Regional Health
CORPORATE RESPONSIBILITY
Auditing and Monitoring Standard Operating Procedure
FY11

Contents

Section 1: Introduction
Section 2: Objectives and Responsibilities
  2.1 Objectives of the CR Department
  2.2 Auditing Standards
Section 3: Nature of Audits and Audit Selection
  3.1 Nature of Audits
  3.2 Audit Selection
    3.2.1 High Risk
    3.2.2 Medium Risk
    3.2.3 Low Risk
Section 4: Audit Development & Process
  4.1 Pre-Audit Discussion
  4.2 Initial Research and Pre-Audit Preparation
Section 5: Audit Methodology and Procedures
  5.1 Fieldwork and Work Papers
  5.3 Retention of Records
  5.4 Audit Sampling
    5.4.1 OIG Claims Review
    5.4.2 Statistical Sampling
    5.4.3 Non-statistical Sampling
    5.4.4 Sampling Definitions & Plans
Section 6: Reporting
Section 7: Communication
  7.1 Exit Conference
  7.2 Monitoring
Addendum A: Financial Audits
Addendum B: Medical Services
Addendum C: Privacy and Security
Addendum D: Research Audits
Addendum E: Audit Checklist
Addendum F: Audit Report Template

Final Version 9-03-10

Corporate Responsibility’s Auditing and Monitoring Standard Operating Procedure

Section 1: Introduction

The Standard Operating Procedures Manual is a reference tool for the Corporate Responsibility (CR) department in the performance of its duties under established standards. The Regional Health Compliance & Audit Committee of the Board of Trustees shall review and approve the annual Audit Plan, the results of audits, and related recommendations for improvement in accordance with the Corporate Compliance Plan, Code of Conduct and the Articles of Incorporation for Regional Health.

Section 2: Objectives and Responsibilities

2.1 Objectives of the CR Department

The CR department provides an independent analysis through auditing and monitoring performed based on the following objectives:
a) To determine whether activities are in compliance with system policies, procedures and goals, contractual obligations, state and federal laws and regulations, as well as ethical business practices.
b) To recommend improvements in management controls, practices, and procedures to mitigate risk.
c) To evaluate the accuracy, timeliness, and effectiveness of information supplied to management and external organizations.

2.2 Auditing Standards

Audits are conducted according to generally accepted standards, as well as state and federal regulations, using audit programs, techniques, and procedures necessary in the circumstances specific to each assigned area (e.g., finance, coding, privacy, information security, or research).

Section 3: Nature of Audits and Audit Selection

3.1 Nature of Audits

Audits performed by the CR department are grouped into the following categories:
a) Financial (Addendum A)
b) Medical Services for Documentation and Coding (Addendum B)
c) Privacy and security (Addendum C)
d) Research (Addendum D)

3.2 Audit Selection

The CR department establishes audit activities from several areas: the Office of Inspector General (OIG) work plan, risk assessments, requests from a facility/department, trends in privacy issues, etc. The level of risk is established based on the following guidelines:

3.2.1 High Risk
a) Potential noncompliance with state or federal regulations
b) Government agency communication/correspondence
c) Allegation of abuse and/or neglect of a patient
d) Noncompliance with standards of care and/or quality indicators
e) Breach of protected health information (PHI)
f) Potential severe penalties
g) Cash loss and/or dollar value to include non-routine overpayments
h) Hotline calls and/or trends identified with a potential violation of code of conduct, policy and/or regulations
i) Identified materiality with a conflict of interest
j) Documentation and/or coding error rate less than 80% accurate
k) Overpayments greater than $100,000
l) Reputation capital

3.2.2 Medium Risk
m) Exit interviews alleging noncompliance with items in the High Risk category
n) Potential violations of policy
o) Documentation and/or coding error rate less than 90%
p) Known problem areas based on nature of the problem, previous audits and outcomes
q) Turnover of key personnel, addition of new functions, or significant increases in activities
r) Management concerns
s) Significant lapse of time since a high risk area was audited

3.2.3 Low Risk
t) Routine overpayments less than $25,000
u) Monitoring results based on previous audits
v) Release of one individual record containing protected health information with limited risk of further disclosure

Section 4: Audit Development & Process

4.1 Pre-Audit Discussion

The Vice President of CR or designee will assign audits appropriately to CR staff within their area of expertise. Prior to the audit or review, members of the CR team, including management and the assigned CR Auditor, will define the objectives, general scope and background information for the audit and record this information on the appropriate document. The objective defines the purpose of the audit, while the scope defines the timeframe, population, and methodology (statistical or non-statistical) needed for the audit. The background provides any information involved that identified the issue, including any person(s) and the regulations pertaining to the issue, if applicable.

