Developing and Implementing an Audit Program for Physician Practices

The word “audit” generates fear in any situation. In medical practices, this involves fear of lost revenue, fear of change in processes, and the potential impact to staff. The unknowns sometimes can be more worrisome than the reality that becomes known after auditing commences.

Many practices do not audit—sometimes because they are so overwhelmed with just the day-to-day management, but sometimes because they would rather not know of issues that they do not wish to confront. However, not knowing of a problem does not absolve the practice of liability for coding errors and false claims. Practices also may avoid auditing because they just do not know where to begin. They may have no source for guidance with coding issues and no idea of the consequences they face. Yes, auditing will likely lead to more work, to change, and to confronting wrongdoers, either innocent or intentional. The reality is that a minimal amount of time, money, and effort spent auditing today could save maximum amounts of money in the future.

Even practices that currently audit may be auditing with the wrong focus. Some of the common errors in auditing include performing internal audits only, choosing the wrong auditor, auditing based on the wrong parameters, not repaying or resubmitting after an audit, not performing followup education, and thinking that attorney–client privilege provides unlimited protection.

Although practices should perform some internal auditing, if this is the only auditing done, there is the risk of the “fox watching the henhouse” effect. It is difficult to find your own errors if they are based on misunderstandings of coding guidelines or regulations. Physicians may listen more attentively to an outside consultant. And outside auditors can bring experience and ideas from other clients. It is expertise that the practice likely cannot afford on a daily basis. In choosing an outside auditor or consultant, practices should take care to choose someone with experience in their specialty or specialties and familiarity with the payers.

For a claim to be judged false, no proof of intent to defraud is required.

Before beginning the audit process, the practice should determine why it is auditing. This helps determine the scope, the sample, the methodology, and the reporting to be performed. Practices may audit as part of the compliance plan. This type of audit will have no particular focus but will review a range of claims of documentation. Audits performed concurrent with a payer review will audit the same claims the payer is reviewing.

Arguably the overriding reason to audit is the Federal False Claims Act. Filing a claim that you knew or should have known was “false” could result in recoupment, fines, and penalties. At its simplest definition, a false claim is one in which the codes billed do not match the documentation and do not comply with coding guidelines, federal regulations, and payer policies. For a claim to be judged false, no proof of intent to defraud is required. The penalties for violations of the Federal False Claims Act have recently been increased from $5,500 to $11,000 per claim, plus treble damages and paying attorneys’ fees for whistle blowers from $10,781 to $21,563 per claim. A “claim” for these purposes may be identified as one line or as the entire claim. Practices may consider not refunding overpayments identified in an audit, choosing rather to use the audit results merely as an education tool. However, the Health Information Technology for Economic and Clinical Health Act (HITECH) defines not refunding overpayments within 60 days as a false claim. Many states have False Claims Acts that may be even more stringent.

The basis for false claims is found on the back of the CMS-1500 claim form, which reads:

I certify that the services shown on this form were medically indicated and necessary for the health of the patient and were furnished by me, or were furnished incident to my professional services by my employee under my immediate supervision. NOTICE: Anyone who misrepresents or falsifies essential information to receive payment from Federal funds requested by this form may upon conviction be subject to fine and imprisonment under applicable Federal laws.

The physician’s signature in block 31 of this form, either on paper or electronically, establishes that the codes billed represent the services performed.

False Claims Act cases also are pursued on the basis medical necessity. The Medicare Claims Processing Manual, Section 30.6.1, states:

. . . Medical necessity of a service is the overarching criterion for payment in addition to the individual requirements of a CPT code. It would not be medically necessary or appropriate to bill a higher level of evaluation and management service when a lower level of service is warranted. The volume of documentation should not be the primary influence upon which a specific level of service is billed. Documentation should support the level of service reported. . . .

There should be someone within the practice who is qualified and empowered to discuss issues of medical necessity documentation with the providers.

In determining the scope of the audit, the practice may consider several things: the Office of Inspector General (OIG) Work Plan, Comprehensive Error Rate Testing (CERT) issues, Recovery Audit Contractor (RAC) issues, top 10 denials for the practice, top 10 services billed for the practice, and specific issues brought to attention. The OIG Work Plan is released yearly and outlines the focus of audits for this agency for the coming year. OIG audit results will lead to increased scrutiny of those services by Medicare and other payers. For 2017, the issues reviewed in physician billing are the reasonableness of physician home visits and the reasonableness of prolonged services. CERT is CMS’ review of the performance of Medicare Administrative Contractors. Claims are reviewed for correct payment, and recoupments are made from the practice. It is valuable to review the CERT reports to determine issues that have been identified as payment errors. (For more information, see www.cms.gov/CERT/Downloads/CERT_Report.pdf .)

RACs have received much attention in the last few years, and practices should be aware of the issues being reviewed. The list of issues is available from the RAC website at https://www.cms.gov/Research-Statistics-Data-and-Systems/Monitoring-Programs/Medicare-FFS-Compliance-Programs/Recovery-Audit-Program/ .
In the past, many practices ignored diagnosis coding in audits because it had no direct impact on the amount of physician payment. However, this is changing with new payment methodologies. Diagnosis codes should be reviewed for specificity and sequencing. ICD-10-CM has brought more focus to this documentation and coding.

