withum.com
Internal Audit’s Evolving Role in Fraud/Abuse and COVID-19 Risks and Best Practices
Michael Serluco, Partner, Healthcare
Marc Stein, Principal, Healthcare Advisory
January 13, 2021
What We’ll Do Today
• Overview of Fraud and Abuse regulations and best practices
• Discuss Internal Audit’s role in mitigating Regulatory and COVID-19 Risks
• Overview of CARES Act funding and associated risks and best practices
• Update on DOJ settlement trends and guidance regarding compliance plans
Health Care Enforcement Recovery Overview
Health care enforcement continues to be a profitable pursuit for the Federal Government. From 2017 through 2019 (the most recent period for which data is available), the Office of Inspector General reports that it collected $4.20 for every $1.00 spent on enforcement efforts.
The Health Care Fraud and Abuse Control (HCFAC) Program was established under the 1996 Health Insurance Portability and Accountability Act (HIPAA) to identify and prosecute health care fraud and abuse. The 2019 results include:
• The Federal Government won or negotiated over $2.6 billion in health care fraud judgments and settlements.
• $3.6 billion was returned to the Federal Government or paid to private persons.
  - Approximately $2.5 billion was transferred to the Medicare Trust Funds.
DOJ Guidance
In April 2017, and in revised form in April 2019, the US Department of Justice ("DOJ") published its guidance on the "Evaluation of Corporate Compliance Programs" (the "Guidance"), which groups 11 key compliance program evaluation topics under 3 overarching questions that prosecutors should use in their review and assessment of a company’s compliance program:
1. Is the program well designed?
  - Risk Assessment
  - Policies and Procedures
  - Training and Communication
  - Confidential Reporting and Investigation of misconduct
  - Third Party Management
  - Mergers and Acquisitions
2. Is the program being implemented effectively?
  - Senior and Middle Management
  - Autonomy and Resources
  - Incentives and Disciplinary Measures
3. Does the program work in practice?
  - Continuous Improvement, Periodic Testing and Review
  - Analysis and Remediation of Underlying Misconduct
DOJ Guidance
The June 2020 DOJ update changed the second question from "is the compliance program being implemented effectively?" to whether the compliance program is "adequately resourced and empowered to function effectively." This includes:
• Commitment to and implementation of a culture of compliance at all levels of the organization
• Ensuring those with day-to-day operational responsibility have adequate resources, appropriate authority and direct access to the governing authority
• Enabling compliance program effectiveness through investment in training and development and access to relevant data sources
Top Compliance Risks
The following is a summary of top 2020 compliance risks:
• Coding/Billing: 30%
• Documentation: 17%
• HIPAA Privacy: 15%
• HIPAA Security: 14%
• Medical Necessity: 9%
• Other: 8%
• Government Enforcement: 7%
Source – 2020 Healthicity Compliance and Auditing Benchmark Report
Compliance Program Trends
To mitigate these risks, the importance of implementing an effective compliance program that prevents fraud, waste and abuse has grown with the increase in the number of government settlements for non-compliance with regulations. Of the organizations included in the report:
• 96% have a formal compliance program
• 80% perform an annual risk assessment
  - 38% take over 21 hours to conduct a risk assessment
• 71% of employees will have at least one hour of compliance training
• 56% utilize a blended compliance training approach (online and in-person)
• 54% have a Chief Compliance Officer (CCO) who meets quarterly with the compliance committee
• 45% have the CCO meet with the overall Board of Directors/Trustees
• 34% anticipate that the greatest challenge in managing their compliance program is keeping current on regulations
• 31% considered the OIG work plan the key driver in prioritizing compliance work plan audits
Compliance Program Trends
• In this environment, developing and implementing an effective compliance program has become a standard expectation within the health care industry.
• While even the best program cannot prevent all violations, a tailored, proactive compliance program is more likely to identify issues early.
• Additionally, the existence of such a program is a positive factor when negotiating with the government, should that become necessary.
• Finally, if any significant compliance issues are detected through your own compliance program activities, self-reporting is usually a much-preferred position as opposed to being a target in another one of these government enforcement actions.
Fraud and Abuse Regulations
High-priority federal healthcare Fraud and Abuse laws are as follows:
• False Claims Act (FCA) [31 U.S.C. §§ 3729–3733]
• Physician Self-Referral Law (Stark Law) [42 U.S.C. § 1395nn]
• Anti-Kickback Statute (AKS) [42 U.S.C. § 1320a-7b(b)]
• Exclusion Authorities [42 U.S.C. § 1320a-7]
• Civil Monetary Penalties Law [42 U.S.C. § 1320a-7a]
The following governmental agencies are charged with enforcing these laws:
• Department of Justice (DOJ)
• Department of Health and Human Services (HHS) Office of Inspector General (OIG)
• Centers for Medicare and Medicaid Services (CMS)
False Claims Act (FCA) Risks
The FCA imposes civil liability on any person who knowingly presents, or causes to be presented, a false or fraudulent claim for payment by the Government.
Under the civil FCA, no specific intent to defraud is required. The civil FCA defines "knowing" to include not only actual knowledge but also deliberate or reckless disregard of the truth or falsity of the information.
Civil penalties can be up to 3 times what the Government paid for each claim, plus a per-claim penalty with a minimum of $11,665 and a maximum of $23,331 for each claim violation after June 20, 2020.
Under the civil FCA, each instance of an item or service billed to Medicare or Medicaid counts as a claim, so fines can add up quickly.
Criminal penalties for submitting false claims include imprisonment and criminal fines.
False Claims Act (FCA) Best Practices
Examples of FCA best practices include the following:
• Monitor coding patterns
• Review billing procedures and the claim submission process
• Perform a documentation/coding/billing review looking for: (1) medical necessity; (2) billing for services not provided; (3) failure to use coding modifiers; and (4) upcoding, etc.
  - Primary reasons for conducting formal documentation/coding audits include:
    - Required by internal compliance program
    - Ensure bills are accurate and avoid penalties
  - Compliance Guidelines published by OIG recommend auditing a minimum sample of 10 patient encounters for each provider
  - Small, frequent audits reduce error and increase accuracy of claims submissions
  - Communicate results to the physician
  - Implement remediation efforts, where applicable
  - Implement applicable training programs
Physician Self-Referral Law (Stark Law) Risks
The Stark Law prohibits physicians from referring patients to receive "designated health services" payable by Medicare or Medicaid from entities with which the physician or an immediate family member has a financial relationship, unless an exception applies.
• Financial relationships include both ownership/investment interests and compensation arrangements
• "Designated health services" include but are not limited to:
  - Clinical laboratory services;
  - Physical therapy and occupational therapy services;
  - Radiology and certain imaging services;
  - Radiation therapy services and supplies; and
  - Inpatient and outpatient hospital services.
Physician Self-Referral Law (Stark Law) Risks
The Stark Law is a strict liability statute, which means proof of specific intent to violate the law is not required.
Violations of the Stark Law may result in penalties that include denial of payment, civil monetary penalties of up to $15,000 per service (and $100,000 for schemes that are designed to circumvent the Stark Law) and exclusion from the Medicare and Medicaid programs.
On November 20, 2020, CMS issued sweeping changes designed to provide flexibility for value-based arrangements and care coordination and to reduce the burdens on physicians and healthcare providers. The regulation goes into effect January 19, 2021.
Physician Self-Referral Law (Stark Law) - Best Practices
Examples of Stark Law best practices include the following:
• Ensure Conflict of Interest Questionnaires are completed and signed, and that any conflicts disclosed are resolved
• Annually review physician compensation to ensure that it is within Fair Market Value benchmarks, such as a specific percentile of the MGMA Physician Compensation and Productivity Survey
• Annually review physician leased space to ensure it is commercially reasonable, representing an arm’s length relationship with comparable properties in the same local area
Anti-Kickback Statute (AKS) Risks
The AKS prohibits the knowing and willful payment of "remuneration" to induce or reward patient referrals or the generation of business involving any item or service payable by the Federal Health Care Programs (e.g., drugs, supplies, or health care services for Medicare or Medicaid patients).
It applies to all sources of referrals, even patients.
• Routinely waiving Medicare and Medicaid patient copayments could implicate the AKS, and physicians may not advertise that they forgive copayments.
Violation of the AKS is punishable by a $25,000 fine, imprisonment for up to five years, or both, and may subject a violator to civil monetary penalties as well.
Violation of the AKS is grounds for exclusion from participation in the Medicare and Medicaid programs and other federal health care programs.
On November 20, 2020, the HHS OIG issued its final rule creating new safe harbors and modifying existing safe harbors. These changes are designed to provide greater flexibility and reduced regulatory burdens for care coordination and value-based arrangements. The regulation goes into effect January 19, 2021.
Anti-Kickback Statute (AKS) - Best Practices
Examples of AKS best practices include the following:
• Physicians should register with the Federal Open Payments Program (Program), which is mandated by the Affordable Care Act.
  - This Program requires that information about gifts, speaking fees, travel, meals and other benefits provided by vendors (e.g., drug makers, device manufacturers, group purchasing organizations, etc.) to physicians and teaching hospitals be collected and stored in a database. Any financial interest a doctor has in a medical business should also be stored.
  - This database includes speaking fees, gifts, textbooks, entertainment expenses, meals, travel costs and fees for serving on advisory boards.
• Physicians should check the CMS database maintained under this Program to make sure the information is accurate, as patients, the public and researchers have the right to access this database.
Exclusion from Federal Health Care Programs (FHCP) Risks
OIG is legally required to exclude from participation in all FHCPs individuals and entities convicted of the following criminal offenses:
• Medicare or Medicaid fraud
• Patient abuse or neglect
• Felony convictions for health care related fraud, theft or other financial misconduct
If your physician practice employs or contracts with an excluded individual or entity and FHCP payment is made for items or services that person or entity furnishes, whether directly or indirectly, you could be subject to a civil monetary penalty and/or an obligation to repay any amounts attributable to the services of the excluded individual or entity.
Exclusion from Federal Health Care Programs - Best Practices
Examples of Exclusion best practices include the following:
• For all new employees and vendors, screen against the OIG’s List of Excluded Individuals and Entities. The online data can be accessed from OIG’s Exclusion Web site.
  - If there is a match, do not hire the prospective employee or contract with the prospective vendor
• On a monthly basis, screen all current and prospective employees and contractors against the OIG’s List of Excluded Individuals and Entities.
• Investigate all potential matches to determine if they are the excluded individual or entity
  - If they are a match with the excluded individual or entity, take immediate action to suspend employment or purchasing services (consistent with policies and procedures)
  - If they are not a match with the excluded individual or entity, maintain applicable documentation
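The screening workflow above (screen at hire and monthly, investigate potential matches, document non-matches) as a worked script. This is an added example, not material from the presentation or from OIG; the LEIE column names it reads (LASTNAME, FIRSTNAME, MIDNAME, BUSNAME, NPI, DOB, EXCLTYPE, EXCLDATE) are assumed from the downloadable LEIE CSV, and both input files are constructed samples embedded inline.

```python
"""Screen an employee/vendor roster against the OIG List of Excluded Individuals
and Entities (LEIE). Added example, not the presentation's or OIG's own code.
The LEIE column names used here are assumed from the downloadable CSV; the two
inputs below are constructed samples so the script runs offline."""
import csv
import io
import re

# Constructed LEIE extract (not real exclusions); columns follow the assumed LEIE layout.
LEIE_CSV = """LASTNAME,FIRSTNAME,MIDNAME,BUSNAME,NPI,DOB,EXCLTYPE,EXCLDATE
DOE,JOHN,A,,1234567893,19700115,1128a1,20190301
SMITH,MARY,,,,19821120,1128b4,20200601
,,,ACME MEDICAL SUPPLY LLC,,,1128b8,20180915
"""

# Constructed roster of current employees and vendors (the organization's own data).
ROSTER_CSV = """id,kind,last_name,first_name,dob,npi,business_name
E100,employee,Doe,John,1970-01-15,1234567893,
E101,employee,Smith,Mary,1982-11-20,,
E102,employee,Smith,Mary,1990-04-02,,
V200,vendor,,,,,"Acme Medical Supply, LLC"
V201,vendor,,,,,Beta Diagnostics Inc
"""

BUSINESS_SUFFIXES = {"LLC", "INC", "CORP", "CO", "LTD", "PC", "PA"}

# What the slide prescribes for each screening outcome.
ACTIONS = {
    "match": "suspend employment/purchasing per policy; do not hire or contract",
    "potential": "investigate: obtain DOB/SSN or EIN and verify against OIG before acting",
    "cleared": "document as not the excluded party and retain the screening record",
}


def norm_name(s):
    """Upper-case and keep letters only, so O'Brien and OBRIEN compare equal."""
    return re.sub(r"[^A-Z]", "", (s or "").upper())


def norm_business(s):
    """Upper-case, drop punctuation and common corporate suffixes for entity comparison."""
    tokens = re.sub(r"[^A-Z0-9 ]", " ", (s or "").upper()).split()
    return " ".join(t for t in tokens if t not in BUSINESS_SUFFIXES)


def norm_dob(s):
    """Reduce '1970-01-15' or '19700115' to digits only."""
    return re.sub(r"\D", "", s or "")


def load_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def classify(r, x):
    """Compare one roster entry with one LEIE entry. Returns (tier, evidence) or None."""
    r_npi, x_npi = (r.get("npi") or "").strip(), (x.get("NPI") or "").strip()
    if r_npi and r_npi == x_npi:
        return "match", "NPI identical"
    r_bus = norm_business(r.get("business_name"))
    if r_bus and r_bus == norm_business(x.get("BUSNAME")):
        return "match", "business name identical after normalization"
    r_last, r_first = norm_name(r.get("last_name")), norm_name(r.get("first_name"))
    if not r_last or r_last != norm_name(x.get("LASTNAME")) or r_first != norm_name(x.get("FIRSTNAME")):
        return None
    r_dob, x_dob = norm_dob(r.get("dob")), norm_dob(x.get("DOB"))
    if r_dob and x_dob:
        return ("match", "name and DOB identical") if r_dob == x_dob else ("cleared", "name matches but DOB differs")
    return "potential", "name matches; DOB missing on one side"


def screen(roster_rows, leie_rows):
    """Return one finding per (roster entry, LEIE entry) pair that needs a decision."""
    findings = []
    for r in roster_rows:
        for x in leie_rows:
            result = classify(r, x)
            if result is None:
                continue
            tier, evidence = result
            findings.append({
                "roster_id": r["id"],
                "tier": tier,
                "evidence": evidence,
                "excluded_party": x["BUSNAME"] or f'{x["LASTNAME"]}, {x["FIRSTNAME"]}',
                "exclusion": f'{x["EXCLTYPE"]} effective {x["EXCLDATE"]}',
                "action": ACTIONS[tier],
            })
    return findings


def summarize(findings):
    """Count findings per tier, e.g. for the monthly screening log."""
    counts = {tier: 0 for tier in ACTIONS}
    for f in findings:
        counts[f["tier"]] += 1
    return counts


if __name__ == "__main__":
    hits = screen(load_csv(ROSTER_CSV), load_csv(LEIE_CSV))
    for h in hits:
        print(f'{h["roster_id"]:5} {h["tier"]:9} {h["excluded_party"]:28} {h["evidence"]} -> {h["action"]}')
    print(summarize(hits))
```

In production the roster and the current LEIE file would be read from disk each month, and the findings list would be retained as the screening record the slide calls for.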
Office of Civil Rights (OCR) and HIPAA Risks
HIPAA compliance is monitored by the Office of Civil Rights.
Risk of inadequate compliance with Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulations on unauthorized access to Protected Health Information (PHI), arising from inadequate privacy and confidentiality controls.
Risk of noncompliance with HIPAA Security regulations on unauthorized access to PHI, arising from inadequate controls over physical security and logical access to systems.
One of the top healthcare compliance issues for 2020 will be maintaining strong HIPAA and cyber security and privacy compliance.
Breaches continue to occur at a steady pace from a combination of both internal and external causes, such as hackers, viruses and other malicious attacks.
Office of Civil Rights (OCR) and HIPAA Best Practices
Examples of access best practices include the following:
• Review the process for access to systems, including all devices
• Evaluate policies, forms and requests
• Test to ensure that access is granted in accordance with policies
• Perform an overall review to ensure access controls are working effectively
  - Identify any deficiencies and/or weaknesses and develop a formal remediation plan
  - Monitor progress and test that all deficiencies and weaknesses have been corrected
Examples of security best practices include the following:
• Review the process for securing systems, including all devices
• Evaluate policies, forms and requests
• Test to ensure that security is implemented in accordance with policies
• Perform an overall review to ensure security controls are working effectively
  - Identify any deficiencies and/or weaknesses and develop a formal remediation plan
  - Monitor progress and test that all deficiencies and weaknesses have been corrected
Credit Balance Risks
Per the Patient Protection and Affordable Care Act (PPACA):
• Providers (including physicians) must report and repay Medicare/Medicaid overpayments within 60 days of "identification" or "applicable reconciliation," whichever is later
• Retention of an identified overpayment after the 60-day period is considered an "obligation to pay" subject to a False Claims Act (FCA) enforcement action as a so-called "reverse false claim"
Examples of Medicare credit balances include instances where a physician is:
• Paid twice for the same service, either by Medicare or by Medicare and another insurer;
• Paid for services planned but not performed, or for noncovered services;
• Overpaid because of errors made in calculating beneficiary deductible and/or coinsurance amounts
Credit Balance Best Practices
Examples of credit balance best practices include the following:
• Validate accuracy of the credit balance aging report by payor (including Medicare and Medicaid).
• Determine that adequate, trained staff are resolving credit balances
  - Is the resource level appropriate?
  - Are they qualified and well-trained?
• Determine whether there are sufficient quality assurance and root cause analysis processes.
• Determine sufficiency and effectiveness of controls used to ensure refund and reporting within 60 days of identification
Purchasing Cycle Risks
Examples of purchasing cycle risks include the following:
• Unauthorized or fictitious purchases are made.
• Recorded purchases are coded to the wrong G/L account, resulting in improper expense or capitalization.
• Received goods/services do not agree to goods/services ordered.
• Invoices are for an incorrect amount or for services not rendered.
• Disbursements are processed for unauthorized purchases.
• Disbursements are not properly authorized or accurate, or payment is made to an inappropriate vendor.
• Issuance of checks is not properly controlled.
• Unauthorized employees have access to the Purchasing/AP system.
Purchasing Cycle Best Practices
Examples of purchasing cycle related best practices include the following:
• Vendor Master Maintenance, including new vendor set-up, validation (W-9), and related procedures.
• Vendor Invoice Processing, including 3-way match, invoice approval, invoice entry, and related procedures.
• Cash Disbursements, including check processing, check signing, voided and stored checks, checks made payable to cash and related procedures.
• Accounts Payable management, including monitoring controls and reconciliation of such items as duplicate payments, expense reimbursements and related procedures.
Payroll Cycle Risks
Examples of payroll cycle risks include the following:
• Unauthorized, duplicate or fictitious employees are added to human resource master files, resulting in unauthorized payroll disbursements.
• New Employees
  - Information is recorded incorrectly (e.g., hourly or salary rates, etc.) in the master file, resulting in inaccurate payroll processing and disbursements.
  - Are not added to the payroll records in the appropriate period, resulting in errors in payroll processing and disbursements.
• Active Employees
  - Biweekly time is not authorized and does not reflect actual hours worked.
  - Approved hourly and/or salary changes are not accurately recorded, resulting in over- or under-payment of payroll.
• Terminated Employees
  - Are not removed from the master file timely, resulting in inaccurate disbursements.
Payroll Cycle Best Practices
Examples of payroll cycle related best practices include the following:
• New Hire, including approval of position, salary and benefits, etc.
• Time and Attendance, including daily and biweekly hours by category (e.g., regular, overtime, shift differential, etc.) for exempt and nonexempt employees.
• Authorization, including independent approval of employees' timecards and manual adjustments.
• Review and Processing, including review of outliers (excessive overtime, etc.), uploading time and attendance reports into the payroll system, and printing of paychecks and stubs.
• Distribution of Payment, including actual check distribution or employee access to their own information.
• General Ledger Update, including the payroll interface and reconciliation to the General Ledger, and bank statement reconciliation.
CARES Act Provisions For Health Care Entities
The Coronavirus Aid, Relief, and Economic Security Act (the CARES Act) attempted to alleviate some of the financial strain on hospitals, physicians, and other health care entities through a series of new policies that temporarily boosted Medicare and Medicaid payments, allowed for added flexibility in treatment modalities, and expanded the availability of advance or accelerated payments from Medicare.
The CARES Act established a Provider Relief Fund (PRF) to be used for economic support of health care entities in connection with health care related expenses or "lost revenues" attributable to COVID-19 and treatment of uninsured COVID-19 patients.
Provider Relief Fund Terms and Conditions
The terms and conditions of the Provider Relief Fund state that Relief Fund Payments will only be used to prevent, prepare for and respond to coronavirus, and shall reimburse the recipients only for healthcare expenses and lost revenue attributable to coronavirus.
The recipient certifies that it provides or provided, after January 31, 2020, diagnoses, testing or care for individuals with possible or actual cases of COVID-19.
The recipient certifies that it will not use the payment to reimburse expenses or losses that have been reimbursed from other sources or that other sources are obligated to reimburse.
Provider Relief Fund Terms and Conditions
The reporting deadline for PRF dollars is February 15, 2021, and the HHS portal for submitting the data will be open for use as of 1/15/2021.
If recipients do not expend PRF funds in full by the end of calendar year 2020, they will have an additional six months in which to use remaining amounts toward expenses attributable to coronavirus but not reimbursed by other sources, or to apply toward "lost revenues" (discussed further below).
For example, the reporting period January – June 2021 will be compared to the same period in 2020 from a budget perspective, or January – March 2021 will be compared to the same quarter in 2020 (still waiting for further clarification on this).
For carry-over funds used through 6/30/21, the reporting deadline is 7/31/21.
Provider Relief Fund Terms and Conditions
Eligibility
• Billed Medicare in 2019
• Provided diagnosis, testing, or care for individuals with actual or possible cases of COVID-19 after January 31, 2020
• Not excluded from federal healthcare programs
Use of Funds
• Only to prevent, prepare for, and respond to COVID-19
• Only to reimburse for healthcare-related expenses or lost revenues attributable to COVID-19
• Must not use the funds to compensate for expenses or lost revenues that have been reimbursed from other sources (i.e., FEMA funding, state grants, program-specific funding, commercial insurance, etc.)
Provider Relief Fund Terms and Conditions
Supporting Records
• Maintain all records and cost documentation to support the appropriate use of funds, and provide them to the Secretary of HHS upon request
• Substantiate use of funds for increased healthcare-related expenses or lost revenue attributable to COVID-19, with evidence that those expenses/losses were not reimbursed from other sources
• Submit a quarterly report to reflect total receipt of funds as well as a detailed list of all projects/activities in which covered funds were expended
Other Compliance Requirements
• Restrictions on balance billing of out-of-network COVID-19 patients (i.e., seeking to collect more than what the patient would have otherwise been required to pay if he/she was an in-network patient)
• Restrictions on using funds to pay for excessive salaries of physicians or executives beyond a defined level
Provider Relief Fund Monitoring/Best Practices
Upon the decision to retain the funds, the following activities should be taken in order to manage the funds going forward and support compliance with the terms and conditions:
• Develop reasonable methodologies for calculating lost revenues across key lines of business and affiliated entities
• Develop mechanisms to identify and track COVID-19-related expenses
• Develop policies, procedures, and standards regarding necessary documentation to support the use of funds and compliance with HHS’s terms and conditions
• Establish infrastructure for tracking all COVID-19 funding sources and ensuring that the funds are not being used for duplicate purposes
• Develop monitoring plans to mitigate unique funding compliance risks, such as audits around balance billing, use of funds for excessive physician and executive salaries, etc.
• Monitor and communicate newly published regulatory guidance to applicable stakeholders
OIG 2020 Active Work Plan Items - COVID-19
Audit of CARES Act Provider Relief Funds—General and Targeted Distributions to Hospitals
• The objective is to determine whether providers that received PRF payments complied with certain Federal requirements and with the terms and conditions for reporting and expending PRF funds.
Audit of Medicare Telehealth Services During the COVID-19 Pandemic: Program Integrity Risks
• CMS implemented a number of waivers and flexibilities that allowed Medicare beneficiaries to access a wider range of telehealth services without having to travel to a health care facility. This review will be based on Medicare Parts B and C data and will identify program integrity risks associated with Medicare telehealth services during the pandemic. We will analyze providers' billing patterns for telehealth services. We will also describe key characteristics of providers that may pose a program integrity risk to the Medicare program.
Telehealth During COVID-19
The Coronavirus Preparedness and Response Supplemental Appropriations Act includes a provision allowing the Secretary of HHS to waive certain Medicare telehealth payment requirements during the Public Health Emergency, so that beneficiaries in all areas of the country can receive telehealth services, including at their home. Starting March 6, 2020, all Medicare patients are eligible for telehealth services; the rural-only patient requirement was suspended. This expires at the end of the Public Health Emergency.
Telehealth During COVID-19
CMS maintains a list of services that are normally furnished in person but may be furnished via Medicare telehealth. Services are described by HCPCS codes and paid under the Physician Fee Schedule. There are 3 categories of services:
• Medicare Telehealth Visits
• Virtual Check-in
• E-visits
Telehealth During COVID-19
New Jersey Telehealth Requirements (as of November 16, 2020)
• Any NJ licensed healthcare provider may provide telehealth services. Licensed out-of-state providers must have a pre-COVID-19 relationship with the patient to conduct a telehealth encounter unless the encounter only concerns COVID-19.
• Providers are permitted to use alternative technologies, such as audio-only telephone or video technology commonly available on smartphones and other devices, as long as the standard of care is met.
• Patients may orally consent to telehealth services.
• If there is no pre-existing provider-patient relationship, the provider must (1) inform the patient of his or her identity, professional credentials and contact information and (2) identify the patient by name, DOB, phone number and address.
• A provider is no longer required to review a patient’s medical history and medical records prior to an initial telehealth encounter. Providers should use clinical judgment to obtain relevant medical history and review available medical records to meet applicable standards of care.
• If the patient consents, the provider must forward the records of the telehealth encounter to the patient’s primary care provider or to a provider that the patient requests.
Role of Internal Audit During COVID-19
The following questions frame where internal audit should focus, based on the COVID-19 impact on the organization:
• How relevant is the current audit plan, and what parts of it require recalibration?
• How does Internal Audit keep pace with the speed of changes occurring in the business, including changes in the control environment?
• How does the department pivot to help the organization address new business risks?
• How does an internal audit team better use technology and data to gain insight?
The response to the above questions is that Internal Audit should take a more data-driven approach that monitors and takes action quickly to help the organization navigate the risks created by COVID-19. This can be achieved through a simplified continuous risk assessment that uses technology to monitor those risks from an internal audit perspective.
Role of Internal Audit During COVID-19
Re-calibrate the approach to cyclical audit planning and coverage of risk
• Adopt an agile management approach
• Embrace short-term prioritization and regular review/updates of the IA plan to mirror the changing pace of risk and assurance needs
• Collaborate with key stakeholders to understand new and/or elevated risks and assess how best to support them with the provision of assurance
Continue to deliver ongoing assurance activities without disrupting critical operational areas during times of crisis
• Accelerate the deployment of analytics to deliver IA work remotely, increase coverage, focus on outliers, and reduce business interruption, while still providing valuable insights and assurance
Work more closely with external providers to reduce disruptions to the business
Provide an objective voice to organization teams who need to make decisions quickly
Role of Internal Audit During COVID-19
Reconsidering Threats and Risks
• At the onset of the virus, some internal audit functions reacted by lending their risk management expertise to help resolve immediate service delivery and operational issues.
• Leveraging investments in data analytics to identify relevant key performance indicators facilitated the automated monitoring of risks.
• Risk assessment involves providing audit services for new and emerging risk areas.
  - For example, some organizations made temporary changes to service delivery models to quickly restart operations, which made up for shortages in employees.
  - These events led to the curtailment of specific traditional controls, requiring new risk mitigation strategies and enhanced audit monitoring.
  - Especially of concern to internal audit were questions of how exceptions to controls and risk acceptances were granted, as well as third-party risks, including supply chain disruptions.
  - Finally, recovery and, in some cases, survival planning is another example of internal auditors lending their expertise in facilitating organizational objectives.
Role of Internal Audit During COVID-19
Enhanced Monitoring and Reporting
• To the extent available, internal auditors are also using data provided by vendors and third-party service providers to enhance monitoring capabilities. Internal auditors have dedicated more time to reviewing external assessment reports, such as Service Organization Control (SOC) 1 and SOC 2 reports, and internal reports provided by vendors. These can include performance reports, information feeds, industry benchmark activity reports, and compliance with service-level agreements.
• Some areas of focus include ensuring compliance with regulatory expectations despite the challenges caused by COVID-19. Activities include documentation, coding and billing audits regarding: (1) medical necessity; (2) billing for services not provided; (3) failure to use coding modifiers; and (4) upcoding.
Challenges For Internal Audit During COVID-19
Continue to function effectively where stakeholders have competing priorities
• Reduce the amount of stakeholder input required, produce short, sharp advisory pieces, and leverage system access and available data to the greatest extent
• Provide more frequent updates
Consider alternative methods of gathering evidence of control execution, or of the absence of documentation confirming key steps
• There might be circumstances of control override, with employees seeking workarounds to existing security protocols and internal controls in order to keep the business operating effectively
• Fraud incentives are increased in times of crisis
Internal Audit Department Structure
In-sourced: in-house staff performs internal audit functions
Outsourced: hire a third-party firm to provide resources to perform internal audit functions
Co-sourced: use a blend of internal and external resources to perform internal audit functions
Internal Audit Department Structure
In-source
Description: A formally established department comprised of staff reporting to the Board and an appropriate member of Senior Management
Advantages:
• Builds and retains institutional knowledge
• Helps to foster internal ownership of issues
Disadvantages:
• Independence can be impaired over time
• Potential limited depth of technical skills can reduce effectiveness
Internal Audit Department Structure
Outsource
Description: A third-party firm provides all components of the internal audit function and reports to a member of the Board and an appropriate member of senior management
Advantages:
• Independent and objective
• Greater insights into alternative approaches and best practices
Disadvantages:
• Dependence on the strength of the third-party relationship and capability
• Potential staff continuity issues
Internal Audit Department Structure
Co-source
Description: A third-party firm supplements internal audits on a project-by-project basis at the direction of Senior Management or the Board
Advantages:
• Can obtain appropriate specialized or technical skills for each audit area on an as-needed basis
Disadvantages:
• Discretionary use might lead to lack of focus
Questions? Contact your Presenters
Michael A. Serluco, CPA
Partner, Healthcare Services
mserluco@withum.com
(732) 759 6821
Marc Stein
Principal, Healthcare Advisory Services
mstein@withum.com
(732) 828 1614

More Related Content

Recently uploaded

Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deck
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deckPitch Deck Teardown: Geodesic.Life's $500k Pre-seed deck
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deckHajeJanKamps
 
Global Scenario On Sustainable and Resilient Coconut Industry by Dr. Jelfina...
Global Scenario On Sustainable  and Resilient Coconut Industry by Dr. Jelfina...Global Scenario On Sustainable  and Resilient Coconut Industry by Dr. Jelfina...
Global Scenario On Sustainable and Resilient Coconut Industry by Dr. Jelfina...ictsugar
 
Fordham -How effective decision-making is within the IT department - Analysis...
Fordham -How effective decision-making is within the IT department - Analysis...Fordham -How effective decision-making is within the IT department - Analysis...
Fordham -How effective decision-making is within the IT department - Analysis...Peter Ward
 
8447779800, Low rate Call girls in Uttam Nagar Delhi NCR
8447779800, Low rate Call girls in Uttam Nagar Delhi NCR8447779800, Low rate Call girls in Uttam Nagar Delhi NCR
8447779800, Low rate Call girls in Uttam Nagar Delhi NCRashishs7044
 
TriStar Gold Corporate Presentation - April 2024
TriStar Gold Corporate Presentation - April 2024TriStar Gold Corporate Presentation - April 2024
TriStar Gold Corporate Presentation - April 2024Adnet Communications
 
Traction part 2 - EOS Model JAX Bridges.
Traction part 2 - EOS Model JAX Bridges.Traction part 2 - EOS Model JAX Bridges.
Traction part 2 - EOS Model JAX Bridges.Anamaria Contreras
 
Buy gmail accounts.pdf Buy Old Gmail Accounts
Buy gmail accounts.pdf Buy Old Gmail AccountsBuy gmail accounts.pdf Buy Old Gmail Accounts
Buy gmail accounts.pdf Buy Old Gmail AccountsBuy Verified Accounts
 
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCRashishs7044
 
Annual General Meeting Presentation Slides
Annual General Meeting Presentation SlidesAnnual General Meeting Presentation Slides
Annual General Meeting Presentation SlidesKeppelCorporation
 
Digital Transformation in the PLM domain - distrib.pdf
Digital Transformation in the PLM domain - distrib.pdfDigital Transformation in the PLM domain - distrib.pdf
Digital Transformation in the PLM domain - distrib.pdfJos Voskuil
 
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu MenzaYouth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu Menzaictsugar
 
International Business Environments and Operations 16th Global Edition test b...
International Business Environments and Operations 16th Global Edition test b...International Business Environments and Operations 16th Global Edition test b...
International Business Environments and Operations 16th Global Edition test b...ssuserf63bd7
 
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCRashishs7044
 
APRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdfAPRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdfRbc Rbcua
 
FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607dollysharma2066
 
8447779800, Low rate Call girls in Tughlakabad Delhi NCR
8447779800, Low rate Call girls in Tughlakabad Delhi NCR8447779800, Low rate Call girls in Tughlakabad Delhi NCR
8447779800, Low rate Call girls in Tughlakabad Delhi NCRashishs7044
 
Investment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy CheruiyotInvestment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy Cheruiyotictsugar
 
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptx
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptxThe-Ethical-issues-ghhhhhhhhjof-Byjus.pptx
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptxmbikashkanyari
 
Chapter 9 PPT 4th edition.pdf internal audit
Chapter 9 PPT 4th edition.pdf internal auditChapter 9 PPT 4th edition.pdf internal audit
Chapter 9 PPT 4th edition.pdf internal auditNhtLNguyn9
 

Recently uploaded (20)

Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deck
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deckPitch Deck Teardown: Geodesic.Life's $500k Pre-seed deck
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deck
 
Global Scenario On Sustainable and Resilient Coconut Industry by Dr. Jelfina...
Global Scenario On Sustainable  and Resilient Coconut Industry by Dr. Jelfina...Global Scenario On Sustainable  and Resilient Coconut Industry by Dr. Jelfina...
Global Scenario On Sustainable and Resilient Coconut Industry by Dr. Jelfina...
 
Fordham -How effective decision-making is within the IT department - Analysis...
Fordham -How effective decision-making is within the IT department - Analysis...Fordham -How effective decision-making is within the IT department - Analysis...
Fordham -How effective decision-making is within the IT department - Analysis...
 
8447779800, Low rate Call girls in Uttam Nagar Delhi NCR
8447779800, Low rate Call girls in Uttam Nagar Delhi NCR8447779800, Low rate Call girls in Uttam Nagar Delhi NCR
8447779800, Low rate Call girls in Uttam Nagar Delhi NCR
 
TriStar Gold Corporate Presentation - April 2024
TriStar Gold Corporate Presentation - April 2024TriStar Gold Corporate Presentation - April 2024
TriStar Gold Corporate Presentation - April 2024
 
Call Us ➥9319373153▻Call Girls In North Goa
Call Us ➥9319373153▻Call Girls In North GoaCall Us ➥9319373153▻Call Girls In North Goa
Call Us ➥9319373153▻Call Girls In North Goa
 
Traction part 2 - EOS Model JAX Bridges.
Traction part 2 - EOS Model JAX Bridges.Traction part 2 - EOS Model JAX Bridges.
Traction part 2 - EOS Model JAX Bridges.
 
Buy gmail accounts.pdf Buy Old Gmail Accounts
Buy gmail accounts.pdf Buy Old Gmail AccountsBuy gmail accounts.pdf Buy Old Gmail Accounts
Buy gmail accounts.pdf Buy Old Gmail Accounts
 
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
 
Annual General Meeting Presentation Slides
Annual General Meeting Presentation SlidesAnnual General Meeting Presentation Slides
Annual General Meeting Presentation Slides
 
Digital Transformation in the PLM domain - distrib.pdf
Digital Transformation in the PLM domain - distrib.pdfDigital Transformation in the PLM domain - distrib.pdf
Digital Transformation in the PLM domain - distrib.pdf
 
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu MenzaYouth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
 
International Business Environments and Operations 16th Global Edition test b...
International Business Environments and Operations 16th Global Edition test b...International Business Environments and Operations 16th Global Edition test b...
International Business Environments and Operations 16th Global Edition test b...
 
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
 
APRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdfAPRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdf
 
FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607
 
8447779800, Low rate Call girls in Tughlakabad Delhi NCR
8447779800, Low rate Call girls in Tughlakabad Delhi NCR8447779800, Low rate Call girls in Tughlakabad Delhi NCR
8447779800, Low rate Call girls in Tughlakabad Delhi NCR
 
Investment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy CheruiyotInvestment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy Cheruiyot
 
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptx
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptxThe-Ethical-issues-ghhhhhhhhjof-Byjus.pptx
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptx
 
Chapter 9 PPT 4th edition.pdf internal audit
Chapter 9 PPT 4th edition.pdf internal auditChapter 9 PPT 4th edition.pdf internal audit
Chapter 9 PPT 4th edition.pdf internal audit
 

Featured

PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024Neil Kimberley
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)contently
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024Albert Qian
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsKurio // The Social Media Age(ncy)
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Search Engine Journal
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summarySpeakerHub
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next Tessa Mero
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentLily Ray
 
Time Management & Productivity - Best Practices
Time Management & Productivity -  Best PracticesTime Management & Productivity -  Best Practices
Time Management & Productivity - Best PracticesVit Horky
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project managementMindGenius
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...RachelPearson36
 
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...Applitools
 
12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at Work12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at WorkGetSmarter
 
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...DevGAMM Conference
 

Featured (20)

Skeleton Culture Code
Skeleton Culture CodeSkeleton Culture Code
Skeleton Culture Code
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search Intent
 
How to have difficult conversations
How to have difficult conversations How to have difficult conversations
How to have difficult conversations
 
Introduction to Data Science
Introduction to Data ScienceIntroduction to Data Science
Introduction to Data Science
 
Time Management & Productivity - Best Practices
Time Management & Productivity -  Best PracticesTime Management & Productivity -  Best Practices
Time Management & Productivity - Best Practices
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project management
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
 
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
 
12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at Work12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at Work
 
ChatGPT webinar slides
ChatGPT webinar slidesChatGPT webinar slides
ChatGPT webinar slides
 
More than Just Lines on a Map: Best Practices for U.S Bike Routes
More than Just Lines on a Map: Best Practices for U.S Bike RoutesMore than Just Lines on a Map: Best Practices for U.S Bike Routes
More than Just Lines on a Map: Best Practices for U.S Bike Routes
 
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...
 

Internal Audit's Evolving Role in Fraud/Abuse and COVID-19 Risks

  • 1. withum.com Internal Audit’s Evolving Role in Fraud/Abuse and COVID-19 Risks and Best Practices Michael Serluco, Partner, Healthcare Marc Stein, Principal, Healthcare Advisory January 13, 2021
  • 2. withum.com What We’ll Do Today Overview of Fraud and Abuse regulations and best practices Discuss Internal Audit’s role in mitigating Regulatory and COVID-19 Risks Overview of CARES Act funding and associated risks and best practices Update on DOJ settlement trends and guidance regarding compliance plans 2
  • 3. withum.com Health Care Enforcement Recovery Overview Health care enforcement continues to be a profitable pursuit for the Federal Government. From 2017 through 2019 (the most recent period for which data is available), the Office of Inspector General reports that it collected $4.20 for every $1.00 spent on enforcement efforts The Health Care Fraud and Abuse Control (HCFAC) Program was established under the 1996 Heath Insurance Portability and Accountability Act (HIPAA) to identify and prosecute health care fraud and abuse. The 2019 results include :  Federal Government won or negotiated over $2.6 billion in health care fraud judgments and settlements.  $3.6 billion was returned to the Federal Government or paid to private persons • Approximately $2.5 billion was transferred to the Medicare Trust Funds 3
  • 4. withum.com DOJ Guidance April 2017 and revised in April 2019 the US Department of Justice ("DOJ") published its guidance on the "Evaluation of Corporate Compliance Programs" (the "Guidance“) which included the following 11 key compliance program evaluation topics within 3 overarching questions that prosecutors should use in their review and assessment of a company’s compliance program: 1. Is the Program well designed?  Risk Assessment  Policies and Procedures  Training and Communication  Confidential Reporting and Investigation of misconduct  Third Party Management  Mergers and Acquisitions 4
  • 5. withum.com DOJ Guidance 2. Is the program being implemented effectively?  Senior and Middle Management  Autonomy and Resources  Incentives and Disciplinary Measures 3. Does the program work in practice?  Continuous Improvement, Periodic Testing and Review  Analysis and Remediation of Underlying Misconduct 5
  • 6. withum.com DOJ Guidance June 2020 DOJ update changed the second question “is the compliance program being implemented effectively” to asking instead whether the compliance program is "adequately resourced and empowered to function effectively.” This includes: • Commitment and implementation of a culture of compliance at all levels of the organization • Ensuring those with day-to-day operational responsibility have adequate resources, appropriate authority and direct access to governing authority • Enabling compliance program effectiveness through investment in training and development and access to relevant data sources 6
  • 7. withum.com Top Compliance Risks The following is a summary of top 2020 compliance risks Documentation 17% Coding/Billing 30% HIPAA Security 14% HIPAA Privacy 15% Medical Necessity 9% Government Enforcement 7% Other 8% Source – 2020 Healthicity Compliance and Auditing Benchmark Report 7
  • 8. withum.com Compliance Program Trends To mitigate these risks, the importance of implementing an effective compliance program that prevents fraud, waste and abuse has grown with the increase in the number of government settlements of non-compliance with regulations. Of the organizations included in the report:  96% have a formal compliance program  80% perform an annual risk assessment • 38% take over 21 hours to conduct a risk assessment  71% of employees will have at least one hour of compliance training  56% utilize a blended compliance training approach ( online and in-person)  54% have Chief Compliance Officer (CCO) who meets quarterly with the compliance committee  45% have the CCO meet with overall Board of Directors/Trustees  34% anticipate that the great challenge on managing their compliance program is keeping current on regulations  31% considered the OIG work plan as the key driver in prioritizing compliance work plan audits 8
  • 9. withum.com Compliance Program Trends  In this environment, developing and implementing an effective compliance program has become a standard expectation within the health care industry.  While even the best program cannot prevent all violations, a tailored, proactive compliance program is more likely to identify issues early.  Additionally, the existence of such a program is a positive factor when negotiating with the government, should that become necessary.  Finally, if any significant compliance issues are detected through your own compliance program activities, self-reporting is usually a much-preferred position as opposed to being a target in another one of these government enforcement actions. 9
  • 10. withum.com Fraud and Abuse Regulations High priority Healthcare Federal Fraud and Abuse laws are as follows:  False Claims Act (FCA) [31 U.S.C.§§ 3729–3733]  Physician Self-Referral Law ( Stark Law) [42 U.S.C.§ 1395nn]  Anti-Kickback Statute (AKS) [42 U.S.C.§ 1320a-7b(b)]  Exclusion Authorities [42 U.S.C.§ 1320a-7]  Civil Monetary Penalties Law [42 U.S.C.§ 1320a-7a] The following Governmental agencies are charged with enforcing these laws:  Department of Justice (DOJ)  Department of Health and Human Services (HHS) Office of Inspector General (OIG)  Centers for Medicare and Medicaid Services (CMS) 11
  • 11. withum.com False Claims Act (FCA) Risks FCA imposes civil liability on any person knowingly presents or caused to be presented, a false or fraudulent claim for payment by the Government. Under civil FCA, no specific intent to defraud is required. The civil FCA defines “knowing” to include actual knowledge but also deliberate or reckless disregard of the truth or falsity of the information. Civil penalties may result up to 3 times what the Government paid for each claim plus a minimum ($11, 665) and maximum ($23,331) per each claim violation after June 20, 2020. Under civil FCA, each instance of an item or service billed to Medicare or Medicaid counts as a claim, so fines can add up quickly. Criminal penalties for submitting false claims include imprisonment and criminal fines 12
  • 12. withum.com False Claims Act (FCA) Best Practices Examples of FCA best practices include the following:  Monitor coding patterns  Review billing procedures and claim submission process  Perform a documentation/coding/billing review looking for: (1) medical necessity; (2) billing for services not provided; (3) failure to use coding modifiers; and (4) upcoding, etc. • Primary reasons for conducting formal documentation/coding audits include:  Required by internal compliance program  Ensure bills are accurate and avoid penalties • Compliance Guidelines published by OIG recommends auditing a minimum size of 10 patient encounters for each provider  Small frequent audits reduce error and increase accuracy of claims submissions • Communication of results to physician • Implement remediation efforts, where applicable • Implement applicable training programs 13
  • 13. withum.com Physician Self-Referral Law (Stark Law) Risks Prohibits physicians from referring patients to receive “designated health services” payable by Medicare and Medicaid from entities with which the physician or immediate family member has a financial membership, unless an exception applies  Financial relationships include both ownership/investment interests and compensation arrangements  “Designated health services” include but are not limited to: • Clinical laboratory services; • Physical therapy and occupational therapy services; • Radiology and certain imaging services; • Radiation therapy services and supplies; and • Inpatient and outpatient hospital services. 14
  • 14. withum.com Physician Self-Referral Law (Stark Law) Risks The Stark Law is a strict liability statute which means proof of specific intent to violate the law is not required. Violations of the Stark Law may result in penalties that include denial of payment, civil monetary penalties of up to $15,000 per service (and $100,000 for schemes that are designed to circumvent the Stark Law) and exclusion from the Medicare and Medicaid programs On November 20, 2020, CMS issued sweeping changes designed to provide flexibility for value-based arrangements and care coordination and reduce the burdens for physicians and healthcare providers. The regulation goes into effect January 19, 2021. 15
  • 15. withum.com Physician Self-Referral Law (Stark Law)- Best Practices Examples of Stark Law best practices include the following:  Ensure Conflict of Interest Questionnaires are completed, signed and any conflicts disclosed are resolved  Annually review physician compensation to ensure that it is within Fair Market Value benchmarks such as a specific percentile of the MGMA Physician Compensation and Productivity Survey  Annually review physician leased space to ensure it is commercially reasonable representing an arm’s length relationship with comparable properties in the same local area. 16
  • 16. withum.com Anti-Kickback Statute (AKS) Risks Prohibits the knowing and willful payment of “remuneration” to induce or reward patient referrals or the generation of business involving any item or service payable by the Federal Health Care Programs (e.g., drugs, supplies, or health care services for Medicare or Medicaid patients). Applies to all sources of referrals, even patients.  Routinely waiving Medicare and Medicaid patient copayments could implicate the AKS statute and physicians may not advertise that they forgive copayments Violation of AKS is punishable by a $25,000 fine, imprisonment for up to five years, or both, and may subject a violator to civil monetary penalties as well. Violation of AKS is grounds for exclusion from participation in the Medicare and Medicaid programs and other federal health care programs On November 20, 2020, issued its final rule creating new safe harbors and modifying existing safe harbors. These changes are deigned to provide greater flexibility and reduced regulatory burdens for care coordination and value- based arrangements. The regulation goes into effect January 19, 2021. 17
  • 17. withum.com Anti-Kickback Statute (AKS) - Best Practices Examples of AKS best practices include the following:  Physicians should register with the Federal Open Payments Program (Program) which is mandated by the Affordable Care Act. • This Program requires that information about gifts, speaking fees, travel, meals and other benefits made by vendors ( e.g., drug makers, device manufacturers and group purchasing organizations, etc.) to physicians and teaching hospitals be collected and stored in a database. Any financial interest a doctor has in a medical business should also be stored. • This database includes speaking fees, gifts, textbooks, entertainment expenses, meals, travel costs and fees for serving on advisory boards  Physicians should check the CMS database maintained under this Program to make sure the information is accurate as patients, the public and researchers have the right to access this database. 18
  • 18. withum.com Exclusion from Federal Health Care Programs (FHCP) Risks OIG is legally required to exclude from participation in all FHCPs individuals and entities convicted of the following criminal offenses:  Medicare or Medicaid Fraud  Patient abuse or neglect  Felony convictions for health care related fraud, theft or other financial misconduct If your physician practice employs or contracts with an excluded individual or entity and FHCP payment is made for items or services that person or entity furnishes, whether directly or indirectly, you could be subject to a civil monetary penalty and/or an obligation to repay any amounts attributable to the services of the excluded individual or entity. 19
  • 19. withum.com Exclusion from Federal Health Care Programs - Best Practices Examples of Exclusion best practices include the following:  For all new employees and vendors, screen against the OIG’s List of Excluded Individuals and Entities. The online data can be accessed from OIG’s Exclusion Web site. • If there is a match, do not hire the prospective employee or contract with the prospective vendor  On a monthly basis, screen all current and prospective employees and contractors against the OIG’s List of Excluded Individuals and Entities.  Investigate all potential matches to determine if they are the excluded individual or entity • If they are a match with the excluded individual or entity, take immediate action to suspend employment or purchasing services (consistent with policies and procedures) • If they are not a match with the excluded individual or entity, maintain applicable documentation  Investigate all potential matches to determine if they are the excluded individual or entity • If they are a match with the excluded individual or entity, take immediate action to suspend employment or purchasing services (consistent with policies and procedures) • If they are not a match with the excluded individual or entity, maintain applicable documentation 20
20. Office of Civil Rights (OCR) and HIPAA Risks
HIPAA compliance is monitored by the Office of Civil Rights.
Risk of inadequate compliance with Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulations regarding unauthorized access to Protected Health Information (PHI), related to inadequate controls over privacy and confidentiality.
Risk of noncompliance with HIPAA regulations regarding unauthorized access to PHI as it relates to HIPAA Security, due to inadequate controls surrounding the physical security of and logical access to systems.
One of the top healthcare compliance issues for 2020 will be maintaining strong HIPAA and cyber security and privacy compliance.
Breaches continue to occur at a steady pace from a combination of both internal and external causes such as hackers, viruses and other malicious attacks.
21. Office of Civil Rights (OCR) and HIPAA Best Practices
Examples of access best practices include the following:
• Review the process for granting access to systems, including all devices.
• Evaluate policies, forms and requests.
• Test to ensure that access is granted in accordance with policies.
• Perform an overall review to ensure access controls are working effectively.
  ◦ Identify any deficiencies and/or weaknesses and develop a formal remediation plan.
  ◦ Monitor progress and test that all deficiencies and weaknesses have been corrected.
Examples of security best practices include the following:
• Review the security process for systems, including all devices.
• Evaluate policies, forms and requests.
• Test to ensure that security is implemented in accordance with policies.
• Perform an overall review to ensure security controls are working effectively.
  ◦ Identify any deficiencies and/or weaknesses and develop a formal remediation plan.
  ◦ Monitor progress and test that all deficiencies and weaknesses have been corrected.
22. Credit Balance Risks
Per the Patient Protection and Affordable Care Act (PPACA):
• Providers (including physicians) must report and repay Medicare/Medicaid overpayments within 60 days of “identification” or “applicable reconciliation,” whichever is later.
• Retention of an identified overpayment after the 60-day period is considered an “obligation to pay” subject to a False Claims Act (FCA) enforcement action as a so-called “reverse false claim.”
Examples of Medicare credit balances include instances where a physician is:
• Paid twice for the same service, either by Medicare or by Medicare and another insurer;
• Paid for services planned but not performed, or for noncovered services;
• Overpaid because of errors made in calculating beneficiary deductible and/or coinsurance amounts.
23. Credit Balance Best Practices
Examples of credit balance best practices include the following:
• Validate the accuracy of the credit balance aging report by payor (including Medicare and Medicaid).
• Determine that adequate, trained staff are resolving credit balances.
  ◦ Is the resource level appropriate?
  ◦ Are they qualified and well-trained?
• Determine whether there are sufficient quality assurance and root cause analysis processes.
• Determine the sufficiency and effectiveness of controls used to ensure refund and reporting within 60 days of identification.
24. Purchasing Cycle Risks
Examples of purchasing cycle risks include the following:
• Unauthorized or fictitious purchases are made.
• Recorded purchases are coded to the wrong G/L account, resulting in improper expense or capitalization.
• Received goods/services do not agree to goods/services ordered.
• Invoices are for an incorrect amount or for services not rendered.
• Disbursements are processed for unauthorized purchases.
• Disbursements are not properly authorized or accurate, or payment is made to an inappropriate vendor.
• Issuance of checks is not properly controlled.
• Unauthorized employees have access to the Purchasing/AP system.
25. Purchasing Cycle Best Practices
Examples of purchasing cycle related best practices include the following:
• Vendor Master Maintenance, including new vendor set-up, validation (W-9), and related procedures.
• Vendor Invoice Processing, including 3-way match, invoice approval, invoice entry, and related procedures.
• Cash Disbursements, including check processing, check signing, voided and stored checks, checks made payable to cash and related procedures.
• Accounts Payable management, including monitoring controls and reconciliation of such items as duplicate payments, expense reimbursements and related procedures.
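The 3-way match and duplicate-payment reconciliation named on this slide, as an added example (not the presenters' code): each invoice is checked against the validated vendor master (W-9 on file), its purchase order and the receiving log, and invoices re-keyed under a reformatted number are grouped as possible duplicate payments. The vendors, POs, invoices, record layouts and the 2% price tolerance are constructed assumptions.

```python
"""Automated 3-way match and duplicate-payment check for one AP invoice run.
Added example for this deck, not the presenters' tooling; all data below is constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class PurchaseOrder:
    po_id: str
    vendor_id: str
    qty: int
    unit_price_cents: int   # integer cents avoid float rounding in the tolerance test

@dataclass(frozen=True)
class Invoice:
    inv_id: str
    vendor_id: str
    po_id: str
    qty: int
    amount_cents: int

VENDOR_MASTER = {"V1": {"name": "Acme Medical Supply LLC", "w9_on_file": True},
                 "V2": {"name": "Beta Labs Inc", "w9_on_file": False}}
PURCHASE_ORDERS = {"PO-1": PurchaseOrder("PO-1", "V1", 10, 2500)}
RECEIPTS = {"PO-1": 10}            # quantity received per PO, from the receiving log
INVOICES = [
    Invoice("I-1", "V1", "PO-1", 10, 25000),     # clean
    Invoice("I-2", "V1", "PO-1", 12, 30000),     # billed more than was received
    Invoice("I-3", "V9", "", 1, 5000),           # unknown vendor, no PO
    Invoice("I-4", "V1", "PO-1", 10, 27500),     # unit price 10% above PO
    Invoice("I-0001", "V1", "PO-1", 10, 25000),  # re-keyed copy of I-1
    Invoice("I-5", "V2", "", 1, 1000),           # vendor set up without a W-9
]
PRICE_TOLERANCE = 0.02  # 2% variance between invoice and PO pricing before an exception

def three_way_match(inv: Invoice) -> List[str]:
    """Exceptions for one invoice; an empty list means PO, receipt and invoice agree."""
    issues: List[str] = []
    vendor = VENDOR_MASTER.get(inv.vendor_id)
    if vendor is None:
        issues.append("vendor not in validated vendor master")
    elif not vendor["w9_on_file"]:
        issues.append("vendor master incomplete: no W-9 on file")
    po = PURCHASE_ORDERS.get(inv.po_id)
    if po is None:
        issues.append("no approved purchase order for invoice")
        return issues                       # nothing further to match against
    if po.vendor_id != inv.vendor_id:
        issues.append("invoice vendor differs from PO vendor")
    received = RECEIPTS.get(inv.po_id, 0)
    if inv.qty > received:
        issues.append(f"invoiced qty {inv.qty} exceeds received qty {received}")
    expected = po.unit_price_cents * inv.qty
    if abs(inv.amount_cents - expected) > expected * PRICE_TOLERANCE:
        issues.append(f"amount {inv.amount_cents} vs PO-priced {expected} outside tolerance")
    return issues

def find_duplicate_payments(invoices: List[Invoice]) -> List[List[str]]:
    """Group invoices whose vendor, normalised invoice number and amount all coincide."""
    groups: Dict[Tuple[str, str, int], List[str]] = {}
    for inv in invoices:
        number = re.sub(r"\D", "", inv.inv_id).lstrip("0") or "0"   # 'I-0001' -> '1'
        groups.setdefault((inv.vendor_id, number, inv.amount_cents), []).append(inv.inv_id)
    return [ids for ids in groups.values() if len(ids) > 1]

def run_ap_controls(invoices: List[Invoice] = INVOICES):
    """Per-invoice exceptions plus duplicate groups for the AP supervisor's review."""
    report = {i.inv_id: three_way_match(i) for i in invoices}
    return report, find_duplicate_payments(invoices)
```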
26. Payroll Cycle Risks
Examples of payroll cycle risks include the following:
• Unauthorized, duplicate or fictitious employees are added to human resource master files, resulting in unauthorized payroll disbursements.
• New Employees
  ◦ Information is recorded incorrectly (e.g., hourly or salary rates, etc.) in the master file, resulting in inaccurate payroll processing and disbursements.
  ◦ Are not added to the payroll records in the appropriate period, resulting in errors in payroll processing and disbursements.
• Active Employees
  ◦ Biweekly time is not authorized and does not reflect actual hours worked.
  ◦ Approved hourly and/or salary changes are not accurately recorded, resulting in over- or underpayment of payroll.
• Terminated Employees
  ◦ Are not removed from the master file timely, resulting in inaccurate disbursements.
27. Payroll Cycle Best Practices
Examples of payroll cycle related best practices include the following:
• New Hire, including approval of position, salary and benefits, etc.
• Time and Attendance, including daily and biweekly hours by category (e.g., regular, overtime, shift differential, etc.), for exempt and nonexempt employees.
• Authorization, including independent approval of employees' timecards and manual adjustments.
• Review and Processing, including review of outliers (excessive overtime, etc.), uploading time and attendance reports into the payroll system, and printing of paychecks and stubs.
• Distribution of Payment, including actual check distribution or employee access to their own information.
• General Ledger Update, including payroll interface and reconciliation to the General Ledger and bank statement reconciliation.
28. CARES Act Provisions For Health Care Entities
The Coronavirus Aid, Relief, and Economic Security Act (the CARES Act) attempted to alleviate some of the financial strain on hospitals, physicians, and other health care entities through a series of new policies that temporarily boosted Medicare and Medicaid payments, allowed for added flexibility in treatment modalities, and expanded the availability of advance or accelerated payments from Medicare.
The CARES Act established a Provider Relief Fund (PRF) to be used for economic support of health care entities in connection with health care related expenses or “lost revenues” attributable to COVID-19 and treatment of uninsured COVID-19 patients.
29. Provider Relief Fund Terms and Conditions
The terms and conditions of the Provider Relief Fund state that Relief Fund Payments will only be used to prevent, prepare for and respond to coronavirus and shall reimburse the recipients only for healthcare expenses and lost revenue attributable to coronavirus.
The recipient certifies that it provides or provided, after January 31, 2020, diagnoses, testing or care for individuals with possible or actual cases of COVID-19.
The recipient certifies that it will not use the payment to reimburse expenses or losses that have been reimbursed from other sources or that other sources are obligated to reimburse.
30. Provider Relief Fund Terms and Conditions
The reporting deadline for PRF dollars is February 15, 2021, and the portal, via HHS, to submit the data will be open for use as of 1/15/2021.
If recipients do not expend PRF funds in full by the end of calendar year 2020, they will have an additional six months in which to use remaining amounts toward expenses attributable to coronavirus but not reimbursed by other sources, or to apply toward “lost revenues” (will be discussed further).
For example, the reporting period January – June 2021 will be compared to the same period in 2020 from a budget perspective, or January – March 2021 will be compared to the same quarter in 2020 (still waiting for further clarification on this).
For carry-over funds through 6/30/21, the reporting deadline is 7/31/21.
31. Provider Relief Fund Terms and Conditions
Eligibility
• Billed Medicare in 2019
• Provided diagnosis, testing, or care for individuals with actual or possible cases of COVID-19 after January 31, 2020
• Not excluded from federal healthcare programs
Use of Funds
• Only to prevent, prepare for, and respond to COVID-19
• Only to reimburse for healthcare-related expenses or lost revenues attributable to COVID-19
• Must not use the funds to compensate for expenses or lost revenues that have been reimbursed from other sources (i.e., FEMA funding, state grants, program-specific funding, commercial insurance, etc.)
32. Provider Relief Fund Terms and Conditions
Supporting Records
• Maintain all records and cost documentation to support the appropriate use of funds, and provide them to the Secretary of HHS upon request
• Substantiate use of funds for increased healthcare-related expenses or lost revenue attributable to COVID-19, and evidence that those expenses/losses were not reimbursed from other sources
• Submit quarterly reports to reflect total receipt of funds as well as a detailed list of all projects/activities in which covered funds were expended
Other Compliance Requirements
• Restrictions on balance billing of out-of-network COVID-19 patients (i.e., seeking to collect more than what the patient would have otherwise been required to pay if he/she was an in-network patient)
• Restrictions on using funds to pay for excessive salaries of physicians or executives beyond a defined level
33. Provider Relief Fund Monitoring/Best Practices
Upon the decision to retain the funds, the following activities should be taken in order to manage the funds going forward and support compliance with the terms and conditions:
• Develop reasonable methodologies for calculating lost revenues across key lines of business and affiliated entities
• Develop mechanisms to identify and track COVID-19-related expenses
• Develop policies, procedures, and standards regarding necessary documentation to support the use of funds and compliance with HHS’s terms and conditions
• Establish infrastructure for tracking all COVID-19 funding sources and ensuring that the funds are not being used for duplicate purposes
• Develop monitoring plans to mitigate unique funding compliance risks, such as audits around balance billing, use of funds for excessive physician and executive salaries, etc.
• Monitor and communicate newly published regulatory guidance to applicable stakeholders
34. OIG 2020 Active Work Plan Items - COVID-19
Audit of CARES Act Provider Relief Funds—General and Targeted Distributions to Hospitals
• Objective is to determine whether providers that received PRF payments complied with certain Federal requirements, and the terms and conditions for reporting and expending PRF funds.
Audit of Medicare Telehealth Services During the COVID-19 Pandemic: Program Integrity Risks
• CMS implemented a number of waivers and flexibilities that allowed Medicare beneficiaries to access a wider range of telehealth services without having to travel to a health care facility. This review will be based on Medicare Parts B and C data and will identify program integrity risks associated with Medicare telehealth services during the pandemic. We will analyze providers' billing patterns for telehealth services. We will also describe key characteristics of providers that may pose a program integrity risk to the Medicare program.
35. Telehealth During COVID-19
The Coronavirus Preparedness and Response Supplemental Appropriations Act includes a provision allowing the Secretary of HHS to waive certain Medicare telehealth payment requirements during the Public Health Emergency to allow beneficiaries in all areas of the country to receive telehealth services, including at their home.
Starting March 6, 2020, all Medicare patients are eligible for telehealth services. The rural-only patient requirement was suspended. This expires at the end of the Public Health Emergency.
CMS publishes a list of services that are normally furnished in-person that may be furnished via Medicare telehealth. Services are described by HCPCS codes and paid under the Physician Fee Schedule (see next slide).
36. Telehealth During COVID-19
CMS publishes a list of services that are normally furnished in-person that may be furnished via Medicare telehealth. Services are described by HCPCS codes and paid under the Physician Fee Schedule. There are 3 categories of services:
• Medicare Telehealth Visits
• Virtual Check-in
• E-visits
37. Telehealth During COVID-19
New Jersey Telehealth Requirements (as of November 16, 2020)
• Any NJ licensed healthcare provider may provide telehealth services. Licensed out-of-state providers must have a pre-COVID-19 relationship with the patient to conduct a telehealth encounter unless the encounter only concerns COVID-19.
• Providers are permitted to use alternative technologies such as audio-only telephone or video technology commonly available on smartphones and other devices as long as the standard of care is met.
• Patient may orally consent to telehealth services.
• If there is no pre-existing provider-patient relationship, the provider must (1) inform the patient of his identity, professional credentials and contact information and (2) identify the patient by name, DOB, phone number and address.
• A provider is no longer required to review a patient’s medical history and medical records prior to an initial telehealth encounter. Providers should use clinical judgment to obtain relevant medical history and review available medical records to meet applicable standards of care.
• If the patient consents, the provider must forward the records of the telehealth encounter to the patient’s primary care provider or a provider that the patient requests.
38. Role of Internal Audit During COVID-19
The following are questions as to how internal audit should focus based on the COVID-19 impact on the organization:
• How relevant is the current audit plan and what parts of it require recalibration?
• How does Internal Audit keep pace with the speed of changes occurring in the business, including changes in the control environment?
• How does the department pivot to help the organization address new business risks?
• How does an internal audit team better use technology and data to gain insight?
The response to the above questions is that Internal Audit should take a more data-driven approach that monitors and takes action quickly to help the organization navigate the risks created by COVID-19. This can be achieved through a simplified continuous risk assessment that uses technology to monitor COVID-19-related risks from an internal audit perspective.
39. Role of Internal Audit During COVID-19
Re-calibrate its approach to cyclical audit planning and coverage of risk
• Adopt an agile management approach
• Embrace short-term prioritization and regular review/updates to the IA plan to mirror the changing pace of risk and assurance needs
• Collaborate with key stakeholders to understand new and/or elevated risks and assess how best to support with the provision of assurance.
Continue to deliver ongoing assurance activities without disrupting critical operational areas during times of crisis
• Accelerate the deployment of analytics to deliver IA work remotely, increase coverage, focus on outliers, and reduce business interruption, while still providing valuable insights and assurance.
Work more closely with external providers to reduce disruptions of the business
Provide an objective voice to organization teams who need to make decisions quickly
40. Role of Internal Audit During COVID-19
Reconsidering Threats and Risks
• At the onset of the virus, some internal audit functions reacted by lending their risk management expertise to help resolve immediate service delivery and operational issues.
• Leveraging investments in data analytics to identify relevant key performance indicators facilitated the automated monitoring of risks.
• Risk assessment involves providing audit services for new and emerging risk areas.
• For example, some organizations made temporary changes to service delivery models to quickly restart operations, which made up for shortages in employees.
• These events led to the curtailment of specific traditional controls, requiring new risk mitigation strategies and enhanced audit monitoring.
• Especially of concern to internal audit were questions of how exceptions to controls and risk acceptances were granted, as well as third-party risks, including supply chain disruptions.
• Finally, recovery and, in some cases, survival planning is another example of internal auditors lending their expertise in facilitating organizational objectives.
41. Role of Internal Audit During COVID-19
Enhanced Monitoring and Reporting
• To the extent available, internal auditors are also using data provided by vendors and third-party service providers to enhance monitoring capabilities. Internal auditors have dedicated more time to reviewing external assessment reports, such as Service Organization Control (SOC) 1, SOC 2, and internal reports provided by vendors. These can include performance reports, information feeds, industry benchmark activity reports, and compliance with service-level agreements.
• Some areas of focus include ensuring compliance with regulatory expectations, despite the challenges caused by COVID-19. Activities include documentation, coding and billing audits regarding: (1) medical necessity; (2) billing for services not provided; (3) failure to use coding modifiers; and (4) upcoding.
42. Challenges For Internal Audit During COVID-19
Continue to function effectively where stakeholders have competing priorities
• Reduce the amount of stakeholder input and produce short, sharp advisory pieces, and leverage system access and available data to the greatest extent
• Provide more frequent updates
Consider alternative methods of gathering evidence of control execution or absence of documentation related to confirmation of key steps
• There might be circumstances of control override, with employees seeking workarounds to existing security protocols and internal controls in order to keep the business operating effectively
• Fraud incentives are increased in times of crisis
43. Internal Audit Department Structure
In-sourced: In-house staff performs internal audit functions
Outsourced: Hire a third-party firm to provide resources to perform internal audit functions
Co-sourced: Use a blend of internal and external resources to perform internal audit functions
44. Internal Audit Department Structure: In-source
Description
• A formally established department comprised of staff reporting to the Board and an appropriate member of Senior Management
Advantages
• Builds and retains institutional knowledge
• Helps to foster internal ownership of issues
Disadvantages
• Independence can be impaired over time
• Potential limited depth of technical skills can reduce effectiveness
45. Internal Audit Department Structure: Outsource
Description
• Third-party firm provides all components of the internal audit function and reports to a member of the Board and an appropriate member of senior management
Advantages
• Independent and objective
• Greater insights into alternative approaches and best practices
Disadvantages
• Dependence on strength of third-party relationship and capability
• Potential staff continuity issues
46. Internal Audit Department Structure: Co-source
Description
• Third-party firm supplements internal audits on a project-by-project basis at the direction of Senior Management or the Board
Advantages
• Can obtain appropriate specialized or technical skills for each audit area on an as-needed basis
Disadvantages
• Discretionary use might lead to lack of focus
47. Questions? Contact your Presenters
Michael A. Serluco, CPA
Partner, Healthcare Services
mserluco@withum.com
(732) 759 6821

Marc Stein
Principal, Healthcare Advisory Services
mstein@withum.com
(732) 828 1614