Compliance audits are a vital part of maintaining a compliant, effective, and efficient revenue cycle.
Without regular audits, it’s essentially impossible to identify systems that need to be revamped or functions that could be streamlined.
However, what happens after those audits is just as important. How do you take the critical information revealed in a compliance audit and put it into practice?
Here, we’ll dive into how RCM teams can get the most out of their audit findings, focusing on four critical strategies:
- Building a strong audit response team
- Prioritizing and categorizing issues
- Conducting root-cause analysis
- Implementing technological solutions
Let’s get started!
Understanding the Audit Landscape in RCM
Types of Audits and Their Impact
There are several types of revenue cycle audits that RCM teams ought to conduct. Some of the most common are:
- Compliance audits, which look at an organization’s compliance with applicable healthcare laws, regulations, and industry standards;
- Coding audits, which evaluate the accuracy of your medical coding practices;
- Documentation audits, which evaluate the accuracy and thoroughness of medical documentation practices; and
- Revenue integrity audits, which are a big-picture assessment of your organization’s overall financial health.
Each audit type has different processes but they all ultimately have the same goal: identifying areas for improvement. The results of your audit can include findings such as backed-up medical billing workflows that are slowing down your revenue cycle, inaccuracies with a specific group of codes, or a lack of clear policies on a certain compliance issue.
In this piece, we’ll focus on compliance audits, which are one of the most common types and can also result in highly impactful findings for your organization—especially if your revenue cycle audit reveals that certain regulations aren’t being followed.
Common Compliance Issues Identified in Audits
There are countless regulations that healthcare RCM departments must comply with. Without regular audits, keeping track of all of them on an ongoing basis is nearly impossible. Indeed, staying compliant requires diligent, ongoing efforts to remain proactive, rather than reactive.
Common compliance risks or issues that audits can identify include:
- Lack of telehealth provider qualifications in terms of licensing, billing, or operations
- Data security measures that are not up to industry or regulatory standards
- Broken processes for medical coding
- Issues arising from a switch to a value-based care compensation model
- Lapse in or lack of protocols for requirements like risk assessments, conflict of interest reviews, etc.
- Gaps in training for new and current staff, or lack of training resources for continuous learning
The implications for each of these findings differ in degree of urgency, but all findings need to be addressed.
For example, if your audit shows that new staff are having trouble accessing certain training materials, that’s a problem that can likely be remedied quickly—at least to a workable degree, while a long-term solution is put into place.
However, if your audit were to find a serious cybersecurity vulnerability in one of your systems, that would require swift and immediate action to avoid potential data breaches. These in turn could lead to privacy issues for your patients, loss of reputation for your organization, and regulatory fines or punishments.
Proactively Addressing the Results of an RCM Compliance Audit
Once a compliance audit has been completed and the results are in, it’s time to build a plan of action. With the right plan and the right team in place, you’ll come out of the internal audit stronger than you went in.
1. Build a Strong Post-Audit Response Team
Your post-audit response team members are the ones who will communicate and lead the implementation of the changes your audit has identified as necessary.
It’s a complex, important job—and one that requires team members with different skill sets. The ability to take quick action and effectively communicate needs and changes to staff is paramount.
Assembling the Right Team
The audit response team should be led by your compliance officer or a member of your compliance department staff.
Other members should include individuals whose work covers different functions of your RCM, such as coding or reporting. Any senior staff who have experience dealing with audits should be included, along with less experienced staff who can learn from them.
The team leader can then delegate the work of reviewing the audit findings and developing plans to meet the recommendations or requirements. Those plans should include:
- What will be done
- Who will do it
- When it will be completed
Establishing Effective Communication Protocols
Clear, respectful, and efficient communication between your audit response team and the rest of the RCM team will go a long way toward making sure the audit recommendations are implemented fully and in a timely manner.
The first order of business is transparency: Let your entire team know who is on the audit response team, what their roles are, and what team members may be asking of staff members as they go through the process of remediation. Otherwise, staff may be understandably confused or on guard if a fellow employee interviews them on how they conduct their work!
It’s also important that your audit response team sticks to the facts when communicating about audit findings, timelines, or goals. Statements of problems should be factual and stated in precise terms.
