ROAD MAP

Road Map
Risk-Based Auditing: 4 Ways to Identify Areas of Organizational Risk
 Risk-Based Auditing: 4 Ways to Identify Areas of Organizational Risk
A recent survey of over 500 healthcare directors and C-suite
executives identified heightened regulatory scrutiny, rapid speed of
disruptive technology innovation, and ensuring PHI security as the top
industry risks for 2016.1 The continuing growth of regulatory
compliance demands in the healthcare industry – and the heightened
risk that comes with it - is placing an enormous strain on auditing
resources in most organizations. Deploying those resources in the most
effective way means narrowing audit focus to those areas that pose the
greatest risk.
Many organizations are moving to risk-based auditing to combat the increased
risks prevalent in the healthcare industry today. With only so much time
available for auditing, it’s critical for organizations to target specific areas
of interest and not devote time to areas with little or no significant impact.
Moving from an annual risk assessment program to a risk-based audit plan
can be one of the most impactful moves a healthcare organization can make.
Risk-based versus traditional auditing
In a traditional audit program, organizations develop plans for a period of time
that involve scheduled, routine audits. For example, many will conduct audits
of all their providers reviewing a set number of cases over a fixed period of
time. There is some focus on risk involved because based on results, the
organization may audit some providers more frequently. However, the overall
goal is getting through the list so all providers are ultimately audited over a
one or two year period.
1
Risk-based auditing, on the other hand, targets perceived or known areas of
risk and vulnerability. A true risk-based audit targets particular practices and
codes based on specific concerns. Instead of taking a rigid, provider-by-
provider or area-by-area approach, a risk-based program allows the audit team
the flexibility to devote auditing resources to areas or providers that may be
displaying potential negative issues. Risk-based audits are performed on an
ad-hoc, unscheduled basis and are not tied to any particular provider or
practice. In most cases, they target a cross section of providers, zeroing in
on trouble areas regardless of location.
In the end, all audits are technically risk-based in that the goal is to review
controls to determine how effectively they are ensuring proper coding and
billing. The key difference with risk-based audits comes down to scope and
methodology. And with resources becoming scarcer, it becomes more critical
to focus in on areas in the organization that present the highest levels of risk.
Identifying areas of risk
The first step in risk-based auditing is to identify where the greatest risks
to the organization lie. Here are four ways to help develop these targets.
 Leverage Multiple Sources

1. Internal Review 2. External Guidance.

Keep a close eye and an open ear to stay in tune with what is happening in
your organization. There could be chatter or rumors of things going on that
should be looked at within the organization that could be perceived as risk
areas. Review the results of prior internal audits for trends that could lead you
to potential risk areas. Look at referral relationships and arrangements, prior
privacy breaches, and quality-related events. If you are using up-to-date analytics
software, you can mine your billing data to uncover trends that could prove to
be trouble over time.
Staying in tune with agencies that regulate Medicare or Medicaid can be a
source for identifying risk areas. The annual OIG work plan outlines what
federal regulators will be focusing on when they monitor organizations and
offers a solid blueprint for identifying risk targets.You may also discover risk
areas by monitoring provider questions, payor requests, and hotline submissions.
PEPPER reports can also be an effective source to uncover trouble areas. The
program targets particular areas for short-term acute-care hospitals involving
coding and admission necessity areas. Reviewing these data points can help with
your risk targeting.

PEPPER
Reports
Identify High
Annual OIG
Risk Areas
Work Plan
Outliers Audit
Automation

Workflow Identify
Automation
Hotline Risk
Submissions
Areas ??
Provider
Questions

