Corporate Compliance Semi-Annual Risk Assessment Guide
Table of Contents
Introduction… X
Recovery Audit Contractor (RAC) Audits…X
PEPPER…X
Professional Fee Documentation and Billing…X
Government Audits and State Work Plan…X
Government Investigations…X
Health Care Enforcement Legislation…X
Data Mining…X
Compliance Coding Audits…X
Compliance Non-Coding Audits…X
Voluntary Disclosures…X
Conflicts of Interests…X
Health Insurance Portability and Accountability Act (HIPAA)…X
Compliance Inquiries…X
Summary – Adjustment of Risk…X
X Compliance Risk Profile…X
Exhibit A…X
INTRODUCTION
This semi-annual risk assessment document summarizes adjustments to the January 2021 Risk Assessment Guide by the Office of Corporate Compliance (“Compliance”). These adjustments are the result of continual risk analysis and monitoring by Compliance. Factors influencing adjustments to the current work plan include, but are not necessarily limited to:
- New or enhanced governmental audit initiatives;
- Changes in health care laws;
- Changes in X services and processes;
- New X entities; and
- Compliance audit findings related to audits conducted during the first two quarters of 2021.
Compliance monitoring processes continue to indicate that professional fee billing, inpatient billing, Medicaid funded services, and newly-managed or acquired entities remain the largest potential risks to the X. In addition, privacy incidents related to the unauthorized disclosure of patient data are becoming a greater risk because of the government’s increased enforcement focus and the X’s roll-out of additional electronic information systems.
RECOVERY AUDIT CONTRACTORS (RAC) AUDITS
Another potential risk related to the areas listed above is RAC audits. The RAC contractor for the State is DCS Healthcare. Through March 2021 the RAC audits nationwide have detected $162 million in Medicare overpayments and $22 million in Medicare underpayments.
CMS approved audit issues for this region include: transfer of care audits, Medical Severity-Diagnosis Related Groups (“MS-DRG”) validation audits, durable medical equipment audits, and other services such as pharmacy supply and dispensing fees, clinical social worker services, urological bundling and ambulance services. Medical necessity reviews for both inpatient and outpatient hospital services were recently added. RAC also intends to audit physician documentation and billing in the future.
To date, $X has been recouped by the RAC. All denials are appealed with mixed results. The X has recovered $X, $X was denied, and approximately $X is in the process of being reviewed. The X continues to evaluate and prepare appeals for the remaining applicable RAC recoupment dollars at risk. A large percentage of the RAC findings focus on medical necessity compared to routine coding rule errors.
PAYMENT FOR EVALUATING PAYMENT PATTERNS ELECTRONIC REPORT (PEPPER)
PEPPER is an electronic report available from the federal government containing hospital-specific data for target areas that have been identified as high risk for payment areas (i.e., specific DRGs and discharges). It is suggested that anything above the 80th percentile or below the 20th percentile, as compared to National, State and Jurisdiction (i.e., Regional) benchmarks, should be reviewed. Please see Exhibit A for a detailed grid that identifies those areas highlighted in red, green, blue and gray for the X.
Even though a facility may be red (i.e., at or above 80th percentile for National, State or Jurisdiction) for a certain DRG, it does not mean the facility’s coding is inappropriate. A facility could have a high or low ranking because of environmental or geographic reasons.
During the first quarter of 2021, Compliance conducted audits in several of these areas including: X, X, and X. Quality has also reviewed the X. Compliance plans to conduct an audit of X in the third quarter. X are routinely addressed in all DRG audits. To date, there have been no significant findings.
PROFESSIONAL FEE DOCUMENTATION AND BILLING AND NEW PHYSICIANS
The X continues to add employed physicians. The number of employed physicians increased from approximately X to X over the past couple of years. As a result, X remains an X risk.
In 2021, X further increased the scope of its monitoring function of the X’s professional coding and billing practices. X plans to conduct coding reviews of X% of its physician community. Monthly reports are submitted to Compliance reflecting physician compliance with accurate coding and billing practices. X has a process whereby any physician with a financial error rate greater than five percent will be educated, and then reaudited. Coding documentation issues were identified in approximately X% of the physicians audited to date.
Compliance continues to conduct retrospective audits on topics that are identified in the industry as relevant. It will complete four retrospective audits this year for physician professional fee services and plans to audit the results of several X audits conducted by X.
GOVERNMENT AUDITS AND STATE WORK PLAN
State Work Plan
The State 2020-2021 Annual Work Plan, which communicates audit initiatives for the next twelve months as part of the State's efforts to improve and preserve the integrity of the Medicaid program in the State, was released on December 6, 2020.
