Improve Corporate and Regulatory Compliance with QA Reader

QA Reader helps users stay compliant with organizational, regulatory, and other third-party requirements.

Endorsements to improve compliance

HUD-232

QA Reader is compliant with HUD’s risk management guidelines.

If your organization is financed or partially financed by HUD, it is required to meet stringent risk management guidelines. The HUD Section 232 Handbook outlines risk management requirements for loan recipients. Here are some excerpts:

Operators must implement and maintain a risk management program which incorporates a real-time incident reporting and tracking system that informs Operator’s senior management of all incidents with the potential to expose the Operator to liability for personal injury or other damages. Each incident must be reviewed by the Operator’s appropriately-trained professional staff, and such staff must follow-up on incidents as necessary. The risk management program must include appropriate training for Operator’s staff.

The risk management program, which must be reviewed and approved by ORCF prior to closing, is expected to be maintained for the life of the loan.

  • Internal. Operator has the capacity to administer risk management that includes developing and documenting a risk management plan, incorporating a comprehensive software-based risk management program and have designated staff positions to implement the risk management program. In this approach, a highly experienced long-term care risk manager develops the company’s risk management program, tracks incidents, analyzes incident trends, trains/re-trains front line staff as needed, works with the professional liability insurance carrier, etc. This could be implemented across multiple projects. This would be acceptable if the Operator has the capacity and track record as demonstrated through appropriate quality of care indicators.
  • External. Operator contracts with an experienced third party provider of electronic risk management. This would be required if the Operator does not have the capacity to develop and implement an internal program or if the quality of care indicators are below an acceptable level. This level of risk management provides the highest degree of confidence, accuracy and follow-through on reducing incidents and claims. The statement of work must include, at a minimum, the following:
    • Access and use of an electronic incident tracking and reporting system
    • Project incident reporting and tracking with the third party provider’s data processing/risk management center
    • Clinical specialists to review all incidents and trends and train staff accordingly
    • Assist the project in developing, implementing and maintaining appropriate risk prevention initiatives


QA Reader is a QAPI-compliant quality assessment solution. Our dashboards, analysis, root cause analysis tools, resident intervention tools, and risk manager feedback systems allow your team to comply with elements of QAPI.

  • Element 1 – Design and Scope
  • Element 2 – Governance and Leadership
  • Element 3 – Feedback, Data Systems and Monitoring
  • Element 4 – Performance Improvement Projects (PIPs)
  • Element 5 – Systematic Analysis and Systemic Action


The Agency for Healthcare Research and Quality (AHRQ) is one of twelve agencies within the US Department of Health and Human Services. It’s the smallest of all the governmental agencies represented in this document, with an annual budget of only $440 million. The AHRQ’s stated mission is to “produce evidence to make health care safer, higher quality, more accessible, equitable, and affordable, and to work within the US Department of Health and Human Services and with other partners to make sure that the evidence is understood and used.”

The AHRQ coordinates the development of common formats for patient safety event reporting and analysis. The Patient Safety Act of 2005 establishes Patient Safety Organizations (PSOs) as legal data collection (and protection) entities. PSOs require risk management data to be transmitted in the AHRQ common format. As you may know, if your data is in a PSO, it cannot be subpoenaed in a civil case. That’s really good news for long-term care providers.

What’s the takeaway here? QA Reader has event-specific categories consistent with the AHRQ, including:

  • Device or supply
  • Fall
  • Healthcare-associated infection
  • Medication or other substance
  • Pressure ulcer

For each of these event types, the AHRQ lists three “circumstances” that should be identified:

  • Incident
  • Near miss
  • Unsafe condition

Not only is this good practice for compliance with PSOs and Health and Human Services, it also makes sense. You want to identify near misses and unsafe conditions in order to drive better risk management outcomes.


QA Reader personal health information is encrypted per HIPAA standards and complies with the HIPAA Privacy Rule that protects most “individually identifiable health information held or transmitted by a covered entity” (you) or its business associate (us).

Protected health information (PHI) is any information that relates to your resident’s past, present, or future physical or mental health or condition and that identifies the individual, or for which there is a reasonable basis to believe it can be used to identify the individual. Protected health information includes information like name, address, birth date, social security number, etc.

HIPAA also requires the software to create an audit trail, which is a chronological record of when and how long users were logged in, what they were doing, and what PHI they were looking at. An audit trail is an automated set of chronological records of system activities that enable the reconstruction and examination of a sequence of events and/or changes in an event.

In our research, most healthcare risk management systems do not maintain a fully compliant audit trail or audit logs. If you dig deep into HIPAA like we did, you’ll find a link to the actual compliance document ASTM E2147-01(2013). Per ASTM: “The purpose of audit access and disclosure logs is to document and maintain a permanent record of all authorized and unauthorized access to and disclosure of confidential health care information in order that health care providers, organizations, and patients and others can retrieve evidence of that access to meet multiple needs. Examples are clinical, organizational, risk management, and patient rights’ needs.”


HUD-232 & QAPI Compliant

QA Reader automatically identifies serious events and notifies corporate and facility staff immediately. QA Reader risk managers review each serious event and provide feedback to the facility staff in compliance with HUD-232 risk management guidelines and the elements of QAPI.

HIPAA Compliant

QA Reader is fully HIPAA compliant. We encrypt all resident-identifying records, and create separate data stores for every client.

HIPAA-Compliant Mobile Access

QA Reader is mobile-enabled and optimized for Android and iOS devices. QA Reader is HIPAA compliant, and all resident-identifying information is encrypted inline, isolated in separate data stores, and combined on your dashboard only after login credentials are validated.