Best Practices for
Overseeing an
Internal Audit
KARIE REGO, ESQ.
Sheppard, Mullin, Richter & Hampton LLP
1BACKGROUND
Why should you care about auditing?• Issuesidentifiedinauditscanresultinlargeoverpayments.
• Thegeneralcounsel’sofficeandoftenoutsidecounselwillbebroughtineventuallytoadviseontheauditresults.
• Oftenthereareinherentproblemswiththestructureoftheauditthatcosttimeandmoneytoaddress.
• Thegeneralcounsel’sofficewillbeviewedasresponsibleforanyinterpretationofthelawsthatunderlietheaudit.
Why Audit?
Auditscanraiseissues.TheseissuesmightleadtonewandexpensiveproblemsthatmustbedealtwithimmediatelySo,whyshouldyouevendothem?
Audits do the following:• Serveasapartofaneffectivecomplianceplan• Identifyandcorrectissues• Findissuesbeforetheygetworse• Provideanopportunitytoeducate• Improvefinancialperformance• Improvequalityofcare• PreemptaRACrevieworothergovernmentaudits• Reducewhistleblowerrisk
What you don’t know won’t hurt you.❍True❍False
This presentation provides attorneys with background and insights into the hospital auditing process.
2
CODING RULES
Certified Coder
BILLING RULES
Audit or Compliance Staff
FRAUD AND ABUSE
Non-attorney w/ Attorney Input
PRIVACY AND SECURITY
Audit or Compliance Sta�
COMPLIANCE PROGRAM
Outside Auditors or Attorneys
LeasesMedical DirectorsRecruitment
StructurePoliciesEffectiveness
PoliciesEffectivenessBreech Protection
Non-physician SupervisionOrders and CMNsProvider-Based Rules
E&MsDiagnosis CodingMedical Necessity
TYPES AND FOCUS OF AUDITS
!
Scheduled Internal or Compliance Audit • Annual compliance work plan• Internal audit work plan • DRG validation audits
Unscheduled Internal or Compliance Audit • Hotline call• Part of diligence in an acquisition• Pending government investigation
3STRUCTURE OF AUDITS
Planning
Objective
Audit Protocol
Method
Reporting
Decide what and when to audit
Purpose of the audit e.g. Determine if clinics in the health system billing as
outpatient departments are compliant with the provider-based rules
Tool used to guide the audit and record compliance
Conduct interviews, review records or policies or even make observations.
Orally review findings, make refinements, produce draft and final reports. Make presentations of
findings.
4
PRO:
CON:
Changes can assist fiscally
The Bottom Line
May miss high risk issues
PRO:
CON:
Identifies many issues
OIG Work Plans
Doesn’t identify whether an issue is important
PRO:
CON:
Something the governmentcares about now.
Other Provider Investigations
Your provider might not have a similar issue of the same magnitude.
PRO:
CON:
Reduce future government investigation risk
RAC Issues
The RAC may move on to a to a different area of audit.
PRO:
CON:
Agency thinks it’s a concern,so it must be.
Agency Issuances
Agencies have many concerns that sometimes get too much coverage by the legal and consult-ing industries.
PRO:
CON:
Reduce qui tam potential
Hotline Calls and Questions
Might not be a widespread issue
PRO:
CON:
Risk Assessments
Administrators and staff don’t know which regula-tory requirements are important.
Chance to listen to admin-istrators and staff issues
How To Find Audit Topics
HOW TO FIND AUDIT TOPICS
5
Simple rules and rules that agencies have spent time making clear are riskier. These rules are easier arguments for the government and qui tam relators leading to larger settlements. Rate this from 1 to 5, based on difficulty with 1 being easy and 5 being hard.
Small services that get billed many times are high risk. On the other side of the spectrum, high dollar single items like investigational devices or case rates for entire stays and certi�cation problems. Fraud and abuse issues could impact every service ordered. Rate this from 1 to 5, based on money with 1 being little and 5 being much.
Most Risk: An item or service is having bad outcome for the patient.Less Risk: Something necessary for the patient is not being provided.Lesser Risk: The patient is receiving something that they don’t need (medical necessity)Rate this from 1 to 5, based on impact with 1 being less and 5 being more.
