‘UT SOUTHWESTERN MEDICAL CENTER a mame eter Char Acai Amnsation February 24, 2010 Kenneth Shine, M.D. Executive Vice Chancellor for Health Affairs The University of Texas System 601 Colorado Street Austin, TX 78701 Dear dete Enclosed for your information is a copy of the University of Texas Southwestern Medical Center at Dallas Internal Audit Report — 10:23 Billing Compliance. 1 concur with the auditors’ recommendations. Five recommendations are being implemented. Sincerely, Daniel K. Podolsky, M.D. Enclosure ce: John Roan Charles G. Chaffin Robert Rubel 5323 Hany Hines Bid Dallas, Texas 75390-9002 | 214-648-2508 Fax 214-648-8690 ‘woalsouthwestem eds‘The University of Texas Southwestern Medical Center at Dallas Billing Compliance 10:23 February 24, 2010 Office of Internal Audit 5323 Harry Hines Boulevard Dallas, Texas 75390-9017 (214) 648-6106Billing Compliance- 10:23 © ‘The University of Texas Southwestern Medical Center at Dallas FY 2010 ‘Auorr REPORT February 24, 2010 Dr. Daniel K. Podolsky, President The University of Texas Southwestern Medical Center at Dallas 5323 Harry Hines Boulevard, MC 9002 Dallas, Texas 75390-9002 Dear Dr. Podolsky: ‘The University of Texas Southwestern Medical Center at Dallas Office of Internal Audit has completed its 10:23 Billing Compliance audit as detailed below. Executive Summary The Billing Compliance function at UT Southwestern Medical Center is comprised of two billing compliance programs: 1) Hospital Billing Compliance and 2) Professional (physician and non-physician practitioners) Billing Compliance. Unive Hospitals Billina Compliar Pi The audit identified a significant finding in the Hospital Billing Compliance program. Despite being part of the Medical Center since 2005, the Hospital Billing Compliance program has not established a framework to apply key elements of the “Office of inspector General (OIG) Supplemental Compliance Program Guidance for Hospitals”. As a result, we recommend that the Hospital Billing Compliance program be restructured and designed to incorporate the OIG Supplemental Compliance Program Guidance for Hospitals published in the Federal Register, Vol. 70, No. 19. Additionally, we recommend that University Hospitals’ billing compliance efforts be consolidated to promote full coverage of hospital billing compliance risks. Finally, we recommend development of a cohesive risk assessment ‘and a corresponding audit plan which links to risks identified. (See Finding 1.) Professional liance Progra The Professional Biling Compliance Program has well-designed processes which are consistent with “OIG Compliance Guidance for Physician Practices , Federal Register Vol. 65, No.194" and “MDaudit™ Guiding Principles for the University of Texas System.” By incorporating all key elements of OIG and UT System guidance, the Professional Billing Compliance program has ‘established a framework to provide reasonable assurance that the Professional Billing Compliance Program objectives and mission are being achieved. To enhance the implementation of this framework as designed, we provided the following recommendations: Professional billing compliance failures Should be timely monitored; systemic failure rates should be identified, reported and 10:23 Billing Compliance ~ February 24, 2010addressed at the department level; periodic reviews of MDaudit"™ Professional users’ tights should occur; and finally, the Professional Billing Compliance Plan should be updated to reflect the current structure and practices. (See Findings 2-5.) Background The UT Southwestem Medical Center's Billing Compliance function is intended to establish a framework for legal compliance with applicable federal and state billing laws and regulations. The Medical Center's Billing Compliance function consists of two programs: 1) University Hospitals Billing Compliance and 2) Professional Billing ‘Compliance. u Hospitals Com Biling Compliance responsibilities reside with four different groups: The Hospital Compliance Director (HCD), the Billing Compliance Office (BCO), Patient Financial Services (PFS), and Maxim, an outside vendor. Hospital Billing Compliance risk assessments have been prepared by both the HCD and BCO. However, the HCD and BCO assess risks in different ways, and there is litle coordination of risk assessment ‘and other hospital billing compliance efforts between the two functions. Following is a discussion of the current resources used and roles performed by each Hospital Billing Compliance component: » The Corporate Compliance Director for the University Hospitals functions as the Hospital Compliance Director (HCD). ‘She currently does not have assigned staff to perform hospital billing compliance ‘audits. The HCD prepares a risk matrix which documents management's assessment of risks; however, hospital billing compliance risks identified in the HCD's risk matrix are different than risks identified by BCO. «The BCO has developed a risk assessment patterned after risks identified in the OIG work pian and the RAC (Recovery Audit Contractor) audits as well as other sources. While only one Billing compliance auditor is dedicated solely to University Hospitals billing compliance, seven of the Billing compliance auditors (including the Director) have obtained a hospital coding certification, CPC-H (Certified Professional Coder-Hospital). A CPC-H certification qualifies the Billing compliance auditors to perform hospital billing compliance audits. MDaudit” Hospital is scheduled to go online in the second quarter of 2010; however, only. assurance reviews of department self reviews, rather than audits, are currently planned for Hospital Biling Compliance. MDaudit "™ Hospital is an audit software tool that automates the administrative aspects of the billing compliance auditing process. Additionally, a supervisor for the BCO is tasked with performing the ‘Quality Assurance Review of the outside auditor's (Maxim's) work. + Two PFS nurse auditors provide billing compliance audits on an ad hoc basis along with their other assigned responsibilities. * Maxim is contracted to perform quarterly audits of the University Hospitals’ Diagnosis Related Group (DRG) billings. 