3 Risks of Conducting a Compliance Self Audit

By: Valery Bond

Healthcare practitioners, boards of directors, compliance and safety officers have heard time and time again that compliance programs should work in conjunction with routine self audits and reviews to assess the internal condition of a business. Performing a compliance self audit can be effective, but there are also risks that these key staff members need to be aware of.

A seasoned compliance officer should recognize that the first question to ask about any compliance program is “does the program address and protect the organization from risk?” The second is “how are risks determined and who is to correct any deficiencies found?” And thirdly, “how is the board kept informed of significant developments or regulatory exposure points that affect compliance?”

Herein lie the three risks of self-auditing:

  1. the ability to identify the risk;
  2. the wherewithal to address the deficiencies, or in some cases, disciplinary actions taken and resolved to report to the board; and
  3. proper recording of such reports.

Even a seasoned staff member responsible for compliance may not recognize a risk, nor know how to report it to the board of directors, let alone keep minutes for the same. The OIG has identified that board of director participation, or lack thereof, is a fineable offense. The oversight obligation is based on the fiduciary responsibility that the board members owe to the organization. Simply not knowing the requirement of board participation leaves a healthcare agency exposed. Everything compliant and non-compliant must be reported and recorded with an organization’s board.

Anyone inside an organization who is responsible for regulatory compliance should be utilizing metrics to assist in finding risk factors. For example, coding and billing audits should be conducted and compared, with variances in performance identified year over year to track and trend. Without a metrics report, how can a compliance officer or responsible staff member accurately report to the board of directors and demonstrate the need for correction? Further, a minute book that includes a risk assessment report, resolutions and corrective actions must be recorded and maintained.

These three risk areas can easily be overlooked in a compliance self audit. Providers are well served to bring in full-spectrum compliance consulting support to ensure staff is well trained for meaningful and risk-reducing outcomes.