Rate the following five issues based on their level of risk:
The longer a rule has been around in its current, unrevised form the greater the risk. Government commentary to regulation, proposed and even newer rules make difficult topics as the rule or inter-pretation could change after you have put the message out. Rate this from 1 to 5, based on age with 1 being new and 5 being old.
NEW OLD
EASY HARD
$ $$$$
LESS MORE
AGE OF RULE: How long has the rule been around?
DIFFICULTY: How hard is the rule to understand?
MONEY: How much government money is involved?
QUALITY IMPACT: How is quality impacted?
1 2 3 4 5
1 2 3 4 5
1 2 3 4 5
1 2 3 4 5
1 2 3 4 5
FREQUENCY: How often is the rule cited?The more times a rule has been cited by agencies, in investigations or internally, the greater the risk. Rate this from 1 to 5, based on citation frequency with 1 being seldom and 5 being often.
OFTENSELDOM
TOTAL RISK SCORE: Add the individual ratings. Use to compare relative risk.
Rating
COMPLIANCE AUDIT TRIAGE
6
What is the risk? – Focus the audit and save limited resources by choosing topics that pose the greatest potential for risk.
The “Q Principal” - when deciding between competing topics, chose “Q”uality based topics and traditional compliance topics that allow for incorporating quality messages through a patient interaction or discussion.
Accept that resources and time might not allow coverage of all topics. It’s worse to plan something and not do it. Look for outside resources to augment your program that you can a�ord or get for free.
RISK
DOCUMENTATION
“Q” PRINCIPAL
Focus on documentation as it can be the reason for half or more of RAC payments and is the basis for showing care was needed (i.e., orders, certi�ca-tions).
HOW TO FILTER AUDIT TOPICS
7INTERPLAY OF PEOPLE IN AUDITS
Auditors Coders
Compliance Counsel
Issues
Minimizeterritorialdisputesbetweenauditingandcompliancebyhavingclearlyde-finedroles.
Understandthatauditorsandcodersaredisinterestedthirdpartieswithbetteraudit-ingskillsanddeepknowledge,butmaylacktheabilitytojudgmentandexperiencetoassessandquantifyrisks.
Decidewhethertheauditwillbedoneunderattorney-clientprivilegeandensurethattheattorneyissufficientlyinvolvedintheaudittowarrantinvokingoftheprivilege.
Regardlessofwhetherattorney-clientprivilegeisused,educatestaffastohowtobesensitivetothefactthattheircommunicationscanbetakenoutofcontextandmisin-terpreted.
Useoutsidecounseleffectivelytoprovideanunbiasedopinionandexpertiseinreduc-ingriskassociatedwithauditingbyreviewingtheauditprotocol.
Oftentaskedwithreviewingdocumentsandconductinginter-
views.
Sameasauditorsifthereisacodingissue
Involvedinsettingaudittopicsasthenau-ditsbecome“credited”underthecompliance
plan.
Typicallybecomeinvolvedinfraud&abuseauditingorwhenthereisaissue,butmaybe
shouldbeinvolvedsooner.
8AUDIT PROTOCOLS
Well drafted audit protocols are key to reducing audit risk.
Poor drafting can:
• Justlikepoorlydraftedpolicies,createstandardsthatarehigherthanwhatislegallyrequired.Anexampleisusingtheterm“referredtoobservation”insteadof“admittoobservation.”TherearesimilarexamplesontheprivatepayerandMedicareAdvantageside.
• Createaproblematicrecordwhenthehealthsystemlatergoesbacktoreviewtheauditfindings.
• Creategulfsbetweenadministrativetypesandclinicianswhochallengetherequire-ments.
• OpentheorganizationuptowhistleblowerclaimsbyitsownauditorsandcompliancepeoplewhostrictlyinterpretguidancefromforexampleaMACthatcontradictstheCMSregulationsorwherecodingguidanceisunclear.
Steps to better drafting:
1. Legalreviewofall“sourcedocuments”fortheauditandashortstatementonwhatthekeyrequirementsandbestpracticeswouldbe.Seeexamplefornon-physiciansuper-visionreview.
2. Meetwithauditorsandcompliancepersonneltodiscusswhatisactuallyrequiredandwhatisabestpractice.Useoutsidelegalcounseltoreducetension.Createanactualprocesswherebyauditsofcompliancerelatedissuesaremorethoughtfullyconstruct-ed.