To ensure meaningful, useful results, the practice must choose the audit sample carefully. This will depend on the type of audit. If there is no specific problem being investigated, 10 encounters per provider may be sufficient for a proactive or compliance audit. This can be chosen from one day’s visits, first 10 encounters on an Explanation of Payment, or some similar method. This cannot be considered a truly random sample, however, without employing statistical analysis. This would be considered a judgment sample, which cannot be extrapolated to a larger population since it is not truly random. The OIG recommends reviewing five encounters per provider per federal payer per year. If investigating a specific problem that may result in self-disclosure or refund, the practice should consider a statistically valid random sample, which involves a probe sample followed by larger sample with a targeted confidence and precision. For these cases, CMS requires that the sampling methodology be reviewed by a statistician or someone with equivalent experience. There are software programs available to help in choosing a statistically valid random sample. RAT-STATS is the software program used by the OIG to identify statistically valid random samples. (It is available at https://oig.hhs.gov/compliance/rat-stats/index.asp .)

The time frame to be reviewed also will depend on the reason for the audit. If it is being performed as a proactive or compliance audit, it may be more helpful to choose recent claims. If the purpose is education, it may be better to work with recent visits that the provider may remember. There may have also been recent changes in documentation or billing patterns. When auditing for a specific problem, the audit must reflect the time frame for which the problem is suspected.

A practice may find some assistance in developing its audit plan by reviewing existing Corporate Integrity Agreements (CIAs). CIAs are forced compliance plans established when an organization enters into a settlement for fraud allegations. CIAs require periodic audits to ensure that the coding/billing problems are resolved and require 95% accuracy.

When an audit is being performed, the practice will need to review the following:

• Documentation of the encounter or service;

• Any superbills, encounter forms, or charge capture documents;

• The claim forms submitted;

• Explanations of Payment or Remittance Advice; and

• Applicable payer policies.

Depending on service audited, the practice may also need to review other documentation. For example, for incident-to services, the practice will need to review the entire chart for the plan of care and ongoing care by the supervising physician, along with the supervising physician schedule and employment documentation.

Some protection may be provided by auditing under attorney–client privilege; however, the practice must understand what this entails. Attorney–client privilege requires that the attorney is acting in the capacity as the practice attorney, communication is made in confidence between the attorney and client, and the communication is for the purpose of securing legal advice. An attorney–client privilege audit requires that the auditor or consultant contract with the attorney and communicate results to him or her. Communication between the auditor and the practice is made only at the discretion of and with the approval of the attorney. Routine audit reports may not be protected, and everything reviewed or discovered prior to the audit being put under privilege is discoverable. Simply marking a report attorney–client privilege does not make it protected.

Several questions should be resolved before an audit is undertaken to ensure that the results are going to be relevant and valuable to the practice. Some of these questions are:

• What will be considered to be an error? Will the practice consider just overpayments, or any deviation from correct coding, such as undercoding?

• Will the audit be performed prospectively or retrospectively? Prospective audits involve holding claims for review so that incorrect claims are not filed at all. This has an impact on the timing of payments, but it means that errors are identified before they result in overpayments that would then have to be refunded. However, any pervasive errors identified here must generate a retrospective review as well. Retrospective audits are performed after the claim has been filed and paid. Refunds would need to be made within 60 days of the discovery to avoid liability as a false claim.

• What will be the acceptable error rate? CMS has not made any official statement as to an acceptable error rate. For practices under a CIA, the allowed error rate is 5%.

• What will the practice do with the results? Will there be education and follow-up auditing? Will there be penalties for noncompliance?

Coding, especially E/M coding, has many gray areas. How will the practice interpret these in audits? Some of these areas may be answered by the Medicare Administrative Contractor, but the practice must decide if these definitions should be extended to all payers. Examples of gray areas include:

• Which components are accepted or mandatory for established patients?

• Is “non-contributory” acceptable documentation?

• What is a detailed examination under the 1995 CMS Documentation Guidelines?

Electronic medical records present issues that must be considered in addition to the requirements of a particular code. An audit must be able to identify who entered the information in the record, including proper signatures with dates and times of information entered. Contradictions in information entered must be resolved. This often may occur between information entered in the history of present illness and templated information in the review of systems. Wording or grammatical errors and anomalies and medically implausible documentation also should be identified and resolved.

A compliance and auditing program is a waste of time and money if the providers are never given follow-up education.

Finally, the practice must decide what to do with the results of the audit. A compliance and auditing program is a waste of time and money if the providers are never given follow-up education. Education should be timely and targeted but may be given in a group or individual setting. In a group setting, providers may interact and share ideas, while an individual review of the results may allow for more specific identification of issues.

Although there are many considerations in establishing an audit program for physician practices, the benefits outweigh the costs by mitigating repayment risk and improving documentation and coding.