Jan Elezian (jan.elezian@sunhawkconsulting.com) is a consultant and Director at SunHawk Consulting LLC.
Just as your compliance department compiles an annual road map for work projects engineered to minimize risk to the organization, the federal government requires an annual road map from the Office of Inspector General (OIG). Its road map, or Work Plan, is tactical in nature and designed to outline the federal government’s expectations for upcoming management. Projects are gleaned from information received from a variety of sources, including the OIG’s fraud, waste, and abuse hotline; departmental and Government Accountability Office and Department of Justice referrals; billing data; Congressional requests; and referrals from whistleblower disclosures. Projects are planned to be addressed during the fiscal year and beyond by the OIG’s Office of Audit Services and the Office of Evaluation and Inspections. The OIG Work Plan thus becomes an important resource and reference for healthcare compliance programs when developing their internal and external auditing plans.
Projects in the Work Plan include the Centers for Medicare & Medicaid Services (CMS), public health agencies such as the Centers for Disease Control and Prevention and National Institutes of Health (NIH), and human resources agencies such as Administration for Children and Families and the Administration for Community Living. Work related to state and local governments’ use of federal funds and the functional areas of the Office of the Secretary of the U.S. Department of Health & Human Services (HHS) are included in relevant Work Plan items.[1]
Through its mission to protect the integrity of HHS programs and the health and welfare of the people served by those programs, OIG includes legal and investigative efforts in its plan. Efforts include investigating fraud, waste, and abuse; facilitation of compliance in the healthcare industry; and efforts to exclude bad actors from participating in federal healthcare programs.
To meet rising priorities, the OIG planning anticipates emerging issues and adjustments that must be made throughout the year. In the past, the Work Plan was adjusted once or twice each year. Now, effective June 15, 2017, the OIG updates the plan monthly on its website. Visit the OIG website to see a sample of the latest updates, active audits, and archive.[2]
The monthly update places newly initiated items on the “Recently Added” page. Completed plan items remain on the active Work Plan for one month, then move into the archive. Table columns are separated into:
- Status (completed, revised, active, and date announced),
- Agency (i.e., CMS, Indian Health Service, Office of the Secretary, Health Resources and Services Administration, Centers for Disease Control and Prevention, etc.),
- Title of audit (with summary of audit intent available through a hyperlink),
- Component (i.e., Office of Audit Services, Office of Evaluation and Inspection),
- Report number(s), and
- Tags (e.g., quality, COVID-19, public health issues, emergency preparedness, financial stewardship, children and family grants).
Download the Work Plan Excel file from the “Active Work Plan Items” page.[3] See the “What’s New” page for recently completed reports.[4]
OIG Work Plan structure
OIG audit statistics expect billions of dollars to be returned to the program based on the number of audit findings in 2021.[5] And, in 2020, compliance professionals and business risk owners experienced a 58% increase in OIG audit activity as compared to 2019.[6] To stay on top of federal scrutiny, compliance professionals must be nimble in effective analysis and evaluation of OIG audit work and findings. Let’s take a deeper look into how the Work Plan is constructed, its sections, and how it is updated. Work Plan audit intent, progress, and results can be reviewed in full by clicking the link on the Work Plan update page, or by simply searching the item number, such as OEI-02-20-00720 or W-00-21-35862. OEI stands for Office of Evaluation and Inspections. OEI conducts national evaluations of HHS programs from a broad issue-based perspective. The evaluations offer practical recommendations to improve the efficiency and effectiveness of HHS programs.[7] The Office of Audit Services conducts independent audits of HHS programs and/or HHS grantees and contractors.[8] Its Work Plan items begin with a W or A.
Each monthly update contains a section for the various providers with issues hitting the work list. Most prominent providers are hospitals, long-term care facilities, home health services, hospice, medical equipment and supplies, physical and other therapies, behavioral health, laboratory, prescribers, telehealth services, and the catchall other providers and supplies. Medicare Part A (inpatient) and Part B (outpatient) issues are equally represented.
To evaluate the risk an audit issue poses to their program, compliance professionals should compare OIG Work Plan initiatives to each service and potential service offered in their organization. One issue emerging during the COVID-19 pandemic is telehealth services—both inpatient and outpatient—which have skyrocketed. The inadequately understood, highly contagious virus caused crowded emergency departments and waiting rooms, thus creating fear and urgency for use of expanded telehealth services. “During the first quarter of 2020, the number of telehealth visits increased by 50%, compared with the same period in 2019.”[9] New CMS waivers added dollars to provider payments billed for Medicare/Medicaid beneficiaries using telehealth services.[10]
OIG is concerned that a rapid expansion of telehealth could prompt more fraudulent billings. Earlier last year, the Work Plan announced targeted audits of various federal, state, and commercial payers, including:
- Audits of Medicare Part B Telehealth Services During the COVID-19 Public Health Emergency (W-00-21-35862)[11]
- Audit of Home Health Services Provided as Telehealth During the COVID-19 Public Health Emergency (W-00-21-35864)
- Medicare Telehealth Services During the COVID-19 Pandemic: Program Integrity Risks (OEI-02-20-00720)
- Use of Medicare Telehealth Services During the COVID-19 Pandemic (OEI-02-20-00520)
  - Examine the use of telehealth services in Medicare Part B and Part C (managed care) during the pandemic.
- Medicaid – Telehealth Expansion During COVID-19 Emergency (W-00-20-31548)
  - Determine whether Medicaid agencies and providers complied with federal and state requirements under the national emergency declaration and whether the states gave providers adequate guidance on telehealth requirements.
