As health plans navigate a complex and evolving regulatory environment at both the state and federal levels, internal compliance audits are an important tool to help mitigate risks and maintain compliance. A proactive approach to internal compliance auditing allows health plans to evaluate organizational compliance with laws, regulations, or internal policy; assess internal controls; improve operational efficiency; and align operations with strategic goals. In this article, we answer common questions and share best practices to help health plans conduct internal compliance audits and leverage the results more effectively.
When and why should health plans conduct an internal compliance audit?
The purpose of an internal compliance audit is to identify compliance risks and operational inefficiencies to provide leadership with the most complete and accurate information to make decisions in line with strategic objectives. Internal compliance audits should be a regular part of a health plan’s compliance program, but the timing and motivation for initiating an internal compliance audit will depend on the organization’s unique circumstances, priorities, and risk.
For example, a health plan may decide to conduct an internal compliance audit to identify and address risks before a regulatory or accreditation body conducts an audit or survey. Alternatively, a health plan could initiate an internal compliance audit in response to a corrective action plan (CAP) or enforcement action, or a new threat that poses a risk to healthcare organizations.
How can health plans determine which areas or processes to focus on when conducting an internal compliance audit?
There is no one-size-fits-all road map for an internal compliance audit, so health plans will need to take the following steps to narrow their focus for each iteration of the audit process:
- Perform a risk assessment: Gather information from multiple input sources to identify potential compliance risks and evaluate them based on their probability of occurrence and severity of the potential impact on your organization. Internal sources include your organization’s own monitoring data, as well as previous public audits, surveys, CAPs, and enforcement actions. External sources include industry guidance from regulatory bodies, such as the U.S. Department of Health and Human Services (DHHS) Office of Inspector General (OIG) Work Plan.
- Create an audit work plan: Based on the insights gleaned in your risk assessment, develop a formal plan that outlines the key areas of focus for your internal compliance audit. It is important to gain support and buy-in from your organization’s leadership before proceeding. The audit work plan should be reviewed and approved by your organization’s board of directors and/or a compliance committee.
- Determine parameters: Define the scope of the audit, including which internal systems and processes to include, the look-back period and/or number of cases to evaluate, and the specific criteria used to assess effectiveness, compliance, and risk within these processes. These parameters should be cohesive; for example, the look-back period needs to coincide with the implementation of the process being audited.
What techniques can auditors use to gather information for an internal compliance audit?
Information for an internal compliance audit can come from a variety of sources, including:
- On-site observation
- Interviews with key personnel in relevant functions, e.g., management, operations, coding, claims/billing, patient care
- Open-ended questionnaires to a broad cross-section of employees
- Policies, procedures, and internal documents
- CAPs and external guidance
- Samples of actual materials produced during the process, such as reports, notifications, or communications, which help evaluate compliance and assess procedural effectiveness
Interviews should focus on open-ended questions that encourage staff to expound on their responses to provide a fuller understanding of their experience with the process. Be open to follow-up questions as you learn from each interviewee. Questions may include:
- How would you describe your role in the process?
- How were you trained for your role?
- Can you walk me through your typical daily routine?
- From your perspective, what about the process is working well, and what needs improvement?
- If you or someone else on the team were unavailable, how would others know how to keep the process moving?
- Are there any other questions I should ask you about the process?
Sampling is another useful technique for internal compliance audits, and one that requires a systematic approach to elicit meaningful insights. Auditors should select a sample large enough to give statistical confidence that the results accurately reflect the full data set. To help prevent selection bias, they should use statistical sampling methods such as random sampling, systematic sampling (selecting items at defined intervals in the set), or stratified sampling (dividing the set into strata before random sampling to prevent homogeneity). Experienced auditors with extensive knowledge of the data set may be able to select samples based on their judgment, rather than at random.
Who can serve as a health plan internal compliance auditor?
The most important criterion for an internal compliance auditor is to be impartial and independent from the process or system being audited, meaning they have not previously been responsible for operational implementation or decision making in that area, nor will they dictate operational decisions upon completion of the audit.
Auditors should also have the necessary qualifications and experience to execute the audit. For example, a non-clinician should not be responsible for auditing whether decisions based on medical necessity were in alignment with clinical guidelines, such as Milliman Care Guidelines (MCG). A non-clinician may audit whether decisions were made in a timely manner in accordance with federal, state, or accreditation standards; however, they may not evaluate the appropriateness of the clinical determination. Internal compliance audits can be conducted by an internal staff member or a third party, such as an attorney, a CPA, or a licensed clinical reviewer.
