;,z SOUlHWESTERN

MEDICAL CENTER

Daniel K. Podolsky, M.D. President

Philip O'Bryan Mont~omery, Jr., M.D. Distinguished Presidential Chair III Academic Administration

Professor of Internal Medicine Doris and Bryan Wildenthal Distinguished Chair in Medical Science

February 24, 2010

Kenneth Shine, M.D.

Executive Vice Chancellor for Health Affairs The University of Texas System

601 Colorado Street

Austinl' ~~8701

Dearrmoe:

Enclosed for your information is a copy of the University of Texas Southwestern Medical Center at Dallas Internal Audit Report - 10:23 Billing Compliance.

I concur with the auditors' recommendations. Five recommendations are being

implemented.

~

Daniel K. Podolsky, M.D.

Enclosure

cc: John Roan Charles G. Chaffin Robert Rubel

5323 Harry Hines Blvd./ Dallas, Texas 75390-9002/214-648-2508 Fax 214-648-8690 www.utsouthwestern.edu

The University of Texas Southwestern Medical Center at Dallas

Billing Compliance 10:23

February 24, 2010

Office of Internal Audit 5323 Harry Hines Boulevard Dallas, Texas 75390-9017 (214) 648-6106

The University of Texas Southwestern Medical Center at Dallas Billing Compliance- 10:23

FY 2010

AUDIT REPORT February 24,2010

Dr. Daniel K. Podolsky, President

The University of Texas Southwestern Medical Center at Dallas 5323 Harry Hines Boulevard, MC 9002

Dallas, Texas 75390-9002

Dear Dr. Podolsky:

The University of Texas Southwestern Medical Center at Dallas Office of Internal Audit has completed its 10:23 Billing Compliance audit as detailed below.

Executive Summary

The Billing Compliance function at UT Southwestern Medical Center is comprised of two billing compliance programs: 1) Hospital Billing Compliance and 2) Professional (physician and non-physician practitioners) Billing Compliance.

University Hospitals Billing Compliance Program

The audit identified a significant finding in the Hospital Billing Compliance program. Despite being part of the Medical Center since 2005, the Hospital Billing Compliance program has not established a framework to apply key elements of the "Office of Inspector General (OIG) Supplemental Compliance Program Guidance for Hospitals". As a result, we recommend that the Hospital Billing Compliance program be restructured and designed to incorporate the OIG Supplemental Compliance Program Guidance for Hospitals published in the Federal Register, Vol. 70, No. 19. Additionally, we recommend that University Hospitals' billing compliance efforts be consolidated to promote full coverage of hospital billing compliance risks. Finally, we recommend development of a cohesive risk assessment and a corresponding audit plan which links to risks identified. (See Finding 1.)

Professional Billing Compliance Program

The Professional Billing Compliance Program has well-designed processes which are consistent with "OIG Compliance Guidance for Physician Practices , Federal Register Vol. 65, NO.194" and "MDauditTM Guiding Principles for the University of Texas System." By incorporating all key elements of OIG and UT System guidance, the Professional Billing Compliance program has established a framework to provide reasonable assurance that the Professional Billing Compliance Program objectives and mission are being achieved. To enhance the implementation of this framework as designed, we provided the following recommendations: Professional billing compliance failures should be timely monitored; systemic failure rates should be identified, reported and

10:23 Billing Compliance - February 24,2010

- 1 -

addressed at the department level; periodic reviews of MDaudit™ Professional users' rights should occur; and finally, the Professional Billing Compliance Plan should be updated to reflect the current structure and practices. (See Findings 2-5.)

Background

The UT Southwestern Medical Center's Billing Compliance function is intended to establish a framework for legal compliance with applicable federal and state billing laws and regulations. The Medical Center's Billing Compliance function consists of two programs: 1) University Hospitals Billing Compliance and 2) Professional Billing Compliance.

