SlideShare a Scribd company logo
1 of 47
Download to read offline
withum.com
Internal Audit’s Evolving
Role in Fraud/Abuse and
COVID-19 Risks and Best
Practices
Michael Serluco, Partner, Healthcare
Marc Stein, Principal, Healthcare Advisory
January 13, 2021
withum.com
What We’ll Do Today
Overview of Fraud and Abuse regulations and best practices
Discuss Internal Audit’s role in mitigating Regulatory and
COVID-19 Risks
Overview of CARES Act funding and associated risks and best
practices
Update on DOJ settlement trends and guidance regarding
compliance plans
2
withum.com
Health Care Enforcement Recovery Overview
Health care enforcement continues to be a profitable pursuit for the
Federal Government. From 2017 through 2019 (the most recent period for
which data is available), the Office of Inspector General reports that it
collected $4.20 for every $1.00 spent on enforcement efforts
The Health Care Fraud and Abuse Control (HCFAC) Program was
established under the 1996 Heath Insurance Portability and
Accountability Act (HIPAA) to identify and prosecute health care fraud
and abuse. The 2019 results include :
 Federal Government won or negotiated over $2.6 billion in health care fraud
judgments and settlements.
 $3.6 billion was returned to the Federal Government or paid to private persons
• Approximately $2.5 billion was transferred to the Medicare Trust Funds
3
withum.com
DOJ Guidance
April 2017 and revised in April 2019 the US Department of Justice ("DOJ")
published its guidance on the "Evaluation of Corporate Compliance Programs"
(the "Guidance“) which included the following 11 key compliance program
evaluation topics within 3 overarching questions that prosecutors should use in
their review and assessment of a company’s compliance program:
1. Is the Program well designed?
 Risk Assessment
 Policies and Procedures
 Training and Communication
 Confidential Reporting and Investigation of misconduct
 Third Party Management
 Mergers and Acquisitions
4
withum.com
DOJ Guidance
2. Is the program being implemented effectively?
 Senior and Middle Management
 Autonomy and Resources
 Incentives and Disciplinary Measures
3. Does the program work in practice?
 Continuous Improvement, Periodic Testing and Review
 Analysis and Remediation of Underlying Misconduct
5
withum.com
DOJ Guidance
June 2020 DOJ update changed the second question “is the compliance
program being implemented effectively” to asking instead whether the
compliance program is "adequately resourced and empowered to
function effectively.” This includes:
• Commitment and implementation of a culture of compliance at all levels of the organization
• Ensuring those with day-to-day operational responsibility have adequate resources,
appropriate authority and direct access to governing authority
• Enabling compliance program effectiveness through investment in training and development
and access to relevant data sources
6
withum.com
Top Compliance Risks
The following is a summary of top 2020 compliance risks
Documentation
17%
Coding/Billing
30%
HIPAA
Security
14%
HIPAA Privacy
15%
Medical
Necessity
9%
Government
Enforcement
7%
Other
8%
Source – 2020 Healthicity Compliance and Auditing Benchmark Report
7
withum.com
Compliance Program Trends
To mitigate these risks, the importance of implementing an effective compliance
program that prevents fraud, waste and abuse has grown with the increase in the
number of government settlements of non-compliance with regulations. Of the
organizations included in the report:
 96% have a formal compliance program
 80% perform an annual risk assessment
• 38% take over 21 hours to conduct a risk assessment
 71% of employees will have at least one hour of compliance training
 56% utilize a blended compliance training approach ( online and in-person)
 54% have Chief Compliance Officer (CCO) who meets quarterly with the compliance committee
 45% have the CCO meet with overall Board of Directors/Trustees
 34% anticipate that the great challenge on managing their compliance program is keeping
current on regulations
 31% considered the OIG work plan as the key driver in prioritizing compliance work plan audits
8
withum.com
Compliance Program Trends
 In this environment, developing and implementing an effective compliance
program has become a standard expectation within the health care industry.
 While even the best program cannot prevent all violations, a tailored, proactive
compliance program is more likely to identify issues early.
 Additionally, the existence of such a program is a positive factor when
negotiating with the government, should that become necessary.
 Finally, if any significant compliance issues are detected through your own
compliance program activities, self-reporting is usually a much-preferred
position as opposed to being a target in another one of these government
enforcement actions.
9
withum.com
Fraud and Abuse Regulations
High priority Healthcare Federal Fraud and Abuse laws are as follows:
 False Claims Act (FCA) [31 U.S.C.§§ 3729–3733]
 Physician Self-Referral Law ( Stark Law) [42 U.S.C.§ 1395nn]
 Anti-Kickback Statute (AKS) [42 U.S.C.§ 1320a-7b(b)]
 Exclusion Authorities [42 U.S.C.§ 1320a-7]
 Civil Monetary Penalties Law [42 U.S.C.§ 1320a-7a]
The following Governmental agencies are charged with enforcing these laws:
 Department of Justice (DOJ)
 Department of Health and Human Services (HHS) Office of Inspector General (OIG)
 Centers for Medicare and Medicaid Services (CMS)
11
withum.com
False Claims Act (FCA) Risks
FCA imposes civil liability on any person knowingly presents or caused to be presented, a
false or fraudulent claim for payment by the Government.
Under civil FCA, no specific intent to defraud is required. The civil FCA defines “knowing” to
include actual knowledge but also deliberate or reckless disregard of the truth or falsity of
the information.
Civil penalties may result up to 3 times what the Government paid for each claim plus a
minimum ($11, 665) and maximum ($23,331) per each claim violation after June 20, 2020.
Under civil FCA, each instance of an item or service billed to Medicare or Medicaid counts as
a claim, so fines can add up quickly.
Criminal penalties for submitting false claims include imprisonment and criminal fines
12
withum.com
False Claims Act (FCA) Best Practices
Examples of FCA best practices include the following:
 Monitor coding patterns
 Review billing procedures and claim submission process
 Perform a documentation/coding/billing review looking for: (1) medical necessity; (2)
billing for services not provided; (3) failure to use coding modifiers; and (4) upcoding,
etc.
• Primary reasons for conducting formal documentation/coding audits include:
 Required by internal compliance program
 Ensure bills are accurate and avoid penalties
• Compliance Guidelines published by OIG recommends auditing a minimum size of 10 patient
encounters for each provider
 Small frequent audits reduce error and increase accuracy of claims submissions
• Communication of results to physician
• Implement remediation efforts, where applicable
• Implement applicable training programs
13
withum.com
Physician Self-Referral Law (Stark Law) Risks
Prohibits physicians from referring patients to receive “designated health
services” payable by Medicare and Medicaid from entities with which the
physician or immediate family member has a financial membership,
unless an exception applies
 Financial relationships include both ownership/investment interests and
compensation arrangements
 “Designated health services” include but are not limited to:
• Clinical laboratory services;
• Physical therapy and occupational therapy services;
• Radiology and certain imaging services;
• Radiation therapy services and supplies; and
• Inpatient and outpatient hospital services.
14
withum.com
Physician Self-Referral Law (Stark Law) Risks
The Stark Law is a strict liability statute which means proof of specific intent to
violate the law is not required.
Violations of the Stark Law may result in penalties that include denial of
payment, civil monetary penalties of up to $15,000 per service (and $100,000
for schemes that are designed to circumvent the Stark Law) and exclusion
from the Medicare and Medicaid programs
On November 20, 2020, CMS issued sweeping changes designed to provide
flexibility for value-based arrangements and care coordination and reduce the
burdens for physicians and healthcare providers. The regulation goes into
effect January 19, 2021.
15
withum.com
Physician Self-Referral Law (Stark Law)- Best
Practices
Examples of Stark Law best practices include the following:
 Ensure Conflict of Interest Questionnaires are completed, signed and any
conflicts disclosed are resolved
 Annually review physician compensation to ensure that it is within Fair Market
Value benchmarks such as a specific percentile of the MGMA Physician
Compensation and Productivity Survey
 Annually review physician leased space to ensure it is commercially reasonable
representing an arm’s length relationship with comparable properties in the
same local area.
16
withum.com
Anti-Kickback Statute (AKS) Risks
Prohibits the knowing and willful payment of “remuneration” to induce or reward patient referrals or the
generation of business involving any item or service payable by the Federal Health Care Programs (e.g., drugs,
supplies, or health care services for Medicare or Medicaid patients).
Applies to all sources of referrals, even patients.
 Routinely waiving Medicare and Medicaid patient copayments could implicate the AKS statute and physicians may not advertise
that they forgive copayments
Violation of AKS is punishable by a $25,000 fine, imprisonment for up to five years, or both, and may subject a
violator to civil monetary penalties as well.
Violation of AKS is grounds for exclusion from participation in the Medicare and Medicaid programs and other
federal health care programs
On November 20, 2020, issued its final rule creating new safe harbors and modifying existing safe harbors. These
changes are deigned to provide greater flexibility and reduced regulatory burdens for care coordination and value-
based arrangements. The regulation goes into effect January 19, 2021.
17
withum.com
Anti-Kickback Statute (AKS) - Best Practices
Examples of AKS best practices include the following:
 Physicians should register with the Federal Open Payments Program (Program)
which is mandated by the Affordable Care Act.
• This Program requires that information about gifts, speaking fees, travel, meals and other
benefits made by vendors ( e.g., drug makers, device manufacturers and group purchasing
organizations, etc.) to physicians and teaching hospitals be collected and stored in a
database. Any financial interest a doctor has in a medical business should also be stored.
• This database includes speaking fees, gifts, textbooks, entertainment expenses, meals,
travel costs and fees for serving on advisory boards
 Physicians should check the CMS database maintained under this Program to
make sure the information is accurate as patients, the public and researchers
have the right to access this database.
18
withum.com