How should auditors conduct themselves throughout the internal compliance audit process?
In addition to remaining impartial and independent, auditors have other key responsibilities when conducting an audit, including:
- Planning and managing the audit process: Auditors help define the objective, scope, time frame, and information-gathering techniques, including which materials and how many to include. They’re also responsible for executing the audit according to the approved work plan.
- Communicating with key stakeholders: Holding a kickoff call with senior staff and important contributors before beginning the audit helps establish agreement on timelines, systems to be audited, sample sizes, and criteria. Upon completing the audit, the auditor is responsible for submitting an audit report that includes findings, conclusions, and recommendations, as well as discussing the report with key stakeholders.
- Documenting nonconformances: As the auditor gathers and interprets information within the scope of the audit, they should carefully note any nonconformances, instances in which the established processes or compliance standards were not followed according to the audit criteria, for inclusion in the final audit report. In cases of pervasive or gross nonconformance, auditors should be careful not to place blame or implicate anyone, and it may be best to discuss with legal counsel before documenting them.
- Checking adequacy and accuracy: Auditors should be sure they have access to adequate documentation and materials to conduct the audit according to the audit plan. As they create the audit report, they should check that all conclusions are clearly supported with evidence.
Throughout the process, auditors should comport themselves with honesty, fairness, approachability, patience, and courtesy to avoid influencing the outcome with their own behavior. The biggest compliment an auditor can receive is that the audit was fair.
What does an example internal compliance audit process look like?
The following example illustrates how the internal compliance audit process could look for a midsize regional health plan focusing on compliance and risk mitigation in the grievance handling process.
Step 1: Risk Assessment
The health plan’s compliance department conducts its annual corporate compliance risk assessment of grievances and identifies potential risks, including inconsistent documentation, delayed responses, and member dissatisfaction trends. Based on the probability of noncompliance, the severity of potential fines and reputational damage, and the direct link to member experience and regulatory scrutiny, the compliance department decides to prioritize grievance management as the focus of an internal compliance audit.
Step 2: Work Plan
The internal compliance audit team defines the audit objectives as follows:
- Assess compliance with CMS and state grievance requirements.
- Evaluate process efficiency.
- Identify areas of opportunity for improvement.
The audit scope includes a six-month look-back period of a sample of grievance cases across all product lines. The internal compliance audit team briefs department stakeholders on the audit purpose and timeline.
Step 3: Execution
The internal compliance audit team collects grievance logs, case files, system screenshots, and policy documents. The team tests case samples against applicable regulations and internal policies for timely acknowledgment, complete resolution, proper categorization, and documentation completeness.
Step 4: Reporting
The team creates an audit report, highlighting that 30% of grievances were resolved outside the required time frame; 15% were misclassified, leading to incorrect handling; and documentation was inconsistent in 40% of cases. Report recommendations include workflow redesign, staff training and education, and system enhancements.
Step 5: Risk Mitigation
The grievance manager collaborates with the compliance department to develop a CAP to address the observations and recommendations in the audit report. The CAP includes steps to implement a grievance tracking dashboard, update staff training materials, conduct ongoing refresher training, assign accountability to grievance team leads, and set measurable goals of 95% on-time resolution within 90 days.
Step 6: Reassessment
Three months after implementing the CAP, the team conducts a follow-up audit. Results show on-time resolution has improved to 92%, misclassification has dropped to 5%, and documentation compliance has improved to 90%. The improvements are deemed sustainable, with ongoing monitoring embedded into monthly compliance reviews.
Outcome
In this example, the internal compliance audit helped the health plan strengthen its grievance management processes, reduce potential regulatory risk, and improve member satisfaction. The team intends to replicate the audit model for other high-priority areas, such as appeals and prior authorizations.
How Forvis Mazars Can Help
Our payor services team at Forvis Mazars is committed to helping health plans maintain regulatory excellence by supporting a wide range of compliance matters. Our professionals include licensed clinical staff, Certified Healthcare Auditors, Certified Healthcare Compliance professionals, Certified Fraud Examiners, and Certified Professional Coders who can advise your internal compliance team or serve in the internal compliance auditor role. If you have questions or need assistance with an internal compliance audit, please reach out to our team today.