University Hospitals Billing Compliance

Billing Compliance responsibilities reside with four different groups: The Hospital Compliance Director (HCD), the Billing Compliance Office (BCO), Patient Financial Services (PFS), and Maxim, an outside vendor. Hospital Billing Compliance risk assessments have been prepared by both the HCD and BCO. However, the HCD and BCD assess risks in different ways, and there is little coordination of risk assessment and other hospital billing compliance efforts between the two functions. Following is a discussion of the current resources used and roles performed by each Hospital Billing Compliance component:

• The Corporate Compliance Director for the University Hospitals functions as the Hospital Compliance Director (HCD). She currently does not have assigned staff to perform hospital billing compliance audits. The HCD prepares a risk matrix which documents management's assessment of risks; however, hospital billing compliance risks identified in the HCD's risk matrix are different than risks identified by BCO.

• The BCD has developed a risk assessment patterned after risks identified in the DIG work plan and the RAC (Recovery Audit Contractor) audits as well as other sources. While only one Billing compliance auditor is dedicated solely to University Hospitals billing compliance, seven of the Billing compliance auditors (including the Director) have obtained a hospital coding certification, CPC-H (Certified Professional Coder-Hospital). A CPC-H certification qualifies the Billin~ compliance auditors to perform hospital billing compliance audits. MDauditT Hospital is scheduled to go online in the second quarter of 2010; however, only assurance reviews of department self reviews, rather than audits, are currently planned for Hospital Billing Compliance. MDaudit TM Hospital is an audit software tool that automates the administrative aspects of the billing compliance auditing process. Additionally, a supervisor for the BCO is tasked with performing the Quality Assurance Review of the outside auditor's (Maxim's) work.

• Two PFS nurse auditors provide billing compliance audits on an ad hoc basis along with their other assigned responsibilities.

• Maxim is contracted to perform quarterly audits of the University Hospitals' Diagnosis Related Group (DRG) billings.

10:23 Billing Compliance - February 24, 2010

-2-

Professional Billing Compliance

The Professional Billing Compliance function is housed within the BCO and includes an established framework for compliance. The BCO consists of a Director and eight billing compliance auditors. The auditors use MDaudit™ Professional to globally audit professional billing across the Medical Center. MDauditTM Professional is an audit software tool that automates the administrative (i.e., risk profile development, sample selection, provider/hospital audit results tracking, audit results reporting, etc.) aspects of the billing compliance auditing process. Five of the billing compliance auditors (including the Director) are certified medical coders (CMC) in physician coding and 4 billing compliance auditors are certified professional coders (CPC). These certifications qualify them to perform professional billing compliance audits.

As part of its auditing approach using MDaudit™ Professional, the BCO has developed a risk assessment patterned on risks identified in the OIG work plan. The approach includes annual audits of all providers who have billed for services during the year. Cases selected for audit are based on risks outlined in the OIG work plan and specific to the Medical Center. The designed approach includes quarterly and semi-annual follow-up audits of providers who do not meet certain scoring thresholds.

Audit Objectives

The primary objective of this audit is to provide reasonable assurance that there are adequate and effective controls applied by the University's Billing Compliance functions:

• To ensure all identified medical billing risks to the UT Southwestern Medical Center and its affiliated University Hospitals are appropriately managed.

• To build compliance consciousness into daily operations through monitoring procedures and consistent application of corrective, restorative, and/or disciplinary actions in instances of non-compliance.

Scope and Methodology

The audit covered the period of September 1, 2008 through January 31, 2010. To achieve our objectives, we assessed risk, conducted interviews, observed operations, researched criteria, analyzed processes, and tested controls.

This audit is a risk-based audit from the fiscal year 2010 audit plan. Our examination was conducted according to guidelines set forth by The University of Texas System's policy, UTS129 "Internal Audit Activities", the Regents' Rules and Regulations, and the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing.