The CR Auditor will then initiate the Audit Checklist (Addendum E). It is also the CR Auditor's responsibility to initiate and maintain contact with the individuals from the facility/department(s) being audited. Effective communication at the beginning of the audit can materially influence the atmosphere in which the audit is conducted.

4.2 Initial Research and Pre-Audit Preparation

The CR auditor will collect and consider the following as he/she develops the audit:
a) Previous internal and external audits and/or reports
b) Questionnaires or surveys
c) Policies and procedures
d) Contracts and/or Business Associate Agreements
e) Regulations, statutes, bylaws
f) Subject matter experts, e.g. coders, auditors, technical experts and/or legal
g) Research seminar materials or handbooks
h) Disclosed conflicts of interest

Section 5: Audit Methodology and Procedures

5.1 Fieldwork and Work Papers

Fieldwork is the process of gathering information for measurement and evaluation.
Work papers document the work the CR auditor has prepared and should be complete, accurate, clear, legible and logical, and should support observations, testing, conclusions and recommendations. Work papers will be maintained in an electronic format and filed in the subdirectory created and titled for the audit project on the CR Intranet Hub page. The file naming convention for the work papers is as follows: facility, mmddyyyy, “file description” (e.g., OIG Correspondence). All created documents should have the electronic file name as a footer at the bottom of the paper.

Information that is protected by privacy laws should not be included in the work papers. Personnel records and student records are protected by privacy laws. When these types of records are reviewed in an audit, names, social security numbers, and other identifying information should be expunged from the work papers.

Avoid including multiple choices of an item in the work papers or any item that is not necessary to support the work performed and the findings and conclusions in the audit report.

5.2 Attorney-Client Privilege

The attorney-client privilege may be invoked and directed by internal or external legal counsel. A/C privilege protects the privacy of the information exchanged between an attorney and a client. Its objective is to encourage open and honest conversations that enable an attorney to provide the best possible representation to the client.

5.3 Retention of Records

All correspondence, memoranda, and work papers will be maintained in accordance with the Regional Health Document Retention Policy COC 8217-21. A permanent electronic copy of all audits will be maintained in the appropriate folder on the CR Hub Page.

5.4 Audit Sampling

The type of sampling used is determined by the audit.

5.4.1 OIG Claims Review

The OIG Claims Review procedures require a Discovery Sample of 50 sampling units to be randomly selected for review.
If the net financial error rate of those 50 sampling units equals or exceeds 5%, then a Full Sample must be reviewed and a Systems Review must be conducted. The Full Sample must include a sufficient number of sampling units to yield results that estimate the overpayment in the population within a 90% confidence and 25% precision level.

5.4.2 Statistical Sampling

The objective of statistical sampling is to employ random selection procedures to eliminate the risk of bias and to permit quantification of sampling confidence. Statistical sampling methods should be used when any of the following criteria apply:
- Cost/benefit analyses support the additional costs and time required.
- The use of the government approved RAT-STATS statistical software designed to assist in the selection of random samples and evaluating the audit results.
- Risk of a sampling error must be quantified.

5.4.3 Non-statistical Sampling

The objective of non-statistical sampling, also referred to as a snapshot audit, is to review a focused area using non-statistical or judgment sampling.
a) If a system has weak controls that cannot be relied upon, it would also be wasteful to spend a great deal of time performing extensive substantive tests.
b) The audit objectives are met by a non-statistical sample.
c) The population has no variability.

5.4.4 Sampling Definitions & Plans

Attributes: To estimate the attributes or characteristics of a population--obtaining "yes or no" answers--with a measurable degree of reliability.

Variables: To estimate the value of a population--dollars, weights, time spans, or other variables--with a measurable degree of reliability.

Discovery: To identify, through sampling, at least one suspected item and discontinue sampling when the item is identified.

Judgment: To use samples for the purpose of obtaining information that need not be attributed to the entire population with measured reliability.

In deciding which selection technique or sampling plan to use, the auditor should consider these applications:
a) Random Numbers: Each of the items in the population is, or can readily be, numbered.
b) Interval: Items are not or cannot be numbered, or random sampling would be excessively expensive.
c) Stratification: The population is composed of items that vary considerably in value or in other characteristics of interest.

