Compliance Risk Management · 2012-04-24 · KPMG Forensic is a service mark of KPMG International....

Compliance Risk Management

The importance of compliance risk assessments in the

current regulatory environment

FORENSIC

A D V I S O R Y

1© 2009 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the KPMG network are affiliated. KPMG and the KPMG logo are registered trademarks of KPMG

International. KPMG Forensic is a service mark of KPMG International. Service offerings are subject to legal and regulatory restrictions. Some service offerings may not be available to KPMG’s audit or other attest service clients.

Agenda

1. The importance of performing compliance risk assessments and

addressing new regulatory trends in the risk assessment process

2. How to develop organizational support and sponsorship

3. How to conduct a compliance risk assessment

4. Utilizing data analytics in the risk assessment process

5. Reporting the results: leadership and the Board

6. Corrective action planning and implementation



Chapter 1

The importance of performing a compliance risk assessment and

addressing new regulatory trends in the risk assessment process

The learning objective is to provide an understanding of why the

current regulatory and competitive landscape requires

organizations to undertake a compliance risk assessment

Regulatory influences - more now than ever

An overview of government capabilities

The benefit of being proactive

The risk of being complacent



Why Perform a Formal Compliance Risk Assessment?

Regulatory Influences

CMS national strategy to combat waste, fraud & abuse in Medicaid program (www.cms.hhs.gov)

State Program Integrity Units

HHS-OIG Medicaid Audits

CMS-Perm Auditors & MIP Auditors

Medicare ZPICS & RACS

U.S. Federal Sentencing Guidelines requirement

Strongly recommended by OIG/AHLA guidance for healthcare boards

Thompson and McNulty memos

Boards have a heightened awareness and liability post Enron/Worldcom/SOX

NY State – Office of the Medicaid Inspector General – compliance program effectiveness – what is the board doing?



Convergence of Regulatory Challenges:A Time Line

U.S. Department of Justice Enforcement Guidance

(Holder Memo)1999

1980s1980s 1990s1990s 20002000 20012001 20022002 20032003 20042004 20062006

U.S. Sentencing Guidelines

1999

COSO1992

CaremarkCase1996

USA PATRIOT Act2001

Sarbanes-OxleyAct of 2002

U.S. Department of Justice

EnforcementGuidance

(Thompson Memo 2003)

NYSE andNASDAQ Listing

Standards2003

Revised U.S.SentencingGuidelines

2004

McNulty Memo

HHS OIG Healthcare Compliance Program Guidance Documents

1998 - 2005

2007 & 82007 & 8

CMS first nationalStrategy to combat Medicaid fraud &

abuse

State Program Integrity Units

HHS-OIG Medicaid Audits

CMS – Perm Auditors & MIP Auditors

MedicareZPICS & RACS



Medicaid & Medicare Providers

HHS OIG

State Pay and Chase

Program (if separate

from Single State

Agency):

State Auditor,

Comptroller or IG

Single State

Agency:

Program

Integrity Unit

State MPI & AG PLUS NEW DRA/CMS:PERM/MIP/ZPIC, RACS, QIOs and CPC

New Implementation for 2009-2010

HHS-Secretary

Federal Regulation & Enforcement

CMS

State Regulation & Enforcement

AG Medicaid

Fraud Control

Units: funded by

OIG

Run by states

Investigate and

audit

Federal

Investigators/auditors/

contractors

*NEW:

+$25 Million to

enforce and audit

Medicaid

33221B1B1A1A

Medicaid Integrity Group (MIG)

Medicaid Integrity

Program (MIP) CMS-OFM

*NEW:

PERM Auditors-23

month Cycle-

Identify overpayments-

state MUST collect them

Sets State/Program Error

Rate

*NEW:

MIP Auditors-

HIGH ROI-Project

Based for MIP

Division

44 55 6, 76, 7 8,98,9

Medicare

ZPICS & RACS,

QIOs and CPC

*The Deficit Reduction Act of 2005*The Deficit Reduction Act of 2005*The Deficit Reduction Act of 2005



If You Are Still in Doubt…

U.S. Federal Sentencing Guidelines Culpability Score and resulting

fines/penalties may increase significantly if your organization is deemed

to not have an effective compliance program

You should be able to answer “Yes” to the following questions:

Did your organization incorporate and follow applicable industry practices?

