A strategic co-sourcing partnership: Healthcare system chooses Protiviti as its trusted adviser in internal audit and compliance

Healthcare organisations are under growing pressure to meet compliance obligations, maintain profit margins, optimise the revenue cycle functions and reduce risk. Most risks in the healthcare industry are exacerbated by provider organisations performing a variety of services and having decentralised operations across multiple states — risks audit and compliance functions must address. Some organisations try to build a robust internal audit department to address the inherent complexity of their operations; others look outside to form long-lasting relationships with experienced partners they can trust.

One healthcare organisation, with multiple locations across the United States, chose the latter path. The healthcare system had experienced significant growth and changes in recent years; however, its internal audit function was having a hard time addressing all aspects of the ever-expanding enterprise effectively. The organisation recognised that the internal audit function had a lot of capacity but chose not to audit certain areas because it did not have the right expertise internally.

To address these challenges, the organisation sought to revitalise its internal audit function through a co-sourced partnership with a respected firm with deep healthcare expertise. The CEO was familiar with Protiviti’s extensive knowledge of the industry and proven internal audit expertise through his work as the chair of the audit and compliance committee of another healthcare provider organisation where Protiviti served as the outsourced internal audit function.

The CEO invited a Protiviti team to conduct a comprehensive, top-to-bottom assessment of the internal audit programme to assist in understanding where the current programme differed from leading practices, to identify opportunities for improvement and to provide a detailed road map to attain world-class status. The objectives were clear: Determine if the current internal audit function had the following attributes:

1. Clearly defined purpose and role
2. Established governance and reporting structure
3. Qualified and skilled resources
4. Robust risk assessment and audit plan development process
5. Comprehensive and consistent audit approach
6. Robust audit and findings follow-up process

The assessment culminated in a final report delivered to the board of directors. The report identified several areas of opportunity which, when addressed, would meet the objective of achieving industry leader status for the internal audit function.

From an assessment to a strategic co-sourcing partnership

During the course of the assessment, the organisation’s internal audit team developed a close and productive working relationship with Protiviti, and the trust between the two organisations grew. Through the assessment, the organisation recognised Protiviti’s expertise in a range of healthcare risk management domains and invited other Protiviti specialty practice teams to address other risk areas across the enterprise, including compliance, IT audit and technical operations. Some of the key areas that Protiviti assisted with included:

Revenue cycle

Protiviti helped the organisation identify potential revenue opportunities within the billing function. Protiviti used data analytics to quantify outliers and select high-risk targeted accounts and performed sample-based testing to confirm instances where the billed amount was less than the contracted rate.

In addition, Protiviti performed an assessment of select billing and collection practices with a primary focus on compliance. An operational and analytical review was also performed of the denials management programme inclusive of identification, tracking, classification, root causation and resolution of denials incurred. Specific areas of review included collection follow-up protocols, timeframes and correspondence; medical necessity, clinical and coding denials, and appeals processes; and credit balance resolution and government overpayments.

Compliance

Protiviti performed a compliance review of drug diversion prevention and detection processes, billing for drug waste with the JW modifier, and controlled substance prescribing practices at three select facilities within the organisation’s system.

The organisation also asked Protiviti’s compliance practice to review select Centers for Medicare & Medicaid Services’ (CMS) conditions of participation (CoPs). Protiviti reviewed the organisation’s policies, procedures and practices for adherence to select, targeted components of the current CMS CoPs for hospitals and provided feedback on opportunities to align with CMS’ CoP stipulations more optimally.

Information technology

Protiviti assisted with several projects, including a payment card industry (PCI) programme review, which included an assessment of the reasonableness of oversight programmes and associated processes in place for complying with the PCI Data Security Standard (DSS). Protiviti also performed external penetration testing to assess vulnerabilities within the organisation’s cybersecurity environment. The scope of the penetration testing included the identification, analysis and exploitation of select vulnerabilities to demonstrate potential impacts, along with the use of web application testing, password attacks and social engineering techniques to determine areas that may be exploited by an attacker.

Finance

Protiviti supported the organisation with a review of its current processes for compliance with regulations under section 501(r) for tax-exempt hospitals, including the system’s community health needs assessment, financial assistance policy, determination of amounts generally billed and uninsured collection efforts.

Other projects

The organisation continues to rely on Protiviti as its trusted risk management partner to tackle several projects every year, including:

• HIPAA privacy, security and breach notification review: Evaluating the organisation’s existing programmes for enforcing compliance with the safeguarding of protected health information (PHI) as required by the Final Privacy, Security, and Breach Notification Rules of the Health Insurance Portability and Accountability Act (HIPAA).
• Behavioral health chart review: Reviewing select inpatient behavioral health encounters to determine if reasonable documentation exists to support applicable certification and recertification requirements.
• Critical care chart review: Reviewing select encounters associated with critical care services in order to determine if documentation and coding of critical care by providers is accurate and adheres to applicable CMS coding regulations.

A single-source relationship built on trust

Starting with an initial internal audit programme assessment, this healthcare provider is now characterised by a risk-based approach for audit and compliance, better corporate governance, and enhanced subject-matter expertise. The organisation partners with Protiviti on a recurring basis not only for internal audit assistance but also for compliance audit assistance, an area of opportunity uncovered in the initial comprehensive internal audit programme assessment. Through this collaboration, the organisation has completed several high-priority risk management projects and significantly raised the maturity of its compliance function.

More importantly, the organisation has gained a trusted adviser in Protiviti — an invaluable relationship in an industry characterised by constant regulatory pressure and change. Together, the two organisations are working hand-in- hand to deliver the world-class internal audit and compliance services that the CEO envisioned.