Best Practices for

Overseeing an

Internal Audit

KARIE REGO, ESQ.

Sheppard, Mullin, Richter & Hampton LLP

1BACKGROUND

Why should you care about auditing?• Issuesidentifiedinauditscanresultinlargeoverpayments.

• Thegeneralcounsel’sofficeandoftenoutsidecounselwillbebroughtineventuallytoadviseontheauditresults.

• Oftenthereareinherentproblemswiththestructureoftheauditthatcosttimeandmoneytoaddress.

• Thegeneralcounsel’sofficewillbeviewedasresponsibleforanyinterpretationofthelawsthatunderlietheaudit.

Why Audit?

Auditscanraiseissues.TheseissuesmightleadtonewandexpensiveproblemsthatmustbedealtwithimmediatelySo,whyshouldyouevendothem?

Audits do the following:• Serveasapartofaneffectivecomplianceplan• Identifyandcorrectissues• Findissuesbeforetheygetworse• Provideanopportunitytoeducate• Improvefinancialperformance• Improvequalityofcare• PreemptaRACrevieworothergovernmentaudits• Reducewhistleblowerrisk

What you don’t know won’t hurt you.❍True❍False

This presentation provides attorneys with background and insights into the hospital auditing process.

2

CODING RULES

Certified Coder

BILLING RULES

Audit or Compliance Staff

FRAUD AND ABUSE

Non-attorney w/ Attorney Input

PRIVACY AND SECURITY

Audit or Compliance Sta�

COMPLIANCE PROGRAM

Outside Auditors or Attorneys

LeasesMedical DirectorsRecruitment

StructurePoliciesEffectiveness

PoliciesEffectivenessBreech Protection

Non-physician SupervisionOrders and CMNsProvider-Based Rules

E&MsDiagnosis CodingMedical Necessity

TYPES AND FOCUS OF AUDITS

!

Scheduled Internal or Compliance Audit • Annual compliance work plan• Internal audit work plan • DRG validation audits

Unscheduled Internal or Compliance Audit • Hotline call• Part of diligence in an acquisition• Pending government investigation

3STRUCTURE OF AUDITS

Planning

Objective

Audit Protocol

Method

Reporting

Decide what and when to audit

Purpose of the audit e.g. Determine if clinics in the health system billing as

outpatient departments are compliant with the provider-based rules

Tool used to guide the audit and record compliance

Conduct interviews, review records or policies or even make observations.

Orally review findings, make refinements, produce draft and final reports. Make presentations of

findings.

4

PRO:

CON:

Changes can assist fiscally

The Bottom Line

May miss high risk issues

PRO:

CON:

Identifies many issues

OIG Work Plans

Doesn’t identify whether an issue is important

PRO:

CON:

Something the governmentcares about now.

Other Provider Investigations

Your provider might not have a similar issue of the same magnitude.

PRO:

CON:

Reduce future government investigation risk

RAC Issues

The RAC may move on to a to a different area of audit.

PRO:

CON:

Agency thinks it’s a concern,so it must be.

Agency Issuances

Agencies have many concerns that sometimes get too much coverage by the legal and consult-ing industries.

PRO:

CON:

Reduce qui tam potential

Hotline Calls and Questions

Might not be a widespread issue

PRO:

CON:

Risk Assessments

Administrators and staff don’t know which regula-tory requirements are important.

Chance to listen to admin-istrators and staff issues

How To Find Audit Topics

HOW TO FIND AUDIT TOPICS

5

Simple rules and rules that agencies have spent time making clear are riskier. These rules are easier arguments for the government and qui tam relators leading to larger settlements. Rate this from 1 to 5, based on difficulty with 1 being easy and 5 being hard.

Small services that get billed many times are high risk. On the other side of the spectrum, high dollar single items like investigational devices or case rates for entire stays and certi�cation problems. Fraud and abuse issues could impact every service ordered. Rate this from 1 to 5, based on money with 1 being little and 5 being much.

Most Risk: An item or service is having bad outcome for the patient.Less Risk: Something necessary for the patient is not being provided.Lesser Risk: The patient is receiving something that they don’t need (medical necessity)Rate this from 1 to 5, based on impact with 1 being less and 5 being more.

