How to Conduct Your Own Risk Assessment and Build an Auditing and Monitoring Plan
Karen Voiles, Senior Manager Compliance, QHR

Agenda
- Define your organization's highest areas of risk
- Key elements of a hospital-wide risk assessment
- How to measure and prioritize risk
- Steps to monitor and audit identified risk
- How to use information obtained from audit and monitoring

Which Comes First: Risk Assessment or Auditing Plan?
"NEW AROUND THESE PARTS, STRANGER?"
"AND YET THE QUESTION REMAINED: WHO CAME FIRST?"

How Do You Define R I S K?
- R: Relative
- I: Intuitive
- S: Significant
- K: Kinetic
RISK: Something that involves uncertain dangers
RISK ASSESSMENT: Identifying, measuring, and prioritizing events or risks that may have consequences on an organization's ability to achieve its objectives

What Are the Benefits of Risk Assessment?
- Strategic planning (proactive vs. reactive)
- Reduce financial loss
- Improve awareness
- Improve decision making
- Improve regulatory compliance
- Improve risk identification
- Improve processes
- Better resource allocation

What Are Some Elements to Consider?
- Operational changes
- New personnel
- New information systems
- Rapid growth
- New technology
- New products/service lines
- Organizational restructuring

What Are Some Other Types of Risks?
- Operational
- Financial
- Human
- Strategic
- Legal/regulatory
- Technology

What Are Some Hospital Risks to Consider?
- Billing for services not rendered, duplicate charges, unbundling, billing discharges rather than transfers (RACs)
- Medical necessity (RACs)
- Upcoding (RACs)
- Credit balances
- Stark and anti-kickback statute
- False claims
- HIPAA/HITECH

What Other Hospital Risks Should Be Considered?
- CMS Conditions of Participation (COPs)
- Conflicts of interest (especially important for 501C3)
- Wage and Labor Laws
- EMTALA
- 72-Hour Rule (3-day window or 1 day if not PPS; does not apply to CAH)
- Information technology
- Wireless penetration
- User access
- Vendor management
- Password management

What Are Some Data Sources?
- Surveys
- Interviews
- OIG Workplan
- Hotline calls
- Reports of suspected non-compliance

Other Data Sources?
- Reports: RAC, MIC, and ZPIC
- PEPPER (www.pepperresources.org)
- CERT (Community Emergency Response Teams disaster preparedness)
- OIG OAS (Office of Audit Services)

What Should You Look for When Conducting a Hospital-Wide Risk Assessment?
- Tour all hospital departments
- ED
  o EMTALA
  o HIPAA
  o Signage (NPP, Patient Rights, EMTALA)
  o P&Ps
      NPP
      Financial assistance
  o Training and education
  o Billing and coding compliance
  o Auditing and monitoring

What Should You Look for in Registration Areas?
- Identity theft
- HIPAA
- EMTALA
- Signage (NPP, Patient Rights, Financial Assistance)
- P&Ps
    NPP
    Financial assistance
- Education and training
- Auditing and monitoring

What Should You Look for in the MedSurg Area?
- HIPAA
- P&Ps
- Education and training
- Auditing and monitoring
- Drug diversion

What About Other Areas of the Hospital?

What Questions Should You Be Asking?

Risk Ranking
- Reputation
- Financial
- Legal
- Likelihood of risk
- Detectability
- Controls
- Score 1-5 (5 highest level of risk)

What Is Auditing and Monitoring?
- Reliable systems and controls to review various aspects of operations
- A system that is practical, workable, and not overly complex; auditing functions are performed across many disciplines and departments
- Data accuracy and consistency
- Procedures on how the process will work and who is responsible for getting it done
- Review process regularly to see if it is working/accomplishing the effectiveness standard expected by the OIG
- Specific, targeted, and prioritized risk areas

Why Is Auditing and Monitoring Important?
1. Identify risk
2. Implement internal controls
3. Audit/monitor
- Process that assesses the quality of the internal controls, which you implement as a result of the risk assessment
- Risk assessment and auditing and monitoring plan should be completed and approved by your Board annually

Measuring Risk
- Must be able to quantify the risk
- Example: # physician contracts that meet criteria out of total # physician contracts reviewed
- Establish benchmarks
- CMS
- Professional associations
  o HFMA
  o TJC

Measuring Risk
- Specific steps for monitoring the particular risk you are auditing
- Timeframe
- # of records
- Record reviewers
- Patient specific attributes/diagnoses
- Criteria/checklist/worksheet
- Location of key components in the record to be reviewed

What Source of Information Will You Need for the Audit?
- Contracts
- Medical records
- Explanation of benefits
- Remittance advice
- Policies and procedures

What Processes Are You Going to Use to Review the Risks You Are Auditing?
- Staff interviews
- Staff observations
- Medical record reviews
- What else?

How Will You Gather and Report Findings and to Whom Will You Report?

How Often Do You Audit?
- How frequently will you audit the particular risk area identified?
- Monthly, quarterly, annually
- Results of audit may dictate frequency of audit or increase in the number of data points reviewed

Who Is Responsible for What?
- Who will be responsible for the periodic monitoring of the given risk area?
- Typically not the compliance officer

Auditing & Monitoring
- Do you know how to build an annual Compliance Auditing and Monitoring Plan?

USING THE INFORMATION OBTAINED FROM YOUR AUDITING & MONITORING PROGRAM

To Whom Do You Report the Info?
Reporting
- Compliance committee
- Department level
- Medical staff committees as appropriate
- Hospital committees as appropriate

What Are the Next Steps?
- Determine the need for further auditing based on error rate and benchmarks
- Re-file claims
- Issue overpayments as appropriate
- Involve counsel as appropriate
- Update policies, procedures, and training materials

Thanks for Attending!
Intended for internal guidance only, and not as recommendations for specific situations. Readers should consult a qualified attorney for specific legal guidance.