Authors: Carrie Walters-Derksen and Susan Horahan
In a recent survey of Chief Audit Executives, an increased focus on risk management was named the top initiative by 60% of respondents. The continuing growth of regulatory compliance demands in the healthcare industry, and the heightened risk that comes with it, is placing an enormous strain on auditing resources in most organizations. Deploying those resources in the most effective way means narrowing audit focus to those areas that pose the greatest risks.
The growing adoption of this type of approach explains why risk-based auditing is such a hot topic in healthcare circles today. With only so much time available for auditing, it’s critical for organizations to target specific areas of interest and not devote time to areas with little or no significant impact. Moving from an annual risk assessment program to a risk-based audit plan can be one of the most important moves a healthcare organization can make.
What is risk-based auditing?
There are a number of definitions of risk-based auditing, but most center on the concept of targeting perceived or known areas of risk. Traditionally, organizations develop plans for a period of time that involve scheduled, routine audits. For example, many will conduct audits of all their providers, reviewing a set number of cases over a fixed period of time. There is some risk focus involved because, based on results, the organization may audit some providers more frequently. However, the overall goal is getting through the list so all providers are ultimately audited over a one- or two-year period.
A true risk-based audit targets particular practices and codes based on specific concerns. Instead of taking a rigid, provider-by-provider or area-by-area approach, a risk-based program allows the audit team the flexibility to devote auditing resources to areas or providers that may be displaying potential negative issues. Risk-based audits are performed on an ad-hoc, unscheduled basis and are not tied to any particular provider or practice. In most cases, they audit a cross section of providers, zeroing in on trouble areas regardless of location.
In the end, all audits are technically risk-based in that the goal is to review controls to determine how effectively they are ensuring proper coding and billing. The key difference with risk-based audits comes down to scope and methodology.
Identifying areas of risk
The first step in risk-based auditing is to identify where the greatest risks to the organization lie. There are several ways to develop these targets.
Internal. There could be chatter or rumors within the organization about something that should be looked at and that could be perceived as a risk area. Results of prior internal audits are also an excellent source for identifying potential risk areas. If you are using up-to-date analytics software, you can mine your billing data to uncover trends that could be troubling over time.
External. Staying in tune with agencies that regulate Medicare or Medicaid can be a source for identifying risk areas. The annual OIG workplan outlines what federal regulators will be focusing on when they monitor organizations and offers a solid blueprint for identifying risk targets. You may also discover risk areas by monitoring provider questions, payor requests, and hotline submissions.
In a risk-based program, auditors tend to look for outliers. Particular areas include high-level E&M billing, teaching physician modifiers, and specialty procedures. Auditors can then turn their focus to any of these areas where potential trouble may be lurking.
For example, Modifier 25 is a particular target audit area according to the OIG Workplan. If an organization begins to see issues in that area, it may pull claims data that spans multiple providers or an entire practice to try to get a broader look at the problem. It can then take corrective action to minimize or eliminate the risk of investigation by third-party entities.
How technology can help
Targets of risk-based audits shouldn’t be selected solely in terms of total revenue at risk. Although some of these areas may have the greatest financial impact potential, because of their significance they will also likely have the most effective controls in place to guard against negative outcomes. A more effective method to establish focus areas for a risk-based audit is to analyze claims and billing data that may reveal trends that could actually lead to problems. These areas may not have the same total value as higher-profile areas, but may, in fact, present a higher risk.
Unfortunately, it’s virtually impossible to conduct full chart review audits on every potential risk. You need to be able to leverage billing and remit data to monitor key hospital and provider risks and home in on provider billing patterns that stand out when compared to peers.
That’s where technology comes into play.
An integrated software solution enables continuous monitoring and analysis of your billing and claims data. This enables you to deal with issues in real time, as opposed to doing post mortems after the fact. Once you see an area trending out of the norm, you can easily call up a random sample for review, something that is time consuming and resource draining with a manual process. You can then compile and report results for easy retrieval at a later date. Analyzing this data systematically is much more effective and productive than laboriously combing through Excel spreadsheets manually. A robust software solution helps you prioritize your audit focus and extend the number of risk areas you can monitor.
Benefits of risk-based audits
Risk-based audits can be more effective for organizations because they proactively seek out areas that could be problems, allowing earlier, faster resolution before any damage is done. They provide more frequent education for those who need it and offer more frequent reporting, keeping compliance in the forefront rather than making it simply an annual presence. This keeps compliance awareness at a higher level throughout the organization.
Implementing a risk-based audit program can also alter provider mindsets. Since they will be audited according to their level of risk, providers begin to understand the consequences of their actions. They soon realize that improved behavior will result in less frequent audits.
The key benefit of risk-based audits is that they allow you to stay ahead of third-party entities that are trying to put a magnifying glass on your organization.
There’s a fine line between traditional and risk-based audits, but more organizations are transitioning scheduled provider audits from annually to once every two years. This leaves room for audit teams to do more education and risk-based auditing. Traditional provider-based auditing will likely always be with us, but as compliance demands grow and resources become strained, a risk-based audit program may prove to be your most effective option.
 Executive Perspectives on Top Risks of 2015, report from NC State Poole College of Management and Protiviti Consulting.