Auditing a Private Third-Party Claims Processor for Medicare Case background developed by Yan Xiong, Ph.D. and Daniel W. Law, Ph.D.



Similar documents
STATE OF NORTH CAROLINA

When we receive your claim submission, we will assess it and correspond with you further in due course.

Pacific University. Policy Governing. Identity Theft Prevention Program. Red Flag Guidelines. Approved June 10, 2009

MEDICARE RECOVERY AUDIT CONTRACTORS AND CMS S ACTIONS TO ADDRESS IMPROPER PAYMENTS, REFERRALS OF POTENTIAL FRAUD, AND PERFORMANCE

SCRIPT FOR PROVIDER/ACO PHONE INQUIRIES. What is an ACO?

Corporate Governance Guidelines. Kenon Holdings Ltd. Adopted as of September 17, 2014

INDEPENDENT CONTRACTOR vs. EMPLOYEE:

Regulatory Compliance Policy No. COMP-RCC 4.32 Title:

Oklahoma State University Policy and Procedures. Red Flags Rules and Identity Theft Prevention

The Truth About Texas' Prompt Payment Laws For Healthcare Providers

HIPAA NOTICE OF PRIVACY PRACTICES

Real-time Pre and Post Claim Edits: Improve Reimbursement, Compliance and Safety

Auditing in an Automated Environment: Appendix C: Computer Operations

Harris County - Texas HIPAA Notice of Privacy Practices

Billing, Coding and Reimbursement Guide

CENTER FOR ORTHOPAEDICS AND SPORTS MEDICINE, INC. NOTICE OF PRIVACY PRACTICES. Effective Date: April 1, 2003

Coventry receives claims in two ways:

IN AMERICA, HEALTH CARE COSTS

HIPAA POLICIES & PROCEDURES AND ADMINISTRATIVE FORMS TABLE OF CONTENTS

Touchstone Health Training Guide: Fraud, Waste and Abuse Prevention

How To Know If You Can Test For A Mental Health Test On A Medicare Card

Principal Investigator and Sub Investigator Responsibilities

The HIPAA Audit Program

HIGHMARK BLUE CROSS BLUE SHIELD DELAWARE NOTICE OF PRIVACY PRACTICES PART I NOTICE OF PRIVACY PRACTICES (HIPAA)

Third Party Administrators of Health Benefits and Third Party Billing Services

BORIS RUBASHKIN, MD DONNA EDWARDS, RN, MSN, PMH- NP BERNADATTE WILLIAMS, PMH-NP

Healthcare Services Agreement

CLINICAL PSYCHOLOGIST PROVIDER FILE APPLICATION

HITRUST CSF Assurance Program

Professional Coders Role in Compliance

WORKERS COMPENSATION RETURN TO WORK PROGRAM

HIPAA Privacy Notice

Third Party Relationships

August 2014 Report No

John Keel, CPA State Auditor. An Audit Report on Inspections of Compounding Pharmacies at the Board of Pharmacy. August 2015 Report No.

Jerry M. Ruhl Ph.D. Clinical Psychologist (Texas #34359) 5200 Montrose Blvd. Houston, TX 77006

4.05. Drug Programs Activity. Chapter 4 Section. Background. Follow-up on VFM Section 3.05, 2007 Annual Report. Ministry of Health and Long-Term Care

By and Courier. April 18, 2016

Transitional reinsurance program results in significant new costs for group health plans

Licensed Counselors (LPCC)

DEPARTMENT OF CIVIL SERVICE HEALTH INSURANCE PREMIUMS FOR PARTICIPATING EMPLOYERS. Report 2007-S-83 OFFICE OF THE NEW YORK STATE COMPTROLLER