Exclusion from Federal Health Care Programs
(FHCP) Risks
OIG is legally required to exclude from participation in all FHCPs
individuals and entities convicted of the following criminal offenses:
 Medicare or Medicaid Fraud
 Patient abuse or neglect
 Felony convictions for health care related fraud, theft or other financial
misconduct
If your physician practice employs or contracts with an excluded
individual or entity and FHCP payment is made for items or services that
person or entity furnishes, whether directly or indirectly, you could be
subject to a civil monetary penalty and/or an obligation to repay any
amounts attributable to the services of the excluded individual or entity.
19
withum.com
Exclusion from Federal Health Care Programs -
Best Practices
Examples of Exclusion best practices include the following:
 For all new employees and vendors, screen against the OIG’s List of Excluded Individuals and
Entities. The online data can be accessed from OIG’s Exclusion Web site.
• If there is a match, do not hire the prospective employee or contract with the prospective vendor
 On a monthly basis, screen all current and prospective employees and contractors against the
OIG’s List of Excluded Individuals and Entities.
 Investigate all potential matches to determine if they are the excluded individual or entity
• If they are a match with the excluded individual or entity, take immediate action to suspend employment or
purchasing services (consistent with policies and procedures)
• If they are not a match with the excluded individual or entity, maintain applicable documentation
 Investigate all potential matches to determine if they are the excluded individual or entity
• If they are a match with the excluded individual or entity, take immediate action to suspend employment or
purchasing services (consistent with policies and procedures)
• If they are not a match with the excluded individual or entity, maintain applicable documentation
20
withum.com
Office of Civil Rights (OCR) and HIPAA Risks
HIPAA compliance is monitored under the Office of Civil Rights
Risk of inadequate compliance with Health Insurance Portability and Accountability Act of 1996 (HIPAA)
regulations regarding unauthorized access to Protected Health Information (PHI) related inadequate
controls to privacy and confidentiality
Risk of noncompliance of HIPAA Regulations regarding unauthorized access to PHI as it relates to
HIPAA Security due to inadequate controls surrounding the physical security and logical access to
systems
One of the top healthcare compliance issues for 2020 will be maintaining strong HIPAA and cyber
security and privacy compliance
Breaches continue to occur at a steady pace from a combination of both internal and external causes
such as hackers, viruses and other malicious attacks
21
withum.com
Office of Civil Rights (OCR) and HIPAA Best
Practices
Examples of access best practices include the following:
 Review process for access to system including all devices
 Evaluate policies, forms and requests.
 Test to ensure that access is done in accordance with policies.
 Perform an overall review to ensure access controls are working effectively
• Identify any deficiencies and/or weaknesses and develop a formal remediation plan
• Monitor progress and test that all deficiencies and weaknesses have been corrected
Examples of security best practices include the following:
 Review process for security to system including all devices
 Evaluate policies, forms and requests.
 Test to ensure that security is done in accordance with policies.
 Perform an overall review to ensure security controls are working effectively
• Identify any deficiencies and/or weaknesses and develop a formal remediation plan
• Monitor progress and test that all deficiencies and weaknesses have been corrected
22
withum.com
Credit Balance Risks
Per Patient Protection and Affordable Care Act (PPACA)
 Providers (including physicians) must report and repay Medicare/Medicaid
overpayments within 60 days of “identification” or “applicable reconciliation,” whichever
is later
 Retention of an identified overpayment after the 60-day period considered an “obligation
to pay” subject to a False Claims Act (FCA) enforcement action as a so-called “reverse
false claim”
Examples of Medicare credit balances include instances where a physician is:
 Paid twice for the same service either by Medicare or by Medicare and another insurer;
 Paid for services planned but not performed, or for noncovered services;
 Overpaid because of errors made in calculating beneficiary deductible and/or
coinsurance amounts
23
withum.com
Credit Balance Best Practices
Examples of credit balances best practices include the following:
 Validate accuracy of credit balance aging report by payor (including Medicare
and Medicaid).
 Determine that adequate, trained staff are resolving credit balances
• Is the resource level appropriate?
• Are they qualified and well-trained?
 Determine whether there are sufficient quality assurance and root cause
analysis processes.
 Determine sufficiency and effectiveness of controls used to ensure refund and
reporting within 60 days of identification
24
withum.com
Purchasing Cycle Risks
Examples of purchasing cycle risks include the following:
 Unauthorized or fictitious purchases are made.
 Recorded purchases are coded to the wrong G/L account resulting in improper
expense or capitalization.
 Received goods/services do not agree to goods/services ordered.
 Invoices are for incorrect amount or for services not rendered.
 Disbursements are processed for unauthorized purchases.
 Disbursements are not properly authorized or accurate or payment made to in-
appropriate vendor.
 Issuance of checks are not properly controlled.
 Unauthorized employees have access to Purchasing/AP system.
25
withum.com
Purchasing Cycle Best Practices
Examples of purchasing cycle related best practices include the
following:
 Vendor Master Maintenance including new vendor set-up, validation (W-9), and
related procedures.
 Vendor Invoice Processing including 3-way match, invoice approval, invoice
entry, and related procedures.
 Cash Disbursements including check processing, check signing, voided and
stored checks, checks made payable to cash and related procedures.
 Accounts Payable management including monitoring controls and reconciliation
of such items as duplicate payments, expense reimbursements and related
procedures.
26
withum.com
Payroll Cycle Risks
Examples of payroll cycle risks include the following:
 Unauthorized, duplicate or fictitious employees are added to human resource master
files, resulting in unauthorized payroll disbursements.
 New Employees
• Information is recorded incorrectly (e.g., hourly or salary rates, etc.) in the master file resulting in
inaccurate payroll processing and disbursements.
• Are not added to the payroll records in the appropriate period, resulting in errors in payroll
processing and disbursements.
 Active Employees
• Biweekly time is not authorized and does not reflect actual hours worked.
• Approved hourly and/or salary changes are not accurately recorded resulting in over or under
payment of payroll
 Terminated Employees
• Are not removed from master file timely resulting in inaccurate disbursements
27
withum.com
Payroll Cycle Best Practices
Examples of payroll cycle related best practices include the following:
 New Hire including approval of position, salary and benefits, etc.
 Time and Attendance includes daily and biweekly hours by category (e.g.,
regular, overtime, shift differential, etc.), for exempt and nonexempt employees.
 Authorization includes independent approval of employee's timecards and
manual adjustments.
 Review and Processing includes review of outliers (excessive overtime, etc.),
uploading time and attendance reports into payroll system, printing of
paychecks and stubs.
 Distribution of Payment includes actual check distribution or employee access
to their own information.
 General Ledger Update includes payroll interface and reconciliation to General
Ledger and bank statement reconciliation.
28
withum.com
CARES Act Provisions For Health Care Entities
The Coronavirus Aid, Relief, and Economic Security Act (the CARES Act)
attempted to alleviate some of the financial strain on hospitals,
physicians, and other health care entities through a series of new policies
that temporarily boosted Medicare and Medicaid payments, allowed for
added flexibility in treatment modalities, and expanded the availability of
advance or accelerated payments from Medicare.
The CARES Act established a Provider Relief Fund (PRF) to be used for
economic support of health care entities in connection with health care
related expenses or “lost revenues” attributable to COVID-19 and
treatment of uninsured COVID-19 patients.
30
withum.com
Provider Relief Fund Terms and Conditions
The terms and conditions of the Provider Relief Fund state that Relief Fund
Payments will only be used to prevent, prepare for and respond to coronavirus
and shall reimburse the recipients only for healthcare expenses and lost
revenue attributable to coronavirus
The recipient certifies that it provides or provided after January 31, 2020,
diagnoses, testing or care for individuals with possible or actual cases of
COVID-19
The recipient certifies that it will not use the payment to reimburse expenses
or losses that have been reimbursed from other sources or other sources are
obligated to reimburse
31
withum.com
Provider Relief Fund Terms and Conditions
The reporting deadline for PRF dollars is February 15, 2021 and the portal, via HHS, to submit
the data will be open for use as of 1/15/2021
If recipients do not expend PRF funds in full by the end of calendar year 2020, they will have
an additional six months in which to use remaining amounts toward expenses attributable to
coronavirus but not reimbursed by other sources, or to apply toward “lost revenues”. ( will be
discussed further)
For example, the reporting period January – June 2021 will be compared to the same period
in 2020 from a budget perspective, or January – March 2021 will be compared to the same
quarter in 2020 (still waiting for further clarification on this)
For carry over funds through 6/30/21, the reporting deadline is 7/31/21
32
withum.com
Provider Relief Fund Terms and Conditions
Eligibility
 Billed Medicare in 2019
 Provided diagnosis, testing, or care for individuals with actual or possible cases
of COVID-19 after January 31, 2020
 Not excluded from federal healthcare programs
Use of Funds
 Only to prevent, prepare for, and respond to COVID-19
 Only to reimburse for healthcare-related expenses or lost revenues attributable
to COVID-19
 Must not use the funds to compensate for expenses or lost revenues that have
been reimbursed from other sources (i.e., FEMA funding, state grants, program-
specific funding, commercial insurance, etc.)
33
withum.com
Provider Relief Fund Terms and Conditions
Supporting Records
 Maintain all records and cost documentation to support the appropriate use of funds,
and provide to the Secretary of HHS upon request
 Substantiate use of funds for increased healthcare-related expenses or lost revenue
