Prescription for Health-care Audits
Using data analysis tools with surgical precision can enable auditors to diagnose problems afflicting their organization
CLIFF THERRIEN, CIA
SENIOR AUDITOR, FAIRVIEW HEALTH SERVICES
Although many audit groups use data analysis techniques to conduct accounts payable and payroll audits, with a little imagination they can accomplish much more. Deciding how to use data analysis and data mining technologies can be a bit intimidating at first, but with practice, they can become indispensable audit tools.
For auditors at Fairview Health Services, a regional health group based in Minneapolis, the greatest fear was conducting tests and coming up with substantial findings only to have care system managers systematically dismantle the auditors' methods and conclusions to the point that their findings became irrelevant. By putting some thought into their projects and keeping their scope narrowly focused, the audit group found success in areas such as verifying employee and vendor eligibility and searching for fraud and error in its pharmacy operations.
MATCHING RECORDS
Given the unique environment of health-care providers and the growing concern about whether foreign-born employees are appropriately documented, verifying the legitimacy of employees and vendors is a major concern for Fairview. Failure to comply with either of these conditions could result in hefty fines or loss of eligibility for federal or state programs and grants. Fairview's auditors routinely conduct tests to verify that employees and vendors have a legitimate right to work for, or conduct business with, the company. In these tests, auditors verify employee and vendor master records against several reputable sources of free, third-party data.
To help combat health-care fraud, the U.S. Department of Health and Human Services' (HHS') Office of the Inspector General (OIG) maintains a database on its Web site listing individuals and organizations that are not allowed to work for, or conduct business with, health-care facilities receiving Medicare or Medicaid payments. The database can be downloaded from http://oig.hhs.gov/fraud/exclusions.html. By importing the database into data analysis software, Fairview's auditors can match the list to the company's employee and vendor master files to identify potential excluded providers. After verifying that the data has been imported into their data analysis software correctly, auditors prepare it for analysis by:
- Separating name fields in the employee records or OIG data into three fields: first name, middle name, and last name.
- Joining the employee records to the OIG data by matching the last name only and splitting the resulting last name matches into two separate files: one where the first names match and another where they do not. In "Employee Data Verification" on page 33, the OIG data shows the name Al K. Sanders, but the employee records list the name Al M. Sanders. Because the middle initial is different, this match can be eliminated and the remaining three kept for confirmation.
- Visually reviewing the second file where the first names do not match for first names that may be written differently, such as William and Bill. However, auditors don't spend a great amount of time doing this because there are many records, and they could end up wasting time chasing false positives.
- Returning to the OIG Web site after matching by name to confirm or clear the names on their short list by entering tax ID numbers. The OIG displays a confirmation page that can be saved and used as a workpaper.
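The matching steps above, sketched in Python as an added example (not code from the article or from Fairview's audit tools). The names are constructed sample data apart from the Al Sanders pair the article mentions, and the function names and the "First Middle Last" input layout are assumptions.

```python
from collections import defaultdict

# Constructed sample data; only the Al Sanders pair comes from the article.
EMPLOYEES = ["Al M. Sanders", "Maria Lopez", "Bill T. Harmon",
             "Dana R. Whitfield", "Chris Nguyen"]
EXCLUDED = ["Al K. Sanders", "Maria E. Lopez", "William T. Harmon",
            "Dana R. Whitfield", "Pat Oduya"]

def split_name(full_name):
    """Split 'First [Middle] Last' into normalized (first, middle, last)."""
    parts = [p.strip(".,").upper() for p in full_name.split()]
    if len(parts) < 2:
        return ("", "", parts[0] if parts else "")
    return (parts[0], " ".join(parts[1:-1]), parts[-1])

def match_exclusions(employees, excluded):
    """Join on last name only, then sort each pair into one of three piles."""
    by_last = defaultdict(list)
    for name in excluded:
        last = split_name(name)[2]
        if last:
            by_last[last].append(name)
    confirm, review, eliminated = [], [], []
    for emp in employees:
        e_first, e_mid, e_last = split_name(emp)
        for exc in by_last.get(e_last, []):
            x_first, x_mid, _ = split_name(exc)
            if e_first != x_first:
                # Second file: first names differ, so a person looks for
                # variants such as William and Bill.
                review.append((emp, exc))
            elif e_mid and x_mid and e_mid[0] != x_mid[0]:
                # Both records carry a middle initial and they disagree.
                eliminated.append((emp, exc))
            else:
                # Short list to confirm or clear by tax ID on the OIG site.
                confirm.append((emp, exc))
    return confirm, review, eliminated

if __name__ == "__main__":
    labels = ("confirm by tax ID", "visual review", "eliminated")
    for label, pairs in zip(labels, match_exclusions(EMPLOYEES, EXCLUDED)):
        print(label, pairs)
```

A missing middle initial on either side keeps the pair on the confirmation list, because absence of data is not evidence of a mismatch.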
Auditors can further identify excluded providers by matching employee or vendor master files to a database maintained by the U.S. Government Accountability Office, which can be downloaded in a variety of formats from www.epls.gov. Any potential matches identified can be verified by clicking on the "Exact Name and SSN/TIN" link at the top left of the Web page. However, because this file contains 62 fields listing alias names and addresses, auditors can spend considerable time merging them all into one field and eliminating duplicates. Audit groups may want to avoid tackling this hurdle or allow for time to format the data.
UNCOVERING FRAUD
Another way data mining and analysis can help auditors is by verifying existing information to discover fraud. In April 2007, Fairview's pharmacy department was undergoing a system conversion, and auditors obtained its script files and physician database to review whether pharmacies were effectively controlling prescriptions.
One of the key fields in the department's records is the U.S. Drug Enforcement Agency (DEA) number, which is a series of numbers assigned to a health-care provider permitting it to write prescriptions for controlled substances. A valid DEA number consists of nine characters. The first two characters are always letters. The first letter identifies the type of registrant such as a practitioner, teaching institution, or researcher. A partial list of these registration codes is available from Wikipedia at http://en.wikipedia.org/wiki/DEA_number. The second letter is the registrant's last initial. The remaining numeric characters contain an algorithm to further check validity. This check-digit algorithm can be calculated by:
- Adding the second, fourth, and sixth digits and multiplying the sum by two.
- Adding the first, third, and fifth digits.
- Adding these two sums together.
The far-right numeral of the resulting number should be the same as the seventh digit, which is the last character of the DEA number. If the check figure does not compute correctly, the DEA number is invalid and has either been entered into the pharmacy application incorrectly or was provided fraudulently.
Using data analysis software, auditors recalculated the DEA number algorithm and identified every physician who prescribed controlled substances and whose DEA number was incorrect. Because this data includes information on physicians outside of the company's care system, auditors took the additional step of purchasing from the U.S. Department of Commerce a CD-ROM containing all valid DEA numbers and the physicians to whom they are issued. Auditors extracted more than 1 million records from the CD-ROM, imported the data into analysis software, and verified the physicians' DEA numbers, names, addresses, and DEA number expiration dates directly from the source data. Their analysis revealed that the pharmacy's prescription application, which stores physician and prescription data, was not automatically recalculating the DEA number check-digit algorithm. The pharmacy department quickly addressed the problem and completed a cleanup of the physician data. All records with incorrect DEA numbers that could not be verified were deleted, forcing the number to be re-entered and the check-digit recalculation performed the next time a prescription is filled for that physician.
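The check-digit recalculation and the sweep over physician records described above, as an added Python example (not code from the article or from the pharmacy application). The physician records and DEA numbers are constructed, the function names are assumptions, and the format rule follows the article's description of two letters followed by seven digits.

```python
import re

# Format as the article describes it: two letters, then seven digits.
DEA_FORMAT = re.compile(r"^[A-Z]{2}\d{7}$")

def dea_check_digit(six_digits):
    """Compute the expected check digit from the first six digits."""
    d = [int(c) for c in six_digits]
    doubled = (d[1] + d[3] + d[5]) * 2   # second, fourth, sixth digits, times two
    plain = d[0] + d[2] + d[4]           # first, third, fifth digits
    return (doubled + plain) % 10        # far-right numeral of the total

def validate_dea(number, last_name=""):
    """Return the list of failed checks; an empty list means the number passed."""
    value = number.strip().upper()
    if not DEA_FORMAT.match(value):
        return ["format"]
    problems = []
    if dea_check_digit(value[2:8]) != int(value[8]):
        problems.append("check_digit")
    # The second letter should be the registrant's last initial.
    if last_name and value[1] != last_name.strip().upper()[:1]:
        problems.append("last_initial")
    return problems

# Constructed physician records for illustration only.
PHYSICIANS = [
    {"id": 1, "last_name": "Baker", "dea": "AB1234563"},
    {"id": 2, "last_name": "Sanders", "dea": "BS1234567"},
    {"id": 3, "last_name": "Jones", "dea": "AM1234563"},
    {"id": 4, "last_name": "Tran", "dea": "FT9876547"},
    {"id": 5, "last_name": "Olsen", "dea": "AO123456"},
]

def sweep(records):
    """Return {physician id: failed checks} for every record that fails."""
    findings = {}
    for rec in records:
        problems = validate_dea(rec["dea"], rec["last_name"])
        if problems:
            findings[rec["id"]] = problems
    return findings

if __name__ == "__main__":
    for physician_id, problems in sweep(PHYSICIANS).items():
        print(physician_id, problems)
```

A number that passes is only internally consistent; the auditors in the article still compared numbers, names, addresses, and expiration dates against the source data.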
LESSONS LEARNED
Verifying the status of employees and vendors and detecting prescription fraud are among the many unique projects Fairview's audit group has completed using data analysis techniques. A key component to the success of these endeavors is the commitment of audit managers to constantly ask, "What else can we do?"
As with any audit process, it is important to document what auditors did with data analysis tools to achieve their results. Only then can auditors reproduce their work to corroborate audit findings and answer skeptics who question their assertions. At Fairview, however, auditors are more often asked to perform deeper analysis for more specific results. This has resulted in more project requests from business managers and invitations from audit clients to come back after their corrective action has been implemented.
Cliff Therrien, CIA, is senior auditor at Fairview Health Services in Minneapolis.
Reprinted with permission from Internal Auditor magazine, April 2008 issue.




