Healthcare Business Management Association - HBMA

Risk Assessment



I scrub government websites daily for compliance updates, and it amazes me how every year hundreds of providers are arrested for defrauding the government out of millions of dollars. In fact, on June 25, 2014, the Centers for Medicare & Medicaid Services (CMS) reported that its fraud prevention system identified or prevented $210 million in improper Medicare payments during its second year of operation (fiscal year 2013). Below are statistics from the Office of Inspector General's (OIG) website:

  • In 2014, OIG reported 465 criminal actions against individuals or entities that committed crimes against Health & Human Services (HHS) programs. It also reported 266 civil actions, including false claims and unjust-enrichment lawsuits filed in federal district court, civil monetary penalties settlements, and administrative recoveries related to provider self-disclosure matters. OIG reported the exclusions of 1,720 individuals and entities from participation in federal healthcare programs.
  • In the first half of fiscal year 2014, OIG reported expected recoveries of more than $3.1 billion consisting of nearly $295 million in audit receivables and about $2.83 billion in investigative receivables, which included about $813.7 million in non-HHS investigative receivables resulting from work in areas such as the states' shares of Medicaid restitution.

Additionally, CMS announced that it expects to expand use of its fraud prevention system beyond its initial focus of identifying potential fraud into areas of waste and abuse, which will increase future savings.

I travel across the US providing consulting services on compliance, and I tell my clients to use the following two-step process:

  1. Train and educate providers that now is the time, more than ever, to be proactive versus reactive when it comes to healthcare compliance.
  2. Train and educate leaders to perform risk management and sustain a culture of compliance.

The world of compliance is one that never ends. You start by assessing the organization's risk and determining any hazards or vulnerabilities tied to a risk or risks. The next step is to prioritize each risk. Once that step is completed, you should put control measures into place, such as training and education, policies and procedures, purchasing equipment, and hiring more personnel.

Risk Assessment
Broadly defined, risk management includes any activity, process, or policy to reduce liability exposure. From both a patient safety and a financial perspective, it is vital that medical organizations and physician practices conduct risk management activities aimed at preventing harm to patients and reducing medical malpractice claims. One tool used in risk management is a risk assessment.

A risk assessment allows you to identify, track, and manage vulnerabilities and weaknesses within your medical organization. The assessment helps to prioritize high-risk areas for more effective compliance management. A risk area such as employees not knowing about your emergency plan would need to be prioritized as "high risk." Learning to prioritize your risk areas is just as important as knowing how to conduct the risk assessment.

Let's start with why risk management is important using an example of documentation. The OIG recommends examining three months of claims/services submitted after implementing a compliance program to establish a benchmark to measure future compliance against. The other aspects of your audit (sample size, audit tools, and risks) are subject to your medical organization and other logistics. In general, the OIG recommends auditing five or more medical records per federal payor, or five to ten random medical records per physician, or 10 percent of the payor's/physician's case volume.

A random sample of claims from a payor or physician is usually audited first. Include in your audit a review of your most commonly used diagnosis, procedure, supply codes, and modifiers. If necessary, you might follow up with a focused audit of just claims that report codes identified as high risk for fraud or abuse. Using a claims analyst checklist will help you identify the appropriateness of coding, documentation, and completeness of claims. The checklist should help you answer important questions such as:

  • Was the service actually performed and was it documented appropriately?
  • Are correct physician and/or practice ID numbers (NPI) (TID) listed on claims?
  • Is documentation appropriately signed and dated?
  • Is there a procedure code that would more accurately reflect the service performed?
  • Does documentation support the code(s) reported?

The risk assessment may involve updating clinical documents to ensure that the documents used encourage clear and complete documentation of patient care.

Benchmarking will allow you to chart your compliance efforts by showing either an increase or reduction in the number of claims paid or denied. By performing a three-month claims audit, you can determine whether claims were submitted accurately and reflect that all services performed were documented and billed. You can also ensure that all services provided were reasonable and medically necessary. It will be important to ensure that there aren't any incentives for providers to perform unnecessary procedures or services. Ultimately, you're looking for a 95 percent accuracy rating. For our example risk assessment, our score is a 35 percent accuracy rating. We came up with this rating for the following reasons:

  • Provider billed for service but only nurse saw patient
  • Documentation did not support the diagnosis billed
  • Patient was seen at nursing facility, which wasn't place of service on claim
  • GZ modifier had to be applied due to not having appropriate advanced beneficiary notices

Policies to Ensure Compliance
Our next step would be to either create or update policies and procedures relevant to the above findings to ensure better compliance. The following policies should be implemented:

  • Coding and Billing for Services – to establish criteria for the correct coding and billing of medical services
  • Incident to Billing – to establish criteria for the correct coding, billing, and supervision requirements of medical services completed by nonphysicians
  • Medical Documentation – to establish criteria for following medical record documentation guidelines as published by CMS
  • Nursing Facility Billing – to ensure compliance with applicable regulations with services rendered in a nursing facility setting
  • Advanced Beneficiary Notices – to ensure employees are educated on provider-ordered items or services that do not meet the requirements of medical necessity and on when to provide patients with an ABN

Once the policies are implemented, all employees must be provided with a copy of the new policy and attest that they understand the policy, will follow it, and know that they will be held accountable for noncompliance. If further training and education are needed, then it should be provided, as well. It is a best practice to have the attestation kept in the employee's file for future reference. The circle of compliance will then continue. I advise my clients to closely monitor the policies and procedures built for adherence. Leaders should not be afraid to hold employees accountable for noncompliance.

The only constant in healthcare is change. Therefore, policies should be reviewed on an annual basis for updates. Of course, some policies, especially billing or federal regulations, may have to be updated sooner. Most importantly, you never want to have a policy in place that your medical organization or practice no longer follows. If you come across an outdated policy, it is a best practice to inactivate the policy immediately and investigate why it is not currently being followed and continue to monitor others for compliance.

Michelle Ann Richards is the compliance manager for the American Association of Professional Coders' (AAPC) Compliance Division. She has more than 20 years of healthcare leadership experience. Richards was part of the team responsible for building 7Atlis, AAPC's compliance solution software ( She has successfully built a network of healthcare attorneys while providing compliance assistance to their clients on corporate integrity agreements or under government radar. Richards works with independent physician practices, hospitals, hospital-owned physician practices, federally qualified health centers, and third parties in healthcare across the US. She can be reached at