Significant Findings

Significant audit findings/recommendations are submitted to and tracked by the U. T. System Audit Office. Quarterly, the chief business officers are asked for the status of implementation, which is verified by the internal audit directors. A quarterly summary report is provided to the Audit, Compliance, and Management Review Committee of the U. T. System Board of Regents. Additionally, the Committee members receive a detailed summary of "new" significant findings and related recommendations quarterly.

10:23 Billing Compliance - February 24, 2010

-3-

Audit Results/Recommendations

Our audit results and 5 recommendations regarding the billing compliance functions are detailed below.

1. Hospital Billing Compliance has not established a framework to apply key elements of OIG Guidance for Hospitals.

The Hospital Billing Compliance program has not established a framework to apply key elements of.the "OIG Supplemental Compliance Program Guidance for Hospitals". The OIG Supplemental Compliance Program Guidance for Hospitals, Federal Register, Vol. 70, No. 19 states: "Hospitals should develop detailed audit plans designed to minimize the risks associated with improper claims and billing practices." Additionally, the OIG guidance recommends: annual re-evaluation of audit plans, follow-up of previous audit findings, clearly established audit roles, qualified and independent auditors with requisite certifications, evaluation of audit error rates, and review of all billing documentation in support of claims.

Further review identified a lack of a cohesive Hospital Billing Compliance program to promote full coverage of hospital billing compliance risks. The current Hospital Billing Compliance program is fragmented with responsibilities split among four groups:

1) Billing Compliance Office (BCO)

2) Hospitals' Compliance Director (HCD)

3) Patient Financial Services (PFS) - Nurse Auditors; and

4) Maxim, an outside vendor.

Compounding the effects of the fragmented program structure is a general lack of coordination and communication among the groups mentioned above. For example, two separate risk assessments pertaining to University Hospitals billing compliance have been developed. For FY 2009, the Billing Compliance Office prepared a risk assessment for the University Hospitals, based on the OIG work plan and the RAC audits. At the same time, the HCD at the hospitals has prepared a risk matrix which addresses University Hospitals' management's assessment of billing compliance risks; however, it is not based on OIG work plan criteria.

Additionally, a risk-based billing compliance auditing plan has not been developed to address BCO and HCD identified risks. As a result, audit coverage is not adequate to address these risks. Planned compliance audits will promote early prevention, detection, and response to business conduct that is inconsistent with federal and state laws and with Medical Center values. Through early detection and timely reporting, the Medical Center will benefit from planned audits that assist in minimizing loss and reducing exposure to potential civil damages and penalties, criminal sanctions, and administrative remedies, such as program exclusion.

Our review of best practices of other premier University Hospital compliance programs identified common factors associated with these programs including:

• a centralized billing compliance group,

10:23 Billing Compliance - February 24,2010

-4-

• a cohesive risk assessment, and

• an annual audit plan charged to perform compliance assurance audits in those areas with the highest risks.

Recommendation

We recommend that the Hospital Billing Compliance program be restructured and designed to incorporate the OIG Supplemental Compliance Program Guidance for Hospitals published in the Federal Register, Vol. 70, No. 19.

Additionally, we recommend consolidation of efforts to ensure complete coverage of University Hospitals billing compliance risks. We further recommend development of a cohesive annual risk assessment and corresponding audit plan. A monitoring system for the audit plan should be developed to ensure that planned audits are actually performed. Timely follow-up of audit results is needed to ensure corrective actions occur.

Management Response:

AVP, Office of Compliance:

We agree. We will work with the Executive Compliance Committee, Hospital Administration, the Hospital Compliance Director, and the Director of Billing Compliance to restructure the Hospital Billing Compliance program. We will design the program to include the OIG Supplemental Compliance Program Guidance for Hospitals published in the Federal Register, Vol. 70, No. 19. We will develop a cohesive annual risk assessment and corresponding audit plan. A monitoring system for the audit plan will be developed to ensure that planned audits are performed. Timely follow-up of audit results will be performed to ensure corrective actions occur.