10:23 Billing Compliance ~ February 24, 2010Professional Billing Compliance ‘The Professional Billing Compliance function is housed within the BCO and includes an established framework for compliance. The BCO consists of a Director and eight billing compliance auditors. The auditors use MDaudit™ Professional to globally audit professional biling across the Medical Center. MDaudit™ Professional is an aucit Software tool that automates the administrative (Le., risk profile development, sample selection, provider/hospital audit results tracking, audit results reporting, etc.) aspects of the billing compliance auditing process. Five of the billing compliance auditors (including the Director) are certified medical coders (CMC) in physician coding and 4 billing compliance auditors are certified professional coders (CPC). These certifications qualify them to perform professional billing compliance audits. ‘As part of its auditing approach using MDaudit"™ Professional, the BCO has developed a risk assessment patterned on risks identified in the OIG work plan. The approach includes annual audits of all providers who have billed for services during the year. Cases selected for audit are based on risks outlined in the OIG work plan and specific to the Medical Center. The designed approach includes quarterly and semi-annual follow-up audits of providers who do not meet certain scoring thresholds. Audit Objectives ‘The primary objective of this audit is to provide reasonable assurance that there are adequate and effective controls applied by the University’s Billing Compliance functions: © To ensure all identified medical billing risks to the UT Southwestern Medical Center and its affliated University Hospitals are appropriately managed. © To build compliance consciousness into daily operations through monitoring procedures and consistent application of corrective, restorative, and/or disciplinary actions in instances of non-compliance. ‘Scope and Methodology The audit covered the period of September 1, 2008 through January 31, 2010. To achieve our objectives, we assessed risk, conducted interviews, observed operations, researched criteria, analyzed processes, and tested controls. This audit is a risk-based audit from the fiscal year 2010 audit plan. Our examination was conducted according to guidelines set forth by The University of Texas System's policy, UTS129 “intemal Audit Activities’, the Regents’ Rules and Regulations, and the institute of Intemal Auditors’ International Standards for the Professional Practice of Internal Auditing Significant Findings Significant audit findings/recommendations are submitted to and tracked by the U. T System Audit Office. Quarterly, the chief business officers are asked for the status of implementation, which is verified by the internal audit directors. A quarterly summary report is provided to the Audit, Compliance, and Management Review Committee of the U. T. System Board of Regents. Additionally, the Committee members receive a detalied summary of "new" significant findings and related recommendations quarterly. 10:23 Biling Compliance — February 24, 2010‘Audit Results/Recommendations (Our audit results and 5 recommendations regarding the billing compliance functions are detailed below. 4. Hospital Billing Compliance has not established a framework to apply key elements of OIG Guidance for Hospitals. The Hospital Billing Compliance program has not established a framework to apply key ‘elements of the “OIG Supplemental Compliance Program Guidance for Hospitals’. The OIG Supplemental Compliance Program Guidance for Hospitals, Federal Register, Vol. 70, No. 19 states: “Hospitals should develop detailed audit plans designed to minimize the risks associated with improper claims and billing practices.” Additionally, the OIG guidance recommends: annual re-evaluation of audit plans, follow-up of previous audit findings, clearly established audit roles, qualified and independent auditors with requisite certifications, evaluation of audit error rates, and review of all billing documentation in support of claims. Further review identified a lack of a cohesive Hospital Billing Compliance program to promote full coverage of hospital biling compliance risks. The current Hospital Billing ‘Compliance program is fragmented with responsibilities split among four groups: 1) Billing Compliance Office (BCO) 2) Hospitals’ Compliance Director (HCD) 3) Patient Financial Services (PFS) ~ Nurse Auditors; and 4) Maxim, an outside vendor. ‘Compounding the effects of the fragmented program structure is a general lack of coordination and communication among the groups mentioned above. For example, two separate risk assessments pertaining to University Hospitals billing compliance have been developed. For FY 2009, the Billing Compliance Office prepared a isk assessment for the University Hospitals, based on the OIG work plan and the RAC audits. At the same time, the HCD at the hospitals has prepared a risk matrix which addresses University Hospitals’ management's assessment of billing compliance risks; however, it is not based on OIG work plan criteria. ‘Additionally, a risk-based billing compliance auditing plan has not been developed to address BCO and HCD identified risks. As a result, audit coverage is not adequate to address these risks. Planned compliance audits will promote early prevention, detection, and response to business conduct that is inconsistent with federal and state laws and with Medical Center values. Through early detection and