Connecticut Carpenters Health Fund Privacy Notice

A A E S C. Albuquerque Ambulatory Eye Surgery Center NOTICE OF PRIVACY PRACTICES

HEALTH INSURANCE UTILIZATION REVIEW, APPEALS AND GRIEVANCES YOUR RIGHTS AS A HEALTH INSURANCE CONSUMER

RECORDS AND INFORMATION MANAGEMENT AND RETENTION

A Student Health Insurance Plan Customized for You! Deadline sensitive. Brought to you by Tulane University and Aetna Student Health

Effective Monitoring of Outsourced Plan Recordkeeping and Reporting Functions

AmeriHealth Casualty Services

Final. National Health Care Billing Audit Guidelines. as amended by. The American Association of Medical Audit Specialists (AAMAS)

AMA NSW AND ASMOF NSW Submission on Health Practitioners Regulation National Law

The employee s files contained a post office box number instead of a street address.

HIPPA and HITECH NOTIFICATION Effective Date: September 23, 2013

Consultants Services, Lump-Sum Remuneration

Notice of Privacy Practices

How To Protect Your Credit Card Information From Being Stolen

The Health and Benefit Trust Fund of the International Union of Operating Engineers Local Union No A-94B, AFL-CIO. Notice of Privacy Practices

Privacy Notice. The Plan s duties with respect to health information about you

NEW HEALTH CARE CHOICES FOR Key Resources for DuPont Medicare-Eligible Retirees and Dependents

Table of Contents. Transmittal Letter...2. Background Objectives and Approach TPA Claim Audit Results

Patient or Guardian Signature

Process Safety Management Program

Connecticut Pipe Trades Health Fund Privacy Notice Restatement

General IT Controls Audit Program

EB 5 Briefing Paper: USCIS Immigration through Investment Program

NOTICE OF PATIENT RIGHTS AND PRIVACY PRACTICES

mywcb Online User Guide

Transcription:

Auditing a Private Third-Party Claims Processor for Medicare Case background developed by Yan Xiong, Ph.D. and Daniel W. Law, Ph.D., CPA Medicare is a federally funded program in the United States that covers the cost of medical care for the elderly and disabled. Medicare is divided into two parts: 1) Medicare Part A, which provides basic protection against the costs of inpatient hospital and other institutional providers, and 2) Medicare Part B, which covers the costs of doctors and other healthcare practitioners that are not covered under Medicare Part A. Bob works as a senior auditor of Information Systems (IS) for the U.S. Department of Health and Human Services (HHS), which administers the Medicare program. HHS maintains contracts with several private health care organizations across the country to process Medicare electronic and paper claims from health care providers, including individual physicians, clinics, and hospitals. The private processors are granted exclusive rights to process medical claims from providers within broad geographic regions, which consist of several states. One of these companies, Medicare Southwest (MSW), processes Medicare claims from providers within four states in the American southwest. MSW is a relatively small organization with approximately 80 employees. However, its parent company, Acme Corporation, consists of one of the largest affiliations of health-care plans in the southwest. The vast majority of Acme s $5 billion in revenue is composed of private health care premiums that are collected and processed for other private subsidiary organizations. Only a relatively small portion of Acme s revenue (approximately $100 million/year) comes from MSW. MSW is located on the campus of Acme s Houston, Texas facility. In addition to the 80 MSW employees, approximately 1,200 Acme employees work at the site. These Acme

employees provide direct and indirect support for all of the subsidiaries, including MSW. Approximately 60 Acme employees are assigned to provide direct support for MSW. Most of these employees are data entry personnel and managers, although a few make up a small, dedicated Information Technology (IT) staff. Other Acme staff members who support the entire Acme facility provide indirect support, including some IT and building security. Claims Processing As the senior federal IS auditor, Bob and the three lower-level auditors have just started to examine the claims processing system. Bob has learned that Acme provides a wide variety of services related to claims processing for its subsidiaries, including MSW. For example, Acme maintains a large data center to process all electronic claims, including those from MSW. Acme s staff also processes paper claims. During the initial tour of Acme s claims processing and data center areas, Acme s IT Security Officer and MSW s internal auditor provided Bob and his staff with an overview of MSW s entire claims process. Health care providers, including individual doctors, clinics, and hospitals, submit MSW claims to the Houston facility either electronically, or through hard copies sent via U.S. mail. As electronic claims are received, they are automatically screened by Acme s computer system for errors and discrepancies, such as missing information and incorrect amounts claimed for particular medical procedures. If the claims do not contain any apparent errors, they are automatically processed by Acme s computer system, and a check is created and mailed to the health care provider. If errors are discovered, the claims are automatically forwarded to Acme s onsite adjudication department for further review. The adjudication staff attempts to correct the information by contacting the provider or by adjusting the amounts to 2

