for DR. SAMUELSON only!!!!
MHCM 6320 Corporate Compliance and Legal Issues in Healthcare
Chapter 10: The Internal Audit
Chapter 11: External Audit
Week 7 Lecture Notes
There are a number or indications recognized as clues of fraud in compliance. These
are the first and most important things to look for through internal audits. Statistical
comparisons of rejections/denials of claims that indicate a high number of such
rejections is a very strong indicator of non-compliance. On the opposite side, too high a
rate of approved/paid claims may indicate underbilling or undercoding. Finally, there
may be activities that don’t show up in a statistical analysis that require internal audit
procedures to uncover.
Internal audits are those that are instigated and performed within the organizations own
structure. External audits are those which are required and performed by outsiders to
the organization. There is also a separation between audits that are carried out
simultaneously with the continuing performance of the business, called “concurrent”,
and those that look back at business that has been carried out and completed – called
“retrospective”. Both of these may be done both internally and externally.
Then there are levels of comprehensiveness for audits, called sampling or
comprehensive. When the sampling method is used it is imperative that a large enough
sample be pulled to reflect the realities of the situation.
Audit scope is determined by the policy, law or element of compliance sought to be
investigated. Such scope should be clearly determined and stated at the beginning of
the process.
The audit framework must be determined, along with a time frame, and team members
should be informed of a deadline for reporting at the outset. Then a reporting format or
template needs to be defined so that the audit team can be certain to gather all
necessary information to complete all aspects of the report.
In actually conducting the audit, the issue of concurrent or retrospective timing has a
substantial affect. Both approaches have pros and cons that should be weighed for
desired testing. Concurrency provides more of a sense of responsibility in current
activities, while retrospective audits tend to provide “warning” periods where personnel
may be tempted to alter outcomes due to a need for “survival”. Choices should be
made with these factors, as well as others, in mind.
Exit interviews provide an added form of audit, with the employee now free to confess or
criticize in a different environment. “Suggestion” or “Complaint” boxes provide yet
another opportunity for a form of audit.
Finally, no audit produces fruit until it has been completed and appropriately analyzed
and reported. Such analysis and reporting benefits from a familiarity with statistical
methodology, drawn from any available source.
The Health Care Fraud and Abuse Control program recovered about $1.1 billion per
year during the eight years from 1997 to 2005.
While that can be no doubt that the most affected entities are Medicare and Medicaid,
yet they are not the only payers that are affected by fraudulent claims. State
governments, Blue Cross and Blue Shield, Aetna, Prudential, United and all of the other
insurers and payers are also affected.
Because of this there are a large number of investigative agencies, a list of which is in
the Text, that are each empowered to review a provider’s claims. Blue Cross Blue
Shield Association states that in 2005, 70% of their corporate and financial
investigations were begun as a result of a report called in to their fraud hotline. The
agencies mentioned also have the ability to program their computers to review claims
and gather particular stats that will expose trends of possible illegal activities.
Often, an investigation will begin with a request for documentation, in which the agency
may request either a random sampling of case files or the request may be very specific.
HIPAA rules specifically allow for the sharing of information with health oversight
agencies for their legitimate purposes.
Such requests for information should bed responded to promptly but with care.
Information should be provided only when the identity of the individual or organization
requesting it has been verified. When supplying the information, care must be taken
that it is complete and accurate, and that originals are never sent. Response should
always be within the time limit stated in the request and the documents sent by a
method that provides for tracking.
Subpoenas are orders from a court of law demanding evidence be provided. The two
types of subpoenas used in healthcare documentation are a subpoena duces tecum,
which requires delivery of specific documents, and a subpoena ad testificandum,
requiring an individual to appear in court to testify. Failure to respond may result in a
finding of Contempt of Court which can result in fines and imprisonment. Again, HIPAA
specifically allows for these responses.
The organization may expect to receive a notice of the results of the audit of the
provided information. This notice may take the form of a notification of underpayment,
or a notice of improper payment. This latter notice provides three different levels of
responsibility that may be assessed: Negligence; reckless disregard for the law; or
criminal intent.
After findings of overpayment or improper payment, penalties assessed may include:
denial of payment; return of overpayment; criminal action;initiation of civil monetary
penalties; administrative sanctions.
None of these findings need be the end result, as there is the right of appeal where you
or your staff feel that there has been a misevaluation. Each organization has its own
appellate process, and it is up to the appealing organization to determine the proper
course of action and to follow it.