Hospitals, like all healthcare organizations, are subject to numerous state and federal laws, rules, and regulations. But, unlike other healthcare organizations, hospitals often face enhanced scrutiny from state and federal authorities due to the outsized role they play in our nation’s healthcare system.

As a result, while all healthcare organizations need to prioritize compliance, hospitals must be especially certain that they have their ducks in a row for risk management purposes. Hospital administrators and compliance officers must be confident in the efficacy of the compliance programs and internal controls of their healthcare organizations—and they must be prepared to show they are operating effectively and demonstrate this efficacy to state and federal authorities when necessary.

“Conducting regularly scheduled internal audits is a key component of an effective healthcare compliance program for hospitals. Not only must hospitals conduct these audits in order to gain a clear understanding of the health of their compliance programs, but being able to demonstrate ongoing efforts to assess and maintain compliance can also be critical when dealing with state or federal authorities.” – Dr. Nick Oberheiden, Founding Attorney of Oberheiden P.C.

One of the most effective ways for healthcare organizations or hospitals to maintain and demonstrate compliance is by conducting routine internal auditing and keeping the hospital board aware throughout the internal audit processes. In an ideal scenario, these internal audits will serve as risk assessment to confirm the hospital’s compliance, and the hospital’s documentation of the audit will simply get added to the pile of records documenting its successful (or “passed”) audits which show it's operating effectively. But, if a hospital has compliance issues that need to be addressed, conducting regularly scheduled internal audits will ensure that the hospital is able to address these failures and key risks in a timely fashion, before state or federal authorities (such as the Centers for Medicare and Medicaid Services (CMS) or a Medicare Fraud Control Unit (MFCU)) discover them during an external audit or investigation.

Conducting an effective audit is a multi-step process that requires structure, organization, accountability, teamwork, a disciplined approach, and in-depth knowledge of all pertinent sources of state and federal authority. It also requires an unbiased approach, as the goal is accurately evaluating and understanding of the state of the hospital’s compliance program (and not to confirm compliance or find a way to spin compliance failures in order to secure a passing grade). For hospitals, conducting internal audits also requires precision and tact, as: (i) focusing in the wrong areas can result in a waste of resources; (ii) failing to identify all pertinent sources of information can result in a less-than-comprehensive assessment; and, (iii) failing to protect sensitive information uncovered during the audit can create unnecessary risk in the event of an external inquiry.

10 Steps for Conducting an Internal Hospital Audit for Compliance

With all of this in mind, what is involved in conducting an effective internal compliance audit for a hospital? Here are 10 key steps toward successfully navigating the internal audit and evaluation:

1. Initiate the Internal Audit

Initiating an internal audit should be a formal process. The hospital should engage outside counsel for the audit specifically, and the hospital’s engagement agreement should make clear that counsel is advising and representing the facility during the internal audit procedures. This will help with preserving the attorney-client privilege—which can be critical in the event that the internal audit uncovers unfavorable information.

Formalizing the internal audit also helps with underscoring the importance of the process and establishing it as a time-limited event. Internal audits should be efficient, and they should not drag on as other priorities get in the way. An internal audit should have clear objectives, a clear start, and a clear end.

2. Review the Hospital’s Compliance Program

The purpose of an internal audit is to assess the effectiveness of the hospital’s compliance program and internal controls. As a result, when conducting an internal audit, the first step is to review the compliance program itself. All members of the internal audit team (both internal personnel and outside counsel) need to have a clear understanding of what the hospital should be doing, as this will allow for the identification of any clear compliance issues, concerns, key risks, or potential red flags.

Many hospitals and hospital departments have compliance checklists that they (or their outside counsel) have developed specifically for purposes of assessing compliance during an internal audit. For healthcare providers that have these checklists, using them is fine—as long as they are up-to-date and reflect the hospital’s current compliance obligations.