Section 6: Reporting

The Audit Report (Addendum F) will be completed after the audit examination fieldwork is finished. The audit report includes:
a) A cover page with the title, fiscal year, date of report, and distribution list (template located on the CR Intranet Hub).
b) Subsequent pages that contain the objectives, scope, background and findings/recommendation summary.
c) Individual findings that address all recommendations to the finding.
d) Conclusion.

The Audit Report will be reviewed with the Vice President of CR or designee before distribution to pertinent individuals and/or review at the exit conference.

The Audit Report should have the following characteristics:
a) Accuracy: the Audit Report should be completely factual with supportive references whenever possible. Statements of fact must carry the assurance that the CR auditor personally observed or validated each fact in the report.
b) Clarity: the Audit Report should accurately express ideas that result in a thorough understanding of that idea by the reader.
c) Conciseness: the Audit Report should eliminate anything that is superfluous, irrelevant, or immaterial.
d) Tone: the Audit Report should have a positive tone and be written courteously. Negative situations presented in a positive manner usually produce positive results.
e) Tense: the Audit Report should be written in the past tense.

Section 7: Communication

7.1 Exit Conference

The Exit Conference is intended to formally present all of the audit findings and recommendations to the Management of the audited department/facility. Management should carefully review each finding to determine the accuracy of the facts presented. An agreement should be reached on the facts presented, along with a clear understanding of the recommendations and of follow-up responsibility. Audit findings will be presented formally in the audit report.

7.2 Monitoring

The CR department will conduct follow-up monitoring on the recommendations and/or corrective action plans made for each finding. The nature of the follow-up is dictated by the seriousness and complexity of the deficiencies noted and, as appropriate, will be reported to executive management.

Corporate Responsibility Audit Manual
Addendum A
Financial Audits

Items for potential review:

The efficiency and effectiveness of all operations associated with the audit issue may include a review of the following:
1) Departmental fiscal and operational procedures,
2) Controls and responsible recording of activities in such areas as, but not limited to:
   a. the receipt, recording, deposit, and security over all cash receipts,
   b. the write-off allowance of patient charges,
   c. the procurement, receipt and payment of inventory and supplies,
   d. interfaces between systems, and
   e. the accuracy of internal and external reports.
3) Contracts with external entities and organizations,
4) Security and control of equipment and facilities,
5) Recommendations and implementation from prior audits,
6) Compliance with system policies and procedures.

Approach to test and evaluate controls and procedures:

CR will review all pertinent information provided, including policies and procedures; interview necessary personnel; and verify procedures. Testing procedures are designed to verify the control’s existence and operational effectiveness.
The following table provides a summary of the types of tests that may be employed to verify the control environment:

| Audit stage | Type of procedure | Manual methods of gathering evidence include: |
| --- | --- | --- |
| Control testing | Tests of control | Observation, inspection, inquiry, re-performance and application as prescribed by policies, procedures, rules, regulations and sound business practice. (SAS 1, Section 320.55) |
| Substantive testing | Tests of detail | Transaction testing, physical examination, inquiry of employees, recalculation, confirmation, vouching, cut-off test. |
| Substantive testing | Analytical procedure | Reasonableness test, ratio analysis, scanning, roll-forward procedure, comparison, benchmarking. |

Flowcharts:

A flowchart is a method for documenting and understanding the flow of a system and for identifying its control points. It is a pictorial description of how transactions flow through a system. It visually communicates procedures and controls and the sequence in which they occur. Processes can be easily analyzed for appropriate internal controls by documenting activities chronologically. The following guidelines should be followed in preparing flowcharts.
1) Prepare or update a flowchart for each audit, as applicable.
2) Use appropriate design and flowchart symbols for the activity being analyzed.
3) Identify and document control points and respective sub-routines.
4) Prepare a narrative on control activities based on interviews with the auditee.

Space Requirements: Communicate with the auditee the on-site office space needed and the access required to computers and departmental staff.

Time Required: Advise the auditee of tentative start and finish dates, which should include the turn-around time from the draft report to the exit conference.

Documentation Requests: Consider the need for access to financial, medical records, research records, job descriptions, etc. and request the items well in advance.

Open communication: CR will work closely with designated personnel from the department to ensure awareness of any concerns that might arise during the audit process.