attributable to COVID-19 and evidence that those expenses/losses were not reimbursed
from other sources
 Submit quarterly report to reflect total receipt of funds as well as detailed list of all
projects/activities in which covered funds were expended
Other Compliance Requirements
 Restrictions on balance billing of out-of-network COVID-19 patients (i.e., seeking to
collect more than what the patient would have otherwise been required to pay if he/she
was an in-network patient)
 Restrictions on using funds to pay for excessive salaries of physicians or executives
beyond defined level
34
withum.com
Provider Relief Fund Monitoring/Best Practices
• Upon the decision to retain the funds, the following activities should be taken in order to
manage the funds going forward and support compliance with the terms and conditions:
• Develop reasonable methodologies for calculating lost revenues across key lines of business
and affiliated entities
• Develop mechanisms to identify and track COVID-19-related expenses
• Develop policies, procedures, and standards regarding necessary documentation to support
the use of funds and compliance with HHS’s terms and conditions
• Establish infrastructure for tracking all COVID-19 funding sources and ensuring that the
funds are not being used for duplicate purposes
• Develop monitoring plans to mitigate unique funding compliance risks, such as audits
around balance billing, use of funds for excessive physician and executive salaries, etc.
• Monitor and communicate newly published regulatory guidance to applicable stakeholders
35
withum.com
OIG 2020 Active Work Plan Items - COVID -19
Audit of CARES Act Provider Relief Funds—General and Targeted Distributions to
Hospitals
 Objective is to determine whether providers that received PRF payments complied with certain
Federal requirements, and the terms and conditions for reporting and expending PRF funds.
Audit of Medicare Telehealth Services During the COVID-19 Pandemic: Program
Integrity Risks
 CMS implemented a number of waivers and flexibilities that allowed Medicare beneficiaries to
access a wider range of telehealth services without having to travel to a health care facility. This
review will be based on Medicare Parts B and C data and will identify program integrity risks
associated with Medicare telehealth services during the pandemic. We will analyze providers'
billing patterns for telehealth services. We will also describe key characteristics of providers that
may pose a program integrity risk to the Medicare program.
36
withum.com
Telehealth During COVID-19
Coronavirus Preparedness and Response Supplemental Appropriations Act
includes a provision allowing the Secretary of the HHS to waive certain
Medicare telehealth payment requirements during the Public Health
Emergency to allow beneficiaries in all areas of the country to receive
telehealth services, including at their home. Starting March 6, 2020 all
Medicare patients are eligible for telehealth services. The rural-only patients’
requirement was suspended. This expires at end of Public Health Emergency.
CMS list of services that are normally furnished in-person that may be
furnished via Medicare telehealth. Services are described by HCPCS codes and
paid under the Physician Fee Schedule (see next slide).
37
withum.com
Telehealth During COVID-19
CMS list of services that are normally furnished in-person that may be
furnished via Medicare telehealth. Services are described by HCPCS
codes and paid under the Physician Fee Schedule. There are 3 categories
of services:
 Medicare Telehealth Visits
 Virtual Check-in
 E-visits
38
withum.com
Telehealth During COVID-19
New Jersey Telehealth Requirements (as of November 16, 2020)
 Any NJ licensed healthcare provider may provide telehealth services. Licensed out-of-state
providers must have a pre-COVID-19 relationship with the patient to conduct a telehealth
encounter unless the encounter only concerns COVID-19
 Providers are permitted to use alternative technologies such as audio only telephone or video
technology commonly available on smartphones and other devices as long as standard of care is
met.
 Patient may orally consent to telehealth services.
 If no pre-existing provider-patient relationship provider must (1) inform patient of his identity,
professional credentials and contact information and (2) identify the patient by name, DOB, phone
number and address.
 A provider is no longer required to review a patient’s medical history and medical records prior to
an initial telehealth encounter. Providers should use clinical judgment to obtain relevant medical
history and review available medical records to meet applicable standards of care.
 If the patient consents, provider must forward the records of the telehealth encounter to the
patient’s primary care provider or provider that the patient requests.
39
withum.com
Role of Internal Audit During COVID-19
The following are questions as to how internal audit should focus based on the
COVID-19 impact on the organization:
 How relevant is the current audit plan and what parts of it require recalibration?
 How does Internal Audit keep pace with the speed of changes occurring in the business,
including changes in the control environment?
 How does the department pivot to help the organization address new business risks?
 How does an internal audit team better use technology and data to gain insight?
The response to the above questions is that Internal Audit should take a more
data-driven approach that monitors and takes action quickly to help the
organization navigate the risks created due to COVID-19. This can be achieved
through a simplified continuous risk assessment through use of technology to
monitor risks created due to COVID-19 through an internal audit focus.
41
withum.com
Role of Internal Audit During COVID-19
Re-calibrate its approach to cyclical audit planning and coverage of risk
 Adopt an agile management approach
 Embrace short term prioritization and regular review /updates to the IA plan to mirror the
changing pace of risk and assurance needs
 Collaborate with key stakeholders to understand and new and/or elevated risks and assess how
best to support with the provision of assurance.
Continue to deliver on-going assurance activities without disrupting critical
operational areas during times of crisis
 Accelerate the deployment of analytics to deliver IA work remotely , increase coverage, focus on
outliers, and reduced business interruption , while still providing valuable insights and
assurance.
Work more closely with external providers to reduce disruptions of the
business
Provide an objective voice to organization teams who need to make decisions
quickly
42
withum.com
Role of Internal Audit During COVID-19
Reconsidering Threats and Risks
 At the onset of the virus, some internal audit functions reacted by lending their risk
management expertise to help resolve immediate service delivery and operational
issues.
 Leveraging investments in data analytics to identify relevant key performance
indicators facilitated the automated monitoring of risks.
 Risk assessment involves providing audit services for new and emerging risk areas.
 For example, some organizations made temporary changes to service delivery models to quickly restart
operations, which made up for shortages in employees.
 These events led to the curtailment of specific traditional controls, requiring new risk mitigation
strategies and enhanced audit monitoring.
 Especially of concern to internal audit were questions of how exceptions to controls and risk
acceptances were granted, as well as third-party risks, including supply chain disruptions
 Finally, recovery and, in some cases, survival planning is another example of internal auditors lending
their expertise in facilitating organizational objectives
43
withum.com
Role of Internal Audit During COVID-19
Enhanced Monitoring and Reporting
 To the extent available, internal auditors are also using data provided by
vendors and third-party service providers to enhance monitoring
capabilities. Internal auditors have dedicated more time to reviewing
external assessment reports, such as Service Organization Control (SOC) 1,
SOC 2, and internal reports provided by vendors. These can include
performance reports, information feeds, industry benchmark activity
reports, and compliance with service-level agreements.
 Some areas of focus include ensuring compliance with regulatory
expectations, despite the challenges caused by COVID-19. Activities include
documentation, coding and billing audits regarding : (1) medical necessity;
(2) billing for services not provided; (3) failure to using coding modifiers and
(4) upcoding.
44
withum.com
Challenges For Internal Audit During COVID-19
Continue to function effectively where stakeholders have competing
priorities
 Reduce the amount of stakeholder input and produce short, sharp advisory
pieces and leverage system access and available data to the greatest extent
 Provide more frequent updates
Consider alternative methods in gathering evidence of control execution
or absence of documentation related to confirmation of key steps
 Might be circumstances of control override with employees seeking
workarounds to existing security protocols and internal controls in order to keep
the business operating effectively
 Fraud incentives are increased in times of crisis
45
withum.com
Internal Audit Department Structure
In-sourced
In-house staff performs internal audit
functions
Outsourced
Hire a third-party firm to provide
resources to perform internal audit
functions
Co-sourced
Use a blend of internal and external
resources to perform internal audit
functions
withum.com
Internal Audit Department Structure
In-source
Description • A formally established department
comprised of staff reporting to the
Board and an appropriate member of
Senior Management
Advantages • Builds and retains institutional
knowledge
• Helps to foster internal ownership of
issues
Disadvantages • Independence can be impaired over
time
• Potential limited depth of technical
skills can reduce effectiveness
withum.com
Internal Audit Department Structure
Outsource
Description • Third party firm provides all
components of internal audit function
and reports to member of Board and
appropriate member of senior
management
Advantages • Independent and objective
• Greater insights into alternative
approaches and best practices
Disadvantages • Dependence on strength of third-
party relationship and capability
• Potential staff continuity issues
withum.com
Internal Audit Department Structure
Co-source
Description • Third party firm supplements internal
audits on a project- by-project basis at
direction of Senior Management or
Board
Advantages • Can obtain appropriate specialized or
technical skills for each audit area on
an as needed basis
Disadvantages • Discretionary use might lead to lack of
focus
withum.com
Questions? Contact your Presenters
Michael A. Serluco, CPA
Partner, Healthcare Services
mserluco@withum.com
(732) 759 6821
Marc Stein
Principal, Healthcare Advisory Services
mstein@withum.com
(732) 828 1614

