2E-1 DEVELOP RISK ASSESSMENT SURVEYS
Risk assessments, or risk analyses, are defined in many venues. For example, Investopedia defines a risk assessment as follows. “The process of determining the likelihood that a specified negative event will occur. Investors and business managers use risk assessments to determine things like whether to undertake a particular venture, what rate of return they require to make a particular investment and how to mitigate an activity’s potential losses.”101
Wikipedia defines “risk” as “ … the potential that a chosen action or activity (including the choice of inaction) will lead to a loss (an undesirable outcome).”102 In any venue a risk assessment provides objective standards by which to judge whether an action or activity will result in a positive or adverse outcome.
The purpose of the task is to examine a discrete aspect of a department or program to provide information in support of development of the overall compliance plan. An accompanying benefit is that the analysis may provide current data concerning the status of the program.
Risk analysis requires viewing the program from a variety of angles. Not only should the auditor understand the culture of the company and experience of employees in the reviewed department, i.e. internal knowledge, the auditor must also be familiar with the multitude of rules, regulations and audits that affect the assessment, or external knowledge. Then, the task is to blend the information to develop a cohesive document.
First, develop a checklist for information to be analysed if your company does not provide that resource. The checklist will be a reminder of all the areas to examine during the time of the current and future assessments. Additionally, a checklist will provide consistency in the approach and process of the assessment. Develop a risk assessment template to use in all risk assessments. Standard documents will support a “culture of compliance” claim and enable reviewers to understand the process.
During the course of the assessment, examine OIG audits, webinars and court decisions regarding your subject area. If, for example, the subject area is compliance with the requirement to provide a “primary care provider” for a beneficiary in a Medicare plan, failure to review case law which better defines a plan’s obligation will negatively impact the ability to assess risk accurately.
Also, carefully document the process. A completed risk assessment may be accurate and supported by facts, regulation and company policies, but not defensible. Assure that supporting documents are easily retrievable. Save all emails and other records. They are a reminder not only of the process for the auditor but will support the observations in the report.
On a practical level, review all policies and procedures related to the program or department. Consideration should be given to two major issues. First, do current policies and procedures conform to the mandates of regulations? As part of this analysis, check for consistency of language. Is a Medicare beneficiary referred to as an enrollee or a member? For employees who may not be familiar with this terminology, consistent wording is crucial. Second, does the department or program have a complete list of policies and procedures sufficient to show compliance and advise employees on a course of action?
102 http://en.wikipedia.org/wiki/Risk
The purpose of sufficient policies and procedures is two-fold. First, policies and procedures are the law of the company. Second, risk assessments must be approached with the view that external review is likely. Policies and procedures that are lawful, clear and applied will assure less scrutiny.
2E-2 CONDUCT DUE DILIGENCE AND COMPLIANCE AUDITS USING SET RULES, POLICIES AND PROCEDURES
Much of the same process discussed above concerning risk assessments should be followed in an audit. The auditor must review Medicare and/or Medicaid Manuals, sections of the Code of Federal Regulations, OIG audits, CMS enforcement actions, contracts, state law and results of related litigation. The significant difference between a risk assessment and a compliance audit is that in a risk assessment, the focus is a high-level view, while in a compliance audit, the auditor will review the organization’s performance in a discrete area, such as Part C claims turnaround time or timeliness in making organization determinations, Part D coverage determinations, redeterminations or appeals. That said, predetermined parameters assure consistent results. Prior to the initiation of the audit, create an audit report template. The intent, as with a risk assessment, is to have a tool that is a snapshot of the work. Part of the set procedure should be a contemporaneous record. During the course of the audit, record methodology chronologically. Record observations at the time of discovery. Add legal references at the time of review. Remember that the audit is a document that should be reviewed by senior management. Suggested areas to include in the audit report are the executive summary, objective and scope, methodology, observations, requestor’s response, action plan and anticipated completion date, recommendations, conclusion and implementation of recommendations.
The project should be a collaborative effort, part of the basic procedure. Discuss the scope of the audit with a supervisor. Assure understanding of the objective at the inception. Audits often review the operation of another department. Reviewing the policies of that department and asking questions of employees in that department may become relevant.
With a supervisor’s assistance, establish a working relationship with the department by meeting with the manager. Inform the manager of the audit. During the audit, questions about the categories to search in a spreadsheet, understanding a department process, or other issues will need answers. Ask the department manager for a contact within the department to assist.
2E-3 PREPARE AUDIT WORK PAPERS AND REPORT FINDINGS
Work papers are foundational to the preparation of a compliance audit. Each audit’s work papers will contain the facts and law that led to the development of the report and associated findings. The two crucial components to a quality audit are finding and understanding the pertinent standards and careful analysis of the facts. Then, the auditor melds the two to document observations, prepare a conclusion and provide recommendations. Following the recommendations in the prior section regarding following set rules, policies and procedures will assist the auditor in preparing the work papers and report.