3. Attorneysneednotdrafttheprotocolbutcansuggestlanguagechangesthatprovideflexibilityifneeded.Seeprovider-basedrulesandnon-physiciansupervisionauditprotocols.
9
Audit Protocols should be carefully worded.
Regulations and interpretations of regulations can change. Single words could even be the subject of court cases. Using “should” is a strong word and in some dictionaries, no di�erent than “will,” but leaves �exibility for a di�erent interpretation.
When discussing a regulation, be sure to cite the regulation. If the agency interpreta-tion is inconsistent with the regulation, or if you make a mistake in description, you could create a higher standard for your organization.
Regulation
Interpretation
Provider Message
This diagram illustrates what should never happen inadvertantly: provider guidance that extends beyond the requirements of a regu-lation and its interpretation.
AUDIT PROTOCOL WORDING
10DISCLOSURES
The need to refund overpayments within 60 days of discovery should not impact the carefulness of the audit.
Firststepistotraincompliance,auditingandbillingpersonnelthatallbillingandfraudandabuseissuesneedtobeinvestigated.
Second,inbothscheduledandunscheduledaudits,theauditprofileshouldexplaintheprocessoffindingandcalculatingerrors.Probeauditsarerecom-mendedbeforeengaginginawideraudit.
Considerations:sizeofprobeauditandwhethertoexecutemultipleprobe,whatpercentagetriggersanissue,whethertomovetooutsideauditorsifawiderauditisneeded,whethertomakethewiderauditstatisticallysignificantsotheerrorscanbeextrapolatedtotheclaimsuniverse.
Findingsconcerningoverpaymentsshouldbemadeattheendoftheauditeitherthroughafullclaimsrevieworstatisticalextrapolation.Therearesig-nificantlegalissueswithonlyrefundingclaimsintheprobeunlesstheprobe
11AUDIT FINDINGS
Wording here is significant. Audit findings will often need further legal review to determine if there is an historical repayment issue or simply risk of a violation warranting a change in practice.
Original:
OurconcernisthatCPTxxxxxincludesxxxxxandthusnotrecognizingthisinclusionledtoexces-sivereportingofCPTxxxxx.Weencouragexxxxxtoadopttheserecommendations.
Refined:
OurconcernisthatCPTxxxxcouldincludeandthusnotrecognizingthisinclusioncouldhaveledtoexcessivereportingofCPTxxxxx.
Original:
TherecruitingarrangementdoesnotcomplywiththeStarkLawandneedstoberestructured.
Refined:
TherecruitingarrangementmayneedtoberestructuredtocomplywiththeStarkLaw.
12REPORTING TO THE BOARD
PresenttoCommitteeoftheBoardfirsttominimizeconfusionandworryoverauditresults.
Legalcounselshouldbeinvolvedinprovidingadviceastothefindingsandrecom-mendedactionsteps.
ProvideaPowerPointbasedpresentation.Collectanymaterialsprovidedandconsiderpre-draftingaresolutionanddescriptionofthemeeting.ProvidingattachmentstoBoardminutesisnotadvisable.
It’sbettertohaveanalyzedthelegalissuesandcomewitharepaymentrecommenda-tion,ifneeded,thanleaveittotheBoardtodecide.ItisveryriskytohavetheBoarddebatingthevariouslegalrulesrelatingto,forexample,acodingissue.
Forexample,youdon’twantboardminutesthatstate:“Boarddiscussedwhethertheor-ganizationshouldhaveprovider-basedclinicsastheextrareimbursementseemsrisky.”
Betterminuteswouldread:“TheBoarddiscussedtheprovider-basedclinicsandrec-ommendedfurtheranalysis.”
OutsidelegalcounselcanprovideanimportantthirdpartyperspectivethatreassurestheBoard.
Auditors/CodersCounselCompliance
The Board
13FOLLOWING UP ON FINDINGS
Not following up on findings can cause serious issues even greater than what hasn’t been audited. It increases the risk of the government finding your compliance program is ineffective.
Encourage your system to take on high risk issues that it has the ca-pacity to impact.
ChangingClinicianBehavior
ClinicianChampions
$ Incentivesfor
Better Coding*
$ Penaltiesfor
Poor Coding
Public Relations and Education
Nominal Rewards:
lunches, prizes
*Incentives should include safeguards to show improved care.
