Internal Auditing Within a Revenue Integrity Program

A version of this article was previously published in the March 2019 edition of New Perspectives, the quarterly journal of the Association of Healthcare Internal Auditors.

For health care entities, the concept of revenue integrity is simple: Maintaining compliance with federal regulations while obtaining legitimate reimbursement for services. It isn’t just about the financial result or getting cash in the door.

Most health care entities implement some kind of a revenue integrity (RI) program. However, for many organizations, the Chargemaster (CDM) committee—disguised as the RI program—isn’t focused on the integrity of revenue. Instead, it’s focused on the net bottom line of the financial statements.

As organizations strive to achieve operational efficiencies and improvement, there are several factors that create challenges. These factors include constantly changing regulations, reimbursement models, people, processes, and systems. To address these challenges and improve operational efficiencies, an organization’s RI program should be consistently audited and monitored.

A strong and focused RI program presents a remarkable opportunity for a health care entity to significantly improve financial results and bolster compliance program efforts, while increasing visibility and accountability across its entire system.

Why Revenue Integrity Matters

Health care entities often lose a significant amount of revenue as a result of work flow issues within the revenue cycle department and related departments. Documentation, coding issues, lack of communication among staff, inaccurate and inadequate pricing, and several other common system- and process-related problems are often the cause of missed revenue opportunities.

While revenue cycle management (RCM) programs look to reduce these errors—specifically in accounts receivable—they generally don’t take into account other compliance issues that may span across an organization and impact the accuracy of the financial results and the integrity of its revenue stream.

To help bridge this gap, effective RI programs combine a health care entity’s RCM functions and the regulatory compliance responsibilities under one integrated and collaborative set of internal controls. This effectively ties together the internal controls of multiple departments, offering a detailed view of how revenue affects each. It also helps entities verify the revenue they’re billing and collecting is accurate and complete, and that the right people are performing the work to comply with regulations.

For all these reasons, an internal audit of an organization’s RI program functions provides an opportunity not only to address specific revenue cycle problems, but also to break outside of a typical revenue cycle work flow change and assess how it will affect other departments. RI internal audits also often uncover duplicate efforts between departments, potentially reducing overhead and creating efficiencies moving forward.  

Revenue Integrity Program Goals

Effective RI programs provide consistent actions, values, methods, principles, expectations, and outcomes within an entity’s revenue cycle. The RI program will also work toward achieving operational efficiency, regulatory compliance, and consistent, legitimate reimbursement by establishing the proper processes, tools, and related expertise.

These process improvements allow an entity to effectively price, charge, and submit documentation to payers for services related to patient care, accomplishing the following:

  • Reducing accounts receivable (A/R) and unbilled days
  • Reducing manual intervention in the claims process
  • Prioritizing and managing high dollar claim follow-up
  • Allowing cash flow improvements by reducing lag in submission of claims
  • Improving workflow process
  • Eliminating repetitive problems by tracking claim edits or denials
  • Capturing charges accurately
  • Allowing for continuous improvement of revenue cycle processes through monitoring, auditing, and education

Government Involvement

Aside from the financial and operational benefits that come with maintaining a strong RI program, the federal government is also significantly invested in ensuring organizations submit accurate and ethical billing.

Noncompliance with the regulations can result in significant monetary penalties and other corrective actions—potentially even the loss of Medicare billing privileges. For many healthcare entities, this could result in millions of dollars in lost revenue each day.

National Fraud Prevention Program

The 2010 Affordable Care Act provided additional resources and tools to enable the Centers for Medicare and Medicaid Services (CMS) to expand its efforts preventing fraud, waste, and improper payments.

Under the National Fraud Prevention Program, CMS has used a multifaceted approach, ranging from provider screening to the use of predictive modeling technology that’s similar to what’s used by credit card companies. This includes extensive mining of hospitals’ accounts-receivable data.

The Fraud Prevention System

The CMS Fraud Prevention System (FPS) is technology that automatically analyzes claims across the health care industry to identify health care providers with suspect billing patterns. Program integrity contractors get leads from the system to pursue fraud investigations.

CMS launched an updated version of the Fraud Prevention System in March 2017, which, according to CMS, is designed to provide an ability to identify bad actors and potential savings.

Maintaining an effective RI program can help health care entities stay compliant with government regulations and help them avoid, or at least better manage, audits from government programs.

Identify Where to Complete Internal Audits

An organization’s internal audit plan should be risk based. The revenue cycle is very complex, involving multiple processes and different departments. This means RI can occur during multiple stages in the cycle.

By identifying and measuring potential risk areas—and understanding the control environment mitigating those risks—an organization can focus its internal audit plan on high-risk and high-value areas. Process improvements within these identified areas can potentially enhance RI tremendously and lead to increased patient satisfaction, eliminated revenue leakage, and enhanced compliance.

The Risk Profile

An organization can also develop a risk profile utilizing the same data the government is referencing to detect potential violations. For example, if government agencies are mining claim data to detect patterns that represent a high risk of fraudulent activity, an organization should be looking at the same information.

This information can also help identify where to focus internal audit efforts. Ideally an organization develops a risk profile or data analysis related to specific, focused risk areas of concern. The analysis or risk profile could include concerns regarding aggressive resolution of denied claims or the appropriateness of write-off procedures to verify timeliness of adjustments and accurate classification of contractual allowances, charity, or bad debt.