The State is also placing more emphasis on trustees' and senior management’s responsibilities with regard to overseeing hospitals’ Compliance programs. Most recently, the State stated that the Board’s most significant role in compliance is to become “sufficiently educated about the topic to ask appropriate questions and determine whether management has the expertise, the will, and the metrics to provide a reasonable assurance of compliance, and for the Board members to review intelligently the responses and submissions of management.”
Another area that State plans to focus on is evaluating the effectiveness of provider Compliance programs. It is recommended that providers perform an annual self-assessment to evaluate and detect areas for improvement. The provider’s self-assessment will be reviewed to help State assess Compliance Program effectiveness and may also be a required submission during the audit and investigative process.
Since May 20, 2020, State has finalized and published 289 audit reports for all State health care providers and suppliers. Hospitals remain a primary focus. The areas audited are represented in the chart below:

The active government audits in 2021 throughout the X are represented in the grid below. The number of audits increased from X audits in 2020 to X audits in 2021.
Agency | # | Percent of Agency | Percent of Total | Notes |
---|---|---|---|---|
Medicare Audits | ||||
OIG | X | X | X | |
CERT | X | X | X | |
NGS | X | X | X | |
DOH | X | X | X | |
CMS | X | X | X | |
NGS Pre Pay Probe | X | X | X | |
Sub Total - Medicare Audits | X | X | X | |
Medicaid Audits | ||||
OMIG | X | X | X | |
DOH | X | X | X | |
HMS/PCG | X | X | X | |
Sub Total - Medicaid Audits | X | X | X | |
Total | X | X |
To date, none of these government audits have detected any significant overpayments or triggered any formal government investigations.
GOVERNMENT INVESTIGATIONS
The United States government is currently conducting some investigations that involve the X’s coding and billing practices. The government’s reviews focus on X.
HEALTH CARE ENFORCEMENT LEGISLATION
The federal government is still in the process of implementing several of the health care enforcement provisions signed into law last year as part of the Patient Protection and Affordable Care Act (PPACA). This law increased the risk level of all health care providers, including our X, given the vast amount of resources and enforcement weapons created by the bill.
The legislation came on the heels of the OIG having its best year ever in recovering inappropriate federal claims submissions – $4 billion. Notwithstanding, new federal legislation (i.e., The Fighting Fraud to Protect Taxpayers Act) has been proposed to further increase funding for computer fraud and identity theft and calls for approximately an additional $15 million a year to be reinvested in anti-fraud efforts.
In addition, The Medicare Spending Transparency Act was proposed to make summary level Medicare data publicly available and enhance the ability of qualified outside organizations to access more detailed data. A recent investigation conducted by leading newspapers illustrated how outside groups can provide a valuable complement to the government’s own fraud detection research when provided access to hospital and physician billing data.
Also, a new bill called the Strengthening Medicare Anti-Fraud Measures Act was introduced. The legislation expands the authority of the OIG to allow it to ban corporate executives from doing business with Medicare if their companies were convicted of fraud. It also gives the OIG the ability to exclude parent companies that may be committing fraud through shell companies.
CMS also published a notice of proposed rulemaking to implement a provision of PPACA giving qualified entities access to Medicare claims data for use in evaluating the performance of health care providers.
DATA MINING
The government utilizes sophisticated data mining tools to target health care providers whose claims are not in full compliance with all applicable regulations. Both the federal government and State plan to further invest millions of dollars to continue to ramp up their ability to effectively data mine aberrant claim patterns.
Compliance is currently working with a data mining software vendor, which affords Compliance the ability to effectively analyze large quantities of data for inpatient hospital, emergency department, and outpatient surgery claims. The goal of this analysis is to allow a heightened focus on identified risk areas that will be audited through the optimization of existing resources. Thus, the areas that the software identifies through complex information system algorithms are more likely to be areas at risk.
Compliance has successfully been able to utilize this tool to monitor coding and billing in several areas of the X in 2021. These areas include: X, X, X, X, and X. Currently, X data mining reviews are in progress and more reviews will take place throughout the rest of the year. During the past year, data mining has detected X, but has not detected any systemic coding or billing issues.
COMPLIANCE CODING AUDITS
Each year Compliance reviews the Office of Inspector General (OIG) and State Work Plans, as well as internal and industry trends, to compile an Audit Work Plan that is representative of the potential risks that the X may face. As the process of risk assessment is ongoing, the work plan may change throughout the year when new potential risks arise and other identified potential risk areas are mitigated. The graph below depicts the status of all of the planned 2021 coding audits, but does not address all of the special coding projects which might arise during the year.