Was the Compliance program given adequate resources?

If your organization is large did you devote more formal operations and greater resources in meeting the requirements than a small organization?

Did your organization perform a periodic risk assessment and develop a risk assessment tool which is re-evaluated on a regular basis to assess whether you are addressing specific industry high risk areas?




You should be able to answer “Yes” to the following question:

Did your organization incorporate and follow applicable industry

practices?

Industry practice is moving towards utilizing data analytics to

identify trends/outliers




You should be able to answer “Yes” to the following questions:

Did your organization incorporate and follow applicable industry

practices?

Was the Compliance program given adequate resources?

Do your compliance peers have what appears to be a more

effective program with less resources because they are using

technology to aid in identifying risks via data mining/analysis




You should be able to answer “Yes” to the following question:

Did your organization perform a periodic risk assessment and

develop a risk assessment tool which is re-evaluated on a regular

basis to assess whether you are addressing specific industry high

risk areas?

This is the key. What if the regulators are utilizing data analysis to

identify specific industry high risk areas and you are not?



Who Is Currently Mining Your Data?

The following entities may be mining your data:

MIP – Medicaid Integrity Program

QIO – Quality Improvement Organization

MAC – Medicare Administrative Contractor

PSC – Program Safety Contractor

OIG – Office of Inspector General

RAC – Recovery Audit Contractor

OMIG – Office of Medicaid Inspector General

PERM – Payment Error Rate Measurement

ZPIC – Zone Program Integrity Contractor



Who is Currently Mining Your Data?

MIPs, MACs, OIG, PSCs, RACs, OMIGs, PERMs and ZPICs

Inpatient admissions v. outpatient observation services

Diagnosis Related Group (DRG) outliers

Short-stay targeted DRGs

Other targeted DRGs (e.g., debridement, septicemia, etc)

Inpatient-only procedures in hospital outpatient settings

Medical necessity

Consultations

Evaluation and Management (E/M) services

Time-based E/M services



Who is Currently Mining Your Data?

QIOs

Hospital Acquired Conditions (HAC)

Medically Unlikely Edits (MUEs)

Infections

Pressure ulcers

Care transitions

Chronic kidney disease – kidney failure

Diabetes (e.g., self-management education activities)



Chapter 2

How to develop organizational support and sponsorship

The learning objectives are to provide understanding of key

organizational dynamics that enhance or serve as obstacles to

getting this process approved and implemented

Past experiences

Timing

Available resources

Alignment with key organizational objectives

Budgeting & other considerations



Developing Organizational Support

Past Experiences to Consider

Is this the first risk assessment?

What is the organizational appetite for risk assessment?

When was the last risk assessment?

How was the last one received?

Were you the person that initiated the last one?

Is the same management team at the helm?

Did the organization effect necessary change?

Do you sense organizational resistance?



Make or Buy?

Short Answer – Both

Buying

Good business practice is to periodically have outside objective advisors perform a compliance risk assessment which provides:

Objectivity may lend more credibility with the Board and top management

Multiple, objective and varied knowledgeable resources – a fresh look

Results - auditing and monitoring compliance plan

Make

In interim periods, use the methodology and format used by the outside advisors to perform annual compliance risk assessments with internal compliance personnel

Tag-along with the outside advisors during the formal risk assessment to understand how they conduct the interviews

Take advantage of knowledge that you may acquire through the use of outside resources




Timing

Where are you in the fiscal year?

Are there competing initiatives?

Are there other outside initiatives?

Are key players going to be available?

What is the attention span of the organization?

When are the next board meetings?

Are there any significant internal inquiries ongoing?




Available resources

What is the availability of internal participants?

The Board, CEO, CFO, COO, GC, Med Director, others

If performing the assessment internally, do you have:

Self-regulating objectivity?

Knowledge to establish a broad risk profile?

An understanding of the relative risks?

The familiarity of a regulations resource?

A methodology that has been validated?

The time to perform the assessment?

The organizational presence?

The interview skills?

The facilitation skills?




Alignment with key organizational objectives

Where is the organization from a strategic perspective?

Is the organization pro-active or re-active?

Is your program a “real” program?

Is your organization obsessed with growth?

Are you included in key strategic planning sessions?

Do you really have support from the top?

Do you really have the resources you need?

Are your compliance committee meetings well attended?




Budgeting and other considerations

Make or Buy?

How much can you spend on external consultants?

You get what you pay for – make sure you get what you

need

Do you have the resources you need to do it internally?

Regulatory resource / internal counsel / access to counsel

Be careful what you ask for….you may find it!

Now what?

Is the organization ready for required next steps?



Chapter 3

How to conduct a compliance risk assessment

The learning objective is to provide an understanding of key steps to designing and implementing an effective risk assessment

Planning and kick off

Document review

Conducting management interviews

Utilizing data analytics ( Covered in Chapter 4 )

Rating and ranking methodologies

Compiling the risk profile

Analyzing and sharing the data

Prioritizing the risk profile



How Are You Assessing Risk?

Are you conducting an “effective” risk assessment?

Compiling a list vs. identifying risk vs. assessing and prioritizing risks

What type of risk assessment process are you utilizing:

OIG Workplan

Check the box

Interview based

Who completes the current risk assessment?

Who participates in the process?

Do you use data analytics ?



Conducting the Risk Assessment

Planning and kick off

Scheduling interviews

How much time do you need and when do you need it?

Targeting the right areas (80/20)

Effectively communicating the objectives

Who, what, why, where, when

What do you need me to do?

What is your plan and how are you staying on plan?

Consistent treatment across the board

Ensuring people are prepared when you arrive

Privilege or not privilege?

If external – how should you be involved?




Document review

Why do you need to review documents?

What documents do you need?

Previous audits

Hotline reports

External evaluations

Previous risk assessment reports

Documentation of controls

Corrective action plans

Policies and procedures

Detail or high level review?




Conducting management interviews

Who do you need to speak with?

Alone or assisted?

Communicating the objectives

Ensuring the interviewee is prepared

A level playing field....if you build it they will come

Are you a capable interviewer?

What are you going to ask?

Asking the tough questions

Getting a tough answer

Keeping the conversation on track and meaningful




Rating and ranking methodologies

Consistency is critical

Likelihood of the risk

Significance or impact if the risk occurs

Mitigating factors to consider

Red, Yellow, Green

One through Ten

High, Medium, Low

Embracing the organizational vernacular




Compiling the risk profile

How to organize the data

By functional area

By risk categories

By High, Medium, Low

All of the above?

None of the above?




Analyzing and sharing the data

Understanding the data

Anticipating the reaction to the data

Is this really what you said?

Is this really what you meant?

Who needs to see the results (at this point)?

Avoiding data overload




Prioritizing the risk profile

So many risks…so little time

Which high risks are really high risks ?

Why is THAT a high risk ?

What does high risk really mean ?

He said low risk, she said high risk…now what ?

Understanding your vulnerabilities

Protecting the innocent



Chapter 4 – Utilizing Data Analytics

The learning objective is to provide an understanding of some initial

planning and execution factors related to data analytics, to provide

some samples of data analytics topics/issues, and to describe how the

information obtained from your data analytics activities can be

incorporated into your risk assessment process.

Factors to consider in undertaking data analytics

Samples of data analytics topics/projects

Incorporating data analytics into the risk assessment process



Data Analytics - Factors to Consider

Data availability

Data integrity

Ability to effectively and accurately review data

Ability to develop algorithms/models

Ability to identify the baseline/outliers

Ability to energize necessary resources (e.g., IT, human, etc.)

Ability to design useful/accurate reports

Ability to incorporate results into the risk assessment/risk profile

Ability to immediately correct (or address) identified problems/issues



Data Analytics Targets

Research

Effort reporting/activity confirmation

Cost transfers

Cost allowability

Salary caps

Procurement

Indirect costs

Conflicts of interest




Hospital Quality/Patient Safety Issues

Wrong-site surgeries

Never events

Patient falls

Infections

Hospital-acquired conditions

Other Quality Improvement Organization (QIO) targets




Hospital and MD Billing

Hospital inpatient and corresponding physician

payments

Inpatient admissions/outpatient observation services

Diagnosis Related Group (DRG) ratios/complication

rates

Identified DRG outliers

Targeted Short-stay DRGs

Evaluation and Management (E/M) services

Consultations



Data Analytics Targets – Hospital/MD Billing

Inpatient-only procedures in hospital outpatient setting

Other medical necessity issues

Wrong setting/site-of-service issues

Payment denials

Readmissions within 30 days

Invalid CPT codes

Demographic errors/issues

Hospital-Acquired Conditions (HACs)

Medically Unlikely Edits (MUEs)

Time-based CPT codes



Data Analytics Targets – Hospital/MD Billing

♦ Instances in which the physician's/provider's claim was paid, but the

involved hospital's charges were denied, as well as the opposite (i.e.,

hospital claim paid, physician's claim denied).

♦ Instances in which the hospital billed an inpatient admission, but the

physician reported an outpatient observation (as well as the opposite).

Observation services billed during an inpatient stay.

Respiratory infection v. simple pneumonia.

Short stays (up to 48 hours) in which the patient should have been

outpatient/observation status, and not an inpatient.

Excisional debridement.

Surgical Procedures in the wrong setting (i.e., hospital outpatient

claims for inpatient-only codes).



The results of your data analytics activities should be used to make your annual compliance risk assessments:

More precise (i.e., target the real issue/problem)

More accurate (in terms of identifying the risk score)

More effective (in terms of developing more effective mitigatingfactors/corrective action plans)

Once you begin the process, data analytics must become an ongoing activity.

Conducting data analytics, along with performing an annual risk assessment, should lead to the development of more effective and/or precise monitoring plans.

Data analytics can also assist an organization in more effectively allocating limited resources.

Incorporating the Results into the Process



Chapter 5

Reporting the results: Leadership and the Board

The learning objective is to understand how to properly lay the

groundwork for presenting the findings

Understanding potential pitfalls

Reporting to interviewees

Reporting to your compliance committee

Reporting to executive leadership

Reporting to the Board

Selling the message to the Board

Obtaining necessary endorsements and resources



Reporting the Results

Understanding potential pitfalls

Vetting the data – “I didn’t say that”

Changing of the guard

The messenger

You can’t “unring the bell”

I am trying to run a business here

Now what do you want me to do ?




Reporting to interviewees

When will I see the report?

You may or may not

What do you need me to do next?

Please stand by

Keeping constituents appropriately informed

Big picture objective

Probable next steps

Specific responsibilities




Reporting to your compliance committee

Vetting the data

Distilling key information

Strategic planning of next steps

What are realistic objectives?

What are you trying to achieve?

How are you going to get there?

Setting time frames for next steps




Reporting to executive leadership & the Board

Understanding the dynamics

Understanding the big picture

Understanding your obligations and responsibilities

Real life examples

What are the implications?

What do you need me (us) to do?

What if it does not go well?

What’s your back up plan?

Educating the Board

Getting commitment on next steps



Chapter 6

Corrective action planning and implementation

The learning objectives will be to provide an understanding for

necessary steps to manage the identified risks

Establishing accountability

Trust but verify….What’s your corrective action plan?



Corrective Action Planning and Implementation

Establishing accountability

Who owns it?

Who controls it?

Understanding “upstream and downstream implications”

Where is it broken?

Documenting the ownership



Corrective Action Planning and Implementation

Trust but verify …. What’s your corrective action plan?

Where is it broken?

Policy and procedure development

Developing and delivering effective training

Developing and implementing auditing and monitoring plans



Questions?



Contact Information

Ken ZekoDirector

KPMG LLPDallas, TX

[email protected]

214-840-6497

Ken ZekoDirector

KPMG LLPDallas, TX

[email protected]

214-840-6497

All information provided is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation.

Dieter LehnorttInstitutional Compliance Officer

UT Southwestern Med. Cntr.Dallas, TX

[email protected]

214-648-6108

Dieter LehnorttInstitutional Compliance Officer

UT Southwestern Med. Cntr.Dallas, TX

[email protected]

214-648-6108

Joel DziengielewskiDirector

KPMG LLPNew York, NY

[email protected]

Joel DziengielewskiDirector

KPMG LLPNew York, NY

[email protected]

Date post:	02-Aug-2020
Category:	Documents
Upload:	others
View:	2 times
Download:	0 times