Healthcare suppliers and service providers live in a regulated world.  They are constantly under audit scrutiny.  Sometimes federal agencies (i.e private contractors) conduct the audits; other times state agencies conduct the audits.  The audits also vary in focus – claims, coding, privacy, and compliance.  The industry is constantly being audited. 

For the next four years, healthcare companies can expect more audits, more risks and potentially more penalties.  Companies need to respond in two ways: (1) increase the number of proactive internal audits to identify potential issues in advance; and (2) establish internal procedures for how to handle auditors when they show up at your company.

Medicare Audits – The Tax Relief and Health Care Act of 2006 made permanent the Medicare Recovery Audit Contractor (RAC) program to identify improper Medicare payments (overpayments and underpayments).  For three years (2005-2008), the RAC program operated as a demonstration program.  CMS awarded contracts to four regional RACs. 

RACs are paid on a contingency fee basis, receiving a percentage of the improper overpayments and underpayments they collect from providers.  The Centers Medicare and Medicaid Services (CMS) has now implemented Medicare recovery auditing in all states. 

RAC audits are limited to those particular claims approved through CMS’ “new issue review” process, which are posted in advance on each of the four RAC websites.  RACs may review the last three years of provider claims for  a wide range of services and medical equipment.   The RACs use software programs to identify potential payment errors focusing on duplicate payments, fiscal intermediaries’ mistakes, medical necessity and coding.  RACs also conduct medical record reviews.

In September 2012, Attorney General Holder and HHS Secretary Sebelius warned hospitals that the government would investigate an increase in fraud from use of electronic health system records.  In addition, CMS (and RACs) are focusing on health record documentation and coding for possible abuse.  CMS is already assigning providers to risk categories based on past investigations. 

CMS Electronic Health Record Incentive Program Audits (“Meaningful Use”)  – More than 100,000 healthcare providers (hospitals and professionals) received federal incentive payments as part of the Medicare and Medicaid Electronic Health Record Incentive Programs.  CMS has begun retrospective audits for those providers paid under the “meaningful use” EHR incentive program; CMS contracted with the firm of Figliozzi and Company to conduct the audits. The auditors are issuing letters of inquiry and not conducting on-site inspections.

CMS relied on providers to certify to meeting “meaningful use objectives.”  Providers were given incentive payments by certifying online that they met all 15 of the core objectives (or qualified for an exemption to one or more) and met at least 5 of 10 menu objectives.  CMS has sent notices to providers asking for documentation that supports the certification. 

EHR audits focus on proof that the provider has a certified technology as part of its  EHR system; the method used to report emergency department admissions; documentation of how the provider has met the core set and measures of the EHR program.  EHR professional audits are limited to Medicare and Medicare Advantage programs, while hospital audits are for Medicare only and dual eligible patients. 

CMS has started to review responses to the audits and the documentation supporting claims by eligible providers for meaningful use incentive payments.  The OIG is focusing on physician providers who use “auto-generated data” in their medical records documentation for possible billing fraud and abuse.

Providers who fail the audit will have the payment recouped.  In the future, it is conceivable that providers who might fail multiple audits could be found to be submitting false claims when seeking incentive payments.

HIPAA Privacy and Security Audits – The HITECH Act requires HHS to conduct  periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards.  The office of Civil Rights (OCR) has performed 115 audits as part of this pilot program which concluded in December 2012.

The HIPAA Privacy Rule protects the privacy of patients’ medical records and other health information maintained by covered entities.  The HIPAA Security Rule establishes national standards for the security of electronic protected health information.

OCR released in July 2012 an audit protocol which basically outlines the documentation auditors will want to review during an audit.  The audits will focus on 168 performance criteria — 78 for security, 81 for privacy and 10 for breach.  As part of the pilot program, OCR initiated a number of enforcement actions against providers. 

Covered entities and business associates have to prepare in advance for an aduit which can be initiated on 15 days’ notice.  Auditors focus on documentation to meet the protocol and establish compliance.

OCR has identified a number of common deficiencies from its audit pilot program:

• smaller providers had more deficiencies than larger providers
• a large number of subjects did not have policies or procedures in place
• larger entities had greater security risks
• many subjects never conducted a security risk assessment
• business associate contracts were not on file

The audit pilot program is only the second of three phases of OCR’s health information privacy and security compliance program. OCR plans to conduct complete audits starting this year.  Covered entities have to begin preparing for these audits. 

The HIPAA Privacy and Security Rules have been around for a number of years.  Many providers have adopted minimal policies and procedures.  Under the new audit program, providers have to adopt more robust compliance programs.