To date, Compliance has completed X planned audits and is on target to complete over 50 coding audits. In 2020, Compliance completed X coding audits. These audits assess the accuracy of documentation to support coding and billing at the X and are conducted in the following categories: X, X and X. To date, there have been minor issues identified with regard to physician documentation, X and X, but none of these issues have been systemic and the findings are not material in nature. One area that has been identified through these audits is that the X’s could be further improved. Compliance is providing assistance to X, X and X in this area.
COMPLIANCE NON-CODING AUDITS
In 2021, Compliance plans to complete at least X non-coding audits. These audits focus on X, X and X, X. Many of the audits are ongoing and will be conducted throughout the year. The chart below lists the 2021 non-coding audits and provides the status of each as of May 31, 2021.
AUDIT/REVIEW TOPIC | FACILITY(S) | STATUS |
---|---|---|
X | All X Facilities | Ongoing |
X | Facility A | Completed |
X | Facility B | Completed |
X | Facility C | Ongoing |
X | Facility D | Ongoing |
X | Faculty Practice | Completed |
X | All X Facilities | Completed |
X | Faculty Practice | Delayed |
X | Faculty Practice | Ongoing |
X | All X Facilities | Ongoing |
X | All X Facilities | Ongoing |
X | All X Facilities | Ongoing |
X | All X Facilities | Completed |
X | All X Facilities | Completed |
X | All X Facilities | Ongoing |
X | All Relevant X Facilities | Ongoing |
X | All X Facilities | Ongoing |
X | Faculty Practice | Completed |
X | Faculty Practice | Completed |
X | All X Facilities | Completed |
X | All X Facilities | Ongoing |
X | Faculty Practice | Delayed |
Below is a description of the completed non-coding audits:
Review Face-to-Face Physician/Patient Encounter Requirements for DME and Home Health Services
As part of the PPACA, as of January 1, 2020, for home health services or durable medical equipment under Medicare, physicians must document that they have had a face-to-face encounter with the individual during the 6-month period preceding such certification, or other reasonable timeframe (as determined by the Secretary).
Compliance verified that the appropriate procedures are in existence and are consistent with these new “face-to-face” requirements, and staff is aware of these new requirements.
Review New National Provider Identifier (NPI) Requirements
As part of the PPACA, Medicare and Medicaid providers and suppliers must include their national provider identifier on all program applications and claims as of January 1, 2021. Compliance verified that X’s standard operating procedures comply with the new requirements, and staff is trained to ensure compliance.
Examine New In-Office Ancillary Exception Requirements
As part of the PPACA, new requirements related to the Stark law were enacted that go into effect in 2021. The PPACA requires physicians claiming protection of the in-office ancillary services exception to satisfy new disclosure requirements such as informing patients that certain imaging services are available elsewhere and providing patients with a written list of alternate suppliers.
Compliance in partnership with Legal determined that no facilities were impacted by this new regulation.
Review of Compliance Policies
The government recommends that Compliance Programs continually review their compliance policies to ensure they are updated to reflect the latest regulatory directives. Compliance reviewed all of its applicable policies to ensure they reflect any regulatory and internal changes.
Review of Physician Practices Coding Procedures
Each year the government makes several coding changes that impact physician practices. The non-adoption of even one coding change can have a material financial impact on a physician’s practice. Compliance surveyed various physician practices to ensure the physician practices are aware of the applicable coding changes and their procedures reflect all applicable regulatory updates.
Verify Education on Teaching Physician Rules
The government continues to focus on hospitals’ compliance with the Medicare teaching physician rules. Compliance verified with X that it has appropriate educational materials that are distributed to applicable clinicians on these rules.
Verify Education on Supervision Requirements for Outpatient Services
In 2020, the government revised the supervision requirements for outpatient services. Compliance verified with X that it has appropriately educated the applicable facilities on the changes in this rule.
VOLUNTARY DISCLOSURES
The OIG, State, and Medicare’s fiscal intermediaries have processes for health care providers to voluntarily disclose and rectify overpayments received. The benefits of self disclosure include forgiveness or reduction of interest payments, extended repayment terms, waiver of penalties and/or sanctions and possible preclusion of a subsequently filed State False Claims Act “qui tam” action based on the disclosed matter.
To date, there has been X formal voluntary disclosure for the X. As a result of this technicality, we refunded to the government approximately $X.
There are also some other issues under review that may result in a voluntary disclosure in the coming months. Please note that this does not include routine overpayments we identify and repay as a result of routine government audits, payor reconciliation or internal reviews.
CONFLICTS OF INTERESTS
The new health care legislation includes the Physician Payment Sunshine Act, which requires drug, medical device, biological or medical supply manufacturers to disclose direct payments or transfers to physicians and teaching hospitals that are $10 or more (or total over $100 in a calendar year). It also requires that those manufacturers disclose any non-public ownership or investment interests of physicians and their immediate family members in the manufacturers. Those reporting requirements do not take effect until March 31, 2023 and the information will be available online to the public.
