Emerging trends in internal audit and compliance
In order to maintain strong compliance and internal audit programs, health care organizations are expected to regularly monitor the components of these programs, while also keeping an eye out for current or emerging issues that may need to be addressed. The following examines important practices to keep in mind to ensure optimal governance and oversight.
Laying the groundwork
The Patient Protection and Affordable Care Act (PPACA), as amended by the Health Care and Education Reconciliation Act of 2010, mandates that health care providers and suppliers adopt a compliance and ethics program as a condition of participation in the Medicare, Medicaid and Children's Health Insurance programs. Merely having a program in place is not sufficient; it must be effective in the detection, prevention and reduction of fraud and abuse. Building a sound structure to support the program can facilitate this, and actively and meaningfully involving the organization's board in oversight of the program is critical.
To improve compliance efforts and appropriate oversight, organizations must have in place specific training and tools for boards and others. This includes compliance program operations that set expectations and provide guidance in areas such as board member roles, overall compliance planning efforts, self-disclosures, conflicts of interest and more. Training on current and emerging risks also helps the organization stay on top of potential issues.
Establishing an effective and meaningful reporting structure is also essential. Audit and compliance reporting should leverage a work plan as a road map to provide the board with clear information upfront and context around resource allocation. Reporting is also a mechanism to communicate and monitor self- and risk assessments, as well as a way to investigate and implement corrective actions.
Relationships between those overseeing compliance and internal audit functions are fundamental to the overall compliance success of an organization. Committees charged with this effort must all work in tandem to strengthen the control environment, reduce duplication and identify any current or future risks.
The IT universe
Compliance oversight is daunting and keeping a watchful eye on all the moving parts is complex. In particular, managing all that touches an organization's technology processes is especially challenging. This IT universe includes processes, physical assets and specific projects or key events. Everything from operating systems and applications to locations and hardware should be considered when auditing for current and potential risks. Upon defining a universe, organizations can evaluate processes and procedures for effectiveness and implement controls to reduce risks. With a defined universe and clear understanding of management's operational structure, internal audit can assist in promulgating models and other information technology management frameworks to foster a more consistent and reliable environment.
Auditing electronic medical record (EMR) usability is also a critical need in most organizations and internal audit can assist in this emerging area. Implementing a strong governance structure, as well as integrating operational and business process improvement programs, is necessary to assure there is a means to continually improve the effectiveness of the EMR system.
Meaningful use considerations
Health care organizations should plan for potential in-depth reviews directed by the Centers for Medicare & Medicaid Services (CMS) before and after incentive payments are made. Any provider attesting to receive either Medicare or Medicaid incentive payments can be subject to an audit, and exposure to audits continues for six years after the attestation date.
To prepare for a meaningful use audit, providers should save all electronic or paper documentation that supports the attestation, along with any other primary documentation. In addition, a report should be prepared, including numerators and denominators for the measures, the time period covered, plus any other corresponding evidence. The role of internal audit and compliance team members and committees related to meaningful use is important. They ensure the attestation documentation is in place and may also conduct an internal mock audit to monitor and test current risk scenarios and, in turn, recommend process and documentation improvements based on results.
Vendor and contract oversight
When assessing risk, vendor selection and contract consideration is critical. Health care organizations should consider the following:
- Perform a risk assessment on the potential outsourced provider or vendor considering the type of data and processes being supported.
- Due diligence or audits should be carried out in advance of a contracted relationship and conducted by a multidisciplinary team, including members from finance, legal, information security, privacy office and corporate security.
- Consider an on-site audit of the vendor, if applicable.
- The evaluation should include the vendor's financial and reputational health, including a Dun and Bradstreet review.
- Develop a structured methodology to assess the vendor's availability, security, privacy controls and more.
- Audits should be performed pre-contract execution, but also be planned and executed based on an annual risk assessment update. The vendor contract should include the provisions needed to allow for the monitoring of the vendor environment and for notifications of changes in that environment.
Health care industry's big issues in 2014, Part 3 – Compliance and internal audit.