When the HHS Office of Inspector General (OIG) put out a report on the growth in hospital billing for inpatient stays at the highest severity level, which it called “vulnerable to upcoding,” the compliance team at SSM Health dug into its own data.[1] What would it reveal about the nine MS-DRGs, including sepsis and chronic obstructive pulmonary disease, named by OIG as fueling an increase in Medicare spending nationally? To answer the question, “we pulled data for inpatient claims billed with high-severity-level DRGs,” said Shanna McKellip, senior data scientist in the SSM corporate responsibility department. “We also took it a step further and reviewed the length of stay and discharge dispositions to give it some context.” The data dive yielded some surprises. For example, sepsis DRGs had a short length of stay. “Typically, if you come into the hospital with sepsis you would expect a longer length of stay,” McKellip said. It turned out the shorter stays stemmed from either the deaths of patients or their discharges, which could put them at risk of readmission. “We determined we needed to do a full audit on these DRGs.”
But the data analysis, which is a core part of SSM’s compliance program, could have pointed in another direction. Sometimes it indicates an audit is unnecessary or that monitoring is an appropriate response, said Brigitte Doleshal, senior director of corporate responsibility at SSM, which owns 23 hospitals, physician offices, post-acute care centers and other entities in Missouri, Wisconsin, Illinois and Oklahoma.
“We run pretty lean as a compliance program. We want to spend time on the areas of highest risk,” Doleshal said. “We have always conducted a thorough risk assessment process, but this allows us to focus on areas of the highest risk to the organization.” Karye Morgando, system director of corporate responsibility, noted that risk assessment is now “a continuous cycle.”
McKellip, Doleshal and Morgando described the use of data analytics in developing risk assessments and work plans Feb. 25 at the Health Care Compliance Association’s virtual regional conference.[2] “Our goal is to review the data the way CMS does before CMS does,” McKellip explained. “It’s like having the answers to an open-book test.” The risks are described on risk briefs and rated by likelihood and impact on a heat map for senior leaders.
SSM’s compliance team starts its “data journey” with external sources, including Medicare-specific information generated by the comprehensive error rate testing (CERT) contractor. McKellip focused recently on the CERT’s 2020 Medicare fee-for-service supplemental improper payment data, specifically the 20 DRGs with the highest improper payments.[3] The CERT data was historical (July 2018-June 2019), and the report included the reasons for the errors—no documentation, insufficient documentation, medical necessity, incorrect coding and other. Armed with this information, she created an SSM version of the CERT report on the same DRGs, but updated the data through 2021. The DRGs include major hip and knee joint replacement or reattachment of lower extremity; heart failure and shock; psychoses; extracorporeal membrane oxygenation or tracheostomy with mechanical ventilation greater than 96 hours or principal diagnosis except face, mouth and neck with major operating room procedures; and simple pneumonia and pleurisy with major complications and comorbidities.
Peeling Back the Data ‘Like the Layers of an Onion’
“I like to look at digging into the data like the layers of an onion. I keep peeling the layers back to get to the center,” McKellip said. The data is mined using data-mining tools and programs. It’s then put into an Excel spreadsheet and PivotTable for the compliance team to review. “When we look at the data this way, it helps us determine the highest-dollar DRGs, as well as the highest-volume DRGs. I also take the total dollars for each DRG and compute what the potential improper payment amount would be per the CERT table. This just gives us an idea of the dollars associated and adds some context to discussions,” she explained. After reviewing and validating the data, McKellip took it to the SSM Corporate Responsibility Group to see if anything jumped out about the top 20 DRGs. Then they looked more closely at the top 10 DRGs by dollars and volume and whether audits of them were already planned or underway. “If we identify any DRGs where there may be some areas of risk, we conduct a deep dive into the data,” McKellip said.
For example, a decision was made to review the coding of simple pneumonia and COVID-19, with an eye on potential undercoding of simple pneumonia and overcoding of COVID-19.
