Effective Internal Monitoring and Auditing for Change Management

Change Management

Change management is a formal process by which change is carried out and, therefore, sometimes is thought of as making change more difficult by adding “red tape.” Large healthcare organizations benefit from a properly implemented change management process by establishing various controls over what changes are made at what time. Before any changes are implemented, the organization’s change management process should require the following:

• An evaluation of all proposed changes for benefits and risks, and consideration of all potential impacts;

• A preapproved prioritizing method for any changes so that limited resources are allocated to those changes that produce the greatest benefit based on the organization’s need;

• A thorough testing procedure for all changes prior to deployment; and

• A documentation management archive that reflects any changes and the effects they had on the organization.(1)

Smaller healthcare systems such as clinics and physician practices may employ more efficient and quicker change management processes when they have effective internal monitoring and auditing processes in place. These systems are effective when internal monitoring and auditing follow accepted evaluation standards that streamline the change process and reduce the risk associated with making changes. Generally, these changes apply to routine processes that involve minimal risks when implemented.

In clinics and physician practices, an administrator often has been preapproved to implement routine changes to existing processes without receiving special permission from a Governing Committee or Board of Directors. For example, an administrator’s routine monitoring of a financial report shows an unusual variance in the reimbursement of an established CPT code. The administrator has approval to review the variance and initiate any required changes to resolve the variance.

This type of monitoring and change resolution may occur daily, weekly, or monthly as part of the administrator’s routine duties and responsibilities. However, unless the administrator’s review and resolution of the variance is based on accepted monitoring and auditing processes, the change may be premature or incorrect.

Federal Sentencing Guidelines

A monitoring and auditing process is a requirement of every healthcare organization’s compliance program, regardless of its size. The seven elements of an effective compliance program are outlined in the United States Federal Sentencing Guidelines. Element number five requires the organization to implement compliance monitoring and auditing systems, including a reporting system, so that employees can report misconduct without fear of retribution.(2)

Both the Department of Justice (DOJ) and the Health and Human Services Office of Inspector General (OIG) have emphasized that it is not enough for a healthcare organization to simply implement a compliance program but that it must, rather, conduct ongoing risk assessment, training, and improvement that will be assessed by federal prosecutors, should misconduct be identified. The Federal Sentencing Guidelines make it clear that prosecutors give no credit for merely having a compliance program; consideration for merit in any settlements requires it to be effective.(3)

On February 8, 2017, the DOJ Fraud Section issued a document entitled Evaluation of Corporate Compliance Programs, which includes eleven topics and related questions federal prosecutors may use to assess the effectiveness of corporate compliance programs (hereafter referred to as the “DOJ Resource”).(4) One month later, on March 27, 2017, the OIG, in conjunction with the Health Care Compliance Association (HCCA), issued a document entitled Measuring Compliance Program Effectiveness: A Resource Guide, which provides guidance for designing and implementing company compliance programs.(5) Based on the Federal Sentencing Guidelines, the DOJ may give a healthcare organization credit for having an effective program only provided they meet the following criteria(6):

• The head of the compliance program must report directly to the governing authority or appropriate subgroup;

• The compliance program must discover the problem before discovery outside the organization was reasonably likely;

• The organization must report the problem promptly to the government; and

• No person with operational responsibility in the compliance program participated in, condoned, or was willfully ignorant of the offense.

Although large healthcare organizations have dedicated Compliance Officers and supporting Compliance Analysts who report to a Governing Committee or the Board of Directors, smaller clinics and physician practices often appoint a lead physician or the administrator as the compliance officer.

In many cases, clinics and practices have limited resources to devote to a compliance program and view hiring an external auditing firm as beyond their means. They may have concerns beyond the cost of an auditing firm in terms of their responsibility to fix problems found by an external firm. Finally, in the era of whistleblowers, they might feel vulnerable to exposure by letting an outside firm review their coding and billing documents.