As the auditor progresses through the analysis, which may occur over time due to other responsibilities, saving copies of the raw data, samples pulled from the raw data, findings based on the samples, including outliers, and regulations reviewed and analysed is crucial. The auditor must be prepared to support observations and findings upon review. No document, email or other snippet of information is so minor that it may be disposed of. Develop a logical and searchable system. Consult other auditors. Prepare a proposed format to save your material and review it with your supervisor.
Devise logical categories, such as facts from certain time frames, i.e. Q1 CY 2011. Use descriptive material to help access the data. Name a folder ABC Medicare Health Plan Non Contract (or use K) unclean Q2 2011. Save copies of case law, manual provisions and regulations that apply to the audit. Develop a folder and use descriptive terms to easily find the regulations at a later time. Develop simple tables to abstract data for reviewers.
Since the audit may be written over a period of time, the work papers and preliminary report will assist in reviewing data, law and preliminary findings. Additionally, the audit process will be more efficient, saving the time otherwise needed to review data or law yet again.
2E-4 DEVELOP COMPLIANCE PLANS
Compliance plans are developed for the needs of the organization, depending on the identified strengths and weaknesses of the company, including both positive and negative recent events and the status of the compliance department leadership and staff. Some of the major purposes to take into account in developing a compliance plan are that it is required, that no company can know where it is compliant or non-compliant unless it does careful evaluation, and that it aids in the “culture of compliance”. The federal sentencing guidelines provide general categories to review to develop a compliance plan. Additionally, review of the current Office of Inspector General Work Plan, OIG audits, CMS enforcement action letters and recent court decisions will provide a basis for the general outline of a plan.
Carefully structured surveys may be useful. Depending on the confidence in the results of a survey, auditors and compliance officers may choose to emphasize certain issues.
Review results of mandatory company training. If a particular training shows a weakness in understanding a crucial compliance issue, that information may be used in evaluating a department’s compliance.
Risk assessment and audit findings form part of the basis for developing a compliance plan. They will provide guidance to the auditor and compliance officer about areas that seem to be compliant or non-compliant.
CMS letters related to organization noncompliance support including those issues in a compliance plan. One may picture a compliance plan as a wheel and spokes situation. The plan is the centre portion of the wheel out of which the spokes emanate. Information passes back and forth from various spokes as the wheel and spokes rotate. The point is that different speeds, conditions, and inputs may modify your well-planned and executed compliance plan.
Thus, the plan must be both structured and flexible. It must be able to keep the forward looking view of evaluating and increasing compliance at the organization, while it maintains flexibility to adapt to new situations.
2E-5 INVESTIGATE COMPLIANCE REPORTS AND ISSUES
Much of the material discussed above will guide investigation of compliance reports and issues. Develop an objective, fact- and law-based procedure to enable clear memory and document all the steps taken. Thus, apply set rules, policies and procedures. Contemporaneously document all interviews, research and thoughts. Utilize learning based on experience from prior compliance department “investigations”.
In an investigation of a compliance report, what are normally denominated “soft skills” are of paramount importance. While developing trusting relationships with co-workers is important for all assessments, audits and planning, it is even more crucial in compliance report investigation.
Effective investigation is, then, developed over a course of time. Co-workers and colleagues must perceive that the investigator is approachable, objective, an active listener and non-judgmental. Remember, one possible outcome for your organization is that someone inside your organization does not perceive that the company is ethical, supportive and protective. Numerous qui tam cases, better known as False Claims Act whistleblower cases, arose from employees telling their company about unethical behaviour and receiving either no reaction or untoward consequences. Another potential negative situation is that an external auditor or other agency may identify an issue that an employee knew about, but chose not to disclose.
Auditors must, then, actively encourage the “culture of compliance”. Certainly, no organization will find or know about all the issues, but cultivating the atmosphere such that co-workers follow their duty to expose issues and are supported in the process is crucial.
Compliance reports may also be initiated by members in the plan, employees of other organizations, cooperative government entities, i.e. Department of Human Services. Employ the same process as above in investigating. Realize, too, that some of these reporters may assist or hinder in future investigations.
2E-6 RECOMMEND / MONITOR DISCIPLINARY AND CORRECTIVE ACTION PLANS
A portion of the auditor’s role may be to become involved in recommending or monitoring disciplinary and corrective action plans. Use care, however, not to step too far into that arena.
It is likely that the auditor will uncover facts during audits, assessments or investigations that lead to potential disciplinary action for co-workers, colleagues, members or others involved with the organization. For example, an audit could reveal issues that indicate a need for training of an employee. While the auditor’s role is to investigate and illuminate, the perception of objectivity requires that the auditor carefully avoid moving too far into the “disciplinary” realm.
