In this episode, we are joined by Rob Senska, General Counsel and Director with LW Consulting, to explore whether or not your documentation can stand up to an audit.
Highlights of this episode include:
- Discussing the purpose of an audit, internal or third-party.
- The various types of audits that providers should be aware of.
- Ways that a third-party audit can be triggered.
- How practices can mitigate risk of a third-party government audit.
Mike Passanante: Hi, this is Mike Passanante. And welcome back to the Hospital Finance Podcast.
Rob has nearly 20 years of legal compliance and regulatory experience in the healthcare field focusing on both the payer and provider side.
Rob has held senior level hospital legal and compliance leadership roles at both community hospitals and major national health systems. He’s also worked at top New Jersey and New York law firms in their health and hospital practice groups.
Rob holds a JD from Brooklyn Law School, an MBA from Union University, a Bachelor of Science from Union College, and a Lean Six Sigma Black Belt certification from Villanova University.
Rob, welcome to the podcast!
Rob Senska: Good morning, Mike. Thanks for having me.
Mike: So, today, we are going to explore whether or not your documentation can stand up to an audit.
So first, what’s the purpose or role of an audit, internal or third-party?
Rob: I appreciate the question. I think, overall, Mike, the purpose is to provide additional information to the healthcare provider as to its documentation, billing and coding practices as well as any other operational or risk areas.
Now, stepping back from that, there’s really two ways of achieving this information. And it’s through monitoring and internal audit and external third-party audit.
So, if we step back to what that means really, Mike, I think we can gain perspective from the Office of Inspector General (OIG) Guidance in this area. And one of the key or essential elements of an effective compliance program as set forth in the OIG Compliance Program Guidances for Healthcare Providers is the “monitoring and auditing function.”
Now, for hospitals, the Compliance Program Guidances of the OIG were issued initially in 1998; and then, it was supplemented in 2005. But the OIG has also put out other guidances for other healthcare providers.
In all of these guidances, the essential element of monitoring and auditing is essentially the same.
So, if we break that up a little bit, Mike, it’s important to have your internal audit and monitoring function be really your day-to-day assessing of the effectiveness of your compliance program and reviewing constantly what your company is doing, investigating any alerts or red flags, following the “smoke” to see if there are on-the-fly and day-to-day operational adjustments, changes and improvements that your business can make.
Now, in addition to that ongoing monitoring piece, a company, a healthcare provider really needs to have external third-party objective and independent auditing performed. Now, this can be done in a variety of ways. But the OIG has made it clear that it’s important to have some level of third-party, independent assessment by experts in the field.
For instance, we do a lot of work in this space to come into, really, some mature, some not so mature, compliance programs where there is the ongoing monitoring and auditing done in-house by the provider, but we provide another level of services to do the external audit components of this to really be in full compliance of this one, essential element of an effective compliance program.
But again, the overall purpose of all these functions is to provide additional information to the client as to its documentation, billing and coding practices and really any other risk areas that require or necessitate further inquiry.
Now, sort of separating out the different concepts, the concept of an external third-party audit done by a payer is really a different concept. It’s not driven proactively by the provider. It’s really what we consider CMS through the RAC’s or the UPIC’s or a private insurance company looking at, because of their own triggers or data, certain aspects of what a provider is doing.
Now, in my opinion, if your internal monitoring/internal auditing and your external independent objective third-party auditing are working properly, you’re going to catch most things through one of those nets. And you’ll be in really good shape as a provider to withstand these other third-party payer, be it CMS or the government or an independent private carrier. Their recruitment activities, you’re going to cover those because you’re already going to have some information from your really healthy audit and monitoring processes as to what they’re looking at.
Mike: So, let’s talk about potential other types of audits. Are there various types of audits that providers should be aware of, whether they be HIPAA or Meaningful Use, medical records, things like that?
