01 Sep Annual Audits for Healthcare Entities
One common refrain I try to express to all of my healthcare clients is the importance of not letting the perfect be the enemy of the good. When dealing with healthcare compliance, government agencies and commercial insurance special investigative units have done a wonderful job of scaring the bejeezus out of everyone so that no one wants to deal with the risk.
Here’s a secret: government agencies and private insurance companies do consider the size and scope of the practice when conducting their audits. Yes, you will get dinged on some items (it is very hard for a small practice to keep up with all of its compliance obligations), but unless the violations are egregious, what government agencies are going to be looking for is PROGRESS. The questions agencies and SIUs ask are often in the vein of “show me your recent internal audit results, show me your improvement plan, show me the progress you have been making.” These agencies are looking for improvement, not perfection.
In other words, are you being self-critical enough and do you have a plan to get better?
So, what are some internal steps that should be taken? My advice to clients in the healthcare realm, particularly those dealing with health information, broadly defined, is to engage in the following seven internal audits every year.
1. HIPAA Privacy Audit. This audit is actually required by HIPAA to be conducted annually. You can conduct this audit by using some of the information and material provided by the US Department of Health and Human Services and following the information provided by the National Institute of Standards and Technology which, while hard to understand and follow, is the standard the HHS uses. Essentially, this audit is looking at your privacy practices, documentation, and procedures for handling protected health information. A question that might come up in this context is, Do you have HIPAA business associate agreements for all vendors who could have access (even accidental access) to PHI?
2. HIPAA Security Audit. Again, this is an annual audit that is required by HIPAA. The HIPAA Security Rule requires a covered entity to have adequate technical, physical, and administrative safeguards in place to ensure that Protected Health Information is not impermissibly disclosed. Some examples of issues I have seen are: the failure of a covered entity to get a terminated employee’s keys to the office back, the failure of offices to have the passwords for computers be different from the passwords to access the electronic medical record system, and lack of policies regarding closing the EMR when away from the desk. This is one audit that should be done in chunks, but one that can easily be managed to show progress.
3. Revenue Cycle Audit. Because most practices rely on the payment of claims from government and commercial payors, understanding the risk factors that can impact the speed and number of reimbursements is vital, not just the billable amounts. Questions in this sphere might be: What percentage of claims are rejected on first submission? Why are claims rejected? What is our process for addressing a rejected claim? How do we make changes when payors change their policies and procedures?
4. Coding Audit. Most medical practices require that providers enter the initial coding for patient visits. There are habits that providers may develop that can negatively impact billing and claims and thus the revenue cycle. These include use of the notes carry-forward function, copy and paste, over-coding (which can lead to waste, fraud, and abuse allegations), under-coding (which can lead to lower revenue), and failure to close the charts in a timely fashion. Conducting an audit by a certified coding specialist should be coupled with ongoing education. It is not just about coding the right diagnosis and developing a treatment plan; it is about accurately describing the patient encounter to get a good treatment plan and getting good reimbursement.
5. Provider Quality Audit. Government and private payors use data analytics (probably now supplemented by AI models) to determine coding and billing practices. That is all well and good for coding and billing, but what is the process for determining healthcare quality? Are providers accurately diagnosing patients, are they ordering the proper tests, is there a process for chart review and provider education about the medicine? Annual employment performance reviews are actually the worst times to conduct this kind of audit. Reviewing provider skills, knowledge, and, yes, accuracy data is important to the overall function of the practice. Additionally, the growing emphasis on value-based care means that not only are providers being asked to be consistent in their evaluation, diagnosis, and management of a given patient, but the payors are also looking for ways to improve the health of whole patient populations. The result is that providers who are improving the overall health quality of patients and populations are receiving better reimbursements.
6. Contract Audit. Nearly all medical practices accept multiple government and private insurances. Those relationships are managed by a complicated set of documents: both a contract and the provider/practice manuals for private insurance, as well as regular updates to the provider/practice manuals. What I have seen is that many of the contracts with private insurance companies just auto-renew after one or two years. The problem with auto-renew is that you don’t get updated reimbursement rates, you get no credit for quality improvements, and so you get stuck with less revenue. Annual or bi-annual renewals should be tracked to see if the practice can negotiate better terms with the insurance companies. Other contracts to be worried about include provider contracts, your lease, and vendor contracts. Do you know when these contracts expire or auto-renew?
7. Financial Audits. A good friend of mine who coaches business owners says you should know your numbers. What is your top-line revenue per month? What are your labor costs per month? What is your other overhead per month? How often do you delay paying vendors? What do your current accounts receivable and payable look like? What percentage of your revenue comes from what sources? What is your coding accuracy? Once a year, when you do your taxes, is a bad time to do this “audit.” You should know your numbers at least quarterly.
Now, I know this looks like a lot of audits to be done in a given year, particularly since some of these audits will involve other vendors, like a qualified IT company (with experience with HIPAA-covered entities and a business associate agreement), coding specialists, accountants, lawyers, and the like. It is impossible to quantify the benefits of these audits, but if you get an investigation from a government agency (federal or state) or an insurance special investigative unit, spending a couple thousand dollars on a coding or revenue cycle audit will seem like a steal.
Call us if you want to have a conversation about these audits, develop a schedule for conducting them, and/or get suggestions for vendors to conduct the necessary audits.