Rate the following five issues based on their level of risk:

The longer a rule has been around in its current, unrevised form the greater the risk. Government commentary to regulation, proposed and even newer rules make difficult topics as the rule or inter-pretation could change after you have put the message out. Rate this from 1 to 5, based on age with 1 being new and 5 being old.

NEW OLD

EASY HARD

$ $$$$

LESS MORE

AGE OF RULE: How long has the rule been around?

DIFFICULTY: How hard is the rule to understand?

MONEY: How much government money is involved?

QUALITY IMPACT: How is quality impacted?

1 2 3 4 5

1 2 3 4 5

1 2 3 4 5

1 2 3 4 5

1 2 3 4 5

FREQUENCY: How often is the rule cited?The more times a rule has been cited by agencies, in investigations or internally, the greater the risk. Rate this from 1 to 5, based on citation frequency with 1 being seldom and 5 being often.

OFTENSELDOM

TOTAL RISK SCORE: Add the individual ratings. Use to compare relative risk.

Rating

COMPLIANCE AUDIT TRIAGE

6

What is the risk? – Focus the audit and save limited resources by choosing topics that pose the greatest potential for risk.

The “Q Principal” - when deciding between competing topics, chose “Q”uality based topics and traditional compliance topics that allow for incorporating quality messages through a patient interaction or discussion.

Accept that resources and time might not allow coverage of all topics. It’s worse to plan something and not do it. Look for outside resources to augment your program that you can a�ord or get for free.

RISK

DOCUMENTATION

“Q” PRINCIPAL

Focus on documentation as it can be the reason for half or more of RAC payments and is the basis for showing care was needed (i.e., orders, certi�ca-tions).

HOW TO FILTER AUDIT TOPICS

7INTERPLAY OF PEOPLE IN AUDITS

Auditors Coders

Compliance Counsel

Issues

Minimizeterritorialdisputesbetweenauditingandcompliancebyhavingclearlyde-finedroles.

Understandthatauditorsandcodersaredisinterestedthirdpartieswithbetteraudit-ingskillsanddeepknowledge,butmaylacktheabilitytojudgmentandexperiencetoassessandquantifyrisks.

Decidewhethertheauditwillbedoneunderattorney-clientprivilegeandensurethattheattorneyissufficientlyinvolvedintheaudittowarrantinvokingoftheprivilege.

Regardlessofwhetherattorney-clientprivilegeisused,educatestaffastohowtobesensitivetothefactthattheircommunicationscanbetakenoutofcontextandmisin-terpreted.

Useoutsidecounseleffectivelytoprovideanunbiasedopinionandexpertiseinreduc-ingriskassociatedwithauditingbyreviewingtheauditprotocol.

Oftentaskedwithreviewingdocumentsandconductinginter-

views.

Sameasauditorsifthereisacodingissue

Involvedinsettingaudittopicsasthenau-ditsbecome“credited”underthecompliance

plan.

Typicallybecomeinvolvedinfraud&abuseauditingorwhenthereisaissue,butmaybe

shouldbeinvolvedsooner.

8AUDIT PROTOCOLS

Well drafted audit protocols are key to reducing audit risk.

Poor drafting can:

• Justlikepoorlydraftedpolicies,createstandardsthatarehigherthanwhatislegallyrequired.Anexampleisusingtheterm“referredtoobservation”insteadof“admittoobservation.”TherearesimilarexamplesontheprivatepayerandMedicareAdvantageside.

• Createaproblematicrecordwhenthehealthsystemlatergoesbacktoreviewtheauditfindings.

• Creategulfsbetweenadministrativetypesandclinicianswhochallengetherequire-ments.

• OpentheorganizationuptowhistleblowerclaimsbyitsownauditorsandcompliancepeoplewhostrictlyinterpretguidancefromforexampleaMACthatcontradictstheCMSregulationsorwherecodingguidanceisunclear.

Steps to better drafting:

1. Legalreviewofall“sourcedocuments”fortheauditandashortstatementonwhatthekeyrequirementsandbestpracticeswouldbe.Seeexamplefornon-physiciansuper-visionreview.

2. Meetwithauditorsandcompliancepersonneltodiscusswhatisactuallyrequiredandwhatisabestpractice.Useoutsidelegalcounseltoreducetension.Createanactualprocesswherebyauditsofcompliancerelatedissuesaremorethoughtfullyconstruct-ed.

