THE RECENT ONSLAUGH T of audits in the healthcare industry,
and the damage they leave in their wake, likely has many health
information management (HIM) professionals fearing for the
day audit requests storm their departments. Though audits may
seem big and scary, proper preparation and the proactive adherence to best practices can protect and prepare HIM professionals.
Just as every story has two sides, so too is every audit a timeless
tale of auditor vs. provider—and among those qualified to tell it
is Elena Miller, MPH, RHIA, CCS, director of coding audits and
education at Carolinas HealthCare System. Prior to joining the
Charlotte, NC-based provider organization, Miller spent several
years auditing claims for a Centers for Medicare and Medicaid
Services’ (CMS) Recovery Audit Contractor (RAC) and then a
commercial payer. “It was always communicated to us during
trainings that the purpose of the audit was to ensure accurate
reimbursement,” she says. “We were expected to make findings,
but it was always for accuracy.”
Now, tasked with handling all diagnosis-related group (DRG),
coding audits and coder education at Carolinas HealthCare Sys-
tem, she admits that auditors sometimes send mixed messages.
She provides the example of sepsis. An auditor might leave sep-
sis on the claim in one case but then deny the diagnosis on an-
other record using the same criteria.
Carolinas HealthCare System has addressed this frustration by
creating diagnosis- and denial-specific templates and checklists
that staff can use to expedite appeals—particularly those that
seem to contradict long-standing coding guidelines. These templates include all supporting Coding Clinic references as well as
references to the Medicare Program Integrity Manual. Miller is
also in the process of creating an internal library of payer-spe-cific rules and policies.
Audits on the Rise with No End in Sight
Experts agree that when it comes to audits, the best defense is a
good offense. This means HIM professionals must prepare proactively to address the inevitable frustrations associated with audits.
And it’s not just payer audits of DRGs, fee-for-service payments, and
risk-adjusted reimbursement. RACs and other auditors are on the
hunt for improper payments. The Office of Inspector General (OIG)
investigates ongoing compliance vulnerabilities, many of which relate to coding and billing. CMS audits the documentation of how
hospitals and eligible providers met the measures and objectives
to support “meaningful use” Electronic Health Record Incentive
Payment Program attestations that yielded financial incentive payments. But not all audits are about reimbursement. The US Department of Health and Human Services’ (HHS) Office for Civil Rights
(OCR) audits covered entities’ (CE) compliance with the Health
Insurance Portability and Accountability Act (HIPAA) Privacy and
Security Rules and breach notification requirements. Then there are
the internal audits conducted by healthcare facilities themselves to
ensure the bills they send out the door include proper coding, and
that coding professionals are up to par on productivity.
Over the last decade, these audits have continued to increase for
a variety of reasons. Healthcare fraud and abuse is one of them.
Others include an uptick in cybersecurity incidents and breaches,
a continued disconnect between physician documentation and
ICD- 10 specificity, and the rise of clinical documentation improve-
ment programs that may falsely inflate patient severity and risk.
Why should every organization pay attention to audits? The answer is simple: Unfavorable audit results jeopardize an organization’s financial viability and possibly even its reputation. Costly
recoupments, for example, place a financial strain on what has
become an extremely slim operating margin. In addition, payers
often consider audit results during contract negotiations. When
audits reveal a pattern of high-cost outliers or non-compliant
billing, providers are at a bargaining disadvantage. Any organization under the watchful eye of OIG must fear the public relations
nightmare associated with publicly announced enforcement actions. Now more than ever, it behooves HIM professionals to give
these audits the attention they deserve by turning frustrations
into opportunities for proactive compliance.
Easing the Administrative Burden
Having a centralized approach can help organizations combat
some of the administrative burden associated with audits, says
April Carlson, MBA, HCISPP, CFE, privacy officer at Mayo Clinic, based in Rochester, MN. When one of Mayo Clinic’s health
system sites was randomly selected for an OCR HIPAA desk audit in July 2016, having a centralized approach helped the entity
comply within OCR’s 10-day timeline. More specifically, Carlson was listed as the privacy contact for all Mayo Clinic locations. When she received the audit request for its La Crosse, WI
site, she immediately contacted the site’s regional privacy officer and worked with a dedicated senior privacy analyst to coordinate with other departments and collect the required documentation (i.e., Notice of Privacy Practices, breach notification
letters, policies/procedures, and more). “The three of us blocked
our calendars for one week to allow time to retrieve, review, and
redact PHI [protected health information], and submit the required documentation by OCR’s deadline,” recalls Carlson.
Carlson also took other preventive steps to expedite the audit process. For example, she created a centralized file storage
location utilizing Mayo Clinic’s secure SharePoint site so she
could store, access, and share audit protocol information with
all privacy officers across the organization. She also recommends working with the information technology department to
prevent OCR emails from being blocked or flagged as junk to
ensure any important correspondence is not overlooked.
Centralized audit management is critical, says Erin Head, MBA,
RHIA, CHDA, CHTS-TR, director of HIM, quality, and medical
staff services at Parrish Medical Center, based in Titusville, FL. At
Parrish Medical Center, the compliance department receives all
correspondence requests and then sends those requests to appropriate departments (primarily HIM). “We communicate to all of
the potential auditors to use this contact to ensure we receive the
request and have adequate time to respond. Otherwise, mail can
get lost in the shuffle throughout the organization,” Head says.
Addressing Inconsistent Audit Findings
As Miller alluded to in the sepsis example above, audit findings
aren’t always consistent or clear. This includes OCR’s latest round
of HIPAA Phase 2 desk audits, says David Holtzman, JD, CIPP,