
A Regulatory Audit Shouldn’t Mean Panic for Health Plans: What You & Your PBM Should Do to be Prepared

January 29, 2019

Regulatory changes in the healthcare industry are continual, and it can be hard to keep up with all of the developments. However, errors and non-compliance can be costly to health plans. We all want to be compliant, not just to avoid fines and penalties, but to better serve and safeguard our members. Still, notification of a regulatory audit can send panic throughout an organization. Conducting your own internal audits can be critical to supporting compliance. By learning how to properly identify potential issues through risk assessments, conduct internal auditing and monitoring, properly utilize technology, and prepare with mock audits, regulatory audits no longer need to be feared.

See What Potential Issues Are Hiding: Steps for Identifying Risks

Risk assessments are a good starting point for taking the fear out of audits. With a risk assessment, you can:

  • Identify areas of exposure or challenges
  • Document the key controls, procedures and monitoring activities to safeguard against potential issues and keep them from happening
  • Develop further actions to mitigate risk exposures, if needed, and validate that any implemented processes are working

By categorizing risks as low, moderate or high, you can prioritize your audit work plan, addressing the highest risk areas more frequently and utilizing increased resources.

To start, an organization needs to identify its audit universes. These are the areas or functions a company utilizes to meet its objectives. As an example, a pharmacy benefit manager’s (PBM’s) audit universe could include:

  • Benefit Setup/Change
  • Eligibility
  • Fulfillment
  • Claims Adjudication
  • Customer Care
  • Clinical Operations
  • Rebates
  • Information Security
  • Accounting

Each area consists of key activities and procedures where risk assessments can be conducted to determine compliance and what is needed for the next internal audit cycle in order to mitigate risk.

The first step in conducting a risk assessment is to consult external or third-party reports, such as SOC1, which is an independent examination that provides information on the effectiveness of controls that could affect a plan sponsor’s financial reporting. It covers areas similar to the above PBM audit universes, providing examples for each component, as well as key financial reporting controls and testing results. EnvisionRx makes the SOC1 report available to all health plan clients as a resource. Because examinations, like the SOC1, are conducted by external parties, plan sponsors can obtain a higher level of comfort that controls are supporting effective risk mitigation.

It is also important to interact with people working on the frontlines when conducting a risk assessment. As an example, if you’re doing a risk assessment of the prior authorization process, you should interview pharmacists and pharmacy technicians who actually perform prior authorization reviews. They are familiar with all of the potential issues and challenges and can provide the information truly needed to assess risk.

After applying third-party and frontline sources, a plan sponsor can look for any remaining gaps to determine what should be included in the next internal auditing cycle and where it might be appropriate to reassess effectiveness in the upcoming cycle. With a risk assessment, you want to look at what could go wrong and what’s in place to stop that from happening.

Technology Lights the Way

We are seeing a paradigm shift away from the traditional auditing approach, where samples are selected at random and documentation is reviewed manually, to a more scientific approach utilizing data and technology. In fact, the Centers for Medicare and Medicaid Services (CMS) is decreasing reliance on audits in favor of continuous auditing through desktop procedures. Now, when CMS requests periodic reports and universe files, it’s not random because they’re using technology to identify anomalies in data. This means you should be using technology to identify anomalies as well.

There are various tools available today to support this new approach of analytics and monitoring, including data management, visualization and monitoring software programs. These tools allow you to collect hundreds or even thousands of records from multiple sources into one repository. Queries or scripts can then be run to analyze the data. Once these queries are created, they can be repeated at regular intervals (weekly, monthly, quarterly) to develop a continuous desktop monitoring program. Visualization software can then be utilized to summarize the details in charts and graphs, rather than creating lengthy paper reports.

To start a continuous desktop monitoring program like this, utilize the following steps:

  1. Identify a risk area or problem (this can be done using data from a risk assessment)
  2. Determine what you want to know or what question you want answered
  3. Identify the scope and criteria for the risk area you want to assess
  4. Determine availability of data needed to do the assessment
  5. Obtain access to the required data and enter it into your data management software program
  6. Perform analytical procedures or queries based on your criteria
  7. Act on results

If the data do not meet the rules established from your criteria, there is a potential issue that should be investigated further and, if needed, an action plan should be developed. The results of your desktop monitoring program can then be reported using visualization software.

EnvisionRx developed a continuous desktop monitoring program two years ago and has 14 scripts, 10 of which are run on a regular basis. Four key areas where your PBM should be using desktop monitoring include:

  • Eligibility – Ensure records of enrolled members and items like low-income subsidy eligibility are accurate and complete in your internal system compared to an external source, such as CMS
  • Clinical – Determine accuracy of items such as rejected claims and prior authorizations
  • Customer Care – Includes grievances and call episode tracking
  • Claims – Includes submission timeliness, error rates and financial reporting accuracy

Desktop monitoring uses less time and resources than traditional audit and monitoring techniques and provides a more real-time look at trends where you are able to examine high-risk areas, determine if there are any potential issues and take corrective action as needed. This allows for more confidence during a regulatory audit.  

Practice Makes Perfect

While doing risk assessments and implementing a desktop monitoring program can help prepare you for a regulatory audit, we all know practice makes perfect. That’s why it is important to conduct mock audits. A robust mock audit process ensures a continuous state of audit readiness.

To establish a mock audit program, use the following process:

  • Plan – Identify the audit participants, define their roles and set expectations. This should include a primary and backup audit team with cross functional representatives, such as pharmacists, members from operational units and the compliance department.
  • Execute – Select difficult cases to ensure your audit team is ready for anything.
  • Review – Review the audit results, provide a final report and get feedback.
  • Act – Complete any necessary corrective actions and remediations, as applicable.

By identifying your risks, using technology to continuously monitor risk areas and conducting mock audits, your organization can feel prepared and sleep well at audit time.

For more information on how the EnvisionRx Compliance & Ethics Department helps prepare you for audits and supports compliance, download our Guide to an Effective Compliance Program.