3. Review the Current Laws, Rules, and Regulations

The laws, rules, and regulations that govern hospital operations change frequently. Conducting regularly scheduled internal audits serves not only as a mechanism for assessing and maintaining compliance with a hospital’s existing obligations, but for identifying and addressing any new obligations as well. At the outset of the audit process, the hospital’s administrator and compliance officer should work with outside counsel to ensure that they are aware of any newly applicable compliance obligations, and they should incorporate any such obligations into their facilities’ compliance programs and their internal audit procedures.

4. Assemble the Internal Auditing Team

Due to hospitals' sizes and the complexity of their systems and operations, conducting an effective internal audit requires a carefully selected, high-performing team. The team should include the hospital’s compliance officer, chief information officer, in-house and outside counsel, and other individuals such as billing managers and systems managers who have relevant subject-matter expertise to comprise the team of internal auditors. Generally, the same individuals should manage the hospital’s internal audits on an ongoing basis, though the hospital’s leaders and counsel must give due consideration to the risk of certain individuals on the team underperforming or having a compromised interest in the outcome of the audit processes.

5. Assign Roles, Responsibilities, and Reporting Obligations

Each member of the audit team should have a clearly defined role and defined operational responsibilities. All team members should also have clear reporting obligations, as this will ensure that all pertinent findings end up in the audit report. Over time, assigning the same roles and responsibilities to the same team members will enhance the efficiency of the audit process; though, once again, the hospital’s leaders and counsel must be careful not to become overly comfortable or too trusting of the team they have in place. The audit process itself must have checks and balances to ensure that it serves its intended purpose.

6. Identify All Sources of Relevant Information

Comprehensiveness is critical when conducting an internal audit. The internal audit team must identify, collect, and examine all relevant information from all data sources. If even a single relevant source goes overlooked (i.e., an employee’s smartphone or an offsite cloud server), this can compromise the efficacy of the internal audit. Crucially, in this scenario, not only is there a risk that the audit will fail to uncover relevant information; but, if this happens, the hospital’s leadership will be unaware of the deficiency. This can put the facility in a precarious situation in the event that state or federal authorities uncover the overlooked information (and the deficiency in the hospital’s audit procedures) during an external examination.

7. Examine the Data

Once the internal auditors and the rest of the team have identified all relevant information sources, the next step is to examine the evidence. This includes not only the hospital’s billing data (including Medicare, private insurance, and other payor data), but information regarding the hospital’s patient communication practices, privacy practices, telehealth practices, prescription practices, and other regulated operations as well. There are numerous aspects to hospital compliance, and each aspect demands equal scrutiny. Again, if a hospital’s internal audit is non-comprehensive in any respect, this will jeopardize the efficacy of the audit, and it will prevent the hospital’s management and hospital board from making informed decisions.

8. Conduct a Comprehensive Compliance and Risk Management Assessment

After examining the data, the hospital’s outside compliance counsel will conduct a comprehensive compliance assessment. The primary purposes of this assessment are twofold: (i) to determine if the hospital is adhering to its compliance program; and, (ii) to determine if the hospital’s compliance program addresses all pertinent legal and regulatory requirements. Assessing compliance requires in-depth knowledge of all of the law, rules, and regulations that apply; and, as a result, it is imperative that healthcare organizations work with highly experienced outside attorneys who focus their practice specifically in the area of healthcare compliance.

9. Document the Internal Audit Appropriately

In certain respects, appropriately documenting internal audits is just as important as conducting the audit itself. Without proof of an audit’s completion and results, the hospital will not be able to demonstrate compliance to state or federal authorities. Likewise, if a hospital’s documentation of internal audit omits key information, this will raise questions about the sufficiency of the audit, and this in turn will raise questions about the sufficiency of the hospital’s compliance program.

10. Determine (and Take) Appropriate Next Steps

Finally, once the audit process is complete, the hospital’s administrator and compliance officer should work with outside counsel to determine (and take) appropriate next steps. If an audit confirms that the hospital is in full compliance, then the next steps may simply be to maintain the status quo. But, if an audit uncovers compliance deficiencies in any area of the hospital’s operations, then the hospital’s leadership will need to work with outside counsel to promptly address the deficiencies—both in terms of updating the hospital’s compliance program and remedying the hospital’s past compliance failures.