Hospital Compliance Director:

We agree. We will work with the Executive Compliance Committee, Hospital Administration, the Assistant VP of the Office of Compliance, and the Director of Billing Compliance to restructure the Hospital Billing Compliance program. We will design the program to include the OIG Supplemental Compliance Program Guidance for Hospitals published in the Federal Register, Vol. 70, No. 19. We will develop a cohesive annual risk assessment and corresponding audit plan. A monitoring system for the audit plan will be developed to ensure that planned audits are performed. Timely follow-up of audit results will be performed to ensure corrective actions occur.

Responsible Party:

AVP, Office of Compliance and Hospital Compliance Director

Implementation Date:

July 30, 2010

2. Professional Billing Compliance failures were not timely monitored.

While the MDaudit ™ model was effectively desiqned, its implementation has been hampered by delayed quarterly reviews. The BCO did not enforce established

10:23 Billing Compliance - February 24, 2010

-5-

timeframes for disputes and did not perform any quarterly reviews while disputes went unresolved. Professionals receiving failing scores are placed on a quarterly review schedule to coincide with their annual review. At present, professionals with failing scores from the first quarter of 2009 will not receive their quarterly reviews until the second quarter of 2010. Further delays in review increase the risk that billing compliance violations, errors, etc. go unheeded increasing the Medical Center's potential exposure risk of civil damages and penalties, criminal sanctions, and administrative penalties, such as program exclusion.

Our analysis of dispute rates revealed resistance from Department Chairs and Billing Managers and lack of enforcement of established timelines for resolving disputes of BCO findings. Internal Audit tested all 46 professionals who received failing scores on their annual reviews in the first quarter of 2009. From the 512 professionals reviewed by the BCO for that quarter, 46 professionals received failing scores. We tested all 46 and determined that results were disputed for twenty (43%) of the 46 professionals with failing scores. Due to disputed results, professionals were granted delays in receiving required quarterly reviews.

The Professional Billing Compliance Plan is clear on the process to complete and finalize audits. The Billing Compliance Advisory Committee (BCAC) has authorized a fourteen day period for departments and providers to respond to audit findings submitted by the BCO. However, after that fourteen day period, another two week period of time has been given for providers to respond to the BCO. Also, it is BCO policy that a professional cannot be put on a review plan until the audit is completed and finalized. The current dispute process promotes further delay by Department Chairs, Billing Managers, or Professionals who do not want to accept the scores they received. The dispute process often runs into the next annual cycle for testing, subsequently interfering with the necessary quarterly and semi-annual reviews that are required to be completed for that period of time.

Recommendation:

Enforce the established timetable set forth in the Billing Compliance Plan as authorized by the BCAC for handling dispute resolutions. Additionally, the BCO should continue to perform quarterly reviews, irrespective of ongoing disputes over MDaudit™scoring.

Management Response:

We agree. We will enforce the established timetable set forth in the Billing Compliance Plan as authorized by the BCAC for handling dispute resolutions. Additionally, the BCO will continue to perform quarterly reviews, irrespective of ongoing disputes over MDauditTM scoring.

Responsible Party:

Director of Billing Compliance

Implementation Date:

May 31,2010

10:23 Billing Compliance - February 24,2010

-6-

3. Systemic failure rates should be identified, reported and addressed at the

department level.

Our review of MDaudit™ scores for the 1st quarter of 2009 identified systemic failure rates for certain departments. We determined that systemic departmental failure rates for the same departments continued into the second, third, and fourth quarters without being identified, reported and addressed at the department level. These recurring failure rates indicated that current departmental billing practices are in need of immediate improvement.

Recurring systemic failure rates increase the risk of exposure to potential civil damages and penalties, criminal sanctions, and administrative remedies, such as program exclusion.

Failure rates were calculated quarterly by department based on annual MDaudit™ scores for providers. For each department, the number of professionals failing their annual billing compliance audit during a quarter was divided by the total number of professionals receiving an annual billing compliance audit during that quarter.