Prepare to Audit the RI Program

As an organization designs its approach to RI, it should identify what’s been done to change workflow and reduce risk or what could trigger an audit. As you design the internal audit of RI, you should include a piece of the following three areas:

  • Review process flow and control design—manual and application controls. Perform a walkthrough and observe how transactions are processed to determine if the process is efficient. Identify and assess the design of the key controls to determine if they were properly designed to mitigate the risks. It’s important to observe how things are performed because actual practice might not follow the organization’s policies and procedures. For example, workflow related to denials may include the ability for revenue-cycle staff to edit or change diagnosis coding without approval. If the staff doesn’t have approval or request a review from a certified coder, they can impact revenue inappropriately.
  • Benchmarking and data analysis. Using standard key performance indicators (KPIs), analyze your data and benchmark against similar organizations. This can help a company focus on areas in the revenue cycle that need additional review and have a greater likelihood of control gaps. Examples include:
    • Number of claims being stopped by edits
    • CDM-sourced edits
    • Bill holds resolution and compliance with timely filing deadlines
    • Denials resolution and backlog
    • Payment variances
  • Regulatory compliance. Compliance risks should always be considered because a workflow change may trigger an incident or create revenue that’s inaccurate, unsupported, or has integrity issues.

Perform the Internal Audit

To complete internal audits of the revenue cycle and achieve RI, an organization should spend considerable time planning and scoping the audit. Similar to when performing the revenue cycle risk assessment, key risk areas within the process should be identified and measured—and a company should gain an understanding of how those risks are mitigated. Without a thorough planning and scoping process, the audit might not be as effective and could miss the highest-risk areas.

Following is an overview of the steps an entity can take to perform RI internal audits:

Define the Need

An internal audit should have an objective, which a company can identify by determining and clearly defining its reasons for performing the audit. Articulate these reasons to all stakeholders to gain their buy-in. For example, an audit may be necessary if your company identifies any of the following:

  • Concerns or reported activity based on the risk assessment
  • Current status or lack of work plans developed by RI committee, including how the plans were accomplished
  • The presence of risk items on the OIG work plan that the RI department should be monitoring or correcting, or for which the department should be developing new workflows

Determine Internal Audit Focus Areas

After determining if an audit is necessary, a company can prioritize the internal audits to be performed, starting with the highest-risk areas. For example, based on your risk assessment, you may have identified that the area with the greatest potential impact in improving revenue cycle and RI is the admissions process surrounding intake questions related to Medicare Secondary Payer (MSP).

Defining the scope allows for improvement, but also helps ensure integrity by adhering to regulatory requirements. Other common risk areas that can yield high impact include:

  • Denial management
  • Charge capture
  • Billing and claim submission
  • Patient collections

Schedule the Audit

Determine how often your organization will perform the internal audit—whether monthly, quarterly, annually, or biannually. A high volume of cases may warrant more frequent audits, and problematic specialties determined by a random internal audit may also warrant a more focused and frequent auditing protocol.

In addition to timing, an organization should also define if a set error rate warrants a specific timing for a follow-up internal audit.

Complete the Internal Audit

The procedures for completing the internal audit should include reviewing relevant documents, such as policies and procedures, protocols and work flows. It should also include interviewing key business-process owners and performing a walkthrough of the process to confirm your understanding.

The internal audit team should then assess if the process flow is efficient and compliant with regulations. Based on the assessment, the controls should be tested to determine if they’re properly designed and functioning as management intended. Here are some guidelines to consider before and while performing the internal audit.

Role-Specific Guidelines

During the internal audit of the RI components, the team should also be aware of the regulatory risk and how the regulatory components are mitigated. Risk for an organization can increase when work flow is redesigned, including role-specific internal controls. For operations, this change makes sense to increase efficiency, but scope of license could create risk for the organization. For example, issues could arise if a noncertified staff member completes tasks Medicare or Medicaid require be completed by the physician or midlevel provider.

Federal and State Guidelines

A company should be aware of the federal and state guidelines associated with the internal audit scope. Before beginning the audit, the internal audit team should inquire about situations where the health care entity has interpreted and applied the methodology of “we’ve always done it this way.” The internal audit team should research federal or state guidelines to determine if the control or step is appropriate and has RI.

For example, if an entity performs an internal audit of the sleep center and its vendor representative suggests billing the sleep center as a hospital, it may need to adhere to additional state or federal guidelines. The internal audit team may determine that the sleep center is in a space that’s not under their control outside of the room where the study is completed.

Training and Education

In addition, the internal audit should include a review of training materials related to the workflow change. The review should validate the training material against the workflow. It’s also important to validate attendance to determine if all departments affected are included in the education.

Prepare a Summary of Findings

A summary of findings should be drafted and prioritized based on high, medium, and low risk. Within the findings, there should be discussion related to the root cause of the issue, potential regulatory cites, recommendations, and a management action plan to correct the issues.

For example, you might note an issue related to the CDM. If so, your recommendations should address the root cause of the issue—such as CPT codes added to the CDM without approval, due to change in management or lack of access controls. In this circumstance, the recommendation would be to perform a workflow change that ensures CPT codes are added accurately, in a timely manner, and with proper approval. The recommendation should also include steps related to training and monitoring.

Report Your Findings

After all issues have been validated and management action plans obtained, a health care entity issues the final report to management and the RI committee. The management’s action plan items should be tracked and monitored to determine if corrective action plans are implemented and issues are corrected as anticipated.

Next Steps

The internal audit plan and audit procedures outlined above will help entities assess their current RI environment and make it significantly easier to navigate and proactively manage the audit in the future. If you have questions about the RI audit process or if you’d like help assessing your organization’s RI program, contact your Moss Adams professional.