Corporate Compliance Semi-Annual Risk Assessment Guide
Table of Contents
Introduction
Recovery Audit Contractor (RAC) Audits
PEPPER
Professional Fee Documentation and Billing
Government Audits and State Work Plan
Government Investigations
Healthcare Enforcement Legislation
Data Mining
Compliance Coding Audits
Compliance Non-Coding Audits
Voluntary Disclosures
Conflicts of Interests
Health Insurance Portability and Accountability Act (HIPAA)
Compliance Inquiries
Summary – Adjustment of Risk
Compliance Risk Profile
Exhibit A
Introduction
This semiannual risk assessment document summarizes adjustments to the January 2021 Risk Assessment Guide by the Office of Corporate Compliance (Compliance). These adjustments are the result of continual risk analysis and monitoring by Compliance. Factors influencing adjustments to the current work plan include, but are not necessarily limited to:
- New or enhanced governmental audit initiatives,
- Changes in healthcare laws,
- Changes in services and processes,
- New entities, and
- Compliance audit findings related to audits conducted during the first two quarters of 2021.
Compliance monitoring processes continue to indicate that professional fee billing, inpatient billing, Medicaid-funded services, and newly managed or acquired entities remain the largest potential risks to the organization. In addition, privacy incidents related to the unauthorized disclosure of patient data are becoming a greater risk because of the government’s increased enforcement focus and the organization’s rollout of additional electronic information systems.
Recovery Audit Contractor (RAC) Audits
Another potential risk related to the areas listed earlier is RAC audits. The RAC contractor for the state is DCS Healthcare. Through March 2021, RAC audits nationwide have detected $162 million in Medicare overpayments and $22 million in Medicare underpayments.
Centers for Medicare & Medicaid Services (CMS)–approved audit issues for this region include transfer of care audits, Medical Severity Diagnosis Related Groups (MS-DRG) validation audits, durable medical equipment audits, other services such as pharmacy supply and dispensing fees, clinical social worker services, urological bundling and ambulance services, and the recently added medical necessity reviews for both inpatient and outpatient hospital services. The RAC also intends to audit physician documentation and billing in the future.
To date, $[X] has been recouped by the RAC. All denials were appealed, with mixed results. The organization has recovered $[X], $[X] was denied, and approximately $[X] is in the process of being reviewed. The organization continues to evaluate and prepare appeals for the remaining applicable RAC recoupment dollars at risk. A large percentage of the RAC findings focus on medical necessity compared to routine coding rule errors.
Program for Evaluating Payment Patterns Electronic Report (PEPPER)
PEPPER is an electronic report available from the federal government containing hospital-specific data for target areas that have been identified as high risk for payment errors (i.e., specific DRGs and discharges). It is suggested that anything above the 80th percentile or below the 20th percentile, as compared to national, state, and jurisdiction (i.e., regional) benchmarks, should be reviewed. Please see Exhibit A for a detailed grid that identifies those areas highlighted for the organization.
Even though a facility may be “red” (i.e., at or above 80th percentile for national, state, or jurisdiction) for a certain DRG, it does not mean the facility’s coding is inappropriate. A facility could have a high or low ranking because of environmental or geographic reasons.
During the first quarter of 2021, Compliance conducted audits in several of these areas, including three-day admissions to skilled nursing facilities, septicemia, and one-day inpatient stays. Quality has also reviewed readmissions. Compliance plans to conduct an audit of two-day stays in the third quarter. Surgical DRGs are routinely addressed in all DRG audits. To date, there have been no significant findings.
Professional Fee Documentation and Billing and New Physicians
The organization continues to add employed physicians. The number of employed physicians increased from approximately 1,500 to approximately 9,000 over the past couple of years. As a result, this area remains a high risk.
In 2021, the organization further increased the scope of its monitoring function of the professional coding and billing practices. The organization plans to conduct coding reviews of 25% of its physician community. Reports reflecting physician compliance with accurate coding and billing practices are submitted to Compliance monthly. The organization has a process whereby any physician with a financial error rate greater than five percent will be educated and reaudited. Coding documentation issues were identified in approximately five percent of the physicians audited to date.
Compliance continues to conduct retrospective audits on topics that are identified in the industry as relevant and will complete four retrospective audits this year for physician professional fee services.
Government Audits and State Work Plan
State Work Plan
The State 2020–2021 Annual Work Plan, which communicates the state's audit initiatives for the next year as part of its efforts to improve and preserve the integrity of the Medicaid program in the state, was released December 6, 2020.