More Related Content

Recently uploaded

20200128 Ethical by Design - Whitepaper.pdf
20200128 Ethical by Design - Whitepaper.pdf20200128 Ethical by Design - Whitepaper.pdf
20200128 Ethical by Design - Whitepaper.pdfChris Skinner
 
How Generative AI Is Transforming Your Business | Byond Growth Insights | Apr...
How Generative AI Is Transforming Your Business | Byond Growth Insights | Apr...How Generative AI Is Transforming Your Business | Byond Growth Insights | Apr...
How Generative AI Is Transforming Your Business | Byond Growth Insights | Apr...Hector Del Castillo, CPM, CPMM
 
trending-flavors-and-ingredients-in-salty-snacks-us-2024_Redacted-V2.pdf
trending-flavors-and-ingredients-in-salty-snacks-us-2024_Redacted-V2.pdftrending-flavors-and-ingredients-in-salty-snacks-us-2024_Redacted-V2.pdf
trending-flavors-and-ingredients-in-salty-snacks-us-2024_Redacted-V2.pdfMintel Group
 
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deck
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deckPitch Deck Teardown: Geodesic.Life's $500k Pre-seed deck
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deckHajeJanKamps
 
Driving Business Impact for PMs with Jon Harmer
Driving Business Impact for PMs with Jon HarmerDriving Business Impact for PMs with Jon Harmer
Driving Business Impact for PMs with Jon HarmerAggregage
 
Buy gmail accounts.pdf Buy Old Gmail Accounts
Buy gmail accounts.pdf Buy Old Gmail AccountsBuy gmail accounts.pdf Buy Old Gmail Accounts
Buy gmail accounts.pdf Buy Old Gmail AccountsBuy Verified Accounts
 
Ten Organizational Design Models to align structure and operations to busines...
Ten Organizational Design Models to align structure and operations to busines...Ten Organizational Design Models to align structure and operations to busines...
Ten Organizational Design Models to align structure and operations to busines...Seta Wicaksana
 
Entrepreneurship lessons in Philippines
Entrepreneurship lessons in  PhilippinesEntrepreneurship lessons in  Philippines
Entrepreneurship lessons in PhilippinesDavidSamuel525586
 
Innovation Conference 5th March 2024.pdf
Innovation Conference 5th March 2024.pdfInnovation Conference 5th March 2024.pdf
Innovation Conference 5th March 2024.pdfrichard876048
 
How To Simplify Your Scheduling with AI Calendarfly The Hassle-Free Online Bo...
How To Simplify Your Scheduling with AI Calendarfly The Hassle-Free Online Bo...How To Simplify Your Scheduling with AI Calendarfly The Hassle-Free Online Bo...
How To Simplify Your Scheduling with AI Calendarfly The Hassle-Free Online Bo...SOFTTECHHUB
 
Church Building Grants To Assist With New Construction, Additions, And Restor...
Church Building Grants To Assist With New Construction, Additions, And Restor...Church Building Grants To Assist With New Construction, Additions, And Restor...
Church Building Grants To Assist With New Construction, Additions, And Restor...Americas Got Grants
 
Darshan Hiranandani [News About Next CEO].pdf
Darshan Hiranandani [News About Next CEO].pdfDarshan Hiranandani [News About Next CEO].pdf
Darshan Hiranandani [News About Next CEO].pdfShashank Mehta
 
1911 Gold Corporate Presentation Apr 2024.pdf
1911 Gold Corporate Presentation Apr 2024.pdf1911 Gold Corporate Presentation Apr 2024.pdf
1911 Gold Corporate Presentation Apr 2024.pdfShaun Heinrichs
 
Supercharge Your eCommerce Stores-acowebs
Supercharge Your eCommerce Stores-acowebsSupercharge Your eCommerce Stores-acowebs
Supercharge Your eCommerce Stores-acowebsGOKUL JS
 
APRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdfAPRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdfRbc Rbcua
 
Fordham -How effective decision-making is within the IT department - Analysis...
Fordham -How effective decision-making is within the IT department - Analysis...Fordham -How effective decision-making is within the IT department - Analysis...
Fordham -How effective decision-making is within the IT department - Analysis...Peter Ward
 
Technical Leaders - Working with the Management Team
Technical Leaders - Working with the Management TeamTechnical Leaders - Working with the Management Team
Technical Leaders - Working with the Management TeamArik Fletcher
 
20220816-EthicsGrade_Scorecard-JP_Morgan_Chase-Q2-63_57.pdf
20220816-EthicsGrade_Scorecard-JP_Morgan_Chase-Q2-63_57.pdf20220816-EthicsGrade_Scorecard-JP_Morgan_Chase-Q2-63_57.pdf
20220816-EthicsGrade_Scorecard-JP_Morgan_Chase-Q2-63_57.pdfChris Skinner
 
Healthcare Feb. & Mar. Healthcare Newsletter
Healthcare Feb. & Mar. Healthcare NewsletterHealthcare Feb. & Mar. Healthcare Newsletter
Healthcare Feb. & Mar. Healthcare NewsletterJamesConcepcion7
 

Recently uploaded (20)

20200128 Ethical by Design - Whitepaper.pdf
20200128 Ethical by Design - Whitepaper.pdf20200128 Ethical by Design - Whitepaper.pdf
20200128 Ethical by Design - Whitepaper.pdf
 
