Audits, Audits and More Audits: Life in the Healthcare Industry

Healthcare suppliers and service providers live in a regulated world. They are constantly under audit scrutiny. Sometimes federal agencies (i.e., private contractors) conduct the audits; other times state agencies conduct the audits. The audits also vary in focus – claims, coding, privacy, and compliance. The industry is constantly being audited.
For the next four years, healthcare companies can expect more audits, more risks and potentially more penalties. Companies need to respond in two ways: (1) increase the number of proactive internal audits to identify potential issues in advance; and (2) establish internal procedures for how to handle auditors when they show up at your company.
Medicare Audits – The Tax Relief and Health Care Act of 2006 made permanent the Medicare Recovery Audit Contractor (RAC) program to identify improper Medicare payments (overpayments and underpayments). For three years (2005-2008), the RAC program operated as a demonstration program. CMS awarded contracts to four regional RACs. RACs are paid on a contingency fee basis, receiving a percentage of the improper overpayments and underpayments they collect from providers. The Centers for Medicare and Medicaid Services (CMS) has now implemented Medicare recovery auditing in all states.
RAC audits are limited to those particular claims approved through CMS’ "new issue review" process, which are posted in advance on each of the four RAC websites. RACs may review the last three years of provider claims for a wide range of services and medical equipment. The RACs use software programs to identify potential payment errors, focusing on duplicate payments, fiscal intermediaries' mistakes, medical necessity and coding. RACs also conduct medical record reviews.


HIPAA Privacy and Security Audits – The HITECH Act requires HHS to conduct periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards. The Office for Civil Rights (OCR) has performed 115 audits as part of this pilot program, which concluded in December 2012.
The HIPAA Privacy Rule protects the privacy of patients' medical records and other health information maintained by covered entities. The HIPAA Security Rule establishes national standards for the security of electronic protected health information.
OCR released in July 2012 an audit protocol which basically outlines the documentation auditors will want to review during an audit. The audits will focus on 168 performance criteria: 78 for security, 81 for privacy and 10 for breach. As part of the pilot program, OCR initiated a number of enforcement actions against providers. Covered entities and business associates have to prepare in advance for an audit, which can be initiated on 15 days’ notice. Auditors focus on documentation to meet the protocol and establish compliance.
OCR has identified a number of common deficiencies from its audit pilot program:
- smaller providers had more deficiencies than larger providers
- a large number of subjects did not have policies or procedures in place
- larger entities had greater security risks
- many subjects never conducted a security risk assessment
- business associate contracts were not on file