The state is also placing more emphasis on trustee and senior management’s responsibilities with regard to overseeing hospitals’ Compliance programs. Most recently, the state stated that the Board’s most significant role in compliance is to become “sufficiently educated about the topic to ask appropriate questions and determine whether management has the expertise, the will, and the metrics to provide a reasonable assurance of compliance, and for the Board members to review intelligently the responses and submissions of management.”
Another area that the state plans to focus on is evaluating the effectiveness of provider compliance programs. It is recommended that providers perform an annual self-assessment to evaluate and detect areas for improvement. The provider’s self-assessment will be reviewed to help the state assess compliance program effectiveness and may also be a required submission during the audit and investigation process.
Since May 20, 2020, the state has finalized and published 289 audit reports for all state healthcare providers and suppliers. Hospitals remain a primary focus. The areas audited are represented in Figure 1.
The active government audits in 2021 throughout the organization are represented in Table 1. The number of audits increased from 120 audits in 2020 to 180 audits in 2021.
Agency | # | Percent of Agency | Percent of Total | Notes |
---|---|---|---|---|
Medicare Audits | | | | |
Office of Inspector General (OIG) | X | X | X | |
Comprehensive Error Rate Testing (CERT) | X | X | X | |
NGS | X | X | X | |
DOH | X | X | X | |
CMS | X | X | X | |
NGS Pre-Pay Probe | X | X | X | |
Subtotal, Medicare Audits | X | X | X | |
Medicaid Audits | | | | |
Office of the Medicaid Inspector General | X | X | X | |
DOH | X | X | X | |
HMS/PCG | X | X | X | |
Subtotal, Medicaid Audits | X | X | X | |
Total | X | X | | |
To date, none of these government audits have detected any significant overpayments or triggered any formal government investigations.
Government Investigations
The United States government is currently conducting some investigations that involve the organization’s coding and billing practices. The government’s reviews focus on medical necessity.
Healthcare Enforcement Legislation
The federal government is still in the process of implementing several of the healthcare enforcement provisions signed into law as part of the Patient Protection and Affordable Care Act (PPACA). This law increased the risk level of all healthcare providers, including our organization, given the vast amount of resources and enforcement weapons created by the bill.
The legislation came on the heels of the OIG having its best year ever in recovering inappropriate federal claims submissions—$4 billion. Notwithstanding, federal legislation (i.e., The Fighting Fraud to Protect Taxpayers Act) has been proposed to further increase funding for computer fraud and identity theft and calls for approximately an additional $15 million a year to be reinvested in anti-fraud efforts.
In addition, The Medicare Spending Transparency Act was proposed to make summary-level Medicare data publicly available and enhance the ability of qualified outside organizations to access more detailed data. An investigation conducted by leading newspapers illustrated how outside groups can provide a valuable complement to the government’s own fraud detection research when provided access to hospital and physician billing data.
Also, a bill called the Strengthening Medicare Anti-Fraud Measures Act was introduced. The legislation expands the authority of the OIG to allow it to ban corporate executives from doing business with Medicare if their companies are convicted of fraud. It also gives the OIG the ability to exclude parent companies that may be committing fraud through shell companies.
CMS also published a notice of proposed rulemaking to implement a provision of PPACA to give qualified entities access to Medicare claims data for use in evaluating the performance of healthcare providers.
Data Mining
The government uses sophisticated data mining tools to target healthcare providers whose claims are not in full compliance with all applicable regulations. Both the federal government and the state plan to further invest millions of dollars to continue to ramp up their ability to effectively data mine aberrant claim patterns.
Compliance is currently working with a data mining software vendor, which affords Compliance the ability to effectively analyze large quantities of data for inpatient hospital, emergency department, and outpatient surgery claims. The goal of this analysis is to allow a heightened focus on identified risk areas that will be audited through the optimization of existing resources. Thus, the areas that the software identifies through complex information system algorithms are more likely to be areas at risk.
Compliance has been able to successfully use this tool to monitor coding and billing in several areas of the organization in 2021. Currently, data mining reviews are in progress, and more reviews will take place throughout the rest of the year. During the past year, data mining has detected mistakes, but has not detected any systemic coding or billing issues.
Compliance Coding Audits
Each year Compliance reviews the OIG and state work plans, as well as internal and industry trends, to compile an Audit Work Plan that is representative of the potential risks that the organization may face. As the process of risk assessment is ongoing, the work plan may change throughout the year when new potential risks arise and other identified potential risk areas are mitigated. Figure 2 depicts the status of all of the planned 2021 coding audits but does not address all of the special coding projects that might arise during the year.
To date, Compliance has completed 23 planned audits and is on target to complete more than 50 coding audits. In 2020, Compliance completed 42 coding audits. These audits assess the accuracy of documentation to support coding and billing and are conducted in the following categories: medical necessity, coding accuracy, and documentation. To date, there have been minor issues identified in regard to physician documentation, but none of these issues have been systemic, and the findings are not material in nature. One improvement area that has been identified through these audits is clinic coding. Compliance is providing assistance to our clinics in this area.