Recommendation:

In addition to the individual provider remediation process, systemic failure rates should be identified, reported and addressed at the department level. By immediately addressing non-compliance at the department level, recurring systemic failures may be prevented.

The BCO should calculate and monitor departments' billing compliance failure rates. Departments with high failure rates should receive immediate formal intervention at the department level to prevent recurring systemic billing compliance failure.

The BCO should develop a formal structured training program centered on improving billing compliance scores at the departmental level. Audit scores and identified areas of non-compliance should be monitored at the department level to evaluate effectiveness of training.

Additionally, departments with recurring systemic failure rates should be reported to the Billing Compliance Advisory Committee (BCAC) and the University Billing Compliance Committee (UBCC). The BCO should work with the BCAC and UBCC to plan for and manage additional departmental remediation efforts.

Management Response:

We agree. Systemic failure rates will be identified, reported and addressed at the department level. The BCQ will calculate and monitor departments' billing compliance failure rates. Departments with high failure rates will receive immediate formal intervention at the department level to prevent recurring systemic billing compliance failure.

10:23 Billing Compliance - February 24, 2010

-7-

Additionally, the BCQ will develop a formal structured training program centered on improving billing compliance scores at the departmental level. Audit scores and identified areas of non-compliance will be monitored at the department level to evaluate effectiveness of training.

Departments with recurring systemic failure rates will be reported to the Billing Compliance Advisory Committee (BCAC) and the University Billing Compliance Committee (UBCC). The BCQ will work with the BCAC and UBCC to plan for and manage additional departmental remediation efforts.

Responsible Party:

Director of Billing Compliance

Implementation Date:

May 31,2010

4. Periodic reviews of MDaudit™ users' rights should occur.

All MDaudit TM users (including audited clinical departments) have unrestricted access, including the ability to change audit findings and MDauditIM scores; however, no inappropriate changes were identified durin~he audit. Limitation on user access rights for the Billing Compliance Office MDaudit system does not conform to the same standards required by the Medical Center's Information Systems Security Program Security Manual, Policy No. 200-04, Systems Access Management, and state and local guidelines.

To assist in the UT Southwestern department billing compliance self reviews, approximately 20 UT Southwestern employees besides BCQ staff have access rights to MDaudit™ . Various billing compliance personnel are given access to MDaudit TM to perform departmental self reviews on a quarterly basis. Results of those quarterly reviews are transmitted to the BCQ for documentation of completion. From our observations of the self review process, we determined that access rights within MDaudit™ are not based on a functional assessment of job responsibilities and are not limited based on specific billing compliance roles. For example, every departmental employee granted access to MDaudit™ has access to not only the self reviews they perform, but to the audits performed by the BCO, including the audit scores determined for each professional reviewed.

Currently, a periodic review is not conducted to determine that assigned levels of access are appropriate given departmental compliance responsibilities. Failure to limit access to employees based on the minimum amount of information required to perform their jobs can lead to unauthorized and/or inappropriate use of the system.

10:23 Billing Compliance - February 24, 2010

-8-

Recommendation:

Management should work with the Database Administrator to:

• Develop functionality-based user roles to ensure access granted to MDauditTM users is based on the minimum amount of information required to perform their jobs. Until their functionality exists, log reviews should begin immediately to monitor changes made by users.

• Implement a formal periodic review of user access rights (with a focus on changes in job responsibilities).

• Review, remove and/or disable user access to MDauditTM to reflect current authorized user needs or change in role or employment status.

Management Response:

We agree. We will work with the Database Administrator to:

• Develop functionality-based user roles to ensure access granted to MDaudit™ users is based on the minimum amount of information required to perform their jobs. Until this functionality exists, we will perform log reviews to monitor changes made by users.

• Implement a formal periodic review of user access rights ..

• Review, remove and/or disable user access to MDaudit™ to reflect current authorized user needs or change in role or employment status.

Responsible Party:

Director of Billing Compliance

Implementation Date:

May 31,2010

5. The Professional Billing Compliance Plan should be updated.

The Professional Billing Compliance Plan has not been updated since 2006. An update is needed, because several significant billing compliance changes have occurred since 2006 and are not reflected in the current plan. For example, use of MDaudit™, introduced in 2008, is not mentioned in the plan. Additionally, the role of the BCAC (Billing Compliance Advisory Committee) has changed, since it previously had oversight of both the Professional Billing and University Hospitals Billing Compliance activities. The BCAC currently has oversight of only the professional billing activity.

The Professional Billing Compliance Plan is silent regarding the roles of the University Billing Compliance Committee (UBCC), MSRDP Compliance, Ethics, and Professional Affairs Committee (CEPAC), and the Executive Compliance Committee (ECC). As a result, committee roles and the professional billing compliance reporting structure are unclear. Currently, there appears to be overlap in responsibility for professional billing compliance among four committees: 1) BCAC, 2) (UBCC), 3) (CEPAC), and 4) the (ECC). The Professional Billing Compliance Plan should be updated to clarify

10:23 Billing Compliance - February 24, 2010

- 9-

committee responsibilities, minimize duplication of efforts, and simplify the reporting structure.

Recommendation:

The Professional Billing Compliance Plan should be updated to reflect current practices, and to clarify and define roles and reporting structure of all Committees with oversight of Professional Billing Compliance. Management should review the Plan on an annual basis and obtain committee approval for necessary revisions.

Management Response:

We will review the Professional Billing Compliance Plan to identify needed revisions. We will work with the Professional Billing Compliance oversight committees to clarify roles and reporting structure within the Plan. We will review the Plan on an annual basis going forward and obtain committee approval for necessary revisions.

Responsible Party:

Director of Billing Compliance

Implementation Date:

May 31,2010

Conclusion

University Hospitals Billing Compliance Program

Despite being part of the Medical Center since 2005, the Hospital Billing Compliance program has not established a framework to apply key elements of the "Office of Inspector General (OIG) Supplemental· Compliance Program Guidance for Hospitals". As a result, we recommended the following:

• The Hospital Billing Compliance program should be restructured and redesigned to incorporate the OIG Supplemental Compliance Program Guidance for Hospitals published in the Federal Register, Vol. 70, No. 19.

• University Hospitals billing compliance efforts should be consolidated to promote full coverage of hospital billing compliance risks.

• Develop a cohesive risk assessment and a corresponding audit plan which links to risks identified.

Professional Billing Compliance Program

The Professional Billing Compliance Program has well-designed processes which are consistent with "OIG Compliance Guidance for Physician Practices, Federal Register Vol. 65, NO.194" and "MDauditTM Guiding Principles for the University of Texas System." By incorporating all key elements of OIG and UT System guidance, the Professional Billing Compliance program has established a framework to provide reasonable assurance that the Professional Billing Compliance Program objectives and mission are being achieved. To enhance the implementation of this framework as designed, we provided the following recommendations:

10:23 Billing Compliance- February 24,2010

-10-

• Professional billing compliance failures should be timely monitored;

• Systemic failure rates should be identified, reported and addressed at the department level;

• Periodic reviews of MDaudit™ Professional users' rights should occur; and

• The Professional Billing Compliance Plan should be updated to reflect the current structure and practices.

We appreciate the courtesy and cooperation of all management and staff within the Billing Compliance Programs.

Scot St. Martin, CIA, CCAP Andrea Claire, JD, MBA, CIA Sabrina Skeldon, JD

Manager of Internal Audit Supervisor of Internal Audit Senior Auditor

Hours billed-- 400 hours

Sincerely,

Robert Rubel, CPA, CIA, CISA Director of Internal Audits

10:23 Billing Compliance - February 24. 2010

- 11 -