3. Attorneysneednotdrafttheprotocolbutcansuggestlanguagechangesthatprovideflexibilityifneeded.Seeprovider-basedrulesandnon-physiciansupervisionauditprotocols.

9

Audit Protocols should be carefully worded.

Regulations and interpretations of regulations can change. Single words could even be the subject of court cases. Using “should” is a strong word and in some dictionaries, no di�erent than “will,” but leaves �exibility for a di�erent interpretation.

When discussing a regulation, be sure to cite the regulation. If the agency interpreta-tion is inconsistent with the regulation, or if you make a mistake in description, you could create a higher standard for your organization.

Regulation

Interpretation

Provider Message

This diagram illustrates what should never happen inadvertantly: provider guidance that extends beyond the requirements of a regu-lation and its interpretation.

AUDIT PROTOCOL WORDING

10DISCLOSURES

The need to refund overpayments within 60 days of discovery should not impact the carefulness of the audit.

Firststepistotraincompliance,auditingandbillingpersonnelthatallbillingandfraudandabuseissuesneedtobeinvestigated.

Second,inbothscheduledandunscheduledaudits,theauditprofileshouldexplaintheprocessoffindingandcalculatingerrors.Probeauditsarerecom-mendedbeforeengaginginawideraudit.

Considerations:sizeofprobeauditandwhethertoexecutemultipleprobe,whatpercentagetriggersanissue,whethertomovetooutsideauditorsifawiderauditisneeded,whethertomakethewiderauditstatisticallysignificantsotheerrorscanbeextrapolatedtotheclaimsuniverse.

Findingsconcerningoverpaymentsshouldbemadeattheendoftheauditeitherthroughafullclaimsrevieworstatisticalextrapolation.Therearesig-nificantlegalissueswithonlyrefundingclaimsintheprobeunlesstheprobe

11AUDIT FINDINGS

Wording here is significant. Audit findings will often need further legal review to determine if there is an historical repayment issue or simply risk of a violation warranting a change in practice.

Original:

OurconcernisthatCPTxxxxxincludesxxxxxandthusnotrecognizingthisinclusionledtoexces-sivereportingofCPTxxxxx.Weencouragexxxxxtoadopttheserecommendations.

Refined:

OurconcernisthatCPTxxxxcouldincludeandthusnotrecognizingthisinclusioncouldhaveledtoexcessivereportingofCPTxxxxx.

Original:

TherecruitingarrangementdoesnotcomplywiththeStarkLawandneedstoberestructured.

Refined:

TherecruitingarrangementmayneedtoberestructuredtocomplywiththeStarkLaw.

12REPORTING TO THE BOARD

PresenttoCommitteeoftheBoardfirsttominimizeconfusionandworryoverauditresults.

Legalcounselshouldbeinvolvedinprovidingadviceastothefindingsandrecom-mendedactionsteps.

ProvideaPowerPointbasedpresentation.Collectanymaterialsprovidedandconsiderpre-draftingaresolutionanddescriptionofthemeeting.ProvidingattachmentstoBoardminutesisnotadvisable.

It’sbettertohaveanalyzedthelegalissuesandcomewitharepaymentrecommenda-tion,ifneeded,thanleaveittotheBoardtodecide.ItisveryriskytohavetheBoarddebatingthevariouslegalrulesrelatingto,forexample,acodingissue.

Forexample,youdon’twantboardminutesthatstate:“Boarddiscussedwhethertheor-ganizationshouldhaveprovider-basedclinicsastheextrareimbursementseemsrisky.”

Betterminuteswouldread:“TheBoarddiscussedtheprovider-basedclinicsandrec-ommendedfurtheranalysis.”

OutsidelegalcounselcanprovideanimportantthirdpartyperspectivethatreassurestheBoard.

Auditors/CodersCounselCompliance

The Board

13FOLLOWING UP ON FINDINGS

Not following up on findings can cause serious issues even greater than what hasn’t been audited. It increases the risk of the government finding your compliance program is ineffective.

Encourage your system to take on high risk issues that it has the ca-pacity to impact.

ChangingClinicianBehavior

ClinicianChampions

$ Incentivesfor

Better Coding*

$ Penaltiesfor

Poor Coding

Public Relations and Education

Nominal Rewards:

lunches, prizes

*Incentives should include safeguards to show improved care.