Corporate Responsibility Audit Manual
Addendum B
Medical Services

Corporate Responsibility’s Medical Services staff are responsible for the Professional Services Monitoring audits, Claim Review audits and Probe audits.

A. Professional Services Monitoring Audits

1. The standard audit process will ensure audits are completed in an efficient and timely manner in accordance with the schedule established by CR. Audit services will include, but are not limited to, the following:
- Assess the coding accuracy as reflected in the medical record.
- Assess whether medical records are being completed correctly and in a timely manner.
- Evaluate services or items provided for reasonableness and medical necessity.
- Determine if medical records contain the required documentation to support the charges billed.
- Identify areas of documentation that require education or improvement.
- Assess whether education provided resulted in improved documentation standards.
- Identify risks based upon regulatory and/or industry standards and develop recommendations to mitigate the risks.

2. Audit Process

CR will audit 10 encounters per provider on a retrospective basis and include Clinic and Hospital Evaluation and Management (E/M), and consultation services. Audits will be coordinated with the Clinic Administrators and facility Coders to be conducted within their respective facility where possible, and to keep inconveniences to a minimum. Follow-up audits will be based upon the provider’s accuracy rates in accordance with the following table:

| Audit Score | Follow-up Audit |
| --- | --- |
| 100 - 90% | One year |
| 89 - 70% | 6 months |
| 69% below | Within three months |

3. Audit Report and Communications

CR will provide audit reports and supplemental data to Regional Health Physicians (RHP) in accordance with the following guidelines:

3.1 Audit Score of 90% or Greater

Audit review meetings will not be scheduled with Physicians whose Audit Score is 90% or greater. Audit reports will be emailed to RHP for their review and use.

3.2 Audit Score Less than 90%

CR Auditors will provide a draft copy of the audit report to RHP for review and allow two business days to respond with questions. Immediately following the review period, a meeting will be scheduled with the Clinic Administrator, Provider, Coder and RHP representative to review the audit report and provide education as appropriate. In the event the audit results cannot be reviewed in a timely manner with the provider due to unavailability within three weeks after the audit has been completed, the Audit Report will be given to Dr. Reyno.

B. Claims Review Audits

The OIG Claims Review procedures require a Discovery Sample of 50 sampling units to be randomly selected for review. If the net financial error rate of those 50 sampling units equals or exceeds 5%, then a Full Sample must be reviewed and a Systems Review must be conducted. The Full Sample must include a sufficient number of sampling units to yield results that estimate the overpayment in the population within a 90% confidence and 25% precision level.

The purpose of conducting a Discovery Sample as part of the Claims Review is to determine the net financial error rate of the sample that is selected. If the net financial error rate equals or exceeds 5%, the results of the Discovery Sample are used to determine the Full Sample size. The Full Sample size is based on an estimate of the variability of the overpayment amount in the population from which the sample was drawn.
The results of the Discovery Sample allow the reviewer to estimate how many sample units need to be reviewed in order to estimate the overpayment in the population within certain confidence and precision levels (e.g., generally, a 90% confidence and 25% precision level).

C. Probe Audits

Probe audits are performed to identify potential issues reported by Regional Health staff, audit contractors or any other agency. In the event an issue is identified through the probe review, the audit process will be followed according to the Audit Manual.

D. Reviews with Multiple CPT Codes

When performing audits where multiple CPT/ICD codes are used, it is important, to help identify any potential issues or risks, to compile a report that separates results per year and per CPT/ICD code. Utilizing RAT-STATS, the sample would be selected utilizing the 90% confidence and 25% precision level or a statistically valid sampling.

Corporate Responsibility Audit Manual
Addendum C
Privacy and Security Audit

Privacy and Security Audits are conducted to oversee Regional Health’s (RH) compliance with the HIPAA Privacy and Security Rules.

Audit Types:

A. Electronic Audits: Monitor access to RH patients' protected health information (PHI) or confidential business information.
   1. Access Audits
      a. Random access audits may be conducted on electronic applications. Areas of interest may include but are not limited to:
         1. VIP patients as identified in Meditech by Admissions
         2. Confidential patients
      b. Focused access audits will be conducted on an “as needed” basis. Audit areas include, but are not limited to:
         1. Patient/Employee complaints
         2. Hotline/Reports
         3. High profile/media patients
         4. Information Security audits
         5. Breach Notification Complaints
      c. Procedure: See Addendum C.1 - Security and Privacy Access Audit Flowsheet

B. Physical Audits: Monitor RH’s physical and technical safeguards for protecting patients' PHI and business data by conducting walk-through audits.

