Hello, everyone. I'm Brian Zimmerman with Becker's Healthcare. Thank you for joining us for this podcast. Today, I'm thrilled to be joined by Pam D'Apuzo, managing director, VMG Health, and Frank Cohen, senior director, VMG Health. And and today, we're gonna dive in and talk about building a continuous improvement model for billing and coding compliance. So so let's get into it here. Frank, I'm gonna tap on you to get us going on this first question, which is why is it essential for medical practices to conduct regular compliance risk analyses, And how can these analyses help identify potential vulnerabilities before they become critical issues? Well so, I mean, the thing to to remember is that medical practices, we're probably in one of the most tightly regulated and highly complex spaces of any other industry, except for maybe the aerospace industry or something like that. Because it's not just all the HIPAA rules that we have designed to protect patient data and all that, but you have centers for Medicare, Medicaid services conducting audits, Medicare administrative contractors, recovery audit contractors, comprehensive error rate testing. Right? The CERT program, the OIG, and the DOJ are involved in looking at these practices. You have the supplemental Medicare review contractors, zone program integrity, and I could just go on. Right? There's just the list goes on and on with all the different agencies that are focused on looking at the billing, and coding and billing, that goes on within these medical practices. So so, you know, why do they wanna do it? Well, one is to avoid penalties and lawsuits. Right? So these regulations, not only not only are there, like, tens of thousands of pages of confusing documentation that that talk about these the audit the rules and regulations for coding and billing that create these audits, but they change all the time. So trying to stay on top of them through regular risk checks is absolutely essential to avoid fines or even sanctions that go on, for some of these practices. The second is that we we need to protect patient data. So and even though we're talking about billing and coding audits, the HIPAA side is really important also because as the teams get access to the EHRs, to get access to the client data, and the medical records, we have to be sure that we're, protecting all the the confidential patient information as well. And so there, they have to look at things like software, whether they have, SOC 2 certification or HITRUST certification or whatnot. The other is we wanna be able to help them with operational efficiency. So what these analyses do is they highlight inefficiencies in the compliance, area of the practice. A lot of times, they don't even notice that that's the case. So if they fix that, they can streamline operations, even improve patient care. So for example, if we're coming in and doing high level, audit risk analysis, for example, in, either in, real time or prospective or retrospective audits, we can identify areas where there's patterns of potential coding and billing errors so that if you fix the cause, you don't have to deal with the symptoms later on. And the other would be building a compliance culture, which is really critical. So without these regular assessments, you don't know what's going on. And, you know, I was always of the opinion and and have preached that if you can't measure it, you can't manage it. And so the analytics becomes really important so that the compliance part of it stays right on the top of the priorities. So when when we get, if you can train people to understand the analytics and and to monitor what's going on, there's a lot less room for human error because we're more reliant upon the data components of it. And that's a real common cause of compliance violations is human error. So, ultimately, when you're done, these assessments act as a proactive tool. They take a look at the weak spots, like, you know, data security gaps, processing consistencies, coding and billing issues before they turn into big problems for the practice. Frank, I think you played all that out really comprehensively and clearly the stakes are are clearly high here. Pam, though, wanna make some space for you to add on if you if you wanna contribute anything additional on this first question. Sure. I think, you know, on the issues of the billing and the coding audits, which is an area that, you know, I work in quite often, I'll say that having that risk analysis to help identify potentially which services might be problematic and then being able to kind of dive in and see what those issues are and what the policies and procedures that the organization may have had in place, whether or not it's meeting the criteria, is very important. And I think that Frank touched on another very important area about operational efficiency. I think that not everyone views compliance as an area that might help in that space of efficiency, but it does. Because once you can identify what some of the issues might be related to coding, creating a template, for example, for the physician or the providers that might help them not only document compliantly to meet all of the requirements for that specific service, but help them more efficiently be able to do that in a way that will help them get through that documentation requirement a lot quicker, I think, is an important piece to to highlight as well. Yeah. These yeah. Definitely, the efficiency is something folks out there are definitely