The Office of Inspector General (OIG) originally published Compliance Program Guidance (CPG) for the hospital industry on February 23, 1998, to help prevent financial fraud, waste and abuse within the healthcare community. Over the last 25 years, there have been significant changes in the ways healthcare providers deliver—and are reimbursed for—the services they render. With evolving healthcare practices, new payment systems/technology and new regulations, providers are constantly faced with new risks. However, today there are more tools in place to help identify and correct risks before they spin into a larger problem. A valuable but overlooked tool among these is a compliance risk assessment. One of the seven designated elements of a legally effective corporate compliance program (auditing and monitoring), a risk assessment is critical in proactively detecting inappropriate behavior or billing practices.
The 7 Elements of a Corporate Compliance Program:
Compliance policies and procedures
Designate a corporate compliance officer
Appropriate employee training and education
Open lines of communication
Auditing and monitoring
Enforcement of disciplinary standards
Response to suspected deficiencies
Are You in Need of a Risk Assessment?
To ask whether a risk assessment is worthwhile for your organization is like asking whether an insurance policy is a good business decision. Without it, the business is not fully protected when unexpected events occur. As much as one can plan for the future, issues can and will occur that are beyond your control (i.e., a pandemic, theft), and one single instance can leave the entire operation in a very vulnerable situation.
Building routine risk assessments into your organization’s calendar not only helps to uncover risks before they become irreversible problems; it supports a good faith effort to comply with healthcare laws and regulations. Why is this important? If an organization is faced with misconduct allegations, whether accidental or intentional, proof of an effective compliance program (which includes auditing and monitoring) can lessen their culpability score, thus mitigating applicable fines and penalties.
What to Expect During a Risk Assessment
The thought of a risk assessment might seem daunting initially, but we are here to tell you why it is important—and how easy it can be when you enlist the help of a qualified third-party consultant such as Richter. Let’s break down the process into four simple steps:
1. Discovery call
The first step in a risk assessment is a discovery call where Richter (the “auditor”) will ask probing questions to gather information about areas of the organization that are suspected to be problematic. These can include MDS reporting accuracy, records and billing, HIPAA, or quality care concerns. For example, if a provider is experiencing a high proportion of denied claims, this would be good reason to investigate since providers with a history of billing errors can easily become targets for Medicare and Medicaid billing audits. In addition to pinpointing high-risk areas of focus, this call should be used to define clear objectives for the audit, and discuss whether legal counsel needs to be involved in the process.
2. Remote virtual audit
Once a specific high-risk area of the operation is identified and the appropriate employees have been notified, the next step is a remote virtual audit to review system records. This can typically be conducted without any administrative burden or interference to the business or its employees. Richter utilizes proprietary audit forms and tools that we continually hone, and we begin with a random sample of 5-10% of records within a 3-6-month lookback. Depending on what is uncovered, the sample size may be incrementally increased. Additionally, certain policies, procedures and workflows will be evaluated.
3. Presentation of findings
After sufficient information is collected and assessed, findings will be consolidated and presented in a manner that can be easily interpreted, and with specific examples for reference. It is beneficial for senior leadership to be present for the results, not only because they are ultimately accountable, but because their involvement and actions set the tone for the entire operation.
4. Recommendation for actions
No risk assessment would be complete without actionable recommendations for improvement. After all, the goal is to detect and correct gaps and inconsistencies before they grow into larger widespread problems. Potential outcomes of a compliance risk assessment may include:
Further analysis: The initial risk assessment may uncover a larger issue that requires a more in-depth study than the original objectives defined.
Additional training: Many areas of risk can be minimized with increased education and training for employees. All mandated training assignments should be thoroughly documented.
Policy development: If loopholes exist in the current workflow, new policies will need developed or existing policies will need to be revised.
Monitoring plan: For a set period of time (daily, weekly, monthly or quarterly), monitoring may occur until the issue can be resolved. Even then, depending on the severity of the problem, this may need to be an ongoing effort.
Self-reporting: If misconduct is found, organizations may be legally required to report the offense. However, this is why it is so important to make the effort towards an effective compliance program. Self-reporting, cooperation with the investigation, acceptance of responsibility and remediation efforts will all be taken into consideration under the culpability scoring system that is used to determine fines and penalties.
Selecting a Qualified Risk Consultant
A risk assessment conducted by an external third party is an investment in your organization. It is a key component of an effective compliance program and it allows for early identification of compliance and ethical issues—before regulators, investigators, potential buyers and the media become involved. An experienced industry consultant will ask the right questions during the discovery process to identify areas where you may be struggling, will help ease any fears about the process, and will guide you through execution of recommended changes.
With team members who are Certified in Healthcare Compliance (CHC), Richter offers comprehensive risk management solutions including policy development, staff education, monitoring and analytics, and risk mitigation strategies. To learn more about our proactive and dedicated approach to compliance in your clinical operations or revenue cycle, contact us here or call us at 866.806.0799.