How Generative AI Is Transforming Your Business | Byond Growth Insights | Apr...
How Generative AI Is Transforming Your Business | Byond Growth Insights | Apr...How Generative AI Is Transforming Your Business | Byond Growth Insights | Apr...
How Generative AI Is Transforming Your Business | Byond Growth Insights | Apr...
 
trending-flavors-and-ingredients-in-salty-snacks-us-2024_Redacted-V2.pdf
trending-flavors-and-ingredients-in-salty-snacks-us-2024_Redacted-V2.pdftrending-flavors-and-ingredients-in-salty-snacks-us-2024_Redacted-V2.pdf
trending-flavors-and-ingredients-in-salty-snacks-us-2024_Redacted-V2.pdf
 
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deck
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deckPitch Deck Teardown: Geodesic.Life's $500k Pre-seed deck
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deck
 
Corporate Profile 47Billion Information Technology
Corporate Profile 47Billion Information TechnologyCorporate Profile 47Billion Information Technology
Corporate Profile 47Billion Information Technology
 
Driving Business Impact for PMs with Jon Harmer
Driving Business Impact for PMs with Jon HarmerDriving Business Impact for PMs with Jon Harmer
Driving Business Impact for PMs with Jon Harmer
 
Buy gmail accounts.pdf Buy Old Gmail Accounts
Buy gmail accounts.pdf Buy Old Gmail AccountsBuy gmail accounts.pdf Buy Old Gmail Accounts
Buy gmail accounts.pdf Buy Old Gmail Accounts
 
Ten Organizational Design Models to align structure and operations to busines...
Ten Organizational Design Models to align structure and operations to busines...Ten Organizational Design Models to align structure and operations to busines...
Ten Organizational Design Models to align structure and operations to busines...
 
Entrepreneurship lessons in Philippines
Entrepreneurship lessons in  PhilippinesEntrepreneurship lessons in  Philippines
Entrepreneurship lessons in Philippines
 
Innovation Conference 5th March 2024.pdf
Innovation Conference 5th March 2024.pdfInnovation Conference 5th March 2024.pdf
Innovation Conference 5th March 2024.pdf
 
How To Simplify Your Scheduling with AI Calendarfly The Hassle-Free Online Bo...
How To Simplify Your Scheduling with AI Calendarfly The Hassle-Free Online Bo...How To Simplify Your Scheduling with AI Calendarfly The Hassle-Free Online Bo...
How To Simplify Your Scheduling with AI Calendarfly The Hassle-Free Online Bo...
 
Church Building Grants To Assist With New Construction, Additions, And Restor...
Church Building Grants To Assist With New Construction, Additions, And Restor...Church Building Grants To Assist With New Construction, Additions, And Restor...
Church Building Grants To Assist With New Construction, Additions, And Restor...
 
Darshan Hiranandani [News About Next CEO].pdf
Darshan Hiranandani [News About Next CEO].pdfDarshan Hiranandani [News About Next CEO].pdf
Darshan Hiranandani [News About Next CEO].pdf
 
1911 Gold Corporate Presentation Apr 2024.pdf
1911 Gold Corporate Presentation Apr 2024.pdf1911 Gold Corporate Presentation Apr 2024.pdf
1911 Gold Corporate Presentation Apr 2024.pdf
 
Supercharge Your eCommerce Stores-acowebs
Supercharge Your eCommerce Stores-acowebsSupercharge Your eCommerce Stores-acowebs
Supercharge Your eCommerce Stores-acowebs
 
APRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdfAPRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdf
 
Fordham -How effective decision-making is within the IT department - Analysis...
Fordham -How effective decision-making is within the IT department - Analysis...Fordham -How effective decision-making is within the IT department - Analysis...
Fordham -How effective decision-making is within the IT department - Analysis...
 
Technical Leaders - Working with the Management Team
Technical Leaders - Working with the Management TeamTechnical Leaders - Working with the Management Team
Technical Leaders - Working with the Management Team
 
20220816-EthicsGrade_Scorecard-JP_Morgan_Chase-Q2-63_57.pdf
20220816-EthicsGrade_Scorecard-JP_Morgan_Chase-Q2-63_57.pdf20220816-EthicsGrade_Scorecard-JP_Morgan_Chase-Q2-63_57.pdf
20220816-EthicsGrade_Scorecard-JP_Morgan_Chase-Q2-63_57.pdf
 
Healthcare Feb. & Mar. Healthcare Newsletter
Healthcare Feb. & Mar. Healthcare NewsletterHealthcare Feb. & Mar. Healthcare Newsletter
Healthcare Feb. & Mar. Healthcare Newsletter
 

Featured

PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024Neil Kimberley
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)contently
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024Albert Qian
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsKurio // The Social Media Age(ncy)
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Search Engine Journal
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summarySpeakerHub
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next Tessa Mero
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentLily Ray
 
Time Management & Productivity - Best Practices
Time Management & Productivity -  Best PracticesTime Management & Productivity -  Best Practices
Time Management & Productivity - Best PracticesVit Horky
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project managementMindGenius
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...RachelPearson36
 
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...Applitools
 
12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at Work12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at WorkGetSmarter
 
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...DevGAMM Conference
 

Featured (20)

Skeleton Culture Code
Skeleton Culture CodeSkeleton Culture Code
Skeleton Culture Code
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search Intent
 
How to have difficult conversations
How to have difficult conversations How to have difficult conversations
How to have difficult conversations
 
Introduction to Data Science
Introduction to Data ScienceIntroduction to Data Science
Introduction to Data Science
 
Time Management & Productivity - Best Practices
Time Management & Productivity -  Best PracticesTime Management & Productivity -  Best Practices
Time Management & Productivity - Best Practices
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project management
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
 
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
 
12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at Work12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at Work
 
ChatGPT webinar slides
ChatGPT webinar slidesChatGPT webinar slides
ChatGPT webinar slides
 
More than Just Lines on a Map: Best Practices for U.S Bike Routes
More than Just Lines on a Map: Best Practices for U.S Bike RoutesMore than Just Lines on a Map: Best Practices for U.S Bike Routes
More than Just Lines on a Map: Best Practices for U.S Bike Routes
 
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...
 

