As regulatory pressures increase and healthcare compliance issues grow more complex, internal audit and compliance programs must work together to help organizations address risks effectively and efficiently. However, this can be challenging in the current environment, where healthcare systems are consolidating, competition among providers for patient volume is increasing and expense reduction is on everyone’s mind.


Healthcare compliance audits involve assessing adherence to regulations with components like documentation and privacy measures. Key stakeholders, including healthcare providers and regulators, benefit from improved compliance, data security, and transparent healthcare operations, ensuring patient trust and regulatory compliance for sustained success.

What are Healthcare Compliance Audits?

Healthcare compliance audits are systematic evaluations of a healthcare organization's adherence to various regulations (like HIPAA), laws, internal policies, and procedures to ensure patient safety and mitigate the risk of non-compliance while delivering top-notch patient care.

One substantial risk in today’s competitive environment is that providers must routinely enter into contractual agreements with key physicians to deal with the demands of population-based healthcare and the competitive healthcare landscape. These trends leave hospitals caught between the demand to “get deals done” and the need to implement robust compliance procedures to ensure these arrangements are compliant with federal and state laws.

Additionally, the healthcare industry is facing increasing legal fines and penalties for a range of issues related to noncompliant activities.

  • U.S. Department of Justice (DOJ) recovered $6 billion from False Claims Act cases in 2014.
  • $2.3 billion recovered from cases against federal healthcare programs (Medicare and Medicaid) [1].
  • Office of Inspector General (OIG) and DOJ resolved 971 criminal cases and 533 civil cases.
  • Over 700 whistleblower lawsuits have netted total recoveries of $22.75 billion since 2009 [1].

This evidence underscores the critical need to strengthen proactive governance oversight of healthcare providers by building strong and transparent compliance and audit programs that interact effectively throughout the organization.


Common Compliance and Audit Risks in Healthcare

The absence of action: Lack of attention to high-risk areas in an organization can result in potential whistleblower claims, investigations, defense expenses and the possibility of fines and penalties, along with negative publicity. One example is a contract management process or workflow that is disorganized or does not anticipate all the steps that need to be taken in relation to physician compensation arrangements. This absence of action, such as not performing proper Fair Market Value assessments of the associated payments or not accurately monitoring time and effort reporting, is an early indicator of subpar contract management of the physician agreement process. Such inaction shows a failure to identify issues proactively and a lack of reporting transparency, and it could lead to significant regulatory exposure.

Compensation between referral-related organizations: Additional risk lies in the exchange of money or benefits between and among referral-related organizations, such as pharmaceutical and medical device companies, physicians and service providers. These payments must be monitored to ensure compliance with the Stark Law, Anti-Kickback Statute and appropriate state laws.

No conflicts of interest procedures: Hospitals should implement conflicts of interest disclosure policies and manage a robust process to ensure all conflicts are identified and managed proactively. No agreement should ever be in place that offers compensation related to past, present or future referrals.

Monitoring and auditing federal claims for healthcare services: Any claims paid by the federal government that are not compliant with coding and documentation regulations, or that result from a Stark Law violation, and that lead to a pattern or practice of overpayments can potentially be subject to fines and penalties under the federal False Claims Act. This risk increases when routine audits of the documentation, coding and billing of paid claims are not performed, or when an organization does not perform all of the necessary compliance tasks associated with physician compensation arrangements. When creating an annual audit work plan, an organization should establish the frequency of audits based on the internal and external risks and factors relevant to the area under review.

Reactive program: Responding immediately to resolve problems that have already been identified addresses only part of the compliance function. A best-practice compliance and audit program operates proactively rather than reactively. A well-laid-out audit and compliance program can anticipate organizational and industry risk, which helps identify potential areas of investigation and helps budget resources. Preparing the organization to perform these functions is critical to success. The compliance program should be viewed as an investment, not as an expense of doing business.

Best-practice compliance, contract management and conflict of interest reporting help ensure there are neither inducements nor incentives for physicians to refer patients to a particular hospital for reasons other than quality of care or the best interest of the patient.


Foundational Elements of Compliance and Audit
  • Healthcare governance: The board of directors should establish and oversee the organization’s commitment to corporate responsibility. By following the U.S. government’s best-practice compliance program guidance, board members have visibility into problems or concerns, and compliance and audit leadership have a direct reporting relationship to the board. Board members should be aware of, and able to oversee, initiatives related to the code of conduct, policies, procedures and measures for preventing and responding to violations. Most importantly, the results of all audits and investigations should be presented to the board body designated to oversee the audit and compliance function. The structure of this relationship can be scaled to the size and complexity of the organization.
  • Autonomy of compliance and audit officers: The audit and compliance officer should have a direct reporting relationship to the board and be able to bypass management or organizational interference and pressures in certain situations. Total transparency can only happen if the board can meet with compliance and internal audit officers without management representation or fear of reprisal.
  • Enterprise Risk Management (ERM) program: Many organizations perform ERM assessments to plan for potential areas to proactively invest their audit resources. Many organizations are beginning to perform this function on an annual basis. ERM areas commonly include risk in billing, operations, finance, human capital, IT, legal and reputation. Many experts suggest engaging the applicable department leadership proactively in these discussions, so they feel included in the ERM efforts. Also, for these efforts to gain traction in an organization, it is important that leadership “sell” the importance of the project.