Rob: That’s a great segue. And it sort of catapults off of what I just stated. And really, yes, the answer is yes. There are several types of third-party audits that, in my opinion, need to be very high on all providers’ radars. So let’s get into some of these.
But before I do that, let me just step back and sort of speak generally about the types of third-party audits you generally see on the provider side.
Number one, you generally see a post-payment review or what’s called a retrospective review by a payer. And then, also, you see on the provider side these pre-payment audits where they actually hold payments sometimes and review the documentation to bill elements of the provider. So, you really see both in the industry.
Now, getting a little more drilled down as to the types of audit areas that should be high on the radar for providers across the industry, we’ve seen a huge increase the last few years with our risk adjustment or Hierarchal Condition Coding, a.k.a. HCC audits. This is generally in the context of Medicare Advantage.
This is really a hot area right now and a hot button topic. Our auditors, our lead auditors, in our company at LW Consulting are getting certified in this area because we see a growing need in this area and we really see it as the way of the future.
You also have commercial audits which I’ve alluded to where health plans and private payers are conducting audits to make sure the medical record documentation validates the claims data. And these, I call sort of the typical run-of-the-mill recovery recruitment type audits.
Another set of audits are the Health Effectiveness Data and Information Set, a.k.a. HEDIS reviews. HEDIS audit reviews are really reviewing a sub-section of a health plan group with a focus on specific measures—for instance, diabetes monitoring. And the information from a HEDIS audit is reported to the National Committee for Quality Assurance or NCQA where a quality report card about a health plan is then generated.
Additionally, CMS will use HEDIS data to rank health plan performance for Medicare Advantage Plans. Now, CMS can penalize payers for decreasing quality scores. So it’s very important, these types of audits and the data they pull out.
Providers can benefit from HEDIS performance rankings because they can be used to gauge the quality of health plans during contract negotiations or as part of an ACO or accountable care organization arrangement.
So, again, the information pulled from these types of audits is used in many ways and is very valuable. So it’s important to be on your toes.
Now, some of the other areas of audits or typical audits we see—and I think most folks are aware of these—are Medicare Fee for Service Recovery Audit programs or the infamous RAC’s. Now, the Medicare Fee for Service Recovery Audit Program’s mission is simply to identify incorrect Medicare improper payments through efficient detection and collection of over-payments made on healthcare claims provided to Medicare beneficiaries.
So, again, the goal here is for them to pull back anything they don’t think is properly paid. And that’s done in all 50 states, these RAC’s, and throughout the country.
Also, another government or CMS program is the UPIC or Unified Program Integrity Contractor. Again, the Centers for Medicare and Medicaid Services, they do audit, and they oversee any anti-fraud, waste and abuse efforts. So the UPICs, which are organized geographically by jurisdiction, again, are charged with maintaining CMS integrity by detecting and proactively preventing healthcare fraud, waste and abuse.
So, you really see audits in all these areas. Again, it’s not one area. I think providers need to be paying attention to all these areas.
I think another thing, Mike, if I may, is just to give some of the providers that are listening in some of what we see across the nation in our client base as, I’ll call them “hot button topics,” where really across government and private payers, these types of areas are being investigated.
One area is for adding a Modifier 25 to a procedure. That’s where we’re seeing a lot of audit activity just as a flag for providers listening in.
Another area is any place where Medicare has a prolonged E&M service that Medicare is investigating those prolonged E&M services in the higher levels. So, any time, you’re again in a level four or five or have a prolonged E&M service visit, Medicare is flagging those as potential outliers and looking into them through investigation and/or audit.
Now, also, we’re seeing a lot of activity in the Medicaid MCO space. Any time there’s a Modifier 25 or 59 on a claim, they’re auditing almost all of those in some instances—so again, things for providers to be paying attention to.
And finally, we’re seeing a lot of audit in the out-patient physical therapy or PT service arena. These are currently being targeted as really ripe areas for audit. The government really has good data nowadays. So all these little hot button audit areas that we’re seeing across the nation I think are coming from the government sharing information better than the last five to ten years and doing some really good data mining as to where they see outliers or areas of concern for potential fraud and abuse.