Internal Audit's Evolving Role in Fraud/Abuse and COVID-19 Risks

  • 1. withum.com Internal Audit’s Evolving Role in Fraud/Abuse and COVID-19 Risks and Best Practices Michael Serluco, Partner, Healthcare Marc Stein, Principal, Healthcare Advisory January 13, 2021
  • 2. withum.com What We’ll Do Today Overview of Fraud and Abuse regulations and best practices Discuss Internal Audit’s role in mitigating Regulatory and COVID-19 Risks Overview of CARES Act funding and associated risks and best practices Update on DOJ settlement trends and guidance regarding compliance plans 2
  • 3. withum.com Health Care Enforcement Recovery Overview Health care enforcement continues to be a profitable pursuit for the Federal Government. From 2017 through 2019 (the most recent period for which data is available), the Office of Inspector General reports that it collected $4.20 for every $1.00 spent on enforcement efforts The Health Care Fraud and Abuse Control (HCFAC) Program was established under the 1996 Heath Insurance Portability and Accountability Act (HIPAA) to identify and prosecute health care fraud and abuse. The 2019 results include :  Federal Government won or negotiated over $2.6 billion in health care fraud judgments and settlements.  $3.6 billion was returned to the Federal Government or paid to private persons • Approximately $2.5 billion was transferred to the Medicare Trust Funds 3
  • 4. withum.com DOJ Guidance April 2017 and revised in April 2019 the US Department of Justice ("DOJ") published its guidance on the "Evaluation of Corporate Compliance Programs" (the "Guidance“) which included the following 11 key compliance program evaluation topics within 3 overarching questions that prosecutors should use in their review and assessment of a company’s compliance program: 1. Is the Program well designed?  Risk Assessment  Policies and Procedures  Training and Communication  Confidential Reporting and Investigation of misconduct  Third Party Management  Mergers and Acquisitions 4
  • 5. withum.com DOJ Guidance 2. Is the program being implemented effectively?  Senior and Middle Management  Autonomy and Resources  Incentives and Disciplinary Measures 3. Does the program work in practice?  Continuous Improvement, Periodic Testing and Review  Analysis and Remediation of Underlying Misconduct 5
  • 6. withum.com DOJ Guidance June 2020 DOJ update changed the second question “is the compliance program being implemented effectively” to asking instead whether the compliance program is "adequately resourced and empowered to function effectively.” This includes: • Commitment and implementation of a culture of compliance at all levels of the organization • Ensuring those with day-to-day operational responsibility have adequate resources, appropriate authority and direct access to governing authority • Enabling compliance program effectiveness through investment in training and development and access to relevant data sources 6
  • 7. withum.com Top Compliance Risks The following is a summary of top 2020 compliance risks Documentation 17% Coding/Billing 30% HIPAA Security 14% HIPAA Privacy 15% Medical Necessity 9% Government Enforcement 7% Other 8% Source – 2020 Healthicity Compliance and Auditing Benchmark Report 7
  • 8. withum.com Compliance Program Trends To mitigate these risks, the importance of implementing an effective compliance program that prevents fraud, waste and abuse has grown with the increase in the number of government settlements of non-compliance with regulations. Of the organizations included in the report:  96% have a formal compliance program  80% perform an annual risk assessment • 38% take over 21 hours to conduct a risk assessment  71% of employees will have at least one hour of compliance training  56% utilize a blended compliance training approach ( online and in-person)  54% have Chief Compliance Officer (CCO) who meets quarterly with the compliance committee  45% have the CCO meet with overall Board of Directors/Trustees  34% anticipate that the great challenge on managing their compliance program is keeping current on regulations  31% considered the OIG work plan as the key driver in prioritizing compliance work plan audits 8
  • 9. withum.com Compliance Program Trends  In this environment, developing and implementing an effective compliance program has become a standard expectation within the health care industry.  While even the best program cannot prevent all violations, a tailored, proactive compliance program is more likely to identify issues early.  Additionally, the existence of such a program is a positive factor when negotiating with the government, should that become necessary.  Finally, if any significant compliance issues are detected through your own compliance program activities, self-reporting is usually a much-preferred position as opposed to being a target in another one of these government enforcement actions. 9
  • 10. withum.com Fraud and Abuse Regulations High priority Healthcare Federal Fraud and Abuse laws are as follows:  False Claims Act (FCA) [31 U.S.C.§§ 3729–3733]  Physician Self-Referral Law ( Stark Law) [42 U.S.C.§ 1395nn]  Anti-Kickback Statute (AKS) [42 U.S.C.§ 1320a-7b(b)]  Exclusion Authorities [42 U.S.C.§ 1320a-7]  Civil Monetary Penalties Law [42 U.S.C.§ 1320a-7a] The following Governmental agencies are charged with enforcing these laws:  Department of Justice (DOJ)  Department of Health and Human Services (HHS) Office of Inspector General (OIG)  Centers for Medicare and Medicaid Services (CMS) 11
  • 11. withum.com False Claims Act (FCA) Risks FCA imposes civil liability on any person knowingly presents or caused to be presented, a false or fraudulent claim for payment by the Government. Under civil FCA, no specific intent to defraud is required. The civil FCA defines “knowing” to include actual knowledge but also deliberate or reckless disregard of the truth or falsity of the information. Civil penalties may result up to 3 times what the Government paid for each claim plus a minimum ($11, 665) and maximum ($23,331) per each claim violation after June 20, 2020. Under civil FCA, each instance of an item or service billed to Medicare or Medicaid counts as a claim, so fines can add up quickly. Criminal penalties for submitting false claims include imprisonment and criminal fines 12
  • 12. withum.com False Claims Act (FCA) Best Practices Examples of FCA best practices include the following:  Monitor coding patterns  Review billing procedures and claim submission process  Perform a documentation/coding/billing review looking for: (1) medical necessity; (2) billing for services not provided; (3) failure to use coding modifiers; and (4) upcoding, etc. • Primary reasons for conducting formal documentation/coding audits include:  Required by internal compliance program  Ensure bills are accurate and avoid penalties • Compliance Guidelines published by OIG recommends auditing a minimum size of 10 patient encounters for each provider  Small frequent audits reduce error and increase accuracy of claims submissions • Communication of results to physician • Implement remediation efforts, where applicable • Implement applicable training programs 13
  • 13. withum.com Physician Self-Referral Law (Stark Law) Risks Prohibits physicians from referring patients to receive “designated health services” payable by Medicare and Medicaid from entities with which the physician or immediate family member has a financial membership, unless an exception applies  Financial relationships include both ownership/investment interests and compensation arrangements  “Designated health services” include but are not limited to: • Clinical laboratory services; • Physical therapy and occupational therapy services; • Radiology and certain imaging services; • Radiation therapy services and supplies; and • Inpatient and outpatient hospital services. 14
  • 14. withum.com Physician Self-Referral Law (Stark Law) Risks The Stark Law is a strict liability statute which means proof of specific intent to violate the law is not required. Violations of the Stark Law may result in penalties that include denial of payment, civil monetary penalties of up to $15,000 per service (and $100,000 for schemes that are designed to circumvent the Stark Law) and exclusion from the Medicare and Medicaid programs On November 20, 2020, CMS issued sweeping changes designed to provide flexibility for value-based arrangements and care coordination and reduce the burdens for physicians and healthcare providers. The regulation goes into effect January 19, 2021. 15
  • 15. withum.com Physician Self-Referral Law (Stark Law)- Best Practices Examples of Stark Law best practices include the following:  Ensure Conflict of Interest Questionnaires are completed, signed and any conflicts disclosed are resolved  Annually review physician compensation to ensure that it is within Fair Market Value benchmarks such as a specific percentile of the MGMA Physician Compensation and Productivity Survey  Annually review physician leased space to ensure it is commercially reasonable representing an arm’s length relationship with comparable properties in the same local area. 16
  • 16. withum.com Anti-Kickback Statute (AKS) Risks Prohibits the knowing and willful payment of “remuneration” to induce or reward patient referrals or the generation of business involving any item or service payable by the Federal Health Care Programs (e.g., drugs, supplies, or health care services for Medicare or Medicaid patients). Applies to all sources of referrals, even patients.  Routinely waiving Medicare and Medicaid patient copayments could implicate the AKS statute and physicians may not advertise that they forgive copayments Violation of AKS is punishable by a $25,000 fine, imprisonment for up to five years, or both, and may subject a violator to civil monetary penalties as well. Violation of AKS is grounds for exclusion from participation in the Medicare and Medicaid programs and other federal health care programs On November 20, 2020, issued its final rule creating new safe harbors and modifying existing safe harbors. These changes are deigned to provide greater flexibility and reduced regulatory burdens for care coordination and value- based arrangements. The regulation goes into effect January 19, 2021. 17
  • 17. withum.com Anti-Kickback Statute (AKS) - Best Practices Examples of AKS best practices include the following:  Physicians should register with the Federal Open Payments Program (Program) which is mandated by the Affordable Care Act. • This Program requires that information about gifts, speaking fees, travel, meals and other benefits made by vendors ( e.g., drug makers, device manufacturers and group purchasing organizations, etc.) to physicians and teaching hospitals be collected and stored in a database. Any financial interest a doctor has in a medical business should also be stored. • This database includes speaking fees, gifts, textbooks, entertainment expenses, meals, travel costs and fees for serving on advisory boards  Physicians should check the CMS database maintained under this Program to make sure the information is accurate as patients, the public and researchers have the right to access this database. 18