Responsibilities of Audit and Compliance Committees

Audit committees’ roles and responsibilities can vary among organizations, depending on size, ownership and structure. However, audit committees commonly function as subcommittees of the board with board representation. They offer oversight and direction to the compliance and audit programs. Some of their functions might include engaging external auditors for an annual financial audit or a for-cause review, assessing high-risk and high-value contracts and their management oversight, approving and monitoring audit work plans, receiving reports from management, reporting findings to the full board, assuring that the conflicts of interest disclosure process is functioning as designed, and vetting any inappropriate behavior or unethical influences. The audit and compliance committee should have the final say on audit results. “Audit shopping,” or the act of seeking additional opinions because of unfavorable findings, must be disallowed. When an external audit is necessary, careful due diligence should be performed proactively to assure the selection of an expert third party.

Compliance committees typically function to support the compliance program and the compliance officer. Typically, the compliance officer chairs these meetings, develops an agenda of items to be discussed and produces meeting minutes. The breadth of a compliance committee’s responsibilities can differ from one organization to another (as with the audit committee). However, sharing of audit results, education plans, industry updates and other compliance program points of interest are typical discussion points. Committee representation typically includes, in addition to the CEO and a board representative, leaders from the following disciplines: Operations, Medical Staff, Nursing, Finance, Human Resources, Billing, Coding, Privacy/Security, Information Technology, Health Information Management and Physician Extenders. Of course, all organizations are different, and this list can vary.

How to Establish Cohesive Audit and Compliance Committees

Setting up audit and compliance committees for success requires having certain criteria for conducting the function established in advance.

These routinely include:

  • Have a charter in writing.
  • Pre-establish rules and constraints.
  • Define roles of different members and their responsibilities.
  • Establish clear guidelines on voting rights.
  • Include provisions to hire outside counsel.
  • Have the authority to renew appointments and terminate management.
  • Review external audits and conflicts of interests.
  • Make provisions for recusal obligations.
  • Ensure positive interactions with stakeholders.

Fulfilling these criteria requires certain strategies. The audit and compliance committees should foster open communication with other departments, be alert to actions by any board member that amount to intimidation tactics, and support members and guests who bring unpopular news. The committees should also establish accountability and authority and enforce meeting restrictions when needed. These include excusing the president, board members, the CFO or other stakeholders from discussions when there is a conflict of interest or the discussion pertains to that individual. Conflict of interest disclosure policies should be established proactively for all board members, and there should be an opportunity at each meeting for recusal if areas of conflict are discussed.


Technology to Strengthen Audit and Compliance Efforts in Healthcare

Healthcare organizations can also boost compliance and audit efficiency with a robust, integrated technology platform. An effective way to achieve this is to standardize internal controls and create a centralized repository for the organization’s controls, including those for operational efficiency, regulatory compliance and financial reporting. Additionally, these controls need to be directly associated with all applicable regulations, processes and identified or anticipated risks. An integrated governance, risk and compliance solution could potentially help healthcare providers and payers efficiently monitor regulatory changes, automate risk assessment and audits, effectively manage policies and procedures and streamline training programs.

Advanced solutions can support different types of audits, such as IT audits, financial audits, compliance audits, supplier audits and quality audits, and provide end-to-end functionality to manage the audit lifecycle. Additionally, an enterprise risk management approach increases visibility into the organization’s risk profile, including the multitude of internal and external risks and the controls implemented to mitigate them. Such an approach allows managers to prioritize response strategies for the best risk-reward balance.

A critical challenge for the healthcare industry is to manage documents and align policies and procedures with the regulatory compliance system. Lastly, it is important that audit and compliance reports convey the proper information to the governance body. Reports should highlight the applicable regulatory changes, associated controls mapped to the new regulatory requirements, existing control assessment results, training gaps, the number of policies that require updates, risk assessments and other key data.


Moving Forward

Healthcare is one of the most complicated markets in the world economy. Government regulatory intervention to monitor healthcare organizations has become more sophisticated, which requires that healthcare organizations evolve with it. To do so, it is imperative that compliance and audit processes work closely together to be proactive and to resolve issues quickly and appropriately as they arise. This will validate the enterprise’s corporate responsibility and protect its integrity.
