Health Care Compliance Association

Volume Fourteen, Number Two. Published Monthly.

This article, published in Compliance Today, appears here with permission from the Health Care Compliance Association. Call HCCA at 888/ with all reprint requests.

How internal controls support compliant business practices, Part 2: Auditing & monitoring

By Kelly Nueske

Editor's note: Kelly Nueske is a Managing Director of Enterprise Risk Services, Internal Audit & Compliance at Sinaiko Healthcare Consulting, Inc., a Reimbursement Services Division of Altegra Health in Los Angeles. Kelly may be contacted at kelly.nueske@altegrahealth.com. Part 1 of this article appeared in the December 2011 issue of Compliance Today.

In Part 1, we discussed an overview of how we progressed to the regulatory environment we operate within today and the fundamentals of internal controls. As a refresher around regulatory expectations related to internal controls and monitoring, the following is the Office of the Inspector General's (OIG's) introduction to the program guidance section, as posted on their website:

"OIG has developed a series of voluntary compliance program guidance documents directed at various segments of the health care industry, such as hospitals, nursing homes, third-party billers and durable medical equipment suppliers, to encourage the development and use of internal controls to monitor adherence to applicable statutes, regulations, and program requirements." (Emphasis added)

I have the utmost respect for our federal government, but I feel the need to clarify the emphasized phrase in their website introduction. The statement "use of internal control systems to monitor" is not exactly how it works. An internal control structure is the foundation of sound business practices, and monitoring is a process to validate the internal control structure is functioning as intended to prevent errors, fraud, waste, and abuse. Monitoring is one of the five elements of the COSO Internal Control Framework. [1]

Monitoring

Merriam-Webster's Collegiate Dictionary defines monitoring as "to watch, keep track of, or check, usually for a special purpose."
As it relates to an organization's compliance program, monitoring should be periodic and focus on the organization's compliance risk areas. The OIG Annual Work Plan can be used as one tool to identify potential compliance risk areas, but an organization should not focus on the Work Plan to the exclusion of other risk indicators, such as RAC requests and payer denials, which play an equal role in determining focus areas. Another effective tool used to identify compliance risks is conducting an annual risk assessment involving departments or processes that have experienced a significant amount of change. Change creates some level of risk, because it means new processes, tools, people, or a combination of the three. Common compliance risk areas that could be monitored include physician or focus arrangements, joint ventures, billing and/or coding processes, cost reporting, marketing, physician ordering patterns, or compliance program processes. When an organization decides to monitor a risk area, there should be a foundational monitoring policy which sets parameters for the overall process.

The policy would address:
- the need for specific and measurable monitoring criteria;
- acceptable accuracy thresholds and organizational expectations when a threshold is not met;
- reporting requirements, including frequency and escalation, if accuracy thresholds are not met; and
- corrective action plan requirements, if accuracy thresholds are not met.

A common concern expressed by management is the lack of both time and resources to adequately conduct monitoring activities. The problem with this thought process is that compliance monitoring in health care shouldn't be thought of as an additional task. Monitoring focuses on checking the effectiveness of internal controls and is the foundation of effective operations that were around long before compliance programs existed. The key is to determine what management is already monitoring, to identify the activities that are associated with compliance risk areas, and package it together for reporting. In my experience, when risk areas are identified by Compliance, that same risk area had already been identified by management, and as a result, some level of monitoring is already underway. However, there are times this is not the case, and a new monitoring process needs to be established as a necessary measure.

Monitoring data can be overwhelming; therefore, it should be packaged in such a manner that compliance committees, senior management, and the board can easily understand the status of the risk area. What often works well is a dashboard-type illustration of the monitoring results over time. Figure 1 (on page 44-45) is a snapshot example of how monitoring results could be reported to provide a more visual perspective of the results.

Another important point to remember is that just because an organization starts monitoring a compliance risk area, that does not mean it should go on indefinitely.
If a risk area is stable and demonstrates consistency with achieving the expected accuracy thresholds, then monitoring should be stopped. At this time, management should be able to rely on the internal controls to continue functioning as intended.

All departments should be responsible for monitoring their own areas of responsibility. I have found when working with organizations that monitoring activities often focus on the Compliance department's operations and not the organization's operations. Some examples of operational monitoring include:
- RAC requests and outcomes
- Denial patterns for medical necessity, by provider
- Accurate completion of the Medicare Secondary Payor Questionnaire
- Completion of the Medicare Assignment of Benefits
- Number of unassigned orders in providers' in-baskets
- Number of privacy or security violations
- Compliance scorecard by business unit

Examples of Compliance department monitoring include:
- Hotline calls received
- Hotline call response time to conclusion
- Percentage of new employees completing compliance education within 30 days of employment
- Pass rate of compliance competency tests, post education

When the entire organization takes accountability for the compliance program and monitoring compliance risk areas, the program can achieve the appropriate level of effectiveness.

Auditing

Merriam-Webster's Collegiate Dictionary defines audit as "a methodical examination or review." The financial and internal audit industry states that auditing should be done by a person independent of the area under review. Periodic independent auditing of internal controls in high risk areas is prudent practice. The frequency of auditing should be driven by the results and executed in the same manner as monitoring. Auditing should be included in a compliance program, because monitoring is a self-validation process performed by each department, which may have some variability in how the criteria are interpreted.

