Prescription for health-care audits: using data analysis tools with surgical precision can enable auditors to diagnose problems afflicting their organization

Internal Auditor,  April, 2008  by Cliff Therrien

• E-mail
• Print
• Link

ALTHOUGH MANY AUDIT GROUPS USE data analysis techniques to conduct accounts payable and payroll audits, with a little imagination they can accomplish much more. Deciding how to use data analysis and data mining technologies can be a bit intimidating at first, but with practice, they can become indispensable audit tools.

For auditors at Fairview Health Services, a regional health group based in Minneapolis, the greatest fear was conducting tests and coming up with substantial findings only to have care system managers systematically dismantle the auditors' methods and conclusions to the point that their findings become irrelevant. By putting some thought into their projects and keeping their scope narrowly focused, the audit group found success in areas such as verifying employee and vendor eligibility and searching for fraud and error in its pharmacy operations.

MATCHING RECORDS

Given the unique environment of health-care providers and the growing concern that foreign-born employees are appropriately documented, verifying the legitimacy of employees and vendors is a major concern for Fairview. Failure to comply with either of these conditions could result in hefty fines or loss of eligibility for federal or state programs and grants. Fairview's auditors routinely conduct tests to verify that employees and vendors have a legitimate right to work for, or conduct business with, the company. In these tests, auditors verify employee and vendor master records against several reputable sources of free, third-party data.

To help combat health-care fraud, the U.S. Department of Health and Human Services' (HHS') Office of the Inspector General (OIG) maintains a database on its Web site listing individuals and organizations that are not allowed to work for, or conduct business with, health-care facilities receiving Medicare or Medicaid payments. The database can be downloaded from http://oig.hhs.gov/fraud/exclusions.html. By importing the database into data analysis software, Fairview's auditors can match the list to the company's employee and vendor master files to identify potential excluded providers. After verifying that the data has been imported into their data analysis software correctly, auditors prepare it for analysis:

* If the name fields in the employee records or OIG data are grouped, auditors separate them into three fields: first name, middle name, and last name.

* Auditors join the employee records to the OIG data by matching the last name only and split the resulting last name matches into two separate files: one where the first names match and another where they do not. In "Employee Data Verification" on page 33, the OIG data shows the name Al K. Sanders, but the employee records list the name Al M. Sanders. Because the middle initial is different, this match can be eliminated and the remaining three kept for confirmation.

* Auditors visually review the second file where the first names do not match for first names that may be written differently, such as William and Bill. However, they don't spend a great amount of time doing this because there are many records, and auditors could end up wasting time chasing false positives.

* After matching by name, auditors return to the OIG Web site and confirm or clear the names on their short list by entering tax ID numbers. The OIG displays a confirmation page that can be saved and used as a workpaper.

Auditors can further identify excluded providers by matching employee or vendor master files to a database maintained by the U.S. Government Accountability Office, which can be downloaded in a variety of formats from www.epls.gov. Any potential matches identified can be verified by clicking on the "Exact Name and SSN/TIN" link at the top left of the Web page. However, because this file contains 62 fields listing alias names and addresses, auditors can spend considerable time merging them all into one field and eliminating duplicates. Audit groups may want to avoid tackling this hurdle or allow for time to format the data.

UNCOVERING FRAUD

Another way data mining and analysis can help auditors is by verifying existing information to discover fraud. In April 2007, Fairview's pharmacy department was undergoing a system conversion, and auditors obtained its script files and physician database to review whether pharmacies were effectively controlling prescriptions.

One of the key fields in the department's records is the U.S. Drug Enforcement Agency (DEA) number, which is a series of numbers assigned to a healthcare provider permitting it to write prescriptions for controlled substances. A valid DEA number consists of nine characters. The first two characters are always letters. The first letter identifies the type of registrant such as a practitioner, teaching institution, or researcher. A partial list of these registration codes is available from Wikipedia at http://en.wikipedia.org/wiki/DEA_number. The second letter is the registrant's last initial. The remaining numeric characters contain an algorithm to further check validity. This check-digit algorithm can be calculated by: