Healthcare Compliance Audits – more and more variety!


Healthcare compliance audits are coming in several shapes and sizes these days.  Recently the Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS) released the results of HIPAA Privacy and Security Audits it conducted under the provisions of the HITECH Act.  Now comes information on audits CMS has started in order to scrutinize the documentation supporting claims by Eligible Providers and hospitals for Meaningful Use Incentive payments.  And the OIG is looking carefully at the issue of physician providers who use “auto-generated data” in their medical records documentation to see if there is some billing fraud and abuse angle they can identify.  It’s almost enough to make you think about giving up patient care and going into consulting or administration!

So let’s take a look at what a few of the more popular healthcare compliance audits are …

HIPAA Audits

We covered the issue of HIPAA Audits in a blog last month.  The audits are thorough, no providers subject to the HIPAA regulations (and that’s pretty much all of you!) are exempt, and providers should be sure they are in compliance with the HIPAA Privacy and Security Rules.

Meaningful Use Attestation Audits

The CMS EHR Incentive Program Audits are new, but were always planned as part of the program.  In order to make payments promptly to providers who met and attested to meeting Meaningful Use Objectives, CMS relied on an attestation approach.  This allowed providers to obtain their incentive payments by attesting – certifying – in an online application that they met all 15 of the Core Objectives (or qualified for an exemption to one or more) and met at least 5 of 10 Menu Objectives.  Now CMS is sending notices to providers asking for documentation that supports the attestation.  Most of that documentation would consist of reports from your EHR system, or possibly internal audits a provider conducted to establish they were meeting an objective.  One type of audit, of course, is the HIPAA Security Rule Risk Assessment that each provider must complete as part of the Core Objectives.  CMS and its contractors will perform audits for providers receiving incentive payments under the Medicare criteria; states will audit providers who received payments under the Medicaid criteria.

For now, providers who fail the audit will have the payment recouped.  In the future, it is conceivable that providers who might fail multiple audits could be found to be submitting false claims when seeking incentive payments – a very serious situation indeed.

Medical Record Audit

The final healthcare compliance audit program to mention is actually one of the oldest.  For several years, CMS and its Medicare Administrative Contractors (MACs) have conducted audits of medical record documentation to determine if the documentation supports the service billed.  These audits are now also considering the issue of so-called “auto-generated data” produced as part of medical record documentation in EHR systems.  When MAC reviewers who ask for a sample of records see what looks like cookie cutter documentation produced by a provider with an EHR system, they may begin to wonder how much the documentation reflects the specific patient, and how much reflects some type of standard description the physician always uses, regardless of how appropriate it is to this particular patient.  Of course, EHR systems are designed, in part, to make it easier for physicians to document their medical records, and it should not be surprising that documentation describing patients with similar conditions is similar.  But providers must take care to ensure each note they compose, whether by completing a template or even “cutting and pasting” some information from previous notes, accurately reflects the history, assessment and plan for each patient at the time of the visit.

Then there are the traditional ways physicians come to the attention of MACs or CMS for potential medical record documentation audits: their CPT coding practices.  We recently compiled samples of medical records for different medical groups for a documentation audit for each group.  The pattern of CPT code usage was revealing.  One provider who saw only office patients used only two CPT codes: 99203 for new patient visits and 99214 for existing patient visits.  Is it really possible every patient fell into one of those two coding categories?  Another provider who saw mostly hospital patients used CPT code 99232 for virtually all of his visits – out of hundreds of patients he saw.  A third provider saw almost twice as many hospital patients as his other full-time partners, while covering hospitals a similar amount of time.  Each of these situations invites scrutiny to see if the medical record documentation supports the number and type of services billed.

Healthcare Compliance Audits are Here to Stay

Audits have been a fact of life for healthcare providers for a long time now.  Additional audit programs for incentive payments are to be expected.  For instance, we should expect some kind of audit program related to accountable care organizations eventually.  And it seems no previous audit program ever goes away, e.g., the medical record documentation audit.  All these efforts reinforce the same principle: just like in clinical care, there is no substitute for doing it right the first time!


Jim Hook, MPH

Mr. James D. Hook has over 30 years of healthcare executive management and consulting experience in medical groups, hospitals, IPAs, MSOs, and other healthcare organizations.