14AUDIT / EDUCATION CYCLE

EDUCATION ➤ AUDIT

S ➤

The best way to document an effective compli-ance plan is to tie the major activities of auditing and education together.

This is done by choosing fewer issues and taking a more concerted attempt to show improvement through auditing combined with education ef-forts throughout several quarters.

15CONCLUSION

Input of both outside and inside legal counsel before and during the audit process is key to creating a sound audit that reduces, rather than increases, the organization’s risk.

Steps to a Better Audit Process:

1. Meetwithcomplianceandinternalaudittodevelopataskforceforimprovedcomplianceaudits.

2. Seekthehelpofoutsideexpertstodiscusstherisksassociatedwithauditing.

3. Developanauditprotocolthatincludesfeedbackearlyintheprocessfromlegalcounsel.

4. Identitysubjectmatterexpertsfromoutsidelegalcounsel.

5. Considerpartnershipopportunitieswithothersystemsorwithinassociationstodevelopbestpracticesauditmaterials.

16

NON-PHYSICIAN SUPERVISION

Whenaphysicianormid-levelbillsthetraditionalMedicareprogram,non-physiciansmayprovidepartoftheserviceifthenon-physicianissupervised.

Thephysicianormid-levelthatbillsfortheserviceshouldbeintheofficeandimmediatelyavailable.Beingavailablebypagerorphoneisnotsufficient.

Ifanotherphysicianormid-levelinthegroupsupervisestheservices,thenthebillgoesoutundertheirnameandnottheorderingphysicianormid-level.

Thebillingphysicianormid-levelalsoshouldparticipateinthemanagementofthecourseoftreatment.Newproblemsshouldbetreatedbythem.

Theregulationsapplyonlywhenthephysicianormid-levelisbillingforsomeoneelse’sservices.NPs,PAsanddieticianscanalsobillontheirown.

Theregulationsneverapplytoradiologyandlabservicesthathavetheirownsupervisionrules.

SourceMedicareBenefitPolicyManual,Chapter15,60.1to60.3

ATTACHMENT 1: NON-PHYSICIAN SUPERVISION

17

Audit ProtocolNon-Physician SupervisionPhysician Clinic (non-hospital setting)

First Level – Initial Review

Determinewhatnon-physicianpractitionersatthepracticeseepatientsforpurposesofexamsandtreatment.DeterminewhethertheNPsorPAsinthepracticebillindependentlyor“incidentto.”

ReviewtwentymedicalrecordswhereitisdocumentedthataNP,PAorothernon-physicianprovidedservicesandtheserviceswerebilled“incidentto”.

Reviewthedateandtimeofthemedicalrecordagainstthesupervisingphysicianorphysicianinthegroup’sothermedicalrecordentriesorschedulestoverifythattheywereintheofficesuiteatthesametimethattheserviceswereprovided.

Determineifpossiblethroughtherecordreview,ifanon-physicianwasseeingpatientsfornewcomplaintswithoutthepatientseeingaphysicianinthegroupduringthatsamevisit.

Reviewtherecordstodetermineifthemedicalrecorddocumentsthephysicianormemberofhisorhergroupwasinvolvedinthecourseoftreatment.

Interviewnon-physicianpractitionerstoseeiftheyareawareoftherequirementthat:(1)thephysicianbeintheofficesuite;and(2)thattheyaddressnewcomplaints.

Interviewphysicianstoseeiftheyareawareoftherequirementthatthephysicianorotherphysicianinthegroupbeintheofficesuite;and(2)thattheyaddressnewcomplaints.

Second Level Claim Review

Additionalprobeauditsorstatisticallysignificantauditsifneeded.

Checktheclaimsfortheservicesinquestiontoseeofthenameofthesupervisingphysicianisonthebillandwhetherthenameofnon-physicianisidentifiedaswell.(EducationPurposesOnly).

ATTACHMENT 2: AUDIT PROTOCOL #1

18

**Not meeting a few of the examples cited by CMS wouldn’t necessary mean that the entity is not provider-based. However, going forward, it would be prudent to consider why examples and not met and then meet as many as possible so payment to the main provider will not be questioned.