seeking. Pam, can you expand on how compliance auditing specifically complements risk analysis? What are some best practices there medical practices should also follow to to sort of ensure both of those areas are are effectively integrated? Yeah. I think combining those two areas of auditing with the risk analysis is really a complimentary tool that allows these practices to have a compliance program that is comprehensive. Without the combination of those two things, you are really unable to identify where there might be potential issues. Most medical practices feel that they're doing everything right. You know, they're busy, they're seeing patients, they're doing everything appropriately. But it's not until you conduct one the analysis and then follow that up with the audit to really be able to drill down and see where there might be some identified risk areas that need corrective action. And that corrective action is going to be varied depending on what issues are really, identified during the course of the audit. And once you identify what those issues are, you can compare that to what the policy and procedures are of the practice or the organization to identify where we can take that correction. We need to maybe update the policy and procedure, perhaps it's outdated. That's kind of another issue that we see quite often is that organizations or practices identify policies and procedures, they set them in place, but they don't go back and update them as regulatory areas are being updated and changed. We're seeing updates constantly. It's not just annual. We're seeing updates throughout the year. We see them on an annual basis. Like, now this time of year, we're starting to hear what's coming for the year ahead. This kind of fall, October through December is when we start to really hear what's coming for the year ahead. So looking at those new regulatory changes, updating policies and procedures to ensure that we're compliant with the new regulatory requirements is incredibly important, and then getting that information out to the providers. Routine education and training, unfortunately, is not part of every practice. So I think it's very important to have that be 1 and, you know, part of the compliance program is an annual education and training, and then have those updates as often as necessary depending on what the regulatory changes are. We also have CPT changes that comes out annually. We have ICD diagnosis changes. Those 2 are not happening in tandem. January 1st each year, we get CPT code updates, and then October 1st each year, we get ICD changes. So it's important. There's a lot that practices need to stay on top of, but staying on top of all of those new updates is what allows them to be more compliant. And I think the risk analysis portion is what allows us to kind of hone in on what areas we really should be focusing on. You need to have a plan in place to be able to do that, right? Just haphazardly looking at things is not an effective or efficient compliance program. It needs to be very well outlined so that we can ensure that we are doing this in a very organized fashion and that corrective action. Because once you've identified that issue, you wanna ensure that you're taking corrective action as quickly and appropriately as possible. Yeah. There's some great points there about trying to make these assessments actionable and also your points around not this not being haphazard in the frequency by which this needs to happen because of the the amount of changes out there. Frank, anything to to add on here? Just 2 things I wanted to to mention was, you know, in in the real world, right, so theoretically, we should be auditing a 100% of everything even before it gets submitted. You know? And and and that's a theoretical place. In the real world, though, we have budget constraints and restrictions, all these practices do. So they can't do it. So they have to set some kind of a rule. Maybe, we audit 10 encounters for every provider every year or 20 encounters for every provider every couple years or whatever. So what the risk analysis does is allows them to focus this. So it helps them prioritize where they're gonna focus the audits so they're not spreading all those resources too thin. Right? It it highlights, you know, those most critical areas that they need to look at. And the idea is what you're trying to do is say, hey. What do I look like to an outside auditor? Whether it's a government auditor or a private payer, we wanna be proactive and not reactive, and risk analysis is proactive. So it helps you sort of a priori identify where those potential issues are are gonna be. So I just wanted to mention that. Yeah. Yeah. I I think throughout the the conversation, the the importance of risk analysis and and and auditing as well has been really really underlined to that. How how important this work is. But, of course, this work necessarily isn't necessarily easy all the time. So in in your experience in in both of your experience, I'm curious what the biggest challenges are medical practices encounter when trying to combine compliance risk analysis with auditing. How can they overcome these challenges and and really create the the comprehensive compliance strategy that sort of been outlined or detailed in this conversation? Pam, you wanna go first? Sure. I I I think Frank hit the the main point, which is the budgetary constraints. That's probably the number one issue. Compliance generally has a very tight budget, which makes