Compliance Non-Coding Audits
In 2021, Compliance plans to complete at least 22 non-coding audits. These audits focus on physician financial transactions, clinical documentation, and clinical research. Many of the audits are ongoing and will be conducted throughout the year. Table 2 lists the 2021 non-coding audits and provides the status of each as of May 31, 2021.
Audit/Review Topic | Facility/Facilities | Status |
---|---|---|
[X] | All [X] facilities | Ongoing |
[X] | Facility A | Completed |
[X] | Facility B | Completed |
[X] | Facility C | Ongoing |
[X] | Facility D | Ongoing |
[X] | Faculty practice | Completed |
[X] | All [X] facilities | Completed |
[X] | Faculty practice | Delayed |
[X] | Faculty practice | Ongoing |
[X] | All [X] facilities | Ongoing |
[X] | All [X] facilities | Ongoing |
[X] | All [X] facilities | Ongoing |
[X] | All [X] facilities | Completed |
[X] | All [X] facilities | Completed |
[X] | All [X] facilities | Ongoing |
[X] | All relevant [X] facilities | Ongoing |
[X] | All [X] facilities | Ongoing |
[X] | Faculty practice | Completed |
[X] | Faculty practice | Completed |
[X] | All [X] facilities | Completed |
[X] | All [X] facilities | Ongoing |
[X] | Faculty practice | Delayed |
Completed non-coding audits are described in the following sections.
Review Face-to-Face Physician/Patient Encounter Requirements for Durable Medical Equipment and Home Health Services
As part of the PPACA, to certify home health services or durable medical equipment under Medicare, physicians must document that they have had a face-to-face encounter with the individual during the six-month period preceding such certification, or other reasonable time frame (as determined by the secretary) as of January 1, 2020.
Compliance verified that the appropriate procedures are in existence and are consistent with face-to-face requirements, and staff is aware of these new requirements.
Review New National Provider Identifier Requirements
As part of the PPACA, Medicare and Medicaid providers and suppliers must include their national provider identifier on all program applications and claims as of January 1, 2021. Compliance verified that the organization’s standard operating procedures comply with the new requirements, and staff is trained to ensure compliance.
Examine New In-Office Ancillary Exception Requirements
As part of the PPACA, new requirements related to the Stark Law were enacted that go into effect in 2021. The PPACA requires physicians claiming protection of the in-office ancillary services exception to satisfy new disclosure requirements, such as informing patients that certain imaging services are available elsewhere and providing patients with a written list of alternate suppliers.
Compliance, in partnership with Legal, determined that no facilities were affected by this new regulation.
Review of Compliance Policies
The government recommends that compliance programs continually review their compliance policies to ensure they are updated to reflect the latest regulatory directives. Compliance reviewed all of its applicable policies to ensure they reflect any regulatory and internal changes.
Review of Physician Practices’ Coding Procedures
Each year the government makes several coding changes that affect physician practices. The nonadoption of even one coding change can have a material financial impact on a physician’s practice. Compliance surveyed various physician practices to ensure the physician practices are aware of the applicable coding changes and that their procedures reflect all applicable regulatory updates.
Verify Education on Teaching Physician Rules
The government continues to focus on hospitals’ compliance with the Medicare teaching physician rules. Compliance verified that it has appropriate educational materials that are distributed to applicable clinicians on these rules.
Verify Education on Supervision Requirements for Outpatient Services
In 2020, the government revised the supervision requirements for outpatient services. Compliance verified that it has appropriately educated the applicable facilities on the changes in this rule.
Voluntary Disclosures
The OIG, state, and Medicare’s fiscal intermediaries have processes for healthcare providers to voluntarily disclose and rectify overpayments received. The benefits of self-disclosure include forgiveness or reduction of interest payments, extended repayment terms, waiver of penalties and/or sanctions, and possible preclusion of a subsequently filed state False Claims Act qui tam action based on the disclosed matter.
To date, there have been two formal voluntary disclosures from the organization. As a result, we refunded the government approximately $150,000.
There are also some other issues under review that may result in a voluntary disclosure in the coming months. Please note that this does not include routine overpayments we identify and repay as a result of routine government audits, payer reconciliation, or internal reviews.
Conflicts of Interests
The new healthcare legislation includes the Physician Payments Sunshine Act, which requires drug, medical device, biological, or medical supply manufacturers to disclose direct payments or transfers to physicians and teaching hospitals that are $10 or more (or total more than $100 in a calendar year). It also requires that those manufacturers disclose any nonpublic ownership or investment interests of physicians and their immediate family members in the manufacturers. Those reporting requirements do not take effect until March 31, 2023, and the information will be available online to the public.
