HCCA 2002 Compliance Institute Practical Tools for Auditing & Monitoring

Sheryl VaccaDirectorDeloitte & Touche, LLPHealth Care Regulatory Practice

Vickie McCormickHalleland, Lewis, Nilan, Sipkins & Johnson, PAvmccormick@halleland.com

2

Auditing & Monitoring Plan! Consider integration with

Internal Audit plan! Resources available to execute

plan! Timeframes! Prioritization of risk areas! Ability to flex with “crisis” ! Communication

3

Internal Audit Plan! Maximize your internal audit’s

focus and resources for compliance efforts

! Collaborate/integrate as much of the two efforts as possible

! Communicate related findings jointly to senior management/audit committee

4

Risk Areas

Hospitals - need to look at entire claim development and submission process! Admitting & Registration (MSA)! Patient care (documentation)! Medical necessity (physician

orders), ie: ancillary services! Billing (non-covered/unallowable

items)

! Coding documentation! Cost Reporting! Customer Service! OIG Guidance/Work

plan

5

Risk Areas

Hospitals! 3-Day Window (IP)! Self-administered meds (IP)! Pneumonia Upcoding (IP)! Disposition codes (IP)! Observation Status! Transfers/discharges! Medical necessity! ABN

IP = Inpatient OP = Outpatient

! Credit balances/refunds! Resident supervision! Funded depreciation (CR)! Unallowable costs (CR)! Discounts-patients, supplies,

equipment ! Physician/referral

relationships

CR = Cost Report

6

Risk Areas

Clinics! Documentation, documentation,

documentation! E&M Coding! Service characterization! Covered vs. preventative

services

! Encoder supervisor! Provider identification! Billing, ie: “incident to”

7

Risk Areas

Home Health Agencies! Case mix indices generated by

Oasis! Upcoding ICD-9! Documentation matching Oasis! Physician Orders

! Adverse Events – OBQI (Outcomes Based Quality Improvement)

! ABNS

8

Risk Areas (cont) - Hospice! Certificate of

Terminal Illness! Physician Orders! Diagnosis

! Kickbacks! Same level of care for

patient’s place of residence, ie: SNF

9

Risk Areas (cont) - Lab

Laboratory! Medical necessity! Diagnosis/ICD-9! Physician orders

! ABN! Requisition Design! Reflex Testing

10

Risk Areas (cont)

Ambulance Companies! Medical necessity! Origin/destination codes! Mileage

Skilled Nursing Facilities! Quality of Care! Ancillary Services! Medical Necessity

! Supplies! Level of Care by practitioners! ABN

11

Managed Care Organization Risk Areas

! Sources for identifying MCO Risk Areas◆ State MCO licensure requirements and Market Conduct Exam

areas◆ Accreditation standards (NCQA, JCAHO and URAC)◆ CMS Medicare+Choice Monitoring Guide

(http://www.hcfa.gov/medicare/2001guide.htm)◆ Managed Medicaid contract and regulatory requirements

! Significant overlap among the sources◆ Develop comprehensive list of issues appropriate for testing within

organization based on lines of business! See Sample Controls Review and Testing Matrix! Break out by subject matter and/or departmental responsibility! Identify schedule and/or frequency for review and testing

12

Sample MCO Risk Areas

! Underwriting and rating◆ Rate filings◆ Cancellations and non-renewals◆ Non-discrimination◆ Small Group◆ Individual◆ Mandated benefit

! Provider Contracting◆ Regulatory requirements◆ Filing and approval of form agreements◆ Use of approved agreements◆ Physician Incentive Plan

13

Sample MCO Risk Areas (cont)! Enrollment and Billing (cont)

◆ Disenrollment◆ Reinstatements◆ Timely and accurate billing◆ Timely and accurate billing reconciliation and

refunds◆ M+C institutionalized member status,

disenrollment, demographic information, etc.! Utilization Management/Care Coordination

◆ Appropriate reviewer level and independence ◆ Timely decisions and notices◆ Notice content, including appeal rights◆ Expedited appeals

14

Sample MCO Risk Areas (cont)

! Member Services◆ Timely and accurate member notices, i.e.,

provider directories, Certificates of Coverage, etc.! See Member Handbook Review! See Provider Directory Review

◆ Complaints, Appeals and Grievances◆ Emergency room coverage

15

Can’t do it all -- Prioritize

! Establish criteria for determining risk areas ◆ Risk Assessment◆ Business Risk Management Profile◆ OIG Work Plan◆ State regulatory environment◆ Competitors’ risk areas -- identified by reported

deficiencies and fines◆ Compliance hotline cases◆ Litigation◆ Instinct

16

Controls Review + Testing! Limiting activity to testing is a lost opportunity

◆ Already talking with the staff, why not find out their controls at the same time

◆ Q: Limited resources? A: Controls Self-Evaluation ! Develop standard tool to be completed by affected area prior to

review! Limit amount of time compliance/internal audit spends

identifying controls! Allows advance review by compliance/internal audit

◆ Preliminary and advance controls identification and review may impact whether and how to proceed with the testing -- and will result in more focused, effective and efficient testing.

17

Controls Review + Testing (cont)

! Controls review -- then test, maybe.◆ If controls are adequate/strong, proceed with testing◆ If controls are absent/weak -- two possible approaches

! Test after implementing corrective action plan to improve controls

! Why test before appropriate controls in place! Recommendation will include new controls and ! Will have to test again after controls are implemented to

ensure they work! Test prior to implementing corrective action plan to improve

controls! Verifies problems and may help identify necessary controls -- why

develop controls until you know what they need to be on the basis of testing

! Limit to probe testing only?

18

Testing Size

! Testing size needs to be meaningful, but based on risk assessment and compliance exposure◆ If risk assessment and/or compliance exposure is

high -- standard sampling size! Want to make sure have an accurate understanding

about compliance◆ If risk assessment and/or compliance exposure is

low -- consider a probe sample! Use a probe sample for quick picture of whether risk area

requires additional resources.! If probe sample testing indicates compliance -- move

on to other risk areas.! If probe sample testing indicates non-compliance,

then prioritize with other risk areas

19

DisclosuresDisclosure (cont)

Benefits of Disclosure◆ reduction in fines & penalties◆ reduced risk of prosecution◆ ability to frame issue◆ reduced cost◆ build record of compliance

20

Disclosures (cont)Disclosure (cont)

Risks◆ Create an obligation to fix◆ Will trigger repayment obligations◆ Could result in investigation that

identifies other issues

21

Disclosures (cont)Disclosure (cont)

Options for Disclosure◆ Fiscal Intermediaries & Carriers

(HCFA Voluntary Refund)◆ Office of Inspector General◆ United States Attorney’s Office◆ State Attorney General

22

Disclosures (cont)Disclosure (cont)

Selecting the Option◆ Medicare or Medicaid◆ Criminal or Civil◆ Isolated or pattern◆ Intentional or innocent

23

Disclosures (cont)Disclosure (cont)

Requirements:! HCFA! OIG Provider Self Disclosure Protocol

" Format" Investigation" Self -Assessment