there is room for improvement, as noted in the ratings for the RPM 6 Practice standards.
3
Practice requires significant improvement, as noted in the ratings for the RPM 6 Practice standards.
4
Implementation of the standard is minimal or there is no evidence of implementation at all, as noted in the ratings for the RPM 6 Practice standards.
Self-Study Evidence On-Site Evidence On-Site Activities
  • Contracting procedures
  • List of contracts/service agreements/memoranda of understanding (MOU)
  • Contracts/service agreements/MOUs
  • Board meeting minutes of governing body review of significant contracts from the previous 12 months
  • Interviews may include:
    1. Governing Body
    2. CEO/CFO
    3. Contract manager(s)
    4. Vendors
Networks Only:
  • Interviews may include:
    1. Provider CEO/CFO
    2. Provider contract manager(s)

 

RPM 6.01

The organization:

  1. establishes a system of standardized contracting practices;
  2. pursues contracts that serve the organization’s and service recipient’s best interests, not private interests;
  3. seeks opportunities to source goods and services from diverse suppliers;
  4. conducts due diligence in contracting activities including review of possible risks;
  5. uses competitive bidding, when applicable; and
  6. ensures governing body review of significant contracts.
1
The organization's practices reflect full implementation of the standard.
2
Practices are basically sound but there is room for improvement; e.g.,
  • One of the elements needs strengthening.
3
Practice requires significant improvement; e.g.,
  • Two of the elements need strengthening; or
  • One element is not addressed at all; or
  • The governing body does not review significant contracts.
4
Implementation of the standard is minimal or there is no evidence of implementation at all.

 
Fundamental Practice

RPM 6.02

Written contracts:
  1. are reviewed by legal counsel or another qualified individual prior to signing; and
  2. contain all significant terms and conditions in accordance with applicable law.
Interpretation: “Significant terms” should include, as appropriate to the type of contract:
  1. roles and responsibilities of participating organizations;
  2. services to be provided;
  3. clearly defined performance goals;
  4. measurable outcomes;
  5. service authorization, including eligibility criteria;
  6. provisions for training and technical support, as necessary;
  7. duration of contract, including delineation of follow-up services;
  8. policies and procedures for sharing information;
  9. methods for resolving disputes;
  10. a plan and procedure for timely payment, and consequences for failure to pay;
  11. necessary documentation and means of reporting to funding or oversight bodies; and
  12. conditions for termination of the contract.
1
The organization's practices reflect full implementation of the standard.
2
Practices are basically sound but there is room for improvement; e.g.,
  • Though all contracts are reviewed, contracting procedures do not address the standard.
3
Practice requires significant improvement; e.g.,
  • Terms and conditions of contracts are often general, nonspecific, or unclear; or
  • There is evidence that some contracts have not been reviewed as required by the standard.
4
Implementation of the standard is minimal or there is no evidence of implementation at all; e.g.,
  • Contracts are totally inadequate in specification of terms and conditions; or
  • Contracts are not routinely reviewed as required.

 

RPM 6.03

Non-contractual service agreements include, as appropriate:
  1. services exchanged or provided, and/or the goals and objectives of such collaborations;
  2. roles and responsibilities of each organization including reporting responsibilities;
  3. procedures for sharing information;
  4. confidentiality protections including signed written consent forms;
  5. assignment of case coordination responsibilities;
  6. service authorization procedures including accepting or rejecting cases; and
  7. how to resolve communication difficulties.
Interpretation: This standard applies to non-contractual arrangements, also known as Memorandums of Understanding (MOUs), in which organizations collaborate with service providers to deliver specific services to a person or persons. This could include, for example, a service in which a service provider voluntarily comes into the host organization’s facility to provide weekly smoking cessation classes.
NA The organization does not enter into non-contractual service agreements.
1
The organization's practices reflect full implementation of the standard.
2
Practices are basically sound but there is room for improvement; e.g.,
  • Procedures need strengthening; or
  • One element is not addressed at all.
3
Practice requires significant improvement; e.g.,
  • Terms and conditions of service agreements are often general, nonspecific, or unclear; or
  • At least two of the elements are not addressed at all.
4
Implementation of the standard is minimal or there is no evidence of implementation at all.

