Compliance and Audits

Module Learning Objectives 
  1. Review the concept of practice and coding compliance.
  2. Explain how audits are conducted.
  3. Recognize the potential outcomes of audits.
Practice Compliance
  1. Practice and Institutional
    1. Adequate documentation; See the module CPT Coding and documentation
    2. HIPAA Privacy and Security
      1. Know what information is considered Protected Health Information (PHI)
      2. Have a HIPAA compliance policy and follow it
      3. Be aware of state statutes (or facility rules) that are more restrictive
      4. Perform at least an annual HIPAA audit and risk assessment
        1. Designate a HIPAA Security Officer
      5. Educate all staff members at least annually
        1. Documentation of a policy and compliance/education program is critical to mitigating risk exposure in the case of a breach or external audit from CMS
      6. Watch for staff disclosures
      7. Cell phones, email, texts, and other electronic communication should be encrypted if containing PHI
      8. Be careful with patient initiated contact and how you respond
      9. Social media must be carefully managed
      10. Computers may be compromised or not logged off
      11. Deliberate theft
      12. Do not try to hide / cover up a breach
    3. Labs, imaging, and other diagnostic services
      1. CLIA or other laboratory certification
      2. State or local regulators for imaging 
      3. Certification for advanced imaging that may be required by payors
    4. OSHA
      1. Remember that you are, in fact, a business that must comply
      2. Many of the same rules apply as with HIPAA to have a compliance plan and manual and follow it
      3. Provide at least annual training (providers and staff)
      4. Can be outsourced 
      5. Numerous personal and online resources
      6. Pitfalls / things to watch for:
        1. OSHA Form 200 (workplace injury)
        2. Needle stick protocol
        3. Access to protective gear/safety equipment (eye wash)
        4. Fire hydrant/extinguisher
        5. Wires (tripping)
        6. Disposal policy (red bags)
        7. Vaccine protocols for employees and patients
        8. First aid kit
        9. Sterilization policies
    5. Use of medications, including opioid prescribing
      1. Rules if you dispense
      2. Regulations if your practice compounds or mixes allergy vials
      3. Correct usage of Single Use vials (eg, botulinum toxin)
      4. Be aware of state regulations and Prescription Monitoring Programs
    6. Practice compliance strategies
      1. Consider one coding designee and have a dedicated physician Head of Compliance 
      2. Policy for creating, releasing, and retention of medical records
        1. Be aware of contractual and state regulatory requirements
      3. Convince all providers that compliance is necessary and create a culture of compliance
      4. Can mitigate attention from CMS and other regulators
      5. Have a policy manual and use it
      6. Annual education for all patient care providers as well as business office staff
      7. Schedule and perform a self audit at least every 6-12 months
      8. Audit your practice annually: a minimum of 5-10 charts per doctor, representing the practice scope in terms of types of visits, services, surgeries, and subspecialties. Redact charts!!!
      9. Consider where and how to discuss results as a group or individually
      10. Disciplinary actions
        1. Leave emotion at the door
        2. Remember that problematic practices put everyone at risk
        3. Consider actual training in conflict resolution
        4. May be easier in larger groups
        5. Fines and other disciplinary action may be required. 
    7. Business activities
      1. Financial activities (eg, safeguarding credit card information)
      2. Maintain appropriate accounting and legal practices
      3. Maintain professional and business liability insurance
      4. Compliance with Federal, state, and local laws governing the medical and general business aspects of practice
      5. Disclose relevant conflicts of interest (potential and actual)
  2. Payers, business associates (eg hospitals, etc, at which one practices), and regulators require compliance
    1. Maintenance of licensure and Board certification
    2. Payer and Institutional (eg hospital) Monitoring
      1. Providers are ultimately responsible for the conduct of their practices and for charges submitted for services rendered
      2. Documentation must demonstrate medical necessity of any service provided.
      3. Know how to verify if a service is a covered benefit
        1. Compliance must consistently reflect these concepts (demonstrating medical necessity and meeting payment eligibility criteria)
        2. Many facilities (hospitals, labs, imaging centers, etc) rely on your documentation for their compliance and payment 
      4. Practitioners are often given sequential and increasingly stronger notifications of potential infractions
      5. Repeated violations may result in loss of privileges at facilities or ability to participate with a payer
    3. Civil and criminal prosecution are possible if violations are egregious and/or repeated 
    4. Know what a Business Associate Agreement is and the applicable Federal HIPAA regulations for when one is needed
Who is at risk of being audited: Data Outliers?
  1. Unusual frequency, level, or place of service    
    1. Especially of higher cost services
  2. Prior inadequate level of documentation
  3. Patient complaints
  4. Repeated identification or warnings
  5. Lack of medical necessity
Who performs audits?
  1. Ideally someone in your office or institution who serves as a compliance officer to periodically review practices and charts, identifies problems, and helps correct issues before they escalate
  2. Hospitals and other facilities in which you practice
  3. Payers and their contractors
  4. Regulators and governmental bodies
    1. HIPAA
    2. Coding/documentation
    3. OSHA
    4. CME/Licensure
How to prepare for a coding audit?

DO

  • Get personally involved
  • View the review as educational, not punitive
  • Remember your rights and appeals processes
  • Copy all office, facility, or other records requested:
    • Progress/therapy notes (current and earlier, if helpful to explain)
    • Nursing notes, clinical observations, and any consult notes, if explanatory
    • Lab & diagnostic tests, if related to service
    • Change in diagnosis, meds, or in the current condition
  • When in doubt send more, rather than less, to support medical necessity of service
  • Check for correct patient dates & names
  • Submit in a timely fashion to specified address on the request letter
  • Keep record of individual asking for your records and why they are asking
  • Check for legibility – you can retype notes to clarify or correct them, provided you also include the original!
  • Call if any questions – the local contractors probably have the answer

DO NOT

  • Panic
  • Hand off to others and ignore the process
  • Ignore requests for information—reviewers will not go away
  • Create new progress notes or documentation that clearly did not exist before, but one can:
    • Send corrections
    • Clarify with original documentation
  • Delay beyond due dates specified in request
  • Call medical director and swear or behave in an unprofessional manner

Dealing with mistakes

  • Physicians & their offices do sometimes make honest mistakes
  • If challenged, check your coding and billing processes
  • Check your CPT and ICD coding with your colleagues or with expert coders
  • Acknowledge mistakes; if you correct problems, many reviews will stop there
  • Be respectful of reviewers; they are doing their jobs, and their role is important in protecting both physicians and patients from truly egregious behaviors
  • Humility never hurt any review situation
  • Make sure your coders and billing personnel understand what you actually did
  • If you have a special type of practice, be able to demonstrate & document why it is so
  • Medicare and other payers cannot tell you how to practice, but they can refuse to pay and/or demand money back 
  • Know your rights and the appeals process
  • You have the right to get out of Medicare / Medicaid or any payer based on the nature of your contract
  • Alter practice, but engage expert, reputable coding and/or business consultants to help ensure changes are correct; the auditing entity may be a resource
  • Engage an experienced, knowledgeable attorney
What are the potential outcomes of audits?
  1. No or minimal findings of non-compliance and no requirement to alter practice or return fees
  2. Requirement to alter one’s practice (eg, improved documentation) to come into compliance (referred to as a Corrective Action Plan, or CAP)
  3. Returning reimbursement for services deemed not in compliance
  4. Appeal process and possible periodic re-audits to monitor continued compliance
  5. Removal from payer network, whether commercial or governmental
  6. Civil or criminal prosecution, particularly if there is an allegation of fraud