Mike: Rob, what are some of the things that can trigger a third-party audit?
Rob: Sure! Billing only one code across the board for each patient is going to send flags out to the regulators or the provider insurers;
Being an outlier, as I’ve suggested, as compared to your peers on the bell curve. If you’re compared to your peers as to what you’re billing in terms of your E&M levels or some other procedure or service, and you’re billing it too frequently, you’re going to set yourself apart in the data analytics, and it’s going to send out a flag, a red flag, for the government;
Another common thing that we see in our practice is unbundling, billing for services that are included and are already in the primary code. If we’re going to be doing those types of things, you’re going to set yourself up for an audit;
Billing an insurance company more claims per day than is really feasible. As a former lawyer defending and working with providers, I’ve seen cases where the provider billed 200+ patients in a day. Obviously, logic dictates, impossible! Obviously, that’s going to be a huge red flag for any government agency;
As I touched upon, use of Modifiers 25 and 59 are being investigated across the board; also, high usage of any high level, as I’ve mentioned, E&M codes;
Critical care codes are things that right now are a hot button topic; And then, in addition to all of this, Mike, you have your whistle blower or qui tam cases. So, any internal areas that the provider is not addressing can really create additional risk and subject you to qui tam actions.
Being an attorney, I know for a fact that the qui tam bar, meaning the number of attorneys practicing in this area, has risen drastically the past decade. That means the lawyers are following the money. There’s huge recruitments and huge monetary incentives for qui tams and whistle blowers to come to the government or file even their own private qui tam action.
Mike: What can practices do to mitigate risk in case of a third-party government audit?
Rob: Great question! Great follow-up question, Mike. I think, very simply, some tips for the providers listening in, document appropriately, encode correctly based on the guidelines. I know it sounds over-simplistic. But in operational standpoints, it is difficult to do and requires a lot of effort and focus;
Hire the right experts both internally and externally. Make sure you have the right people on the project;
Continue to be diligent with your compliance program. Mine your own data and make adjustments prior to billing things. Don’t bury your head in the sand. You really need to be paying attention to your own data. See if you can find your own benchmarks through revenue cycle analytics or other data mining internally.
Know your own data. CMS and other payers are looking at your data. So know your own data.
And then, constantly train your providers and staff. I can’t emphasize this enough. Again, we do a ton of training and educating. And I see companies still not providing the level of constant updating that is needed in this area to really stay apprised of all the risks and all the changes.
Mike: Rob, are practices typically notified in advance of an audit?
Rob: I would say, generally, yes, Mike, there’s some letter or notice that goes along with a request for medical records, giving a certain amount of time to reply. With most of the audits that I indicated, the RAC’s and UPIC’s, you get some sort of notice letter indicating what records they need and what they’re looking at.
You might not always know the exact issue with what they’re looking at, but there is some sort of due diligence or due process, I should say, with respect to the audit process.
Now, with that, I will make the exception that it may not always be the case if the OIG or DOJ are already investigating you. That means you’ve already crossed the line and it’s gone up the food chain, so to speak, at a higher level. Now, that might blindside you. And I’ve been internal at a provider where we received a HIPAA criminal/civil subpoena for records. And I’ll just say that’s not fun at all.
So, practices and providers are generally aware that their documentation will be scrutinized. But for being in the industry for so long, they sometimes don’t truly realize all of the downside risk completely.
So oftentimes, there’s a gap between proactive and reactive fixing. And I think it makes a lot more fiscal sense long run-wise for the providers to put the spend upfront into getting the right people on projects and getting the information before you elevate to a more critical state where it’s costly and damaging.
Mike: What are some of the mistakes physicians make during third-party audits?
Rob: Well, we see a lot of mistakes across the board depending on the practice and the maturity of the practice. Some common mistakes that we see are missing critical dates, not hiring the right experts, not getting on the ball fast when they’re dealing with the audits.