match the procedure performed. After correction, the adjudication staff submits the claim back through the electronic processing system without further review. Paper claims are received and sorted in the mailroom, along with all other mail for all subsidiaries. Paper claims are then delivered to Acme staff members who enter the claims data into the system. Prior to final submission, the data that is entered into the system is checked and approved by the single data entry manager on duty. The manager is able to correct any errors prior to submission. After submission, the claims are processed and paid. All claims contain confidential data, including names, social security numbers (government identification numbers), and specific health care treatments provided to patients. Bob noticed that most of the Acme adjudication and data entry personnel are actually temporary employees hired through agencies. Acme prefers to use the services of temporary agencies to allow more flexibility and to reduce hiring costs in these high-turnover positions. Bob also noticed that the data entry personnel who support MSW shared their facility with the data entry personnel from the other private subsidiaries. In fact, some of the data entry personnel who support MSW also work on claims from other private Acme subsidiaries. The manager of the claims processing staff explained that a separate facility was not available, and that a shared facility and workload allows for more flexibility to adjust for changes needed in staffing levels. Since employees dedicated to several different subsidiaries share the data entry area for paper claims, the manager said that no one owns the space. Consequently, no single manager is responsible for approving, deleting, and reviewing all physical access to the data entry area. Instead, each individual manager is responsible for initiating requests to grant and delete physical access for their own temporary and permanent employees by notifying the facilities manager. 3

The facilities manager can only print lists of everyone with access to the facility. Therefore, the lists are never reviewed, because individual managers are only familiar with their own employees. The facilities manager did state, however, that the individual managers of any employees who were terminated promptly notified him. As part of the audit procedures, Bob and his staff examined a sample of twenty incoming electronic claims. The claim amounts were then compared with the amounts actually processed and paid by the computer system. Bob and his staff noted that the amount claimed exceeded the amount paid by the computer system by five cents for every third claim. They further observed that several of the lead programmers for the computer system had access in the production environment and the ability to make changes to payment amounts. Also, fraudulent claims have been a frequent concern in the Medicare program, including: Multiple claims for medical procedures that are usually not performed on the same patient more than once within a particular period of time (i.e. organ transplants). Claims for medical procedures that cannot be performed for a particular patient (i.e. physical therapy coma patients). Claims for deceased individuals. 4

Please develop a comprehensive written response to the below items, with a maximum of 10-15 pages. CASE STUDY QUESTIONS 1. Develop a process diagram/flowchart of MSW s current claims processing system (current state as-is process flowchart). 2. Discuss the top risks present at MSW. Risks may include information technology risks (i.e. physical and logical security) or business process risks; including: financial, operational and/or compliance risks. 3. What types of tests could auditors conduct to ensure that MSW s operations are properly controlled? 4. For each of the risks identified, recommend appropriate internal controls to address these concerns by drafting an internal audit report to MSW management, with recommendations on how to mitigate the identified risks. Be sure to include: background, observations, risks, and recommendations. 5. Modify the process diagram/flowchart in question 1, by inserting the recommended internal controls into the process (recommended to-be process flowchart). 6. If you were a potential client considering using MSW s services, list the top issues that you would want to discuss with MSW management prior to entering into a 3 rd party agreement with them. 5