In previous posts, we’ve discussed the possibilities for automating the various components of governance, risk, and compliance (GRC), and the benefits such automation can provide to organizations. Now, let’s move from the theoretical to the tangible and discuss how automation can help organizations in an industry with particularly complex data and compliance environments: healthcare.
Like financial services and energy, healthcare operates within a regulatory landscape so byzantine it would boggle the Byzantines. Almost every aspect of the sector is overseen by at least one and sometimes several regulatory authorities, and staying in compliance with those various regimes imposes a substantial burden of time and expense on providers. In this atmosphere, where regulation intersects literally with issues of life and death, the need for compliance reporting is critical, and it’s illogical and impractical to try to accumulate and integrate the volume of data involved using ad hoc methods such as spreadsheets or makeshift applications.
To drill down to a manageable topic, let’s focus on just one aspect of healthcare regulation: the Medicare Recovery Audit Contractor (RAC) program. Established as part of the Medicare Modernization Act of 2003, the RAC program was designed to fight fraud, waste, and abuse in the Medicare program by identifying and reducing improper payments on fee-for-service claims. The Department of Health and Human Services, through its Centers for Medicare & Medicaid Services (CMS), awarded contracts to four permanent recovery audit contractor firms, which were empowered to conduct audits of healthcare providers’ records to identify both overpayments and underpayments. The mission of the RACs is to recoup overpayments; prevent future improper payments to safeguard the Medicare Trust Fund; lower CMS’s error rate; and promote process improvements at CMS, among Medicare administrative contractors, and among providers.
All in all, the program is very similar to that of the Defense Contract Audit Agency (DCAA), which provides audit services to the Department of Defense and other federal entities. As such, the steps healthcare organizations can take to get out ahead of the auditors through automation and process improvements can be illustrative for organizations in other industries subject to heavy regulation and/or government contract audits.
The burden RAC audits place on providers is obvious: the time and effort of complying with records requests, and the potential monetary loss from identification of overpayments. The question, then, is how can healthcare organizations leverage GRC technology tools to reduce those efforts and exposures?
First, an organization needs to understand its claims system so it can define the areas and indicators on which RACs are concentrating in their audits, then assess whether its claims system has the capability to flag those transactions. Areas and indicators could include issues related to coding of medical records (e.g., incorrect coding of principal diagnosis, leading to inappropriate reimbursement), issues related to suspicious diagnoses based on patient demographics (e.g., uterine or ovarian surgery for a male patient), or indicators of potential duplicate payments for a single service, such as identical or similar claims made for the same patient on the same date or by the same doctor.
Flagging these items would launch a workflow into a GRC technology tool that would assign an auditor to review the transaction to determine that the payments are correct in accordance with the medical documentation, and that there are no errors in payment or potential incidents of fraud. The workflow would contain the key follow-up audit process, specify the people responsible, lay out a timeline for the review, and provide a “container” to store and report the documentation of the review. The technology would also function as the dashboard report for the compliance department, enumerating the scope of claims that are likely to be audited by the organization’s RAC and providing a view into areas of process improvement within the organization.
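The flagging step and the review workflow described above, sketched as an added example that is not from the original post: the field names, the placeholder procedure codes, the duplicate rule (same patient, procedure, and service date), and the 30-day review window are all assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed placeholder codes (not real CPT/ICD values) mapped to the
# patient sex the procedure is restricted to.
SEX_RESTRICTED = {"PROC-UTERINE-SURGERY": "F", "PROC-OVARIAN-SURGERY": "F"}

@dataclass(frozen=True)
class Claim:
    claim_id: str
    patient_id: str
    patient_sex: str
    provider_id: str
    procedure: str
    service_date: date

def flag_claims(claims):
    """Return {claim_id: [reasons]} for claims that need auditor review."""
    flags, seen = defaultdict(list), {}
    for c in sorted(claims, key=lambda c: c.claim_id):
        required = SEX_RESTRICTED.get(c.procedure)
        if required and c.patient_sex != required:
            flags[c.claim_id].append("demographic_mismatch")
        # Potential duplicate: same patient, procedure and service date.
        key = (c.patient_id, c.procedure, c.service_date)
        first = seen.setdefault(key, c)
        if first is not c:
            same = first.provider_id == c.provider_id
            kind = "duplicate_same_provider" if same else "duplicate_other_provider"
            flags[c.claim_id].append(f"{kind}:{first.claim_id}")
    return dict(flags)

def open_reviews(flags, opened, sla_days=30):
    """Create one review work item per flagged claim: owner, deadline,
    and an evidence list acting as the documentation 'container'."""
    due = opened + timedelta(days=sla_days)
    return [{"claim_id": cid, "reasons": reasons, "assignee": "unassigned",
             "due": due, "evidence": []} for cid, reasons in sorted(flags.items())]

# Constructed sample claims.
D = date(2024, 3, 1)
SAMPLE_CLAIMS = [
    Claim("C1", "P1", "F", "DR1", "PROC-OFFICE-VISIT", D),
    Claim("C2", "P1", "F", "DR1", "PROC-OFFICE-VISIT", D),
    Claim("C3", "P2", "M", "DR2", "PROC-OVARIAN-SURGERY", D),
    Claim("C4", "P3", "F", "DR3", "PROC-UTERINE-SURGERY", D),
    Claim("C5", "P1", "F", "DR4", "PROC-OFFICE-VISIT", D),
]

if __name__ == "__main__":
    for item in open_reviews(flag_claims(SAMPLE_CLAIMS), opened=D):
        print(item["claim_id"], item["reasons"], "due", item["due"])
```

Counting the returned work items by reason gives the compliance dashboard view of which claim categories are most likely to draw a RAC records request.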
Leveraging an automated process provides multiple benefits:
Automation, in whatever industry, can arm organizations with data-analytic firepower that allows them to get out ahead of their regulators by identifying areas of vulnerability, tracking and expediting records requests, supporting auditing and monitoring efforts, and identifying opportunities for improvement. The right technology, set up with the right parameters and supported by properly detailed data, can help the organization prevent fraud, waste, and abuse, improve overall accuracy and efficiency, and reduce the risk of compliance failure.
Joe DeVita is a partner with PricewaterhouseCoopers, based in the New York Metro area, and leads the governance, risk and compliance (GRC) technology practice for PwC. Joe works with clients to improve and optimize controls around the financial reporting processes, including business process and IT management controls and IT Security and governance reviews. He also assists clients with application selection, implementation, and optimization of Oracle applications including Oracle E-Business Suite and Oracle GRC Suite.
Joe has more than 21 years of IT development, implementation and project management experience and has worked with many of the firm’s key clients, including JP Morgan Chase, BP Amoco, IBM, NIKE and Toyota Motors, working with many key issues surrounding risk management and IT controls, including:
Joe is a Certified Public Accountant (CPA), and a Certified Information Technology Professional (CITP). He also holds a Bachelor of Science degree in Business Administration from American University in Washington, D.C.