May 2018

Audit Alley: Strategies to Help Providers Respond to Audits
By Jonathan Farr; Charles Cortez, MPH; and Pedro Oliveira
For The Record
Vol. 30 No. 5 P. 30

Fraud, abuse, upcoding, unbundling, and compliance have become the prevailing lexicon to describe the challenges facing today's health care providers. Eliminating health care fraud and abuse has become a top priority for the federal government, as well as hospitals and clinics. With government investigations on the rise, every provider is feeling the pressure.

Corporate compliance programs can be an effective mechanism to ensure compliance with regulations and minimize the risk of fraud. In fact, a coding compliance program should be a key component of any corporate program, complementing, not conflicting with, corporate compliance.

In developing a coding compliance program, leaders must be proactive about its development rather than letting it fall to someone who may be unqualified to tackle this important issue.

Taking the First Steps
Begin with a risk assessment that includes provisions within the compliance plan and specifies weak areas exposed by the assessment. This will ensure that special attention is given to functions and processes that are particularly prone to putting the organization at risk.

Next, convene a multidisciplinary team to address areas of the compliance plan that require cooperation from entities outside of the department, including experts in policies and procedures that address physician documentation or updating the chargemaster. The federal government recommends the inclusion of key elements that must be addressed in a coding program.

Auditing and Monitoring
Auditing and monitoring are among the most important components of a compliance program—and probably the most complex. Furthermore, they can be extremely resource intensive.

The following are a few tips on how to respond to audits and voluntary disclosure, which provide a glimpse into the scope of the resources required:

• Do not create a plan with 30 indicators. Most organizations make futile attempts to include too many indicators, which then must be prioritized. Understaffed organizations can only scratch the surface.

• If possible, examine the issues the competition is dealing with as a way to forecast future focus areas. Often, if one facility has a problem, the government will scrutinize other area facilities for the same problem.

• Keep in mind senior management's frame of reference. When it comes to sharing the results of auditing and monitoring, consider what business risks will make the biggest impact on the bottom line and quality of care.

• Don't forget about customer service. If someone gets a bill for services that he or she did not receive, be prepared to resolve the issue.

• Do remedial work on the problem and then integrate the issue into the auditing and monitoring processes.

• Don't isolate a problem area—it's likely to be impacting other areas in the facility as well.

Working Together
The roles of the compliance and audit departments often overlap. Auditors examine the risks that could prevent an organization from meeting its strategic and financial objectives, while the compliance officer focuses on compliance and regulatory issues.

When auditors need to fix a problem, they shouldn't go it alone; they can find better solutions more quickly by joining forces with those who are closest to the problem. The team must draw a flow chart of the process in question to help members understand each other's roles and create a clear definition of hierarchy.

Limiting the auditing and monitoring plan to testing results is a lost opportunity. Evaluating the controls used to achieve the desired results, which can often be performed simultaneously, will help the team focus on testing results and identify the corrective actions necessary to address problems.

Understandably, this involves being close to data for both monitoring and auditing functions. Accessing these kinds of data usually means pairing up with someone in the information services department. With the right access, it's possible to obtain any report necessary from the system, break it down, and analyze it in a variety of ways.

Self-Auditing
When it comes to voluntary disclosures, self-auditing is critical. The focus should be on prevention and having the proper methodologies supported by tools that help identify and elaborate a disclosure prior to any formal investigation. Also, self-auditing should be part of day-to-day activities.

Writing voluntary disclosures is a sensitive but critical topic in the scope of Medicare and Medicaid. A potential violation of the health care fraud and abuse laws can lead to criminal culpability if the circumstances are discovered later through a government investigation.

At the same time, voluntary disclosures represent one of the most challenging issues facing today's providers, especially considering the uncertainty surrounding when to disclose evidence of criminal or unlawful activities, which is legally required.

Therefore, prevention is necessary to ensure that the organization is not in violation. In this case, time is of the essence in terms of having the proper audit enablers and tools in place. With so much to monitor and consider, it's easy to ignore or even misidentify these occurrences.

Identifying, Measuring, and Monitoring
The first step is identification, meaning a strategy of voluntary disclosure should be considered as a matter of risk management. This doesn't mean that the provider should immediately engage in self-audit to check for liabilities in past claims. Rather, providers should use it when there is a suspicion of wrongdoing. For instance, improper receipts of reimbursement cannot be ignored.

This makes it important for self-audits to occur continuously. A protocol should be in place to ensure that all claims submitted during a certain period are valid, or a valid statistical sample should exist as proof of validity.

To ease the audit effort, all procedures that compose the reimbursement process should be clearly identified and measured and monitored regularly. This will help to gather the needed information when writing voluntary disclosures as part of day-to-day activities.

These elements should include a detailed description of the affected corporate departments or branches, along with all the health care programs and providers, including any government contractors.

Also, the root-cause analysis of the incident should be clear. This is a risk management issue; therefore, it impacts risks to health, safety, or care quality, and must be quantified and disclosed.

Audit protocols, tools, and processes should make it possible to retrace the issues, providing a detailed chronology of the self-assessment and identifying the parties involved, including a list off the persons interviewed.

If any disciplinary action was taken, that should also enrich the voluntary disclosure.

Furthermore, if a potential violation is detected, the correction should be immediate. The ability to identify the violations and proceed with immediate correction, prior to a voluntary investigation, can make the difference in resolving criminal and civil penalty culpability.

Automation Technology Solutions
If possible, organizations should consider using automation technology solutions to help respond to audits and monitor compliance. For example, there are solutions available that allow hospital systems and integrated delivery networks to retrieve, review, and compare massive amounts of operational, clinical, and financial data across their total enterprise no matter the size, data incompatibility, or platform complexity. Using customizable, exception-based triggers to identify deviations from norms, users can reduce errors and denials, improve efficiency and productivity, meet compliance requirements, and ensure financial viability.

Powered by unique actionable analytics, an operating platform can overlay existing transactional and operational systems, functioning as a permanent, protective 24/7 auditing and reporting "umbrella" that makes data comparable and enables leaders to take action and conduct follow-ups.

A solution of this sort should be able to perform the following tasks:
• collect and analyze data;
• detect problems, define the variance, and trigger alarms;
• drill down to analyze, guide, and advise leaders on what they need to do;
• provide integrated workflow to organize actions to fix the problem; and
• continue to monitor, ensuring corrective actions have been taken.

With substantially lower upfront costs, health care organizations can devise rapid interventions for correcting inefficiencies, including revenue leakage that impacts the bottom line and noncompliance.

— Jonathan Farr is senior vice president North America at EFFY.

— Charles Cortez, MPH, is senior vice president of business development at EFFY.

— Pedro Oliveira is a senior architect at EFFY.