First, the SSM compliance team pulled the coding data for simple pneumonia and plotted it on a graph, keenly aware it has seasonal ups and downs, with an expected spike in winter, for example. For the years they reviewed, 2018 through 2021, pneumonia coding was predictable. Then they did the same for COVID-19 coding data. “This data is a bit more erratic,” McKellip said. While it doesn’t show the same seasonality as pneumonia, “we can start to see some typical peaks and valleys. We also need to keep in mind surge times and locations when looking at COVID data.” Finally, McKellip overlaid the pneumonia data on the COVID-19 data.
The findings: there were no significant decreases in pneumonia cases with contemporaneous increases in COVID-19 cases. In other words, SSM is not overcoding COVID-19 and undercoding pneumonia. That’s a relief partly because of the 20% add-on payment for COVID-19 MS-DRGs, which has made it a target of auditors. Because of the reassuring results, there won’t be a full-blown audit, but the two DRGs will be monitored for a year in case things change, Doleshal said.
SSM’s compliance team also used OIG’s 2021 Medicare provider compliance audit of an unrelated facility, Sunrise Hospital & Medical Center in Las Vegas, as a data source.[4] OIG concluded the hospital was overpaid an extrapolated amount of $23.6 million in 2017 and 2018, which the hospital refuted. OIG identified 10 areas of risk and, for data analysis purposes, SSM focused on a few. For example, they looked at outpatient claims paid in excess of $25,000 and inpatient claims paid in excess of $25,000. “We didn’t see anything out of the ordinary,” McKellip said. “This is an area we would monitor to keep a pulse on our information.”
Tracker Helps With OIG Work Plan Items
While McKellip is pulling data, Morgando works in tandem to gather information from CMS, OIG and other sources. The OIG information is put on a tracker, which is essentially a spreadsheet that indicates whether the compliance team should respond to new items on OIG’s Work Plan, Doleshal said. The tracker states the Work Plan items, the date they were added, the OIG division performing the work, and how SSM will respond:
- No action needed—low risk.
- Additional information needed or follow-up.
- Immediate action needed.
- Defer action to later work plan.
- No action needed—does not apply.
- Report to regulatory change management committee, which is the internal committee that helps distribute regulatory and compliance updates throughout the organization.
Morgando and her team also generate a monthly compliance update with CMS developments, such as MLN Matters articles, and other information that’s shared with the corporate responsibility team. “Hospital leaders in St. Louis may need different information than medical group leaders in Wisconsin, for example,” Doleshal said.
When all the data is in and the compliance team has received feedback from leadership, it moves into the next phase of crafting the quarterly risk assessment, Doleshal said. “We create a summary of the risk analysis in an Access database, using a custom form we created called a risk brief,” she said.[5] The risk brief describes the risk, factors that drive the risk, and current activities or leadership concerns related to the risk, Doleshal said. “Using this format, we can gather information from multiple sources and multiple regions for the same risk area all in one place. As we move along that journey, we want to make sure each risk area is also tied to the enterprise level risks identified by our enterprise risk management process.”
Two Paths for Audit Findings
Then it’s time for audits on the risk areas that made the final cut, and the data is turned over to the auditors. They will pull samples for the audits. “There is no way we can audit every claim, so we have a validated sample,” Morgando said. When the results come in, they’re shared with operational leaders.
There are two potential paths with final audit findings, Morgando said. “We go both forward and backward on our audit,” Morgando said. SSM does a six-year lookback audit for the relevant claims, extrapolates any error rate and refunds the overpayment. At the same time, it monitors corrective actions to ensure they take root. “We will wait a specific time frame so that we have enough claims and then audit a sample based off the population. At this point, if all corrective actions have taken hold, we will share our findings with leadership and close the audit,” Morgando explained.
The data analytics are a hallmark of SSM’s moving from a “managed level of maturity” to an “enhanced” compliance program, Doleshal said. An enhanced program means “we are monitoring and measuring program metrics, continually improving our processes, and using data analytics to anticipate trends and compliance risks.”
Contact McKellip at shanna.mckellip@ssmhealth.com, Doleshal at brigitte.doleshal@ssmhealth.com and Morgando at karye.morgando@ssmhealth.com.