The U.S. Sentencing Commission Guidelines Manual and OIG support auditing and internal monitoring as vital components of an effective compliance program. The joint publication by the HHS OIG and American Health Law Association—The Health Care Director’s Compliance Duties—affirms the importance of auditing and monitoring, stating that, “Monitoring and auditing provide early identification of program or operational weaknesses and may substantially reduce exposure to government or whistleblower claims.” Additionally, the COSO risk management model places monitoring as one of five principal components of good risk management and control practices. COSO looks to monitoring to help ensure “that internal control continues to operate effectively.”
Auditing and internal monitoring are processes to measure program effectiveness and detect criminal conduct. While auditing is a formalized independent approach to measuring effectiveness, monitoring is not. Internal monitoring can be daily reviews of a process by an employee at any level throughout the organization, and the individual performing the monitoring does not have to be independent of the activity. Monitoring is needed to ensure controls are in place and operating effectively. Monitoring also assures accountability by steering behavior toward compliance, alerting management to potential concerns (such as a breakdown in controls so that corrective action may be taken), highlighting areas of risk within the organization, and allowing management to report on the overall effectiveness of the compliance program. The compliance department may be responsible for some monitoring activities, but the function primarily depends upon management to report internal monitoring results based on a predetermined schedule. All internal monitoring activities should be well documented. The results should be captured, and any action taken should be memorialized. It is through documentation of monitoring activities as part of the seven elements that the compliance function demonstrates program effectiveness.
Internal monitoring will assist an organization in exposing potential issues before they become a compliance risk requiring investments of time and money to determine the nature and extent of the problems. An analysis of risks within an organization should begin with a prioritized list of regulatory exposures and can be delegated by department or functional area. As previously noted, any employee within the organization can be assigned a monitoring activity depending on their subject matter expertise. Once the risks for the organization have been assessed, the auditing and monitoring plan is developed. Internal monitoring should be woven into the fabric of the organization and used to promote an ethical culture from the top down. All levels of management should be involved in monitoring activities for their assigned areas based upon the high risks within their area. Monitoring can be as simple as an employee reviewing the work of a new employee for three to six months to verify that new employee’s education is appropriately applied to the job.
Other examples of internal monitoring activities include the following:
A coding supervisor reviews five accounts per week that have been coded by a new inpatient coder to ensure appropriate application of coding rules and understanding of medical terminology.
A compliance employee monitors physician timecards for medical directorship payments to ensure all required fields are completed and the time submitted to accounts payable is within the contract limits.
A registration supervisor monitors a number of new patient registrations per week using a checklist to verify that the required acknowledgment for the Notice of Privacy Practices has been scanned and also that other required registration documents are present.
Another example of internal monitoring is establishing internal controls that alert the organization to variants in their processes. Again, an employee of the functional area can be assigned to monitor the internal controls and report on any skews or trends in the data.
It is important to note that monitoring does not replace auditing. The two are very distinct processes. The ongoing auditing of operations needs to be performed by parties independent of those operations. This will ensure objectivity in performing the audits. The audit objectives are to determine whether the monitoring program is operating as it should and that adopted policies, procedures, and internal controls are adequate and their effectiveness is validated in reducing errors and risks.
Remember, monitoring is a form of self-assessment that can be performed at any level within any healthcare organization to strengthen the culture of compliance with the policies, procedures, rules, and regulations that govern the healthcare industry.