Other items we see are not sending the entire document or sending the wrong date of service as part of the audit or the response, sending a document that was not signed, not sending test results, with respect to incident-to billing, not having the criteria that’s required under the regulations and rules, not documenting time when the code was time-driven, again not appealing in a timely manner, or sometimes not even appealing at all or putting up any fight which is just oftentimes losing money.
Mike: Rob, do you find that the use of EHR’s make audit outcomes more favorable for the providers? What I mean is are you finding that the documentation is more accurate when they’re using an EHR?
Rob: I would say yes and no. I think EHR, they’ve gotten better. They’ve really matured, and people have gotten more sophisticated with using them. But I think, in general, they can be very helpful for providers to share information, collect information, and to make sure that they’re documenting the right information.
That said, there are certain risks associated with using EMR if the process, the operations, and the training were not implemented well. If those things are done well, I think they are very beneficial. But if they’re not, you have a lot of additional risks because people aren’t trained properly or the system isn’t set up properly.
Let me give you one example. And this has been heavily discussed in the literature by providers—the cloning of a note.
In many of the EMR systems, it’s very easy to copy or “pull forward” information from a last patient visit. Now, that can be great, but for the fact, if you don’t make any changes to that last patient visit, this new visit which you’ve cloned now is inaccurate.
So now, you have improper or inaccurate coding and documentation. That can lead to all the things we’ve talked about—risk of audit, other potential fraud claims, et cetera.
So, although the intent is to make things more efficient, you really need to have safeguards and internal controls built into the system that protect you from some of these other things where fast and loose can become part of the game and you really need to protect yourself.
Mike: You’ve kind of emphasized, Rob, that education is key here. And in your opinion, what can practices do to ensure key staff are up-to-speed and in the know on new regulations, best practices and documentation requirements?
Rob: Sure, it’s an excellent question. Number one—again, I don’t want to over-simplify—but have a good compliance program in place, one that’s really bought in at the board level and senior leadership level. Irrespective of what type of provider you are, you need to start there.
Hire the right educators, internal and external. Have the right education systems in place, be it software, a compliance program, your code of ethics. And make sure everybody is trained upon hire and ongoing from that point on. Have ongoing training.
You really need to have a dedicated internal compliance personnel who are responsible for training and educating. You need to have people who are overseeing and really shepherding the process here.
And really, you need to have a constant platform for education and tracking that. There are many software products out there.
Sometimes, that can be cost prohibitive if we’re talking about a small provider. With some very small providers that don’t have the capital to invest, we’ll design some less software-based compliance programs with them and ongoing education.
You can get most of the data you need and information right offline. It takes a little bit of culling and a little bit of pulling the information offline. But with the right experts guiding you, that can be done as well.
Mike: So, who should take on the responsibility of overseeing training and education of staff?
Rob: Yeah, it’s a great follow-up question to what I was speaking about. You should have a compliance contact or a compliance officer appointed and acknowledged really at any level entity even if the person wears multiple hats. Sometimes that’s not ideal given the size of the provider. But sometimes, it’s just really a resource requirement. You can’t pay a compliance officer if you’re a very small provider.
For the bigger providers, I say you absolutely have to have compliance-trained expert professionals who do compliance, managing and overseeing the training and education as part of the compliance program. For the smaller companies, they might wear more than one hat. But I think you still need to designate the resource.
And at the end of the day, Mike, it’s really the ownership and the leadership of any provider that’s responsible. So if you’re not going to invest in these resources, you’re going to have some of the issues or scares or risks that we’ve talked about.
Mike: Well, thanks for coming by today and helping us understand more about documentation and what we need to help stand up to an audit.
Rob, if anyone wanted to find out more about you or LW Consulting, where can they go?
Rob: Sure, Mike. Direct them to LW-Consult.com. I’d be happy to speak with them.
Mike: Thanks again, Rob.