- Use of telehealth to provide behavioral health services in Medicaid managed care (OEI-02-19-00400 & OEI-02-19-00401)
  - Review of selected states’ monitoring and oversight of managed care organizations behavioral health services provided via telehealth and identify practices on how to maximize the benefits and minimize the risks of providing behavioral health via telehealth.
Completed audits
Sticking with emerging issues, the Work Plan update of October 2021 included additional new COVID-19 items from completed audits.[12]
- Medicare Beneficiaries Hospitalized with COVID-19 Experienced a Wide Range of Serious, Complex Conditions (OEI-02-20-00410)
  - Understanding the types of conditions Medicare beneficiaries are being treated for and who is more likely to be hospitalized adds study value for provider preparedness.
- CMS’s COVID-19 Data Included Required Information from the Vast Majority of Nursing Homes, but CMS Could Take Actions to Improve Completeness and Accuracy of the Data (A-09-20-02005)
  - OIG’s objective was to determine whether CMS’s COVID-19 data for nursing homes was complete and accurate.
- Six of Eight Home Health Agency Providers Had Infection Control Policies and Procedures That Complied with CMS Requirements and Followed CMS COVID-19 Guidance to Safeguard Medicare Beneficiaries, Caregivers, and Staff During the COVID-19 Pandemic (A-01-20-00508)
  - Quality-of-care issue.
Other completed audits regarding ongoing accuracy and compliance in billing practices found in the October update include:
- Hospitals Did Not Comply with Medicare Requirements for Reporting Cardiac Device Credits (A-01-18-00502)
  - Audit encompassed calendar years 2005–2016. 6,558 claims were reviewed for accuracy of reporting.
- Audit of Outpatient Outlier Payments (A-06-18-04003)
  - Provider did not properly bill 82 of 100 claims. The billing errors primarily occurred because the provider “did not have adequate controls to prevent errors related to overcharged observation time, charge errors, and coding errors.”[13]
  - Audit report includes OIG recommendations, usually asking the provider to refund payments for inaccurately billed claims within the reopening period and corrective actions for future claims.
Revised audits: Active Work Plan items
OIG may introduce an audit at an entrance conference and state its objectives for the engagement. Determinations may change during the initial audit work, or a follow-up of the original audit may be required. When this happens, an announcement of revised audit objectives is published in the Work Plan. Some samples include:
- Follow-up Review on Medicare Claims for Outpatient Services Provided During Inpatient Stays (W-00-21-35861)
  - “A prior OIG review (A-09-16-02026) identified that Medicare inappropriately paid acute-care hospitals for outpatient services they provided to beneficiaries who were inpatients of other facilities.”[14] Those facilities included long-term care hospitals, inpatient rehabilitation facilities, inpatient psychiatric facilities, and critical care hospitals. Common working file edits were not applied, or they were not working. The objective of this audit is to determine whether CMS corrected the common working file edits and whether the edits are working properly. The expected issue date for this report is 2022.
- NIH-Funded Clinical Trials Reported to ClinicalTrials.gov (W-00-21-51020)
  - “NIH is required to post the results of [specified] trials on ClinicalTrials.gov within 30 days of receiving them. [OIG] will conduct an audit at NIH to determine whether NIH ensured that NIH-funded intramural and extramural clinical trials complied with Federal reporting requirements.”[15] The expected issue date for this report is 2022.
Recently added audits: Active Work Plan items
Several new items added to the “Recently Added” list in November 2021 included another hot topic of risk to the Medicare program—cybersecurity.
- Network Cyber Threat Hunting Audit of the HHS Trusted Internet Connection and Select Operating Division Networks (W-00-22-42039)[16]
  - Intent is to perform a series of information technology audits at HHS and selected operating divisions to determine whether their network cybersecurity defenses are effective. The expected issue date for this report is 2023.
- Audit of Unaccompanied Children Data Cybersecurity Controls (W-00-22-42038)[17]
  - Intent is to determine whether the Administration for Children and Families has addressed findings identified during a previous audit and implemented controls to ensure cybersecurity of sensitive data in accordance with federal requirements. The expected issue date for this report is 2023.
- Cybersecurity Testing of HHS and Consumer Mobile Applications (W-00-22-42040)[18]
  - OIG will perform a series of penetration test audits of mobile applications in use by HHS staff to determine whether security controls protecting the applications are effective in preventing cyberattacks. The expected issue date for this report is 2022.
The above samples describe the five phases the OIG follows when auditing for the Work Plan. These are the same steps compliance professionals must follow when designing audits for their yearly work plan. They are:
- The selection phase,
- The planning phase,
- The execution phase,
- The reporting phase, and
- Follow-up.
The samples give you an idea of the breadth and flexibility of Work Plan items selected for audit and the depth of execution and reporting performed. Compliance professionals should take the time each month to review new items, revised items, and completed audits to learn the OIG hotspots and its recommendations for actions to take to ensure a solid compliance program.
Takeaways
- Your compliance department compiles an annual road map for work projects engineered to minimize risk to the organization. The federal government also requires an annual road map from the Office of the Inspector General (OIG).
- The OIG Work Plan is an important resource and reference for healthcare compliance programs when developing their internal and external auditing plans.
- Effective June 15, 2017, OIG updates its work plan on its website monthly.
- OIG audit statistics in 2020 revealed that OIG activity is ever-increasing. Compliance professionals and business risk owners experienced a 58% increase in OIG audit activity compared to 2019.
- To evaluate the risk an audit issue poses to their program, compliance professionals should compare OIG Work Plan initiatives to each service and potential service offered in their organization.