PROVIDER BASED RULES AUDIT PROTOCOL

This simple audit is useful for hospital-based entities, departments and remote locations. The provider-based rules are not applicable to ASCs, HHAs, CORFs, SNFs, labs and ESRD facilities.

1. Operating Under the Same License

Do the entities operate under the same license (unless otherwise required by the state)? Yes_____ No_____

2. Financial Integration**

Is there shared income and expenses between the entities? Yes_____ No_____

Are the costs of the provider-based entity reported in a cost center of the main provider? Yes_____ No_____

Is the provider-based entity easily identifiable in the main provider’s trial balance? Yes_____ No_____

3. Clinical Integration**

Do the entities have an integrated medical staff? Yes_____ No_____

Do the entities have integrated medical records? Yes_____ No_____

Is quality monitoring the same? Yes_____ No_____

Do patients at the provider-based facility have access to the main provider services? Yes_____ No_____

4. Public Awareness**

Is the main provider name included on:

Outside signage Yes_____ No_____ Advertising Yes_____ No_____ Patient Bills Yes_____ No_____ Registration Forms Yes_____ No_____ Medical Records Yes_____ No_____

ATTACHMENT 3: AUDIT PROTOCOL #2 (PAGE 1)

19

**Not meeting a few of the examples cited by CMS wouldn’t necessary mean that the entity is not provider-based. However, going forward, it would be prudent to consider why examples and not met and then meet as many as possible so payment to the main provider will not be questioned.

Additional Rules For Off-Campus Providers (located 250 yards from main buildings)

1. Ownership

Is the provider-based entity 100% owned by the main provider (if not, must be located on main campus of the provider that bills for its services)? Yes_____ No_____

2. Control**

Do the entities have the same governing body? Yes_____ No_____

Do the entities have common bylaws? Yes_____ No_____

Does the main provider’s governing body have final approval over administrative decisions, contracts and personnel policies? Yes_____ No_____

2. Administration and Supervision**

Is the provider-based entity is under the same monitoring and oversight as any other department of the main provider? Yes_____ No_____

Does the provider-based director maintain a reporting relationship to the main provider and accountability to the governing body just like any other department? Yes_____ No_____

Do the entities share, contract out together or have the main provider manage the provider-based entities:

Billing services Yes_____ No_____ Records Yes_____ No_____ Human resources Yes_____ No_____ Payroll Yes_____ No_____ Employee salary structure Yes_____ No_____ Employee benefit package Yes_____ No_____

Purchasing services Yes_____ No_____

ATTACHMENT 1: AUDIT PROTO-COL (PAGE 1)

ATTACHMENT 3: AUDIT PROTOCOL #2 (PAGE 2)

20

**Not meeting a few of the examples cited by CMS wouldn’t necessary mean that the entity is not provider-based. However, going forward, it would be prudent to consider why examples and not met and then meet as many as possible so payment to the main provider will not be questioned.

3. Location

a. Does the main provider have a disproportionate share adjustment of greater than 11.75%, and is it owned or operated by: (a) a unit of state/local government; (2) a public or non-profit corporation granted governmental power; or (3) a private entity with a state/local contract that includes operating the off-campus clinic? Yes_____ No_____

b. Is the main provider a children’s hospital that: (1) has intensive care units that accept newborn infants; (2) is in a rural area at least 35 miles from other neonatal intensive care units; and (3) is located within a 100-miles of the hospital-based clinic? Yes_____ No_____

c. Is the provider-based clinic a rural health clinic and does the main hospital have fewer than 50 beds and is it located in a rural area? Yes_____ No_____

IF NONE OF THE ABOVE:

During a 12-month period are 75% of the provider-based entities patients from the same zip code as 75% of the main provider’s patients? Yes_____ No_____

During a 12-month period did 75% of the provider-based entities patients that needed inpatient care receive it from the main provider? Yes_____ No_____

If the provider-based entity was not in operation for 12 months, is it in the same zip code area as at least 75% of the patients served by the main provider? Yes_____ No_____

ATTACHMENT 3: AUDIT PROTOCOL #2 (PAGE 3)

21QUESTIONS

Karie Rego, Esq.Sheppard, Mullin, Richter & Hampton LLC

Four Embarcadero CenterSeventeenth Floor

San Francisco, CA 94111Tel: (530) 219-0135