Last year, the X significantly revised its employee conflicts of interest disclosure form to make it more robust and rolled out an electronic conflicts of interest tracking system. This year, the X added two new questions. One question addresses X. The second question requires X.
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA)
Since the beginning of 2021, reportable breaches that have occurred at X facilities include the following:
- X
- X
- X; and
- X.
Compliance is currently in the process of launching the 2021 employee training, which heavily emphasizes HIPAA. Two recent cases provide a roadmap for action. A hospital was fined one million dollars and ordered to enter into a government-imposed corrective action plan because an employee commuting to work accidentally left copies of 192 medical records on a train. All the records contained PHI and some records contained HIV information. In another case, the government issued a penalty in the amount of $4.3 million to a health plan for not providing 41 patients with a copy of their medical record on a timely basis.
In addition, Compliance recently completed a privacy risk assessment in collaboration with Information Services and Legal to further address any privacy or security gaps and will be adding more resources to focus on this area of scrutiny. Compliance also has implemented HIPAA awareness activities to further educate employees on this important topic.
COMPLIANCE INQUIRIES
Compliance received inquiries and reports on a wide variety of issues during the first half of 2021. The Compliance HelpLine, which is accessible by telephone or on the Web, and the Compliance office received approximately X inquiries to date. While many of the reports received concerned X, many others were focused on X, X and X. All reports received by Compliance are investigated and resolved. Material compliance investigations in 2021 include X, X and X.
Issue | Cases | % of Total |
---|---|---|
1. Coding, Billing & Contracts | X | X% |
2. Conflict of Interest | X | X% |
3. HIPAA/Confidentiality | X | X% |
4. Human Resources | X | X% |
5. Other | X | X% |
6. Patient Care/Quality | X | X% |
7. Question/Violation of Policy | X | X% |
8. Research | X | X% |
9. Theft | X | X% |
Total | X |

SUMMARY- X ADJUSTMENT OF RISK ANALYSIS
The 2021 semi-annual compliance risk assessment utilized numerous internal and external resources to help determine which risk areas should be evaluated. Each year, governmental enforcement agencies release an audit work plan which provides a roadmap of their planned audit activities. Two important data resources are the Office of the Inspector General for the United States Department of Health and Human Services’ (OIG) FY 2021 Work Plan and the State SFY 2020-2021 Work Plan. It is an industry standard for healthcare providers to review the OIG and State Work Plans annually and to evaluate their own entities for these potential risk areas. In addition, Compliance continues to evaluate financial data for reimbursement trends, prior X audit data, government data trends, State and federal enforcement agencies’ audit reports, and internal surveys on various topics to identify other areas of potential risk. A description of the key risk areas is provided in the graph on page 13.
X and X have been placed at a “X” risk category. There are internal processes that have been implemented by X to mitigate the risk of X.
X is placed in a “X” risk category. This is because X.
Based upon the recent regulatory environment, X is placed at a “X” risk. This is because X.
X is in the “X” risk category since the volume within the organization is great and the government scrutiny related to medical necessity is increasing. Specifically, RAC auditors have started to focus more on medical necessity issues which are resource intensive for health care providers to defend. In addition, X.
X was moved from a “X” risk category to an “X” risk category. This area is expected to remain a greater risk in the future as the government plans to invest more enforcement resources into this area and the government has begun to levy more significant fines for X violations. As hospitals’ electronic medical records systems expand, the risk of potential data breaches also has increased significantly. In addition, X can cause significant reputational damage and the costs to pay for credit-monitoring to patients can be significant as well. To address this risk, the X will be dedicating more resources to further focus on controls to mitigate potential risk.
X risk was moved to the “X” risk category as the government plans to devote more resources in this area. Both federal and State regulators are moving towards quality-type audits resulting in multi-million dollar settlements based on various quality and medical necessity issues. Boards, Administrators and Compliance Officers are following this trend and reevaluating their risk exposures. Given these factors plus the increased focus on “never events” and “present on admission” indicators, this risk was moved into the “X” category. The X is working on ways to further collaborate between Quality and Compliance.
Last, there has been an increase in whistleblower lawsuits coupled with the new amendments to the False Claims Act that make X an even greater threat. As a result, this area has remained in an X risk category.

Impact to the Organization
The purpose of this graph is to provide a visual depiction of high risk issues which may impact the X based upon our analysis. The graph does not include all proposed audits, initiatives or risks, but provides a high-level overview of the compliance risks that may impact X.
EXHIBIT A
