GRC Technologies: A Hedge Against Recovery Audits

In previous posts, we’ve discussed the possibilities for automating the various components of governance, risk, and compliance (GRC), and the benefits such automation can provide to organizations. Now, let’s move from the theoretical to the tangible and discuss how automation can help organizations in an industry with particularly complex data and compliance environments: healthcare.

Like financial services and energy, healthcare operates within a regulatory landscape so byzantine it would boggle the Byzantines. Almost every aspect of the sector is overseen by at least one and sometimes several regulatory authorities, and staying in compliance with those various regimes imposes a substantial burden of time and expense on providers. In this atmosphere, where regulation intersects literally with issues of life and death, the need for compliance reporting is critical, and it’s illogical and impractical to try to accumulate and integrate the volume of data involved using ad hoc methods such as spreadsheets or makeshift applications.

To drill down to a manageable topic, let’s focus on just one aspect of healthcare regulation: the Medicare Recovery Audit Contractor (RAC) program. Established as part of the Medicare Modernization Act of 2003, the RAC program was designed to fight fraud, waste, and abuse in the Medicare program by identifying and reducing improper payments on fee-for-service claims. The Department of Health and Human Services, through its Centers for Medicare & Medicaid Services (CMS), awarded contracts to four permanent recovery audit contractor firms, which were empowered to conduct audits of healthcare providers’ records to identify both overpayments and underpayments. The mission of the RACs is to recoup overpayments; prevent future improper payments to safeguard the Medicare Trust Fund; lower CMS’s error rate; and promote process improvements at CMS, among Medicare administrative contractors, and among providers.

All in all, the program is very similar to that of the Defense Contract Audit Agency (DCAA), which provides audit services to the Department of Defense and other federal entities. As such, the steps healthcare organizations can take to get out ahead of the auditors through automation and process improvements can be illustrative for organizations in other industries subject to heavy regulation and/or government contract audits.

The burden RAC audits place on providers is obvious: the time and effort of complying with records requests, and the potential monetary loss from identification of overpayments. The question, then, is how can healthcare organizations leverage GRC technology tools to reduce those efforts and exposures?

First, an organization needs to understand its claims system so it can define the areas and indicators on which RACs are concentrating in their audits, then assess whether its claims system has the capability to flag those transactions. Areas and indicators could include issues related to coding of medical records (e.g., incorrect coding of principal diagnosis, leading to inappropriate reimbursement), issues related to suspicious diagnoses based on patient demographics (e.g., uterine or ovarian surgery for a male patient), or indicators of potential duplicate payments for a single service, such as identical or similar claims made for the same patient on the same date or by the same doctor.

Flagging these items would launch a workflow into a GRC technology tool that would assign an auditor to review the transaction to determine that the payments are correct in accordance with the medical documentation, and that there are no errors in payment or potential incidents of fraud. The workflow would contain the key follow-up audit process, specify the people responsible, lay out a timeline for the review, and provide a “container” to store and report the documentation of the review. The technology would also function as the dashboard report for the compliance department, enumerating the scope of claims that are likely to be audited by the organization’s RAC and providing a view into areas of process improvement within the organization.
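The indicator checks and the review workflow described in the two paragraphs above, as an added example (not code from the author or from any GRC product). The field names, procedure labels, auditor names, and 14-day review window are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Claim:
    claim_id: str
    patient_id: str
    patient_sex: str
    provider_id: str
    service_date: date
    procedure: str  # constructed label, not a real billing code

# Assumption: procedures this organization treats as sex-specific.
SEX_SPECIFIC = {"ovarian-surgery": "F", "uterine-surgery": "F"}

def flag_claims(claims):
    """Return {claim_id: [indicator, ...]} for claims that need auditor review."""
    flags, seen = defaultdict(set), defaultdict(list)
    for c in claims:
        expected = SEX_SPECIFIC.get(c.procedure)
        if expected and c.patient_sex != expected:
            flags[c.claim_id].add("demographic-mismatch")
        # Same patient, same service, same date: candidate duplicate payment.
        seen[(c.patient_id, c.procedure, c.service_date)].append(c.claim_id)
    for ids in seen.values():
        if len(ids) > 1:
            for claim_id in ids:
                flags[claim_id].add("possible-duplicate")
    return {cid: sorted(names) for cid, names in flags.items()}

def open_reviews(flags, auditors, opened_on, review_days=14):
    """Turn each flagged claim into a review item: owner, deadline, evidence list."""
    return [{"claim_id": cid, "indicators": flags[cid],
             "auditor": auditors[i % len(auditors)],      # round-robin assignment
             "due": opened_on + timedelta(days=review_days),
             "documentation": []}                          # filled in during review
            for i, cid in enumerate(sorted(flags))]

# Constructed sample claims (not real data).
SAMPLE_CLAIMS = [
    Claim("C1", "P1", "M", "D1", date(2024, 3, 1), "ovarian-surgery"),
    Claim("C2", "P2", "F", "D2", date(2024, 3, 2), "office-visit"),
    Claim("C3", "P2", "F", "D2", date(2024, 3, 2), "office-visit"),
    Claim("C4", "P3", "F", "D1", date(2024, 3, 2), "office-visit"),
]

if __name__ == "__main__":
    for item in open_reviews(flag_claims(SAMPLE_CLAIMS), ["auditor-a", "auditor-b"], date(2024, 3, 5)):
        print(item)
```

The list of open review items is also the raw data for the compliance dashboard: counting items per indicator shows where flagged claims concentrate.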

Leveraging an automated process provides multiple benefits:

  • It allows the organization to proactively monitor known indicators, including CMS-approved issues around which the RACs are focusing for reviews.
  • It improves compliance processes by establishing collaboration between providers, health information management, and revenue cycle professionals.
  • It promotes process improvement by focusing on accurate reporting capabilities down to the procedure level, and can spark efforts to more accurately document patient encounters.
  • It provides the ability to create dashboard reports, which can be used as a communication tool when educating the organization’s employees on compliance efforts. Putting the process within one tool also gives organizations the ability to establish links for CMS to review the dashboard reports and get visibility into organization policy.
  • It puts the organization at a competitive compliance advantage by allowing it to track for high-risk claims and mitigate the issues by assigning a lead auditor and requesting accurate documentation from the provider before CMS receives the bill. For instance, identification of the diagnosis related groups (DRGs) in which coding errors most commonly occur can lead to a process in which claims containing those DRG codes are funneled automatically to a lead coder for pre-submission review to ensure correct coding and sequencing.

Automation, in whatever industry, can arm organizations with data-analytic firepower that allows them to get out ahead of their regulators, identifying areas of vulnerability, tracking and expediting records requests, supporting auditing and monitoring efforts, and identifying opportunities for improvement. The right technology, set up with the right parameters and supported by properly detailed data, can help the organization prevent fraud, waste, and abuse, improve overall accuracy and efficiency, and reduce the risk of compliance failure.

About the Author

Joe DeVita

Joe DeVita is a partner with PricewaterhouseCoopers, based in the New York Metro area, and leads the governance, risk and compliance (GRC) technology practice for PwC. Joe works with clients to improve and optimize controls around the financial reporting processes, including business process and IT management controls and IT Security and governance reviews. He also assists clients with application selection, implementation, and optimization of Oracle applications including Oracle E-Business Suite and Oracle GRC Suite. Joe has more than 21 years of IT development, implementation and project management experience and has worked with many of the firm's key clients, including JP Morgan Chase, BP Amoco, IBM, NIKE and Toyota Motors, working with many key issues surrounding risk management and IT controls, including:

  • Assisting our clients to optimize their risk and internal control activities, including SOX readiness/optimization activities, through assessing the effectiveness of internal controls, ensuring alignment with the organization's business objectives and risks and using control activities to drive process improvement and enhanced business value
  • Custom developing and deploying solutions for clients to facilitate various processes not captured in the core ERP environments.
  • Ensuring IT is aligned to organizational strategy, responsive to a changing business climate, with clearly defined policies and procedures that take into account legal and regulatory compliance requirements
  • Enhancing the process of developing robust controls around pre- and post-implementation system reviews through a clearly defined project management methodology that emphasizes the importance of benefits management
  • Performing third-party and other opinion-level services in response to service organization requests from customers for information about internal controls or requests for access to audit (generally in accordance with contractual agreements)
  • Assisting ERP clients to optimize and sustain a real-time controls environment at an enterprise level. We evaluate the effectiveness of current controls and develop a plan to rationalize financial and operationally significant controls. We subsequently design and implement a full range of simplified, standardized controls within core business applications that enables the company to document, monitor and continuously assess the effectiveness of those controls in a real-time environment

Joe is a Certified Public Accountant (CPA), and a Certified Information Technology Professional (CITP). He also holds a Bachelor of Science degree in Business Administration from American University in Washington, D.C.