With health-care costs cited in recent surveys from The Business Review and Robert Half Management Resources as the No. 1 concern of CEOs and chief financial officers, health benefits administration should be high on the list of areas for internal auditors to consider in their audit planning. But that is not always the case. While some organizations audit their health benefits programs and administrators annually, others are doing little to nothing in this area. For the past 25 years, I have audited health benefits administration (HBA) for corporations, government entities, and nonprofit organizations. During this time, I have identified practices that resulted in recoverable losses and losses that were never recovered because organizations never audited their health benefits plans. A good place to start is to evaluate the oversight of HBA reporting activities that could identify untold losses for the organization.
Many organizations contract with third-party administrators (TPAs) to oversee the claims process, provider network, utilization review, and membership functions. In the arena of claims processing, TPAs can make claim payment errors that result in financial losses to the organization they work for if they are not identified, recovered, and credited back to the plan. Claim overpayments are common in the industry, and most TPAs have audit processes in place to minimize the losses to their clients. Many internal auditors incorrectly assume that the claim audit covers all the exposures, as the primary function of claims administration is to pay claims. This misconception can blot out the true understanding of exposures and the necessity of internal audit performing audits, both externally and internally.
Coordination of Benefits
During one engagement, an administrator for a U.S. federal government health benefit's plan changed its method of administering coordination of benefits (COB) from "pursue and pay" to "pay and pursue." Under "pursue and pay," the administrator determines who the primary payor is before making payment. Under "pay and pursue," the administrator pays the claim and pursues a refund only if it's determined to be secondary. Meanwhile, the client is billed for the payment of full benefits, even if it should be the secondary payor. In this case, the financially strapped administrator recovered the overpayments, deposited them into a bank account, and never credited its clients. Following an audit, the plan received a check for US $2.3 million for its share of the refunds that were not returned to it.
If someone had monitored COB savings, along with other cost containment activities, he or she would have noticed that the COB savings had fallen off and were next to nothing under "pay and pursue." When looking at COB, internal auditors should review the provision of the contract with the administrator to determine who is responsible for identifying other group coverage (OGC), the methodology for investigating OGC, time limitations for recovering overpayments, and reporting of savings to the organization by the administrator. Auditors also should consider the organization's oversight of monitoring COB savings and other cost containment activities performed by the administrator.
The COB case was intentional deception, but losses also can be unintentional. To recover overpayments, the TPA can use a refund request letter to request the overpayment from health-care providers (hospitals, physicians, etc.), or use the provider offset, which deducts the overpayment from the provider's next payment. In one case, when a provider voluntarily returned an overpayment, the administrator's policy was to return the refund check to the provider with a form to complete, and send it back to the administrator to initiate a provider offset on the next payment to the provider. No logs were kept of the checks received and returned to the providers. Following an audit, the client insisted that the administrator keep the checks received from providers and deposit them in its account. The client's refund activity increased from almost nothing to more than US $1 million a year. Monitoring and analyzing refund activity will provide insight into how well claim overpayments are being controlled.
When looking at refund activity for overpayments, internal auditors should pay attention to the collection methods used by the administrator, overpayment amounts and time limitations for recovery, and the use of external vendors and their shared savings on recoveries. Reporting from the administrator should include an analysis of refund activity, the reasons for the refunds, breakout between solicited and unsolicited refunds, and the balance of outstanding refunds.
Sometimes it cannot be determined whether an organization's losses are intentional or unintentional. For example, in one audit, several organizations contracted with a marketing firm specializing in a new approach to control health-care costs. The marketing firm hired an administrator to process the claims for its clients. After four months with the firm, an alert accountant at one of the organizations questioned why funding requests coming from the marketing firm were running 20 percent higher each month than they had been with the previous administrator when it had promised to reduce costs. The organization's finance division requested an internal audit, which revealed that the marketing firm had been billing its clients based on claims processed by the administrator, including claims not paid. The firm insisted it had not been aware that the funding requests resulted in client overbilling and agreed to refund the overbilled amounts to the organization. Monitoring and approving the funding requests against some measure of expected costs can identify when cost should be investigated.
When reviewing funding requests, internal auditors should pay attention to the internal funding approval process, supporting detail provided by the administrator to support the funding, funding limitation controls to identify possible overfunding for investigation, bank accounts setup and account access, and the internal funding reconciliation process.
While losses may occur because of the administrator's practices, losses also can go undetected because the organization does not perform adequate oversight of the practices used on its accounts. Preferred provider organization (PPO) discounts are common in managed care. When organizations use PPO networks that are independent of the administrator's contracted network, the PPO networks receive the claim first to reprice it with the negotiated rate. The PPO network generates a repricing sheet, which is sent with the original claim to the administrator for processing. In one case, no one explained the repricing sheets to the claim examiners, so they ignored them. The claims system automatically priced and loaded the administrator's network claims with the negotiated rates into the claims system. However, because the client's external PPO network fees were not in the claims system, the claims were paid at billed charges. The client lost an estimated US $750,000 in discounts over a one-year period and was paying 34 percent of the savings to the PPO networks for savings that it never received. The client did not detect the lost discounts because it never reconciled the discounts reported by the PPO's quarterly billings for its share of the savings to a discount savings as reported by the administrator.
While examining discounts, internal auditors should review the administrator's or independent PPO network's contracts regarding PPO pricing and access to pricing variation for in-network provider audits, alternative savings arrangements using external vendors for out-of-network providers, and reporting of PPO discount savings. Within their own organizations, auditors should review the internal process of monitoring discount reporting and reconcile PPO shared savings to the administrator reporting the discounts.
Knowledge Is Power
There are frequent reports on fraud, abuse, and errors in government health programs from the U.S. Department of Health and Human Services' Office of the Inspector General and the U.S. Government Accountability Office. And because many U.S. corporations' health plans mirror government programs, the risk of exposure in organizations is the same. Organizations have incurred tremendous losses by not auditing benefits administration or having an understanding of the internal oversight within their organizations.
Developing a team concept within an organization for understanding the exposures in the industry is a practical role for internal audit. This knowledge puts internal auditors in a position to provide management with assurance that the millions spent on employees' health benefits are accurate, reasonable, and justified.