There are two types of auditing: ongoing, periodic auditing and what some may call "Houston we could have a problem" auditing. Ongoing audits can either be concurrent or retrospective. Concurrent auditing is a review performed contemporaneously with the process or transaction to identify potential errors prior to completing that process or transaction. This can be an ideal approach, because errors can be corrected before an over- or under-payment is made. However, concurrent audits can be a challenge, because they need to be performed in a timely manner to avoid a backlog in operations. Implementing concurrent reviews takes a fair amount of planning and coordination with Operations to successfully execute. It also may prohibit auditing the outcome of a process, such as in the case of testing the Business office's internal controls. Concurrent reviews don't allow the opportunity to test what the final bill will look like and how it is accepted by the payer.

Retrospective audits are performed after the process or transaction is completed. Because the process is complete, the timing allows the auditor to validate internal controls thoroughly throughout the entire process. The downside is that any overpayments identified will need to be refunded and the organization must have a process in place to ensure that occurs.

Sampling

When an organization identifies a historical pattern or ongoing problem, auditing would help assess the situation. However, don't jump to the conclusion that a statistically valid sample is necessary. The decision whether to select a statistically valid sample should involve legal counsel, along with other key leaders, to complete a thoughtful analysis of the issue(s).

[Figure 1: Sample Dashboards. Panels shown here:
Incomplete Orders (Registration): orders that are missing signatures or proper diagnosis codes. Metric 7 - # of Orders Missing Signatures or DX Codes.
Non-Monetary Gifts (Sales): provider NPIs who have been provided certain percentages of the $350 non-monetary gifts for the year. The higher NPIs must be monitored closely. Metric 9 - # of NPIs Using % of Non-Monetary Gift Value ($350).
Improper DX/Med Nec (Billing): claims written off for improper diagnoses/medical necessity. Metric 11 - % of Claim Written Off for Improper DX/Medical Necessity.]

[Figure 1: Sample Dashboards, continued. Panels shown here:
Accuracy of Orders (Registration): accuracy of orders on the requisition to the billing system and LIMS and the claim. Metric 8 - % of Accuracy of Orders.
Complaints (Client Relations): accounts written off due to client (MD) or patient complaints. Metric 10 - % of Accounts Written Off for Client or Patient Complaints.
Account Reviews (Clinical): the accuracy rate of QA account reviews. Metric 12 - Accuracy Rate of QA Account Reviews.
Special explanations this month: This is where the departments would explain any outliers or special circumstances for the month.]

A number of terms associated with statistical sampling can be confusing, so let's cover some basic terminology.

Probe sample: OIG defines a probe sample size as a minimum of 30 samples from the defined universe. A probe sample is commonly used when the organization thinks there might be a problem that needs to be addressed.

Discovery sample: OIG commonly defines a discovery sample size as 50 when the organization knows there is a problem and the seriousness needs to be assessed.

Full statistical sample: This type is used if the probe or discovery sample identifies an error rate deemed unacceptable and the organization plans on disclosing their monetary liability to the OIG as a result of the error(s). The full statistical sample size is based on the results of the probe or discovery sample and equals the probe or discovery sample plus an additional number of samples mathematically calculated to reveal a statistically accurate representation of the sample universe tested. The total number selected is driven by the probe or discovery sample's error rate, the universe size (i.e., total number of records, transactions, claims, etc.), the confidence level (i.e., certainty that the sample accurately depicts the universe), and precision (i.e., range of accuracy). The publicly available OIG RAT-STATS program (oig.hhs.gov/compliance/rat-stats/index.asp) makes it relatively easy to determine the sample size and assist with selecting the sample.

Stratified sample: In this type of audit, the universe is divided into buckets based on defined characteristics within the universe. A simple example is if the universe spans over a period of years, then the universe is stratified by year to ensure a representative sample across the years. Another example may be a universe that involves multiple locations, a change in staff, or multiple providers. Before a sample is stratified, there should be some level of analysis and thoughtful discussion to determine the most representative separation in each bucket so that the stratification will increase

the accuracy of the estimation of the error.

For example, let's say we are looking at a claims audit where there are concerns about supporting documentation related to signed physician orders. The universe in question spans over a number of years. During that timeframe, the provider utilized a paper medical record for one year and in the second (and later years) was using an electronic medical record (EMR). The preliminary investigation indicated there were order deficiencies in both years; however, there was a higher accuracy rate of signed orders prior to the implementation of the EMR. Stratifying the sampling may create a more representative precision to the error rate.

Although this example is simple, the point is that there needs to be a thoughtful analysis and planning process undertaken prior to identifying the universe, focusing on the concern, and minimizing the variables within it. A number of unique questions can be asked for each situation to help identify the variables or changes that may impact the universe. Ideally, involving legal counsel and key stakeholders who have a thorough understanding of the issue and operations during the timeframe in question is the key to successfully identifying the appropriate universe. It is also wise to involve someone who has a good understanding of statistical sampling, because they often have a different perspective on questions to ask.

Conclusion

I often wonder if organizations put too much effort into auditing and not enough into monitoring. Auditing is more often done after the fact, where monitoring can more easily be integrated into operational processes. Auditing and monitoring are both good tools to validate that the internal controls structure is working. The approach and effort is unique to each organization's needs and availability of resources.
In the end, the goal should be to have a good balance of auditing and monitoring to take the pulse on the effectiveness of the internal control structure.

1. Committee of Sponsoring Organizations of the Treadway Commission (COSO): Internal Control Integrated Framework: Guidance on Monitoring Internal Control Systems June Available at volumeii-guidance.pdf