it a little bit challenging to be able to have this comprehensive program. The other is lack of resources and lack of expertise to be able to actually conduct the analysis and conduct the audit. So I think both of those areas, we definitely see that there is an issue that impacts how viable this program can be because without those two things, without having the right personnel and also having the the budget set aside to be able to do this. But it is an incredibly important part of operations to have these types of compliance programs. It's a requirement. So I believe Frank, again, kind of hit this, approach correctly is that if you conduct the compliance analysis, it allows you to really kind of hone in and drill down to the areas that pose the greatest risk to the organization or the practice, and those are the ones that they really should be focusing on. And then once they're able to do that, I think that will help them really focus in on what areas need improvement, what areas pose the greatest risk to the organization that need that corrective action, and focus on on what that corrective action should be. Does it need to be a template that needs to be updated? Is it simply going to to just be education to the providers? Maybe they're just not aware of the new requirement for that specific service that they can improve upon through education. So aside from that, I think the other areas, who's keeping up with the regulatory updates? If their if their compliance folks aren't aware of those changes, aren't really in a position to stay on top of all of these new regulatory requirements, that's another area of potential risk for them as well. Because if the providers aren't being made aware of the changes and aren't well versed in what the requirements are, they're not gonna be able to, keep up with the new changes and certainly will be posing more risk to the organization. And then lastly, I think the the biggest challenge of all that we don't really talk about is just human nature and this resistance to change. I think even when all of the resources are there and there aren't budgetary constraints that are are not making this a viable program, I think the issue is just individual folks and their resistance to to change. So that always for us is probably one of the the bigger areas of of issue that we have. We we go out. We train the providers. We provide them all the right tools to be able to do this correctly. But, ultimately, we have a hard time having them be open and willing to change even when you're providing them all of the the resources that they need to be able to do that. Yeah. Yeah. A lot there. So the the resistance to change, even the bandwidth on teams to really keep up with changes coming up, the general lack of expertise sometimes, and and, of course, the, a big one, budgetary constraints. Frank, what would you like to expand on here or or add to the list? Well, I can tell you that that we do this all the time, obviously. And so the the biggest challenges I find the one is all this fragmented data. You'd be amazed. I mean, this is 2024, and you'd be amazed at how many of these organizations can't get access to the data we need in order to, conduct the risk analysis. And and, you know, my thought is, if you can't get us the data to do this, how in the world have you been doing any kind of risk analysis for coding and billing over over the years? Right? And so, you know, the data are scattered in different departments. IT, a lot of these compliance firms are siloed. Right? Compliance is over here. You have, revenue cycle that may have some parts to do it over here. IT is siloed, and people don't communicate with each other. And so trying to get access to the data can be really difficult. So even having a centralized EHR system, which a lot of people do in one place, it's it's still difficult for people sometimes to get access to the data. The other part is limited expertise. You know? I understand that not a lot of these places have in house compliance experts or analysts or whatever, but, you know, listen. They don't know the difference between an 837 p and an 837 I. And if you're listening to this podcast and you don't know the difference between those 2, then you're kind of part of the problem in that respect. You know? Because those are the things that people need to understand if if they're gonna be able to run these kinds of analysis. You know? And so I think that, to me, the solution is I know this is about challenges, but I think the solution is is they can build these cross functional collaborative teams, you know, embrace the technology, always be training people, and they can sort of align their compliance risk analysis with these auditing efforts. And you have this sort of comprehensive program now. And I I think that's kind of the way to go because there's other stuff. You know, Pam mentioned it. Balancing resources and cost is a problem. You know, these rules change at a whim, and trying to keep up with those is a real problem as well. So I I I just from my perspective, I think that if people get a little more focused on the, analytical requirements to make this work, that life would be a lot easier for them. Yeah. I appreciate you sort of, finishing the conversation off by getting into sort of a a solution painting of solution, what a solution could look like for for our audience. So, Frank, Pam, thank you so much for coming on the podcast today. It's been a pleasure speaking with you. Thank you very much.