  • 18. withum.com Exclusion from Federal Health Care Programs (FHCP) Risks OIG is legally required to exclude from participation in all FHCPs individuals and entities convicted of the following criminal offenses:  Medicare or Medicaid Fraud  Patient abuse or neglect  Felony convictions for health care related fraud, theft or other financial misconduct If your physician practice employs or contracts with an excluded individual or entity and FHCP payment is made for items or services that person or entity furnishes, whether directly or indirectly, you could be subject to a civil monetary penalty and/or an obligation to repay any amounts attributable to the services of the excluded individual or entity. 19
  • 19. withum.com Exclusion from Federal Health Care Programs - Best Practices Examples of Exclusion best practices include the following:  For all new employees and vendors, screen against the OIG’s List of Excluded Individuals and Entities. The online data can be accessed from OIG’s Exclusion Web site. • If there is a match, do not hire the prospective employee or contract with the prospective vendor  On a monthly basis, screen all current and prospective employees and contractors against the OIG’s List of Excluded Individuals and Entities.  Investigate all potential matches to determine if they are the excluded individual or entity • If they are a match with the excluded individual or entity, take immediate action to suspend employment or purchasing services (consistent with policies and procedures) • If they are not a match with the excluded individual or entity, maintain applicable documentation  Investigate all potential matches to determine if they are the excluded individual or entity • If they are a match with the excluded individual or entity, take immediate action to suspend employment or purchasing services (consistent with policies and procedures) • If they are not a match with the excluded individual or entity, maintain applicable documentation 20
  • 20. withum.com Office of Civil Rights (OCR) and HIPAA Risks HIPAA compliance is monitored under the Office of Civil Rights Risk of inadequate compliance with Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulations regarding unauthorized access to Protected Health Information (PHI) related inadequate controls to privacy and confidentiality Risk of noncompliance of HIPAA Regulations regarding unauthorized access to PHI as it relates to HIPAA Security due to inadequate controls surrounding the physical security and logical access to systems One of the top healthcare compliance issues for 2020 will be maintaining strong HIPAA and cyber security and privacy compliance Breaches continue to occur at a steady pace from a combination of both internal and external causes such as hackers, viruses and other malicious attacks 21
  • 21. withum.com Office of Civil Rights (OCR) and HIPAA Best Practices Examples of access best practices include the following:  Review process for access to system including all devices  Evaluate policies, forms and requests.  Test to ensure that access is done in accordance with policies.  Perform an overall review to ensure access controls are working effectively • Identify any deficiencies and/or weaknesses and develop a formal remediation plan • Monitor progress and test that all deficiencies and weaknesses have been corrected Examples of security best practices include the following:  Review process for security to system including all devices  Evaluate policies, forms and requests.  Test to ensure that security is done in accordance with policies.  Perform an overall review to ensure security controls are working effectively • Identify any deficiencies and/or weaknesses and develop a formal remediation plan • Monitor progress and test that all deficiencies and weaknesses have been corrected 22
  • 22. withum.com Credit Balance Risks Per Patient Protection and Affordable Care Act (PPACA)  Providers (including physicians) must report and repay Medicare/Medicaid overpayments within 60 days of “identification” or “applicable reconciliation,” whichever is later  Retention of an identified overpayment after the 60-day period considered an “obligation to pay” subject to a False Claims Act (FCA) enforcement action as a so-called “reverse false claim” Examples of Medicare credit balances include instances where a physician is:  Paid twice for the same service either by Medicare or by Medicare and another insurer;  Paid for services planned but not performed, or for noncovered services;  Overpaid because of errors made in calculating beneficiary deductible and/or coinsurance amounts 23
  • 23. withum.com Credit Balance Best Practices Examples of credit balances best practices include the following:  Validate accuracy of credit balance aging report by payor (including Medicare and Medicaid).  Determine that adequate, trained staff are resolving credit balances • Is the resource level appropriate? • Are they qualified and well-trained?  Determine whether there are sufficient quality assurance and root cause analysis processes.  Determine sufficiency and effectiveness of controls used to ensure refund and reporting within 60 days of identification 24
  • 24. withum.com Purchasing Cycle Risks Examples of purchasing cycle risks include the following:  Unauthorized or fictitious purchases are made.  Recorded purchases are coded to the wrong G/L account resulting in improper expense or capitalization.  Received goods/services do not agree to goods/services ordered.  Invoices are for incorrect amount or for services not rendered.  Disbursements are processed for unauthorized purchases.  Disbursements are not properly authorized or accurate or payment made to in- appropriate vendor.  Issuance of checks are not properly controlled.  Unauthorized employees have access to Purchasing/AP system. 25
  • 25. withum.com Purchasing Cycle Best Practices Examples of purchasing cycle related best practices include the following:  Vendor Master Maintenance including new vendor set-up, validation (W-9), and related procedures.  Vendor Invoice Processing including 3-way match, invoice approval, invoice entry, and related procedures.  Cash Disbursements including check processing, check signing, voided and stored checks, checks made payable to cash and related procedures.  Accounts Payable management including monitoring controls and reconciliation of such items as duplicate payments, expense reimbursements and related procedures. 26
  • 26. withum.com Payroll Cycle Risks Examples of payroll cycle risks include the following:  Unauthorized, duplicate or fictitious employees are added to human resource master files, resulting in unauthorized payroll disbursements.  New Employees • Information is recorded incorrectly (e.g., hourly or salary rates, etc.) in the master file resulting in inaccurate payroll processing and disbursements. • Are not added to the payroll records in the appropriate period, resulting in errors in payroll processing and disbursements.  Active Employees • Biweekly time is not authorized and does not reflect actual hours worked. • Approved hourly and/or salary changes are not accurately recorded resulting in over or under payment of payroll  Terminated Employees • Are not removed from master file timely resulting in inaccurate disbursements 27
  • 27. withum.com Payroll Cycle Best Practices Examples of payroll cycle related best practices include the following:  New Hire including approval of position, salary and benefits, etc.  Time and Attendance includes daily and biweekly hours by category (e.g., regular, overtime, shift differential, etc.), for exempt and nonexempt employees.  Authorization includes independent approval of employee's timecards and manual adjustments.  Review and Processing includes review of outliers (excessive overtime, etc.), uploading time and attendance reports into payroll system, printing of paychecks and stubs.  Distribution of Payment includes actual check distribution or employee access to their own information.  General Ledger Update includes payroll interface and reconciliation to General Ledger and bank statement reconciliation. 28
  • 28. withum.com CARES Act Provisions For Health Care Entities The Coronavirus Aid, Relief, and Economic Security Act (the CARES Act) attempted to alleviate some of the financial strain on hospitals, physicians, and other health care entities through a series of new policies that temporarily boosted Medicare and Medicaid payments, allowed for added flexibility in treatment modalities, and expanded the availability of advance or accelerated payments from Medicare. The CARES Act established a Provider Relief Fund (PRF) to be used for economic support of health care entities in connection with health care related expenses or “lost revenues” attributable to COVID-19 and treatment of uninsured COVID-19 patients. 30
  • 29. withum.com Provider Relief Fund Terms and Conditions The terms and conditions of the Provider Relief Fund state that Relief Fund Payments will only be used to prevent, prepare for and respond to coronavirus and shall reimburse the recipients only for healthcare expenses and lost revenue attributable to coronavirus The recipient certifies that it provides or provided after January 31, 2020, diagnoses, testing or care for individuals with possible or actual cases of COVID-19 The recipient certifies that it will not use the payment to reimburse expenses or losses that have been reimbursed from other sources or other sources are obligated to reimburse 31
  • 30. withum.com Provider Relief Fund Terms and Conditions The reporting deadline for PRF dollars is February 15, 2021 and the portal, via HHS, to submit the data will be open for use as of 1/15/2021 If recipients do not expend PRF funds in full by the end of calendar year 2020, they will have an additional six months in which to use remaining amounts toward expenses attributable to coronavirus but not reimbursed by other sources, or to apply toward “lost revenues”. ( will be discussed further) For example, the reporting period January – June 2021 will be compared to the same period in 2020 from a budget perspective, or January – March 2021 will be compared to the same quarter in 2020 (still waiting for further clarification on this) For carry over funds through 6/30/21, the reporting deadline is 7/31/21 32
  • 31. withum.com Provider Relief Fund Terms and Conditions Eligibility  Billed Medicare in 2019  Provided diagnosis, testing, or care for individuals with actual or possible cases of COVID-19 after January 31, 2020  Not excluded from federal healthcare programs Use of Funds  Only to prevent, prepare for, and respond to COVID-19  Only to reimburse for healthcare-related expenses or lost revenues attributable to COVID-19  Must not use the funds to compensate for expenses or lost revenues that have been reimbursed from other sources (i.e., FEMA funding, state grants, program- specific funding, commercial insurance, etc.) 33