14AUDIT / EDUCATION CYCLE
EDUCATION ➤ AUDIT
S ➤
The best way to document an effective compli-ance plan is to tie the major activities of auditing and education together.
This is done by choosing fewer issues and taking a more concerted attempt to show improvement through auditing combined with education ef-forts throughout several quarters.
15CONCLUSION
Input of both outside and inside legal counsel before and during the audit process is key to creating a sound audit that reduces, rather than increases, the organization’s risk.
Steps to a Better Audit Process:
1. Meetwithcomplianceandinternalaudittodevelopataskforceforimprovedcomplianceaudits.
2. Seekthehelpofoutsideexpertstodiscusstherisksassociatedwithauditing.
3. Developanauditprotocolthatincludesfeedbackearlyintheprocessfromlegalcounsel.
4. Identitysubjectmatterexpertsfromoutsidelegalcounsel.
5. Considerpartnershipopportunitieswithothersystemsorwithinassociationstodevelopbestpracticesauditmaterials.
16
NON-PHYSICIAN SUPERVISION
Whenaphysicianormid-levelbillsthetraditionalMedicareprogram,non-physiciansmayprovidepartoftheserviceifthenon-physicianissupervised.
Thephysicianormid-levelthatbillsfortheserviceshouldbeintheofficeandimmediatelyavailable.Beingavailablebypagerorphoneisnotsufficient.
Ifanotherphysicianormid-levelinthegroupsupervisestheservices,thenthebillgoesoutundertheirnameandnottheorderingphysicianormid-level.
Thebillingphysicianormid-levelalsoshouldparticipateinthemanagementofthecourseoftreatment.Newproblemsshouldbetreatedbythem.
Theregulationsapplyonlywhenthephysicianormid-levelisbillingforsomeoneelse’sservices.NPs,PAsanddieticianscanalsobillontheirown.
Theregulationsneverapplytoradiologyandlabservicesthathavetheirownsupervisionrules.
SourceMedicareBenefitPolicyManual,Chapter15,60.1to60.3
ATTACHMENT 1: NON-PHYSICIAN SUPERVISION
17
Audit ProtocolNon-Physician SupervisionPhysician Clinic (non-hospital setting)
First Level – Initial Review
Determinewhatnon-physicianpractitionersatthepracticeseepatientsforpurposesofexamsandtreatment.DeterminewhethertheNPsorPAsinthepracticebillindependentlyor“incidentto.”
ReviewtwentymedicalrecordswhereitisdocumentedthataNP,PAorothernon-physicianprovidedservicesandtheserviceswerebilled“incidentto”.
Reviewthedateandtimeofthemedicalrecordagainstthesupervisingphysicianorphysicianinthegroup’sothermedicalrecordentriesorschedulestoverifythattheywereintheofficesuiteatthesametimethattheserviceswereprovided.
Determineifpossiblethroughtherecordreview,ifanon-physicianwasseeingpatientsfornewcomplaintswithoutthepatientseeingaphysicianinthegroupduringthatsamevisit.
Reviewtherecordstodetermineifthemedicalrecorddocumentsthephysicianormemberofhisorhergroupwasinvolvedinthecourseoftreatment.
Interviewnon-physicianpractitionerstoseeiftheyareawareoftherequirementthat:(1)thephysicianbeintheofficesuite;and(2)thattheyaddressnewcomplaints.
Interviewphysicianstoseeiftheyareawareoftherequirementthatthephysicianorotherphysicianinthegroupbeintheofficesuite;and(2)thattheyaddressnewcomplaints.
Second Level Claim Review
Additionalprobeauditsorstatisticallysignificantauditsifneeded.
Checktheclaimsfortheservicesinquestiontoseeofthenameofthesupervisingphysicianisonthebillandwhetherthenameofnon-physicianisidentifiedaswell.(EducationPurposesOnly).
ATTACHMENT 2: AUDIT PROTOCOL #1
18
**Not meeting a few of the examples cited by CMS wouldn’t necessary mean that the entity is not provider-based. However, going forward, it would be prudent to consider why examples and not met and then meet as many as possible so payment to the main provider will not be questioned.