As with any protocol, your communication protocol should be clearly documented and easily accessible by your post-audit team members.
performance-driving RCM insights?
2. Prioritize and Categorize Issues
When deciding how to proceed after an audit, RCM leaders should take a methodical approach.
Risk-Based Prioritization
Risk-based prioritization is a method for determining which issues pose the greatest risk to an organization and the order in which they should be addressed.
Typically, there are four levels of risk:
- Tolerable, or having little to no impact on your day-to-day operations
- Low, or having a low impact on your business with a low likelihood of occurring
- High, or having a high impact on your business with a high likelihood of occurrence
- Intolerable, or having a critical impact on your business that could cause significant harm
So, if an audit found significant potential for a data breach in one of your systems, that would likely fall into the High or Intolerable category of risk, placing it above something like a need for greater staff training on a certain issue. That might pose a Low or Tolerable risk, depending on what specifically the training gap covers.
Developing a Categorization Matrix
Because deciding what category of risk an issue falls into needs to be as objective as possible, a categorization matrix can be extremely useful.
The matrix consists of an X-axis that graphs “Impact” and a Y-axis that graphs “Likelihood.” You can see an example below:
Utilizing Decision Trees
Decision trees are another useful tool in determining risk and how to remediate it. Because they are a visual representation of steps to take based on specific situations, they can be easier for staff to utilize than a series of written instructions.
3. Conduct Root Cause Analysis
Root cause analysis is a method of uncovering the underlying, or root, causes of issues that emerge in an audit.
Often, those root causes are hidden behind other, more visible issues, which is why this is such an important step. Without conducting root cause analysis, you might fix a compliance issue for a short time, only to have it emerge yet again in your next audit.
Steps in Root Cause Analysis
While there are several different ways to conduct root cause analysis, one of the simplest involves merely asking the question “Why?” until you arrive at the root of the problem.
In other words, for a specific issue that needs remediation, you would ask why that issue is occurring. When you get the answer, you ask “Why?” again. If you continue doing so, as many times as needed, you’ll find yourself at the root cause of the issue.
Here’s a simplified example:
Problem: The number of patients on payment plans has declined.
Why has the number declined?
Answer: Patients are not being offered payment plans until the third contact.
Why are they not being offered payment plans until the third contact?
Answer: Representatives were not aware they were allowed to offer payment plans before that point.
Why were they not aware?
Answer: The written protocols for payment plans state that they should not be offered until that point.
In this case, it seems the root cause is that the written protocols need to be updated, as they are giving employees the wrong information.
4. Implement Technological Solutions
Technology can be a huge help when it comes to effectively addressing audit findings. Automation, data security, and ongoing monitoring are just a few of the functions that can be streamlined using technological solutions.
Technological Tools for Audit Management
Technology is integral to all RCM functions, and audit management and response is no different.
Whether it involves encrypting data to protect confidentiality, automating the comparison of patient email addresses with public records of known personal email addresses, or another solution, technology can provide critical support to staff and help address the root causes of issues.
Overall, technology enables the continuous monitoring of RCM processes and controls, rapid identification of non-compliance, the ability to quickly develop targeted mitigation plans, and last (but certainly not least)—reduced regulatory risk.
A Checklist for Post-Audit Response
Finally, we’d like to leave you with a simple checklist outlining the steps to take post-audit. These are the same steps our team at Revco takes each time we go through an audit (and we do so frequently!).
Post-Audit Reporting & Remediation
- Document audit findings with evidence to prove your conclusion.
- If non-compliance is discovered, follow internal procedures to remediate.
- Log all issues and their associated remediation status. This should include strict timelines.
- Perform follow-up audits to confirm that any issues identified have been fully remediated.
Ongoing Monitoring
- Audit continuously, using technology and spot checking where necessary.
- Make addressing identified issues efficiently part of your overall process. To do so, you’ll need to ensure that they are documented, communicated, and remediated in a timely manner.
Elevate Your RCM Performance with Revco
The most effective healthcare organizations use audits to identify opportunities for growth. At Revco, we do the same. We’re committed to serving our clients with excellence, and we’re constantly calibrating our processes for the best results.
If you’re ready to reach new levels of financial health, explore our Early Out, Bad Debt, and Denials Management services today.