  • 32. withum.com Provider Relief Fund Terms and Conditions Supporting Records  Maintain all records and cost documentation to support the appropriate use of funds, and provide to the Secretary of HHS upon request  Substantiate use of funds for increased healthcare-related expenses or lost revenue attributable to COVID-19 and evidence that those expenses/losses were not reimbursed from other sources  Submit quarterly report to reflect total receipt of funds as well as detailed list of all projects/activities in which covered funds were expended Other Compliance Requirements  Restrictions on balance billing of out-of-network COVID-19 patients (i.e., seeking to collect more than what the patient would have otherwise been required to pay if he/she was an in-network patient)  Restrictions on using funds to pay for excessive salaries of physicians or executives beyond defined level 34
  • 33. withum.com Provider Relief Fund Monitoring/Best Practices • Upon the decision to retain the funds, the following activities should be taken in order to manage the funds going forward and support compliance with the terms and conditions: • Develop reasonable methodologies for calculating lost revenues across key lines of business and affiliated entities • Develop mechanisms to identify and track COVID-19-related expenses • Develop policies, procedures, and standards regarding necessary documentation to support the use of funds and compliance with HHS’s terms and conditions • Establish infrastructure for tracking all COVID-19 funding sources and ensuring that the funds are not being used for duplicate purposes • Develop monitoring plans to mitigate unique funding compliance risks, such as audits around balance billing, use of funds for excessive physician and executive salaries, etc. • Monitor and communicate newly published regulatory guidance to applicable stakeholders 35
  • 34. withum.com OIG 2020 Active Work Plan Items - COVID -19 Audit of CARES Act Provider Relief Funds—General and Targeted Distributions to Hospitals  Objective is to determine whether providers that received PRF payments complied with certain Federal requirements, and the terms and conditions for reporting and expending PRF funds. Audit of Medicare Telehealth Services During the COVID-19 Pandemic: Program Integrity Risks  CMS implemented a number of waivers and flexibilities that allowed Medicare beneficiaries to access a wider range of telehealth services without having to travel to a health care facility. This review will be based on Medicare Parts B and C data and will identify program integrity risks associated with Medicare telehealth services during the pandemic. We will analyze providers' billing patterns for telehealth services. We will also describe key characteristics of providers that may pose a program integrity risk to the Medicare program. 36
  • 35. withum.com Telehealth During COVID-19 Coronavirus Preparedness and Response Supplemental Appropriations Act includes a provision allowing the Secretary of the HHS to waive certain Medicare telehealth payment requirements during the Public Health Emergency to allow beneficiaries in all areas of the country to receive telehealth services, including at their home. Starting March 6, 2020 all Medicare patients are eligible for telehealth services. The rural-only patients’ requirement was suspended. This expires at end of Public Health Emergency. CMS list of services that are normally furnished in-person that may be furnished via Medicare telehealth. Services are described by HCPCS codes and paid under the Physician Fee Schedule (see next slide). 37
  • 36. withum.com Telehealth During COVID-19 CMS list of services that are normally furnished in-person that may be furnished via Medicare telehealth. Services are described by HCPCS codes and paid under the Physician Fee Schedule. There are 3 categories of services:  Medicare Telehealth Visits  Virtual Check-in  E-visits 38
  • 37. withum.com Telehealth During COVID-19 New Jersey Telehealth Requirements (as of November 16, 2020)  Any NJ licensed healthcare provider may provide telehealth services. Licensed out-of-state providers must have a pre-COVID-19 relationship with the patient to conduct a telehealth encounter unless the encounter only concerns COVID-19  Providers are permitted to use alternative technologies such as audio only telephone or video technology commonly available on smartphones and other devices as long as standard of care is met.  Patient may orally consent to telehealth services.  If no pre-existing provider-patient relationship provider must (1) inform patient of his identity, professional credentials and contact information and (2) identify the patient by name, DOB, phone number and address.  A provider is no longer required to review a patient’s medical history and medical records prior to an initial telehealth encounter. Providers should use clinical judgment to obtain relevant medical history and review available medical records to meet applicable standards of care.  If the patient consents, provider must forward the records of the telehealth encounter to the patient’s primary care provider or provider that the patient requests. 39
  • 38. withum.com Role of Internal Audit During COVID-19 The following are questions as to how internal audit should focus based on the COVID-19 impact on the organization:  How relevant is the current audit plan and what parts of it require recalibration?  How does Internal Audit keep pace with the speed of changes occurring in the business, including changes in the control environment?  How does the department pivot to help the organization address new business risks?  How does an internal audit team better use technology and data to gain insight? The response to the above questions is that Internal Audit should take a more data-driven approach that monitors and takes action quickly to help the organization navigate the risks created due to COVID-19. This can be achieved through a simplified continuous risk assessment through use of technology to monitor risks created due to COVID-19 through an internal audit focus. 41
  • 39. withum.com Role of Internal Audit During COVID-19 Re-calibrate its approach to cyclical audit planning and coverage of risk  Adopt an agile management approach  Embrace short term prioritization and regular review /updates to the IA plan to mirror the changing pace of risk and assurance needs  Collaborate with key stakeholders to understand and new and/or elevated risks and assess how best to support with the provision of assurance. Continue to deliver on-going assurance activities without disrupting critical operational areas during times of crisis  Accelerate the deployment of analytics to deliver IA work remotely , increase coverage, focus on outliers, and reduced business interruption , while still providing valuable insights and assurance. Work more closely with external providers to reduce disruptions of the business Provide an objective voice to organization teams who need to make decisions quickly 42
  • 40. withum.com Role of Internal Audit During COVID-19 Reconsidering Threats and Risks  At the onset of the virus, some internal audit functions reacted by lending their risk management expertise to help resolve immediate service delivery and operational issues.  Leveraging investments in data analytics to identify relevant key performance indicators facilitated the automated monitoring of risks.  Risk assessment involves providing audit services for new and emerging risk areas.  For example, some organizations made temporary changes to service delivery models to quickly restart operations, which made up for shortages in employees.  These events led to the curtailment of specific traditional controls, requiring new risk mitigation strategies and enhanced audit monitoring.  Especially of concern to internal audit were questions of how exceptions to controls and risk acceptances were granted, as well as third-party risks, including supply chain disruptions  Finally, recovery and, in some cases, survival planning is another example of internal auditors lending their expertise in facilitating organizational objectives 43
  • 41. withum.com Role of Internal Audit During COVID-19 Enhanced Monitoring and Reporting  To the extent available, internal auditors are also using data provided by vendors and third-party service providers to enhance monitoring capabilities. Internal auditors have dedicated more time to reviewing external assessment reports, such as Service Organization Control (SOC) 1, SOC 2, and internal reports provided by vendors. These can include performance reports, information feeds, industry benchmark activity reports, and compliance with service-level agreements.  Some areas of focus include ensuring compliance with regulatory expectations, despite the challenges caused by COVID-19. Activities include documentation, coding and billing audits regarding : (1) medical necessity; (2) billing for services not provided; (3) failure to using coding modifiers and (4) upcoding. 44
  • 42. withum.com Challenges For Internal Audit During COVID-19 Continue to function effectively where stakeholders have competing priorities  Reduce the amount of stakeholder input and produce short, sharp advisory pieces and leverage system access and available data to the greatest extent  Provide more frequent updates Consider alternative methods in gathering evidence of control execution or absence of documentation related to confirmation of key steps  Might be circumstances of control override with employees seeking workarounds to existing security protocols and internal controls in order to keep the business operating effectively  Fraud incentives are increased in times of crisis 45
  • 43. withum.com Internal Audit Department Structure In-sourced In-house staff performs internal audit functions Outsourced Hire a third-party firm to provide resources to perform internal audit functions Co-sourced Use a blend of internal and external resources to perform internal audit functions
  • 44. withum.com Internal Audit Department Structure In-source Description • A formally established department comprised of staff reporting to the Board and an appropriate member of Senior Management Advantages • Builds and retains institutional knowledge • Helps to foster internal ownership of issues Disadvantages • Independence can be impaired over time • Potential limited depth of technical skills can reduce effectiveness
  • 45. withum.com Internal Audit Department Structure Outsource Description • Third party firm provides all components of internal audit function and reports to member of Board and appropriate member of senior management Advantages • Independent and objective • Greater insights into alternative approaches and best practices Disadvantages • Dependence on strength of third- party relationship and capability • Potential staff continuity issues
  • 46. withum.com Internal Audit Department Structure Co-source Description • Third party firm supplements internal audits on a project- by-project basis at direction of Senior Management or Board Advantages • Can obtain appropriate specialized or technical skills for each audit area on an as needed basis Disadvantages • Discretionary use might lead to lack of focus
  • 47. withum.com Questions? Contact your Presenters Michael A. Serluco, CPA Partner, Healthcare Services mserluco@withum.com (732) 759 6821 Marc Stein Principal, Healthcare Advisory Services mstein@withum.com (732) 828 1614