Last year, the organization significantly revised its employee conflicts of interest disclosure form to make it more robust and rolled out an electronic conflicts of interest tracking system. This year, the organization added two new questions. One question addresses financial conflicts. The second question requires additional disclosures.
Health Insurance Portability and Accountability Act (HIPAA)
Since the beginning of 2021, reportable breaches have occurred at four facilities.
Compliance is currently in the process of launching the 2021 employee training, which heavily emphasizes HIPAA. Two recent cases provide a road map for action. A hospital was fined one million dollars and ordered to enter into a government-imposed corrective action plan because an employee commuting to work accidentally left copies of 192 medical records on a train. All the records contained protected health information, and some records contained HIV status information. In another case, the government issued a penalty in the amount of $4.3 million to a health plan for not providing 41 patients with a copy of their medical records on a timely basis.
In addition, Compliance recently completed a privacy risk assessment in collaboration with Information Services and Legal to further address any privacy or security gaps and will be adding more resources to focus on this area of scrutiny. Compliance also has implemented HIPAA awareness activities to further educate employees on this important topic.
Compliance Inquiries
Compliance received inquiries and reports on a wide variety of issues during the first half of 2021. The Compliance Helpline, which is accessible by telephone or online, and the Compliance office received approximately 85 inquiries to date. While many of the reports received concerned human resources, many others were focused on HIPAA, coding, and policy violations. All reports received by Compliance are investigated and resolved.
Issue | Cases | % of Total |
---|---|---|
1. Coding, Billing, and Contracts | [X] | [X]% |
2. Conflict of Interest | [X] | [X]% |
3. HIPAA/Confidentiality | [X] | [X]% |
4. Human Resources | [X] | [X]% |
5. Other | [X] | [X]% |
6. Patient Care/Quality | [X] | [X]% |
7. Question/Violation of Policy | [X] | [X]% |
8. Research | [X] | [X]% |
9. Theft | [X] | [X]% |
Total | [X] | |
Summary-Adjustment of Risk Analysis
The 2021 semiannual compliance risk assessment used numerous internal and external resources to help determine which risk areas should be evaluated. Each year, governmental enforcement agencies release an audit work plan that provides a road map of their planned audit activities. Two important data resources are the OIG Fiscal Year 2021 Work Plan and the State Fiscal Year 2020–2021 Work Plan. It is an industry standard for healthcare providers to review the OIG and state work plans annually and to evaluate their own entities for these potential risk areas. In addition, Compliance continues to evaluate financial data for reimbursement trends, prior audit data, government data trends, state and federal enforcement agencies’ audit reports, and internal surveys on various topics to identify other areas of potential risk. The key risk areas are identified in the graph on page [X].
[X] and [X] have been placed in the low-risk category. There are internal processes that have been implemented by [X] to mitigate the risk.
[X] is placed in the medium-risk category. This is because [X].
Based upon the recent regulatory environment, [X] is placed in the high-risk category. This is because [X].
[X] is in the high-risk category since the volume within the organization is great and the government scrutiny related to medical necessity is increasing. Specifically, RAC auditors have started to focus more on medical necessity issues, which are resource-intensive for healthcare providers to defend.
Privacy breach was moved from the medium-risk category to the high-risk category. This area is expected to remain a greater risk in the future as the government plans to invest more enforcement resources into this area and has begun to levy more significant fines for violations. As hospitals’ electronic medical records systems expand, the risk of potential data breaches also has increased significantly. In addition, privacy violations can cause significant reputational damage, and the costs to pay for credit monitoring to patients can be significant. To address this risk, the organization will be dedicating more resources to further focus on controls to mitigate potential risk.
Quality risk was moved to the high-risk category as the government plans to devote more resources to this area. Both federal and state regulators are moving toward quality-type audits resulting in multi-million-dollar settlements based on various quality and medical necessity issues. Boards, administrators, and compliance officers are following this trend and reevaluating their risk exposures. Given these factors, plus the increased focus on “never events” and “present-on-admission” indicators, this risk was moved into the high-risk category. The organization is working on ways to further collaborate between Quality and Compliance.
Lastly, there has been an increase in whistleblower lawsuits coupled with the new amendments to the False Claims Act that make [X] an even greater threat. As a result, this area has remained an [X] risk category.
Impact to the Organization
The purpose of this graph is to provide a visual depiction of high-risk issues that may affect the organization based on our analysis. The graph does not include all proposed audits, initiatives, or risks but provides a high-level overview of the compliance risks that may affect the organization.