Rather than forgo any monitoring and auditing, clinics and practices should take advantage of what their physician compliance officer or administrator may currently be doing. By establishing some structure for the administrator’s routine monitoring and auditing, the practice may be able to demonstrate it has an effective compliance program without needing to make a large output of money or additional time.

Auditing Versus Monitoring

The administrator may have some basic questions on how to implement an auditing and monitoring process that supports an effective compliance program and helps to identify needed changes in their practice. He or she may ask questions such as:

• Do I monitor or audit?

• Is there a law or rule that requires one or the other?

• Can the process be efficiently monitored?

• How effective are the control processes?

• What is the magnitude of risk if the control process fails?

Monitoring, defined as “something that serves to remind or give warning;” and “to watch closely for purposes of control, surveillance, etc.; keep track of; check continually”(7) is the first line of defense. Monitoring is the observing and reporting of a process that is evaluated consistently over time. It is the concurrent, real-time trending of a process.

Auditing is the second line of defense: “an official examination and verification of accounts and records, especially of financial accounts;” “to make an audit of; examine (accounts, records, etc.), for purposes of verification.”(7) Auditing involves a more formal, systematic, structured approach to the process using a set of recognized, accepted professional standards.

A person or practice may monitor itself, but an audit is an independent examination. For example, your daily blood pressure check is a monitoring process; your annual physical is an auditing process. The internal work processes and resources of a clinic or practice can successfully meet the compliance plan’s monitoring and auditing requirements. Although a person cannot audit him- or herself, another employee in the practice may perform an independent audit of a process that he or she does not personally perform.

With routine weekly or monthly monitoring, problems can be immediately detected, reviewed, and resolved.

Billing and coding audits often are a topic of discussion at conferences or professional meetings. However, these functions are particularly well-suited for monitoring rather than auditing. With routine weekly or monthly monitoring, problems can be immediately detected, reviewed, and resolved. Too often, the marketing literature from external audit companies and consultants suggests that a healthcare organization must do at least an annual audit of your billing or coding. Although a baseline assessment may be helpful, it is not a legal requirement. Similarly, many healthcare organizations audit 10 E/M services per physician each year or twice a year. Yet after years and years of these E/M audits, whether conducted by internal staff or by an external vendor, the results are the same and nothing has changed to improve the accuracy of the E/M codes selected. When this is the pattern, it is evidence that an appropriate corrective action process (CAP), or a change management process, is lacking in the organization. As a result, the annual E/M audit process is increasing rather than decreasing the practice’s risk. Likewise, if the routine E/M monitoring or even the external audit shows a high level of accuracy for certain physicians, the healthcare organization may choose to discontinue monitoring them for the rest of the year or even multiple years. Again, there is no law that requires any healthcare organization, regardless of size, to conduct their monitoring and auditing in a specific manner—that is, unless the organization is under a DOJ/OIG settlement that stipulates a specific type of audit.

In addition to setting up a routine monitoring process for your billing and coding items rather than contracting for an expensive external audit, it is important to consider topics and areas beyond E/M. Any topic in the OIG’s Work Plan that relates to your specialty would be beneficial to monitor. Start by selecting a few services that apply to that topic and review them for accuracy. If a function or topic cannot be effectively monitored, then an audit may be necessary. Several types of audits, from probe reviews to statistically random samples, can be done. Deciding what is best for the situation may require consulting with your legal counsel.

Before the audit, agree to the purpose in writing and decide on the scope of the audit. Documentation of the audit process in the audit work papers proves both that the audit was independent and that the audit captured the facts, analyzed the data, and reported the findings and conclusions. The audit report communicates the audit results to the clinic or practice. The audit CAPs outline how to mitigate or eliminate any risks found in the audit report.

In short, auditing involves samples for a set period and is a retrospective review of a well-defined topic. Monitoring is continuous, may include automated reports (e.g., variances from this month to last month or this year to last year), and is prospective or concurrent.