timely reporting, the Medical Center will benefit from planned audits that assist in minimizing loss and reducing exposure to potential civil damages and penalties, criminal sanctions, and administrative remedies, such as program exclusion. Our review of best practices of other premier University Hospital compliance programs identified common factors associated with these programs including: a centralized billing compliance group, 40:23 Billing Compliance - February 24, 2010 oe© acohesive risk assessment, and an annual audit plan charged to perform compliance assurance audits in those areas with the highest risks. Recommendation We recommend that the Hospital Billing Compliance program be restructured and designed to incorporate the OIG Supplemental Compliance Program Guidance for Hospitals published in the Federal Register, Vol. 70, No. 19. Additionally, we recommend consolidation of efforts to ensure complete coverage of University Hospitals billing compliance risks. We further recommend development of a cohesive annual risk assessment and corresponding audit plan. A monitoring system for the audit plan should be developed to ensure that planned audits are actually performed. Timely follow-up of audit results is needed to ensure corrective actions occur. Management Response: AVP, Office of Compliance: We ‘agree. We will work with the Executive Compliance Committee, Hospital Administration, the Hospital Compliance Director, and the Director of Billing Compliance to restructure the Hospital Billing Compliance program. We will design the program to include the OIG Supplemental Compliance Program Guidance for Hospitals published in the Federal Register, Vol. 70, No. 19. We will develop a cohesive annual risk assessment and corresponding audit plan. A monitoring system for the audit plan will be developed to ensure that planned audits are performed. Timely follow-up of audit results will be performed to ensure corrective actions occur. Hospital Compliance Director: We ‘agree. We will work with the Executive Compliance Committee, Hospital Administration, the Assistant VP of the Office of Compliance, and the Director of Billing Compliance to restructure the Hospital Billing Compliance program. We will design the program to include the OIG Supplemental Compliance Program Guidance for Hospitals published in the Federal Register, Vol. 70, No. 19. We will develop a cohesive annual risk assessment and corresponding audit plan. A monitoring system for the audit plan will be developed to ensure that planned audits are performed. Timely follow-up of audit results will be performed to ensure corrective actions occur. Responsible Party: ‘AVP, Office of Compliance and Hospital Compliance Director Implementation Date: July 30, 2010 2. Professional Billing Compliance failures were not timely monitored. ‘While the MDaudit ™ model was effectively designed, its implementation has been hampered by delayed quarterly reviews. The BCO did not enforce established 10:23 Billing Compliance — February 24, 2010 -5-timeframes for disputes and did not perform any quarterly reviews while disputes went unresolved. Professionals receiving failing scores are placed on a quarterly review schedule to coincide with their annual review. At present, professionals with failing ‘scores from the first quarter of 2009 will not receive their quarterly reviews until the second quarter of 2010. Further delays in review increase the risk that billing compliance violations, errors, etc. go unheeded increasing the Medical Center's potential exposure risk of civil damages and penalties, criminal sanctions, and administrative penalties, such as program exclusion. Our analysis of dispute rates revealed resistance from Department Chairs and Billing Managers and lack of enforcement of established timelines for resolving disputes of BCO findings. Internal Audit tested all 46 professionals who received failing scores on their annual reviews in the first quarter of 2009. From the 512 professionals reviewed by the BCO for that quarter, 46 professionals received failing scores. We tested all 46 and determined that results were disputed for twenty (43%) of the 46 professionals with failing scores. Due to disputed results, professionals were granted delays in recelving required quarterly reviews. ‘The Professional Billing Compliance Plan is clear on the process to complete and finalize audits. The Billing Compliance Advisory Committee (BCAC) has authorized a fourteen day period for departments and providers to respond to audit findings ‘submitted by the BCO. However, after that fourteen day period, another two week period of time has been given for providers to respond to the BCO. Also, it is BCO policy that a professional cannot be put on a review plan unti the audit is completed and finalized, ‘The current dispute process promotes further delay by Department Chairs, Billing Managers, or Professionals who do not want to accept the scores they received. The dispute process often runs into the next annual cycle for testing, subsequently interfering with the necessary quarterly and semi-annual reviews that are required to be ‘completed for that period of time. Recommendation: Enforce the established timetable set forth in the Billing Compliance Plan as authorized by the BAC for handling dispute resolutions. Additionally, the BCO should continue to perform quarterly reviews, irrespective of ongoing disputes over MDaudit™ scoring. Management Response: We agree. We will enforce the established timetable set forth in the Billing Comy Plan as authorized by the BCAC for handling dispute resolutions. Additionally, the BCO will continue to perform quarterly reviews, imespective of ongoing disputes over MDaudit™ scoring. le Party: Director of Billing Compliance Implementation Date: May 31, 2010 10:23 Billing Compliance — February 24, 2010