The auditor’s investigation may reveal noncompliance by an external entity. Often, the noncompliance may not be identifiable to an individual. The proper course of action, then, is as above. Carefully document the process, interviews, documents and law for presentation to a manager.
However, the auditor must distinguish between discipline and corrective action plans. Corrective action plans are more focused on an action, process or procedure that is non-compliant and are not oriented toward a particular individual. The plan records the action or inaction that led to the failing; the standard not met; the timeline for response and alleviation of the error; and follow up.
2E-7 COLLABORATE / COOPERATE WITH EXTERNAL AND REGULATORY AUDITORS
Auditors should collaborate and cooperate with external and regulatory auditors as directed.
Depending on the situation, auditors may have little time to be fully ready to participate in an external or regulatory audit.
Remember that an auditor acts in a discrete function within a department. The role is to be an objective reviewer of facts who is aware of the law and then synthesizes that information into a cogent document written to a particular audience.
As such, the auditor is not the sole employee or responder to review of company actions. Many employees of the organization will provide details to the authorities. However, the auditor should review past reports as time allows and seek guidance from management concerning the limits of areas and depth of material to be discussed.
Certainly, the auditor should cooperate, exercising wisdom in choice of words and amount of explanation.
2E-8 MONITOR / APPLY OIG AND GENERAL SERVICE ADMINISTRATION SANCTIONS LIST
The U.S. Government publishes lists of excluded individuals and parties who may not participate in Federally funded programs such as Medicare. The Office of Inspector General (OIG) and the General Services Administration provide two of the most pertinent listings. These exclusion listings can be found at:
• OIG: http://exclusions.oig.hhs.gov/
Per the OIG website, exclusions can occur for a number of reasons.
• “Mandatory exclusions: OIG is required by law to exclude from participation in all Federal health care programs individuals and entities convicted of the following types of criminal offenses: Medicare or Medicaid fraud, as well as any other offenses related to the delivery of items or services under Medicare, Medicaid, SCHIP, or other State health care programs; patient abuse or neglect; felony convictions for other health care-related fraud, theft, or other financial misconduct; and felony convictions relating to unlawful manufacture, distribution, prescription, or dispensing of controlled substances.”
• “Permissive exclusions: OIG has discretion to exclude individuals and entities on a number of grounds, including misdemeanour convictions related to health care fraud other than Medicare or a State health program, fraud in a program (other than a health care program) funded by any Federal, State or local government agency; misdemeanour convictions relating to the unlawful manufacture, distribution, prescription, or dispensing of controlled substances; suspension, revocation, or surrender of a license to provide health care for reasons bearing on professional competence, professional performance, or financial integrity; provision of unnecessary or substandard services; submission of false or fraudulent claims to a Federal health care program; engaging in unlawful kickback arrangements; and defaulting on health education loan or scholarship obligations; and controlling a sanctioned entity as an owner, officer, or managing employee.”103
CMS began providing Medicare plans access to its Medicare Exclusions Database (MED) in the summer of 2011. The benefit of utilizing that database is that it allows searching by more categories than LEIE and EPLS.
States have begun providing their own exclusion lists. If a potential employee has worked in other states, it is prudent to determine if each state has a distinctive exclusion list and to determine what information, if any, appears. Additionally, on-going monitoring of relevant lists is normative. Postings to state lists may be delayed for a variety of reasons.
The exclusions listing must be reviewed by the Healthcare facility or organisation to ensure they do not employ or do business with an excluded party. Should they fail to do this they may be subject to civil monetary penalties and will be required to return paid claims.
As part of the monitoring, the organization should determine how often it will perform the monitoring and who will do the monitoring, if not the organization itself. The frequency of monitoring is a risk assessment: how much risk does the company want to assume by deciding to check yearly as opposed to monthly? Senior leadership should be advised of the issue and provide guidance on frequency.
Complying with the monitoring task can be time consuming. Companies should evaluate whether performing the monitoring in house as opposed to engaging a service is more prudent. Remember, however, that the company remains ultimately responsible for its employees and contractors. Review of any service for its attention to detail and accurate information is required on a systematic basis.
2E-9 INTERPRET / APPLY / DISSEMINATE LAWS, ACCREDITATION, LICENSURE AND CERTIFICATION MANDATES
Auditors may be called upon to understand and share implications of legal issues within their organization. One of the first considerations is that unless the auditor is a licensed attorney, the information provided must not be couched as containing legal advice. If an auditor becomes aware of legal issues or assesses a possible legal issue, seek a supervisor or meet with legal counsel.
With experience in the organization, an auditor may become more comfortable in identifying and sharing legal issues. Remember, though, that the task is not to provide advice on a course of action, but