 
Fundamental Practice

RPM 6.04

Contracts for the provision of network services also include:
  1. the network's requirements regarding provider participation in network quality improvement activities;
  2. access to case record provisions;
  3. utilization management protocols;
  4. required levels and types of insurance; and
  5. agreement to participate in network training.

NA The organization is not a network management entity and is not assigned the Network Administration (NET) standards. 

Examples: Regarding element (b), network management entities could require access to case information in order to conduct utilization management activities, verify billing, provide care coordination, and carry out other network management activities.
1
The organization's practices reflect full implementation of the standard.
2
Practices are basically sound but there is room for improvement; e.g.,
  • Procedures need strengthening; or
  • One of the elements is not fully addressed.
3
Practice requires significant improvement; e.g.,
  • The terms and conditions of contracts are often general, nonspecific, or unclear; or
  • At least two of the elements are not fully addressed; or
  • One element is not addressed at all.
4
Implementation of the standard is minimal or there is no evidence of implementation at all; e.g.,
  • Contracts are totally inadequate in specification of terms and conditions.

Risk Prevention and Management (RPM) 7: Quality Monitoring of Contracted Social and Human Services

The organization monitors and evaluates the quality and effectiveness of social and human services purchased from other provider organizations.
Interpretation: These standards only apply to contracts entered into by the organization in which it purchases social and human services from another organization, such as when a shelter program purchases vocational rehabilitation services for its clients. They do not apply to contracts where the organization acts as a vendor of social and human services or to contracts for the purchase of support services, such as maintenance or transportation services. These types of contracts are addressed in RPM 6.
 
The standards in this Core are also not applicable to contracts with individual consultants and independent contractors, which are addressed in Human Resources Management (HR 7).



Network Interpretation: These standards apply to services purchased from all service providers including owner and partner organizations, and individual practitioners, as applicable.
NA The organization does not purchase social and human services from other organizations.

1
The organization's practices fully meet the standard, as indicated by full implementation of the practices outlined in the RPM 7 Practice standards.
2
Practices are basically sound but there is room for improvement, as noted in the ratings for the RPM 7 Practice standards.
3
Practice requires significant improvement, as noted in the ratings for the RPM 7 Practice standards.
4
Implementation of the standard is minimal or there is no evidence of implementation at all, as noted in the ratings for the RPM 7 Practice standards.
Self-Study Evidence On-Site Evidence On-Site Activities
  • Contract monitoring procedures
  • Contracts
  • Contractor progress reports
  • Documentation of contract remediation as appropriate
  • Interviews may include:
    1. Governing Body
    2. CEO/CFO
    3. Contract manager(s)
Networks Only:
  • Interviews may include:
    1. Provider CEO/CFO
    2. Provider contract manager(s)

 
Fundamental Practice

RPM 7.01

Contractors who provide human or social services:
  1. have sufficient human and financial resources to fulfill the terms of the contract; and
  2. are licensed or otherwise legally authorized to provide the contracted services.
1
The organization's practices reflect full implementation of the standard.
2
Practices are basically sound but there is room for improvement; e.g.,
  • Procedures need strengthening.
3
Practice requires significant improvement; e.g.,
  • Documentation is poorly maintained or some documentation is missing; or
  • The organization has not conducted the required due diligence in some instances.
4
Implementation of the standard is minimal or there is no evidence of implementation at all.

 

RPM 7.02

The organization routinely monitors contractor progress toward fulfilling the terms of the contract.
1
The organization's practices reflect full implementation of the standard.
2
Practices are basically sound but there is room for improvement; e.g.,
  • Monitoring procedures need strengthening.
3
Practice requires significant improvement; e.g.,
  • Monitoring is not consistently done.
4
Implementation of the standard is minimal or there is no evidence of implementation at all.

 

RPM 7.03

Contracts for social and human services include:
  1. service quality, client satisfaction, and outcomes that accord with the organization’s expectations;
  2. criteria for evaluating vendor performance;
  3. a process for remediating performance issues; and
  4. protocols for routine communication of related data.
1
The organization's practices reflect full implementation of the standard.
2
Practices are basically sound but there is room for improvement; e.g.,
  • Monitoring procedures need strengthening.
3
Practice requires significant improvement; e.g.,
  • One of the elements has not been implemented.
4
Implementation of the standard is minimal or there is no evidence of implementation at all.
Copyright © 2024 Council on Accreditation