Health Plan Management: Do You Have Your Internal Controls Under Control?
Linh Crider, CPA, CFE
Internal controls perform an essential role in the health claims process. In most plans, the internal controls encompass basic procedures such as segregation of duties, system access, quality control reviews, and system edits. However, there are a few procedures that are frequently missed by Health Plans, heightening the risk of errors or fraudulent payments. From an auditing perspective, it is important for plan management to review their control procedures to ensure that the following items are included in their control policy:
Segregation of duties
Plans often have a documented policy stating that staff in the enrollment department is prohibited from processing claims, and claims processors may not process enrollments. However, this policy may not be executed correctly if there are no system controls in place to prevent these actions from happening. Moreover, there may not be an established review process to ensure that unauthorized transactions do not occur. Plan management needs to consider the risk that claims could be paid on behalf of ineligible members. Most modern claim systems have the capability to restrict access, so this often can be an easy step to implement. For those plans with older systems, a routine review of unauthorized transactions between the enrollment and claims departments should be done to strengthen the controls in this area.
Plans that do not have a separate department to process plan employee claims need to implement policies to avoid fraud. There should be a policy in place whereby employees are not permitted to process their own claims. However, many plans only have an unenforceable policy and have not implemented system restrictions or review processes to mitigate fraud risk. Thus, an employee could create a fictitious claim without being caught. A written and enforceable policy regarding employee claims is recommended for all plans. In addition, a plan’s system should incorporate edits that prohibit an employee from processing his or her own claim.
Some plans have a separate department to print benefit checks. Often, processors are allowed to pull certain checks from the printing department so they can review them or make corrections before mailing. Unfortunately, some plans do not have a policy which requires all pulled checks to be tracked. This presents a fraud risk where the claims processor could just keep the checks that he or she fraudulently created and removed from the printing department. This underscores the importance of maintaining a list of all checks that are pulled from production. In addition, it is recommended that this list should be forwarded to a supervisor for review.
Implementing the procedures described above can strengthen your plan’s controls and decrease opportunities for employees that may be tempted to commit or collude in acts of fraud. Turn those “paper policies” into procedures with teeth that get the job done.