Turning briefly back to E/M reviews, many consultants and auditing firms have been advocating prospective audits to change the E/M code, if deemed necessary by the audit, prior to billing. When E/M coding accuracy is deemed subpar in an annual prospective audit, it does not absolve the practice from looking back over the past year to see if there is a trend of incorrect reporting. Thus if the goal is to mitigate potential paybacks, the best approach is ongoing in-house monitoring.

Monitoring and Auditing for Change

To assess the effectiveness of the monitoring and auditing effort, we must consider the relevance, sufficiency, and competence of the process. The following guidelines can help define these attributes:

• Objectivity: Is the process objective or subjective? If two or more independent auditors are likely to arrive at the same result, it is objective evidence. (Thus most E/M audits are subjective, because research has found that two or more reviewers may not assign the same level).(8)

• Documentation: Documentation evidence, such as records, provides proof of compliance to procedures and is more reliable than verbal evidence. To support the effectiveness of your internal monitoring, the administrator should keep a file on the potential issues and what action was initiated.

• Timeliness: Timely evidence typically is more reliable than evidence produced after a delay (e.g., knowing that the E/M level is wrong today is better than knowing it a year from now).

To accept a change found through your internal monitoring and auditing, the process owner (e.g., physician or biller) must “buy in” that your monitoring and auditing is effective. The resulting changes, whether from monitoring or auditing or whether conducted with internal or external resources, must be followed and documented. Also, there should be documentation of the success of the CAPs or the process to readdress the item in the future. Change management also requires a degree of accountability for repeated errors. The clinic or practice can help the CAP process by automating fixes to address the problem when possible. They also may want to incorporate new or revised metrics to help with future monitoring of the process. When the CAP is ineffective or there is no means to measure its execution and success, the process has failed.

An effective internal monitoring and auditing process verifies the corrective action.

A meaningful CAP will stop any high-risk activity as soon as possible. This is a plus when practices are conducting their own internal monitoring and auditing, because they do not have to wait for an annual external audit report. The practice can move quickly to fix the problem without queuing up with the other priorities, approval sign-offs, and delays that commonly are found in large healthcare systems. In addition, an effective internal monitoring and auditing process verifies the corrective action. Whether this involves a refund, a rebill, a corrected report, a revised contract, a necessary disclosure to Federal or State officials, or something else, it must be done.

Clinics and practices should consider building or strengthening their internal monitoring and auditing processes to support the effectiveness of their compliance program and to validate the effectiveness of their change management processes. Much of what an administrator routinely performs falls within these processes, allowing the clinic or practice to meet its needs in a more cost-effective manner.

References

1. Creasey T, Taylor T. Best Practices in Change Management. Prosci; 2014. www.prosci.com/change-management/thought-leadership-library/change-management-maturity-model .

2. U.S. Federal Sentencing Guidelines §8B21(5). www.ussc.gov/sites/default/files/pdf/guidelines-manual/2011/manual-pdf/2011_Guidelines_Manual_Full.pdf .

3. U.S. Federal Sentencing Guidelines §8A1.2. www.ussc.gov/sites/default/files/pdf/guidelines-manual/2011/manual-pdf/2011_Guidelines_Manual_Full.pdf .

4. U.S. Department of Justice, Criminal Division, Fraud Section Evaluation of Corporate Compliance Programs. February 8, 2017. www.justice.gov/criminal-fraud/page/file/937501/download .

5. HCCA/OIG . Measuring Compliance Program Effectiveness: A Resource Guide. https://oig.hhs.gov/compliance/101/files/HCCA-OIG-Resource-Guide.pdf .

6. U.S. Federal Sentencing Guidelines 8B2.1(b)(5)(A). www.ussc.gov/sites/default/files/pdf/guidelines-manual/2011/manual-pdf/2011_Guidelines_Manual_Full.pdf .

7. Monitoring for compliance: a strategic approach. corporate compliance insights. www.corporatecomplianceinsights.com/compliance-monitoring-strategic-approach/ .

8. Field T. E/M coding: benefit or burden? Healthcare Business Monthly, February 2017:24-27.