How to Mitigate the Risk of an Audit

© 2023 HMP Global. All Rights Reserved.
Any views and opinions expressed are those of the author(s) and/or participants and do not necessarily reflect the views, policy, or position of Today’s Wound Clinic or HMP Global, their employees, and affiliates.

An audit may be unavoidable for healthcare providers, but as Michael J. Crouch, BS, CHT, CPC, CPMA, noted at his WoundCon session, there are ways to lessen an audit’s severity.
 
As Crouch said, medical audits serve the following functions:

• Reviewing the quality of care provided to patients
• Ensuring appropriate and accurate coding and billing practices
• Identifying documentation deficiencies and provide education to Providers
• Ensuring appropriate revenue is captured
• Determining if organizational policies and practices are current and effective
• Defending against federal and payer audits, malpractice litigation, and health plan denials

Crouch noted the most common trigger for a post-payment audit is provider profiling and data mining to identify irregular billing practices and outliers. He added that post-payment audits can also be triggered by complaints made by patients or employees about the practice.
 
The Centers for Medicare and Medicaid Services (CMS) process more than 1 billion claims a year, and Crouch noted the likelihood of errors in submitted claims can result in billions of dollars annually in improper payments by Medicare. He noted the Recovery Audit Contractor (RAC) demonstration program was created in 2003 to ensure accurate payments to providers, and by 2014, RAC prevented $22.3 million in improper payments by reviewing claims before they were paid.
 
Audit contractors include the following: Medicare Administrative Contractors (MAC), Office of the Inspector General (OIG), RACs, Supplemental Medical Review Contractor (SMRC), and Unified Program Integrity Contractors (UPIC). An additional form of audit, noted Crouch, is internal audits conducted by provider or facility personnel.

A Closer Look at the Types of Audits

CMS Contractor Audits include the following:
1. Comprehensive Error Rate Testing (CERT) audits
2. Office of Inspector General (OIG) audits
3. Recovery Audit Contractor (RAC) audits
4. Supplemental Medical Review Contractor (SMRC) audits
5. Targeted Probe & Educate (TPE) Program audits
6. Unified Program Integrity Contractor (UPIC) audits
 
CERT audits. These are post-payment audit used to measure and determine if MACs are making improper Fee for Service (FFS) payments. As Crouch noted, a stratified random sample (approximately 50,000) of Medicare FFS claims are reviewed during each reporting period to determine the estimated improper payment rate. There are 5 categories of improper payments in a CERT audit: insufficient documentation, inaccurate coding, lack of medical necessity, no documentation, and other (orders, signatures, etc.).
 
OIG audits. Crouch said post-payment claim reviews in OIG audits revealed the following issues:

• Inadequate documentation of medical necessity
• Billing errors such as omitting charges, modifiers, etc.—especially inaccurate charging for evaluation & management (E/M) services with hyperbaric oxygen therapy (HBOT)
• Coding errors such as omitting pertinent diagnosis codes, using incorrect procedure codes, etc.

RAC audits. Crouch noted RAC audits are based on overpayments and/or underpayments to hospitals, provider practices, nursing homes, home health agencies, durable medical equipment suppliers, and any other provider/supplier that bills Medicare Parts A or B. RAC audits can be triggered by anything from an innocent documentation error to outright fraud, noted Crouch. He added these audits are part of a systematic and concurrent operating process that ensures compliance with Medicare's clinical payment criteria, documentation, and billing requirements. Specific issues are identified by the CMS’ “new issue review” process, with a few exceptions. RACs, noted Crouch, conduct both complex and automated post-payment reviews.
 
SMRC audits. Known as “smirk” audits, SMRC audits concern issues and projects identified through CMS internal data analysis, the CERT program, federal agencies (e.g., OIG, DOJ) and others, according to Crouch. Noridian Healthcare Solutions, LLC is the current SMRC conducting nationwide medical review projects, as directed by CMS. As part of a SMRC audit, Crouch said documentation is reviewed to determine whether select claims were billed in compliance with coverage, coding, and payment rules. Once the review is complete, he noted a provider can request a discussion and education (D&E) period to receive education on improving future billing practices and/or submit additional documentation.
 