PROVIDER BASED RULES AUDIT PROTOCOL
This simple audit is useful for hospital-based entities, departments and remote locations. The provider-based rules are not applicable to ASCs, HHAs, CORFs, SNFs, labs and ESRD facilities.
1. Operating Under the Same License
Do the entities operate under the same license (unless otherwise required by the state)? Yes_____ No_____
2. Financial Integration**
Is there shared income and expenses between the entities? Yes_____ No_____
Are the costs of the provider-based entity reported in a cost center of the main provider? Yes_____ No_____
Is the provider-based entity easily identifiable in the main provider’s trial balance? Yes_____ No_____
3. Clinical Integration**
Do the entities have an integrated medical staff? Yes_____ No_____
Do the entities have integrated medical records? Yes_____ No_____
Is quality monitoring the same? Yes_____ No_____
Do patients at the provider-based facility have access to the main provider services? Yes_____ No_____
4. Public Awareness**
Is the main provider name included on:
Outside signage Yes_____ No_____ Advertising Yes_____ No_____ Patient Bills Yes_____ No_____ Registration Forms Yes_____ No_____ Medical Records Yes_____ No_____
ATTACHMENT 3: AUDIT PROTOCOL #2 (PAGE 1)
19
**Not meeting a few of the examples cited by CMS wouldn’t necessary mean that the entity is not provider-based. However, going forward, it would be prudent to consider why examples and not met and then meet as many as possible so payment to the main provider will not be questioned.
Additional Rules For Off-Campus Providers (located 250 yards from main buildings)
1. Ownership
Is the provider-based entity 100% owned by the main provider (if not, must be located on main campus of the provider that bills for its services)? Yes_____ No_____
2. Control**
Do the entities have the same governing body? Yes_____ No_____
Do the entities have common bylaws? Yes_____ No_____
Does the main provider’s governing body have final approval over administrative decisions, contracts and personnel policies? Yes_____ No_____
2. Administration and Supervision**
Is the provider-based entity is under the same monitoring and oversight as any other department of the main provider? Yes_____ No_____
Does the provider-based director maintain a reporting relationship to the main provider and accountability to the governing body just like any other department? Yes_____ No_____
Do the entities share, contract out together or have the main provider manage the provider-based entities:
Billing services Yes_____ No_____ Records Yes_____ No_____ Human resources Yes_____ No_____ Payroll Yes_____ No_____ Employee salary structure Yes_____ No_____ Employee benefit package Yes_____ No_____
Purchasing services Yes_____ No_____
ATTACHMENT 1: AUDIT PROTO-COL (PAGE 1)
ATTACHMENT 3: AUDIT PROTOCOL #2 (PAGE 2)
20
**Not meeting a few of the examples cited by CMS wouldn’t necessary mean that the entity is not provider-based. However, going forward, it would be prudent to consider why examples and not met and then meet as many as possible so payment to the main provider will not be questioned.
3. Location
a. Does the main provider have a disproportionate share adjustment of greater than 11.75%, and is it owned or operated by: (a) a unit of state/local government; (2) a public or non-profit corporation granted governmental power; or (3) a private entity with a state/local contract that includes operating the off-campus clinic? Yes_____ No_____
b. Is the main provider a children’s hospital that: (1) has intensive care units that accept newborn infants; (2) is in a rural area at least 35 miles from other neonatal intensive care units; and (3) is located within a 100-miles of the hospital-based clinic? Yes_____ No_____
c. Is the provider-based clinic a rural health clinic and does the main hospital have fewer than 50 beds and is it located in a rural area? Yes_____ No_____
IF NONE OF THE ABOVE:
During a 12-month period are 75% of the provider-based entities patients from the same zip code as 75% of the main provider’s patients? Yes_____ No_____
During a 12-month period did 75% of the provider-based entities patients that needed inpatient care receive it from the main provider? Yes_____ No_____
If the provider-based entity was not in operation for 12 months, is it in the same zip code area as at least 75% of the patients served by the main provider? Yes_____ No_____
ATTACHMENT 3: AUDIT PROTOCOL #2 (PAGE 3)
21QUESTIONS
Karie Rego, Esq.Sheppard, Mullin, Richter & Hampton LLC
Four Embarcadero CenterSeventeenth Floor
San Francisco, CA 94111Tel: (530) 219-0135