Internal Controls
What Are They?
Broadly, Internal Controls are the methods and procedures used to provide reasonable assurance that the organization’s objective and goals will be met. The main objectives of a system of Internal Controls is to ensure reliability and integrity of information, compliance with policies, procedures, laws and regulations, safeguarding of assets, economical and efficient use of resources.
 
Principles/Components?
The well-established COSO Internal Control Framework identifies five interrelated components for managing business risks: the control environment, risk assessment, control activities, information and communication and monitoring. More information regarding each component can be found on the Office of Internal Audit Website.
 
Main Types?
Generally, there are two types of Internal Controls, preventive and detective, and both are essential to an effective system of Internal Controls.
 
Preventive Controls are: proactive and are designed to deter or stop an unwanted outcome before it happens. Examples of preventive controls are: Policies and Procedures, Passwords, Approvals, Verifications, Access Limitation and Segregation of Duties.
 
Detective Controls are: designed to uncover errors or irregularities after they occur. Examples of detective controls are: Reconciliations, Performance Review/Analysis (Budget to Actual, Forecasts, Prior Period Review), Inventory Counts, Internal Audits and Surprise Cash Counts.
 
Who is Responsible?
EVERYONE!!! Yes, everyone plays a part in the University of South Alabama/USA Health systems of Internal Controls! While ultimately management is responsible for ensuring controls are in place, that responsibility is many times delegated to individual areas of operation; therefore, every employee has some responsibility for making our Internal Control system function!
 
How is my Department Doing?
Now that you know more about Internal Controls, if you’d like to see how your area or department is doing, an Internal Control Self-Assessment can be found on the Office of Internal Audit Website.
Medical Record Cloning

“Cloning refers to documentation that is worded exactly like previous entries, copied-and-pasted. Authorship and documentation in an EHR must be authentic. Cloned documentation does not meet medical necessity requirements for coverage of services (if it does not accurately reflect the patient’s status). Identification of this type of documentation will lead to denial of services for lack of medical necessity and recoupment of all overpayments made.” - Palmetto GBA, USA’s Medicare Administrative Contractor

While USA policy does not outright forbid physicians from copy-pasting progress notes and then editing specific to their current patient status (in order to save time), we do not condone it either, based on the risk of neglecting to assure the editing results in a progress note that is 100% accurate. If a claim is submitted based on a progress note that does not accurately reflect the patient status, it would constitute a False Claim.

Breazeale, Sachse & Wilson, L.L.P. – “The OIG announced a fraud settlement on January 7, 2016 with a cardiology group in Somerville, New Jersey that was based on the cloning of electronic medical records. The Somerset Cardiology Group agreed to pay $422,741 in a civil money penalty (CMP) settlement stemming from allegations it submitted false or fraudulent claims. This cardiology group allegedly cloned patient progress notes and upcoded evaluation and management (E/M) services, according to the OIG. The cardiology group had self-disclosed these issued to the OIG after it discovered the alleged billing errors through an internal quality assurance audit.

Specifically, the OIG contended that the Somerset cardiology practice cloned patient progress notes, as well as improperly coded and submitted for payment to Medicare E&M services that used current procedural terminology codes to reflect a higher level of service than the cardiologists actually preformed resulting in higher payments by Medicare to which Somerset cardiology was not entitled.”

If you have any questions about how to appropriately document patient charts, you may contact Cynthia Holland, Billing Compliance Director, at (251) 434-3778, or email cholland@health.southalabama.edu.
Drug and Alcohol Testing 

USA Health is committed to creating and maintaining a safe workplace free of substance abuse. As of August 2021, USA Health policy requires pre-employment drug and alcohol screening and “for cause” drug and alcohol screening for all USA Health employees. This policy includes our drug and alcohol testing requirements, testing procedures, implication of testing outcomes, and information on self reporting, or self-referral to USA's Employee Assistance Program.
The South Compass is a joint newsletter from the Offices of
Internal Audit and Compliance at the University of South Alabama.

HELPFUL RESOURCES

Ethics & Compliance Hotline or Direct Dial 1-844-666-3569