TPE audits. The goal of a TPE audit, noted Crouch, is to help providers identify their issues and improve. He said the MACs target providers with high claim error rates or unusual billing practices compared to their peers. In a TPE audit, providers are subject to as many as 3 rounds of reviews (both pre- and post-payment) and individualized education, dependent upon the error rate. If a provider has high error rate after the third round, Crouch said MAC will refer the provider to CMS for further action; however, he noted only a small percentage of providers will fail all 3 rounds of audits.
 
UPIC audits. If a provider appears to have knowingly and intentionally furnished services that are not covered, or filed claims for services not furnished as billed, or made any false statement on the claim or supporting documentation to receive payment, Crouch said the MAC or RAC personnel may discuss potential referral of the matter to the UPIC. As he noted, if the UPIC agrees there is potential fraud, waste, and/or abuse, the MAC or RAC personnel shall escalate and refer the matter to the UPIC. Billing aberrations are also identified by data mining, which he noted may indicate fraud, waste, abuse or a pattern of repeated misconduct or conduct that is clearly abusive or potentially fraudulent.
 
Internal audits. Although they are a “tedious, necessary evil,” Crouch emphasized internal audits still play a crucial role in a healthcare provider's quality improvement program. He said internal audits can uncover inconsistencies in documentation and coding practices, identify coding and billing errors, reveal fraudulent billing practices, reduce legal exposure and liability risks, and reduce potential fines.
 
As part of an internal audit, Crouch advises all licensed providers do the following:

• Invest in billing, coding, and documentation compliance and develop policies and practices that support this compliance
• Learn appropriate use of codes, documentation requirements
• Learn how to access Local Coverage Determinations/Local Coverage Articles (LCDs/LCAs) and understand policy nuances

What Auditors Are Looking for From Your Documentation

Documentation must be comprehensive, stressed Crouch. He noted each patient encounter should stand alone, should reflect the patient’s condition for that day, and should include the following:

• Date of service (DOS) and reason for the visit
• Patient’s history of present illness (HPI)/medical history/past interventions
• Patient’s signs and symptoms including the physical exam/photos, if relevant
• Wound description and measurements
• Any required documentation, as indicated by coverage policies
• Details of the service rendered and/or item(s) furnished
• Medical necessity—why the service/item(s) was provided
• Treatment plan
• Signed orders for service/item(s) and rationale for orders
• Identity and legible signature of person providing the item/service

Preparation and Management for an Additional Documentation Request

Successfully passing an audit depends almost entirely on the documentation submitted in response to an Additional Documentation Request (ADR), emphasized Crouch. He noted documentation must be comprehensive and include DOS that may not include the dates denied—for example, the patient’s encounter (visit) when problem was first identified and any lab or test results. He said this includes reviewing documentation that has “carried forward” in the electronic health record (EHR), a feature that can cause serious problems during audits if information is not relevant for that DOS (or is contradictory).
 
Make sure the patient’s name (or MR#) is on each page sent and the provider’s name is legible. Also ensure that every order is signed and dated—if not, auditors will not consider the information, cautioned Crouch.
 
Read each ADR very carefully and note the due date, what was specifically requested, and how/where to send your response, advised Crouch. Don’t procrastinate—he said one should respond in a timely manner because although the audit letter may indicate a deadline of 45 days, the actual date of processing may be as short as 30 days. Failure to respond by the deadline (or at all) will result in a denial and forfeiture of any monies received for those DOS, which Crouch said also applies if/when asking for an extension.
 
Believe it or not, Crouch said, the government still uses fax machines and medical records must be faxed in, which can pose a problem if color photos help to argue your case (such as a failing flap) since faxes render black and white images.

Clinical Pearls

Crouch stressed the importance of documentation. He advised the following:

• Ensure that medical necessity is clearly stated for each service provided.
• Ensure that treatment progress and response is present.
• Ensure that documentation supports further treatment(s)—such as another round of HBOT, more than 4 skin substitute applications, etc.
• Ensure that each element of the documentation requirements spelled out in LCDs is present.
• Ensure that there is evidence of your medical decision making—just because you document a Wagner grade III, doesn’t make it so (must have supporting evidence).
• Include photos when they support your medical decision making.

If you get audited, don’t panic, said Crouch. “If your documentation practices are sound, you should have no issues,” he said. “If they are not, make sure to incorporate lessons learned into your documentation practices.”

Information regarding coding, coverage, and payment is provided as a service to our readers. Every effort has been made to ensure accuracy. However, HMP and the author do not represent, guarantee, or warranty that coding, coverage, and payment information is error-free and/or that payment will be received.