5 tips for avoiding a health insurance audit

Discover how to avoid insurance audits for your health or wellness practice. Learn more about business insurance audits.

Published on Jul 31, 2019
Updated on Jul 31, 2024

In healthcare private practice, activities such as conducting patient sessions, writing chart notes and communicating your nutritional recommendations are part of day-to-day work. Although these activities become routine, there is one thing that insurance-based practices must always keep in mind: insurance audits. At any point in time, an insurance company can decide to audit your private practice. At that moment, every policy, form, procedure and chart note can come under scrutiny. Becoming well-versed in insurance audits now will help you establish important practices and policies that determine how your business operates. Having sound policies and practices in place can help to prevent an audit in the future, and if ever audited, ensure that your business will stand up to even the toughest scrutiny.  

What does an insurance audit mean?

An insurance audit by an insurance payer of a private practice is a thorough review conducted by the insurance company to ensure that the billing practices of the healthcare provider comply with contractual, regulatory, and policy requirements. The process is intended to verify the accuracy and legitimacy of the claims submitted for reimbursement. It is the payer’s way of determining how much risk it actually insured over the past year, which can be high or low depending on a few factors. Ultimately, an audit ensures:

  • Compliance Verification: Ensure that the private practice is complying with the terms and conditions of the payer agreement, including proper use of codes and adherence to medical necessity guidelines.
  • Fraud Prevention: Detect and prevent fraudulent billing practices or overbilling.
  • Accuracy of Payments: Confirm that the services billed were actually provided and appropriately documented.

What can trigger an insurance audit for your private practice?

The healthcare industry is a competitive and lucrative business, but it is important to be mindful of the rigorous regulations that surround it. It is increasingly important to ensure your company operates under sound business practices, because an audit can be triggered quite easily. For instance, a single CMS-1500 claim error can raise a red flag for your business and open you up to an audit. Below are some common triggers to consider in order to avoid an insurance audit at your business:

  • Billing errors
  • Copayment and deductible violations
  • Patient complaints
  • Employee and competitor tips

To prevent an insurance audit and reduce the risk of clawbacks in your private practice, it’s essential to implement best practices that ensure compliance with billing and documentation standards. Here are some key strategies: 

1. Ensure accurate coding and billing 

To maintain the highest level of accuracy and efficiency in your coding and billing processes, consider the following key practices:

  • Provide Proper Staff Training: Ensure that all staff involved in coding and billing are thoroughly trained and stay updated on current coding standards (ICD-10, CPT, HCPCS).
  • Use Billing Software: Utilize reliable medical billing software that is regularly updated to reflect the latest coding changes and payer requirements. Moreover, choosing an EHR or practice management software such as Healthie will support insurance billing, streamline your billing processes, and ensure consistency across patient information, charting notes, and claim forms.
  • Double-Check Claims: Implement a process for double-checking claims for accuracy before submission.

2. Ensure comprehensive and timely documentation 

Thorough and prompt documentation is crucial for quality care and compliance alike. Reinforce healthy habits of documentation with the following rules: 

  • Maintain Detailed Records: Maintain comprehensive and accurate patient records that clearly document the medical necessity of services provided.
  • Leverage Standardized Forms: Use standardized forms and templates to ensure consistency in documentation.
  • Provide Timely Documentation: Complete and update patient records in a timely manner, ideally during or immediately following patient encounters.

3. Conduct regular internal audits

The main purpose of an internal audit is to ensure that your business is in compliance with laws and regulations, thereby reducing the likelihood of being formally audited. Such an audit can be conducted internally by employees of the organization or externally by an outside Certified Public Accountant (CPA) firm. The benefit of having an audit conducted by a third party is that they can be more insightful, as they are not affected by familiarity or personal biases. In both cases, these audits can flag any potential issues and produce a report that management or a board of directors can use to improve the business.

  • Conduct Periodic Reviews: Conduct regular internal audits of your billing and documentation practices to identify and correct errors proactively.
  • Keep Audit Logs: Keep detailed logs of all internal audits, including findings and corrective actions taken.
  • Request Third-Party Audits: Consider periodic audits by third-party consultants to provide an unbiased review of your practices.

As you establish, maintain, and conduct regular reviews of your practice policies, you can refer to this checklist, but be sure to have your third-party auditor review this list and expand it more comprehensively.

  • Each patient must sign a HIPAA Privacy Policy before care is provided.
  • New team members must take a HIPAA-compliance course. 
  • Team communication is always done using a HIPAA-compliant platform.
  • The technology used to run your business and share patient information is HIPAA-compliant, and keeps patient data encrypted. A BAA is obtained for each technology platform.
  • A Medical Release Consent form is always obtained prior to communicating with any healthcare provider outside of your business. 
  • Every patient session is always documented, detailed, and securely stored for 9+ years.
  • Any phone calls or other communication with other healthcare providers are documented and stored within the patient's chart.
  • The practice will periodically review what is considered PHI. 
  • All patient complaints and concerns will be reviewed and addressed swiftly. Thoroughly document the issue and the steps taken as a resolution. Beyond a negative review, a patient complaint can trigger an insurance audit, and should always be taken seriously. 
  • Regularly review your company billing reports and insurance-reimbursements to ensure that patients were properly billed for amounts they owe (i.e. copays and deductibles).

4. Stay informed and compliant on billing requirements

It’s essential to be proactive in regularly reviewing your business policies and practices to avoid being put under investigation. This is especially true if you work in a multi-provider practice or have a new provider coming onboard. It can be beneficial to require new providers to take a HIPAA-compliance training course, to ensure that they are following best practices at all times.

  • Regulatory Updates: Stay informed about changes in insurance payer policies, coding guidelines, and healthcare regulations.
  • Compliance Programs: Implement a compliance program that includes regular training, policy updates, and adherence to legal and payer requirements.
  • Professional Development: Encourage ongoing education and certification for staff involved in billing and coding.

5. Utilize an EHR platform with an integrated billing system

Implement an EHR platform with integrated billing capabilities so that administrative tasks are automated while also providing higher accuracy. 

  • Automated Alerts: Use software with automated alerts for potential billing errors, coding mismatches, or missing documentation.
  • Analytics Tools: Leverage data analytics tools to track billing patterns, identify anomalies, and monitor compliance metrics.
  • Integrated Billing Functionality: Use billing software that is built into your EHR platform or directly integrates with it. This ensures that claims are linked to the correct patient profile and chart, eliminating the need to re-enter information, a step that is prone to human error.

How long should you keep patient and billing records in case of an audit? 

Keeping good records is crucial for every business, but especially in the health and wellness industries, where it involves storing patient chart notes and paperwork. The duration for maintaining these records may vary per insurance company and state, but generally, chart notes must be kept for at least 9 years. Failing to do so can result in inspections by numerous organizations, including the FBI, and ultimately the closure of your business. Therefore, it is essential to understand the importance of maintaining these files to avoid audits or other legal issues.

If you’re still relying on paper charts, you might quickly find that long-term, secure storage is a problem, particularly if you need to access these files regularly. In addition, relying on physical copies of your files puts your business at risk. In the case of a fire, flood, or other unfortunate events, files can be compromised or lost.

For these reasons (and several others), most providers have shifted entirely to the electronic storage of patient files. Electronically storing chart notes not only saves space but also makes locating these files easier. If you choose to store documents (such as PDFs or Word files) on your local computer, there are extra steps that need to be taken to ensure compliance with regulations. Patient information should be encrypted so that if anyone gains access to the computer, these documents remain secure. You must also maintain a backup in the event that your computer is damaged, lost, or stolen.

To avoid the logistical and practical issues associated with physical or local-computer storage of patient files, most providers are utilizing Electronic Health Record platforms. Cloud-based EHR platforms can solve both storage and security issues in the long term. A cloud-based platform allows you to sign in from any computer to access your patient charts, knowing that the information is always secure and cannot be lost. When choosing your cloud-based EHR platform, it is important to choose one that focuses on security, keeping data encrypted and stored in multiple locations. These measures allow you to easily store and access patient files long-term, without the compliance or space concerns of maintaining physically stored files.

Always use HIPAA-compliant ways to store and share patient PHI

Allowing PHI that is in your care to be vulnerable to security threats is one way that your business can be flagged for an audit. Protected Health Information, otherwise known as PHI, is any health information that is tied to an individual. PHI is deemed to be “individually identifiable information relating to the past, present, or future health status of an individual that is created, collected, or transmitted, or maintained by a HIPAA-covered entity in relation to the provision of healthcare, payment for healthcare services, or use in healthcare operations (PHI healthcare business uses).” PHI is protected under HIPAA, meaning it includes one or more of the following 18 identifiers below: 

  • Names (Full or last name and initial)
  • All geographical identifiers smaller than a state, except for the initial three digits of a zip code if, according to the current publicly available data from the U.S. Bureau of the Census: the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000
  • Dates (other than year) directly related to an individual
  • Phone Numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health insurance beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers (including serial numbers and license plate numbers)
  • Device identifiers and serial numbers
  • Web Uniform Resource Locators (URLs)
  • Internet Protocol (IP) address numbers
  • Biometric identifiers, including finger, retinal and voice prints
  • Full face photographic images and any comparable images
  • Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data
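As an added example that is not from the original article, the following Python applies Safe Harbor-style handling to the identifiers listed above: it drops direct identifiers from a constructed patient record, keeps only the year of dates, applies the three-digit zip rule (the small-population prefix table is constructed, not Census data), and flags or scrubs identifiers embedded in free-text chart notes. The field names, sample record and regular expressions are assumptions.

```python
"""De-identify a patient record using the HIPAA identifier list above.

Added example, not code from the original article. The population table,
field names and sample record are constructed for illustration only.
"""
import re
from datetime import date

# Constructed: 3-digit zip prefixes whose combined population is 20,000 or
# fewer. A real implementation loads this from current U.S. Census data.
SMALL_ZIP3_PREFIXES = {"036", "059"}

# Fields that are direct identifiers and must be removed outright.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "insurance_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "biometric", "photo",
}

# Identifiers that commonly leak into free-text chart notes. Order matters:
# URLs are replaced before e-mail addresses so a URL path is not re-matched.
TEXT_PATTERNS = [
    ("URL", re.compile(r"https?://[^\s;,]+")),
    ("EMAIL", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]?\d{3}[-. ]\d{4}\b")),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
]
# MM/DD/YYYY dates: only the year may be kept.
DATE_RE = re.compile(r"\b(\d{1,2})/(\d{1,2})/(\d{4})\b")


def generalize_zip(zip_code: str, small_prefixes=SMALL_ZIP3_PREFIXES) -> str:
    """Keep the first three digits unless that unit has <= 20,000 people."""
    digits = re.sub(r"\D", "", zip_code)
    if len(digits) < 3:
        return "000"
    prefix = digits[:3]
    return "000" if prefix in small_prefixes else prefix


def find_identifiers(text: str) -> list:
    """Detection: which identifier types appear in a chart note."""
    return sorted(label for label, pat in TEXT_PATTERNS if pat.search(text))


def scrub_text(text: str) -> str:
    """Reduce dates to the year and replace embedded identifiers with tags."""
    text = DATE_RE.sub(lambda m: m.group(3), text)
    for label, pat in TEXT_PATTERNS:
        text = pat.sub(f"[{label}]", text)
    return text


def deidentify(record: dict) -> dict:
    """Return a copy of the record with the listed identifiers removed."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                      # drop direct identifiers entirely
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif isinstance(value, date):
            out[key] = value.year         # dates other than year are PHI
        elif isinstance(value, str):
            out[key] = scrub_text(value)  # notes may embed identifiers
        else:
            out[key] = value
    return out


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "dob": date(1984, 3, 14),
    "visit_date": date(2024, 7, 9),
    "zip": "03601",
    "phone": "(555) 010-4242",
    "email": "jane.sample@example.com",
    "ssn": "123-45-6789",
    "mrn": "MRN-0001",
    "diagnosis_code": "E11.9",
    "note": ("Seen 07/09/2024. Call back at (555) 010-4242 or "
             "jane.sample@example.com; portal https://portal.example.com/jane; "
             "SSN 123-45-6789; device at 10.0.0.7."),
}

if __name__ == "__main__":
    print("identifiers in note:", find_identifiers(SAMPLE_RECORD["note"]))
    print(deidentify(SAMPLE_RECORD))
```

The `find_identifiers` check can run as a pre-submission or internal-audit control over chart notes, while `deidentify` shows what must change before a record leaves the covered entity.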

Communicate with other healthcare providers using a HIPAA-compliant form of communication

Communicating with other healthcare providers is another ideal way to avoid an insurance audit in your practice. However, the key is to communicate with a provider who is also HIPAA-compliant, using a secure two-way form of communication.

Some examples of secure two-way communication are: 

  • E-Fax: Most insurance companies will require providers to have a fax line. Many doctors' offices and other wellness professionals still rely on sending faxes to share patient documents and chart notes. In lieu of having a physical fax machine in your office, E-Fax allows you to digitally send and receive fax documents.
  • Encrypted email: Utilize an email provider that guarantees the encryption of email content to protect any important information from being read by anyone other than the intended recipients. Standard email is not considered HIPAA-compliant, and therefore puts your patient information at risk.
  • Phone: Phone calls with other providers are considered a secure means of communication. However, in the event of an insurance audit it is nearly impossible to recall what information you shared and received. To protect your business, document the occurrence of the call and include any important takeaways from the session in your patient’s chart.

You may also want to ensure that you have a Business Associate Agreement (BAA) with any technology platform that you use. This will be required for insurance reimbursement for telehealth. What this means is that the communication platform is encrypted to maintain security and privacy. HIPAA privacy laws protect patient PHI and limit access to this information. Moreover, communication, as well as documents and shared images, would not be readable in transmission.

In healthcare private practice, daily activities like conducting patient sessions, writing chart notes, and communicating nutritional recommendations are routine. However, insurance-based practices must always remain vigilant about insurance audits. At any time, an insurance company can decide to audit your practice, scrutinizing every policy, form, procedure, and chart note. By becoming well-versed in insurance audits now, you can establish crucial practices and policies that shape your business operations. Sound policies and practices not only help prevent future audits but also ensure that your business can withstand even the toughest scrutiny if audited.

I received an insurance audit notice, now what? 

Despite taking all of these steps, there’s always a chance that your business may have to undergo an insurance audit. Insurance audits are sometimes conducted at random, so there might not have been any wrongdoing on your part. An insurance audit can be a rigorous process, but with proper preparation and adherence to best practices, a private practice can navigate it successfully and maintain compliance with insurance payer requirements. Learn more about what to do if you’ve been notified of an insurance audit here: Handling an insurance audit.