Corrective Payor
Action Requests

2
 Target Outliers and Trends
3. Target Outliers
In a risk-based program, auditors tend to look for outliers. Specific areas
include high-level E&M billing, teaching physician modifiers, and specialty
procedures. Auditors can then turn their focus to any of these areas where
potential trouble may be lurking.
For example, Modifier 25 is a particular target audit area according the OIG
Workplan. If an organization begins to see issues in that area, they may pull
claims data that spans multiple providers or an entire practice to try to get a
broader look at the problem. They can then take corrective action to minimize
or eliminate the risk of investigation by third party entities.
Another key area is the issue of Critical Care Time. The OIG looks for
physicians who appear to exceed 12 hours of care in a 24-hour period and
will flag these instances for further investigation. Using an analytics solution
allows you to target this specific area and parse your data to uncover any
providers that are over the threshold and address.
3
4. Mine Your Data
Targets of risk-based audits shouldn’t be selected solely in terms of total
revenue at risk. Although some of these areas may have the greatest financial
impact potential, because of their significance, they also will likely have the most
effective controls in place to guard against negative outcomes. A more effective
method to establish focus areas for a risk-based audit is to analyze claims and
billing data that may reveal trends that could actually lead to problems. These
areas may not have the same total value as higher profiled areas, but may, in
fact, present a higher risk.
Unfortunately it’s virtually impossible to conduct full chart review audits on
every potential risk.You need to be able to leverage billing and remit data
to monitor key hospital and provider risks and hone in on provider billing
patterns that stand out when compared to peers.
That’s where technology comes into play.
An integrated software solution enables continuous monitoring and analysis
of your billing and claims data. This allows you to deal with issues in real time,
as opposed to doing post mortems after the fact. Once you see an area
trending out of the norm, you can easily call up a random sample for review,
something that is time consuming and resource draining with a manual process.
You can then quickly compile and report results for easy retrieval at a later
date. Analyzing this data systemically is much more effective and productive
than laboriously combing through Excel spreadsheets manually. A robust
software solution helps you prioritize your audit focus and extends the
number of risk areas you can monitor.
 Being Proactive Minimizes Your Risks

Benefits of risk-based audits The future

Risk-based audits can be more effective for organizations because they
proactively seek out areas that could be problems and allow earlier, faster
resolution before any damage is done. They provide more frequent education
for those who need it and offer more frequent reporting, keeping compliance
in the forefront rather than making it simply an annual presence. This keeps
compliance awareness at a higher level throughout the organization.
There’s a fine line between traditional and risk-based audits but more
organizations are moving scheduled providers audits out from a year to two
years. That leaves room for audit teams to do more education and risk-based
auditing. Traditional provider based auditing will likely always be with us, but as
compliance demands grows and resources become strained, a risk-based audit
program may prove to be your most effective option.

Implementing a risk-based audit program can also alter provider mindsets.

Since they will be audited according to their level of risk, providers begin to
understand the consequences of their actions. They soon realize that improved
behavior will result in less frequent audits.

The key benefit of risk-based audits is that it allows you to stay ahead of third
party entities that are trying put a magnifying glass on your organization.

4
 Sources

1
Executive Perspectives on Top Risks for 2016: Key Issues Being Discussed in the Boardroom and C-Suite, survey
from Protiviti and North Carolina State University ERM Initiative

5

About Hayes and MDaudit
Hayes Management Consulting is a leading, national
healthcare consulting firm and software developer that
partners with healthcare organizations to streamline
operations, improve revenue and enhance technology
to drive success in an evolving healthcare landscape.
Hayes’ MDaudit™ software automates administrative tasks
involved in the billing audit process, dramatically improving
productivity and helping healthcare organizations reduce
billing compliance risk.
To learn how MDaudit can help you streamline your
auditing and compliance program, call 617-559-0404 or
email mdaudit@hayesmanagement.com.You can also request
a demo at www.hayesmanagement.com/software.
1320 Centre Street, Suite 402 | Newton Center, MA 02459
Phone: 617-559-0404 | Fax: 617-559-0415
www.hayesmanagement.com | info@hayesmanagement.com
Once you’ve established a baseline, the next step
is to make improvements by initiating a corrective
action program that addresses your people, process,
and technology.
People
Focus on training and education so everyone in the
organization understands the depth and impact of
the problem and what their role in solving it should
be. Specific actions to take include:
• Establish accountability and self-reporting by
root cause owner and process owner
• Set a zero to low tolerance for finger pointing
and excuses
• Recognize improvement and determine conse-
quences for unacceptable outcomes
Workflow
A thorough process review will help highlight re-
dundancies and time-wasting tasks and will quantify
the outcome or performance expectation for each
task. The most effective way to improve the work-
flow process is to eliminate errors that could result
in a denial
Key points to include:
• Develop robust pre-visit/visit management pro-
cess