Managing Claims Audits Effectively
Experience to date shows that practices are getting hit hardest
by Medicare Administrative Contractors (MACs)—specifically
prepayment reviews—and there has also been a steady ramp-up in Recovery Audit Contractor (RAC) activity. The MAC audits are more onerous than the RACs because they are “
pending claims” and withholding payments. There is no limit on the
number of claims they can review, which can have serious financial implications for a physician practice.
To complicate matters, the majority of physician practices and
clinics operate in a manual mode and use simple spreadsheets
to track audit activity. As audit volumes increase, practices and
clinics will require audit tracking and management software to
keep up.
Electronic health record (EHR) systems will also help practices manage and minimize audit risk. Many EHRs have clinical
decision support and health maintenance modules to stop improper billing of bundled procedures prior to billing, a common
mistake caught by auditors. EHRs also monitor medically unlikely procedures and other billing edits. By catching potential
billing problems early in the process, practices prevent future
Common Audit Concerns
x Practice and hospital bill for the same service
x Improper bundling and unbundling of services
x Medically unlikely procedures
x Timed codes (e.g., services that can only be billed
once a year)
x Injection billing that lacks documentation (e.g., for
influenza)
x Mandated procedure combinations
Hospitals may be the low-hanging
fruit, but auditors are steadily
working their way to practices
and clinics.
audits as well as identify new process and workflow changes.
Secondly, many audit issues are related to poor quality of
clinical documentation. As in hospitals, clinical documentation improvement programs are critical in minimizing audit red
flags and providing quick justification for medical necessity and
reimbursement.
Finally, practices must ensure they avoid the common errors
identified in current audit programs. This can be done online
by determining which RAC target lists are also physician-based
RAC problems. In addition, practices can reference resources
such as the Medical Group Management Association, which
provides information on audits. Diligent awareness, education,
and auditor monitoring takes human resources, but it can pay
for itself in fewer take-backs.
whose data was breached. The average cost of breach in healthcare was $301 per patient in 2010, which included costs related
to detection, investigation, notification, and possible services
offered to affected individuals. 1
Carelessness and forgetfulness are common causes of breach
in practices and clinics. Most of the 30,521 “small” data breaches reported to the Office for Civil Rights in the 15-month period
ending December 31, 2010 (breaches involving fewer than 500
individuals) resulted from clinical or claims records that had
been sent to the wrong person. 2 Consistent, thorough education
is central to reducing human error at the root of such mistakes.
Further breaches occur when medical records leave the office. Laptop computers pose a major risk. Encryption—at the
drive-level, not the file level—is a simple step practices can take
to better protect their patient information. HIPAA requires that
data be secure both in transit and at rest. If electronic PHI is lost
or stolen in an encrypted format, it is not considered a breach
under federal regulation.
When it comes to security, an ounce of prevention is worth a
pound of cure. Practices that invest in prevention reduce their
exposure to breach. And if they do experience a breach, practices that can demonstrate they took reasonable steps to prevent
unauthorized disclosures may receive reduced fines or perhaps
avoid fines altogether.
Security efforts should include:
x Detailed security policies and procedures
x Regular staff training
x Ongoing internal audits
x A documented response plan for incidents
x Detailed risk assessments
x Detailed records of the facts surrounding disclosures,
particularly the dates of events
Reducing Risk of Breach
The risk of data breach in physician practices varies greatly.
Some practices have a considerable risk due to a lack of automation, education, and subject matter expertise on staff.
All healthcare providers have a professional obligation to safe-
guard the privacy and security of their patient data. Federal and
state law imposes regulatory requirements and monetary pen-
alties. Security lapses can result in fines, administrative costs,
and more. Federal fines can reach $1.5 million for each patient
The key is to know where patient information is stored and
where it flows throughout the organization, whether it is in pa-
per or electronic format. That understanding must then be ap-
plied to policies and procedures that are routinely taught and
monitored.