Reporting: As appropriate, audit results will be reported to Human Resources and/or Legal Services. Breach logs must be reported annually to the Office of Civil Rights.

Corporate Responsibility Audit Manual
Addendum D
Research Audits

As a means of evaluating responsible conduct of research compliance, the Research Compliance Analyst will conduct internal audits, which are designed to identify standards of excellence and potential areas for improvement in order to promote a solid foundation for the conduct of human subjects’ research.

Internal audits may be conducted on a routine basis or as requested by Principal Investigators (PIs), Research Staff or the Institutional Review Board (IRB). PI/Staff or IRB requests for audit are to be submitted directly to the Research Compliance Analyst via phone, e-mail or written correspondence.

All human research approved by the IRB and conducted at Regional Health (RH) may undergo internal audit in order to assure the protection of human research participants and compliance with Federal regulations, state and local law, IRB policies and procedures, and RH’s FWA with OHRP.

The purpose of an internal audit is to:
- Assess adherence to Federal regulations as defined by OHRP and FDA.
- Assess adherence to RH IRB policies and procedures.
- Assess adherence to local and state laws and regulations.
- Determine that the rights and safety of human research participants have been properly protected.
- Provide education to investigators.

The focus of the audit may range from a complete review of the study (full) to specific elements of the research process (partial). Requested audits may be full or partial dependent upon the specificity of the request.

Routine audits will be conducted monthly and will be subject to a full study audit. The study(ies) chosen for routine audit will be randomly selected from the IRB Agenda.
Studies eligible for routine audit selection shall include non-sponsored studies, studies subject to full IRB review, and studies having had at least one continuing review. At least one study will be selected for routine audit each month. Time permitting, additional studies may be chosen.

As sponsored research studies are already heavily monitored, they will be eliminated from routine audit selections. The Corporate Responsibility Department requests that all external monitoring activity be reported to the Research Compliance Analyst. The Research Compliance Analyst will compile the findings from the external audit(s) and review for potential trends. Specific trends identified will result in partial audits being conducted; however, if warranted by external audit findings, full study review may be required.

Topics to be reviewed during a full study audit are included in (but may not be limited to) the Research Integrity Audit Checklist. IRB files will be retrieved from the Integrated Research Informational System (iRIS) program. Additional study documentation and participant files will be obtained at the research sites. Based upon the study’s enrollment count, the sample size of participant files to be reviewed will be chosen using the RAT-STATS statistical software.

The IRB office and member activities will be audited annually. A retrospective audit will be conducted on the activities included within the convened meeting minutes of a randomly selected month. The audit will include, but may not be limited to, the topics included with the Research Integrity Audit Checklist.

Corporate Responsibility Audit Manual
Addendum E
Corporate Responsibility Audit Checklist

| Item | Date Completed | Initials |
| --- | --- | --- |
| Planning (Plan) | | |
| Pre-audit discussion | | |
| Initial research and pre-audit preparation | | |
| Develop audit methodology | | |
| Opening Conference (as applicable) | | |
| Distribute “You’re Having an Audit” Q&A sheet to the department (as applicable) | | |
| Fieldwork (Do) | | |
| Complete audit procedures | | |
| Complete working papers | | |
| Tie-out (Check) | | |
| Walk through audit concerns with V.P. or designee | | |
| Update Permanent File With Current Working papers and Correspondence | | |
| Reporting (Act) | | |
| Draft audit report | | |
| Review with V.P. or designee | | |
| Exit Conference (as applicable) | | |
| Revisions, if Necessary | | |
| Final Report | | |
| Need for monitoring | | |

Addendum F

Title
FY10
INITIALS OF PREPARER
DATE
CONFIDENTIAL

Distribution List:
Names of persons
Shawn DeGroot, Vice President of Corporate Responsibility
Carla Texel, Director of Corporate Responsibility

AUDIT REPORT

OBJECTIVE:

SCOPE:

BACKGROUND:

Findings and recommendations

A.1:
Finding A.1:
Recommendation A.1:
Monitoring A.1:

A.2:
Finding A.2:
Recommendation A.2:
Monitoring A.2:

A.3:
Finding A.3:
Recommendation A.3:
Monitoring A.3:

CONCLUSION: