For Auditors and Compliance Officers
This article is written by the American Institute of Healthcare Compliance Audit Education Department
New to Compliance & Auditing for Compliance? This short article is #3 in a three-part series addressing various areas of auditing and monitoring healthcare providers for compliance. You may want to read Article #1 – Importance of Compliance Audits and Article #2 Auditing for Anti-Kickback Statute Violations.
Introduction
A healthcare compliance audit checks adherence to laws (such as HIPAA, Stark, Anit-Kickback Statue, coding, billing rules) and includes reviewing written policies, assessing internal controls, verifying staff training, monitoring data security, examining processes, interviewing staff, and ensuring a robust reporting/corrective action process is in place. This is all aimed at risk reduction and better patient care.
The focus of this article is to discuss the difference between a Gap Analysis and Risk Assessment when conducting an audit.
Conducting an Audit can be Complex
To audit, gap analyze, and risk assess healthcare compliance, an organization systematically identifies standards, gathers data, evaluates compliance gaps and threats, prioritizes issues, then create corrective plans. This is followed by conducting monitoring audits and review to find and fix deficiencies before they become major problems. It is a continuous process.
Core Components of a Healthcare Compliance Audit often include:
Risk Assessment & Scope
- Identifying high-risk areas (e.g., billing, privacy, patient safety) and defining what the audit will cover.
Performing a Documentation Review
- Checking written policies, procedures, training records, consent forms, and compliance plans for completeness and accuracy.
Testing Internal Controls
- Evaluating safeguards for data (EHR, access), billing, and operations to prevent fraud and errors.
Workforce Competency
- Verifying that employees understand and follow policies through training logs and interviews.
Conducting Interviews & Observation
- Talking to staff and watching workflows to see if policies are truly followed in practice.
HIPAA Compliance
- Data Security & Privacy auditing to determine HIPAA/HITECH compliance, access controls, and breach protocols.
Billing & Coding Accuracy
- Performing pre-billing and post-billing audits to ensure claims are correctly coded and comply with payer rules.
Reporting & Investigation
- Assessing the effectiveness of hotlines, whistleblower protections, and how reported issues are handled.
Corrective Action Plan (CAP)
- Developing and tracking steps to fix any identified compliance gaps.
Gap Analysis
The distance between where you are where you need to be
Conducting an audit often requires performing a gap analysis. A gap analysis identifies the difference between your current state and desired compliance levels. Simply put, it starts by defining the compliance goal, assesses current performance (what your organization is actually doing) and pinpointing exactly where the organization is falling short.
In healthcare compliance, a Gap Analysis finds what you're missing compared to a standard (e.g., Coding or HIPAA rules), showing the "what's missing" and "how far" from compliance, while a Risk Assessment identifies why you're vulnerable, evaluating the likelihood and impact of threats (like breaches) to determine what controls are truly needed to mitigate risk, forming two complementary steps to achieve full, effective compliance, not replacements for each other.
Key Steps for Risk Mitigation Gap Analysis:
1. First, start with defining the scope and objective.
- Clearly state what you're analyzing (processes, compliance, performance) and the desired outcome or standard (e.g., regulatory compliance, industry best practice).
2. Next, define benchmarks, goals that need to be met.
- Define the desired state. Establish benchmarks, goals, and ideal performance levels, often based on regulations, standards, or strategic objectives.
- Create list of items being measured and evaluated.
3. Conduct an Evaluation to Assess Current State.
- Document existing performance, processes, policies, and controls, gathering data through audits, interviews, and metrics.
4. Identify & Analyze Gaps.
- Compare current vs. desired states to find discrepancies.
- Use tools like SWOT or process mapping to visualize inefficiencies, as taught by AIHC in the Auditing for Compliance online course which addresses gap analysis.
5. Conduct Root Cause Analysis (RCA).
- Dig deep to understand why gaps exist (e.g., outdated policies, lack of training, resource issues).
6. Prioritize or Rank by Severity.
- Rank gaps by severity, impact, and risk level (e.g., using an impact/effort matrix) to focus on the most critical issues first.
7. Develop Action Plan (Remediation).
- Create detailed plans with specific actions, assigned owners, resources, timelines, and success metrics to close each prioritized gap.
8. Implement & Execute.
- The organization must act and ensure necessary resources and support are in place.
9. Monitor & Review.
- Continuously track progress, measure results against KPIs, and make adjustments to ensure effective risk reduction.
10. Communicate & Report.
- Share findings and progress with stakeholders to maintain transparency and buy-in.
Risk Assessment – The “Why” and “How Bad”
After identifying what's missing (the gaps), the risk assessment quantifies how bad those gaps are. The risk assessment evaluates potential threats to compliance and patient safety. This process explains why gaps matter and dictates what to fix to manage risk effectively. It includes an impact analysis, evaluating controls and calculate residual risk.
Difference between Gap Analysis & Risk Assessment:
Gap Analysis = Current vs. Standard
Risk Assessment = Threats/Vulnerabilities vs. Assets
Key steps for a risk assessment following a gap analysis:
1. Identify Risks from Gaps.- Take the identified gaps (e.g., lack of security training, outdated software) and pinpoint the specific threats or vulnerabilities they create (e.g., phishing, data breach, system failure).
2. Analyze Risk (Likelihood & Impact). For each identified risk, determine.
- Likelihood: How probable is it that this risk will occur?
- Impact/Severity: How bad would the consequences be (financial, operational, reputational) if it did happen?
3. Evaluate & Prioritize Risks.
- Combine likelihood and impact to score each risk (e.g., High, Medium, Low) and prioritize them. Focus on high-impact, high-likelihood risks first.
4. Develop Mitigation (Control) Strategies.
- For prioritized risks, design actions to eliminate, reduce, or transfer the risk. These are your control measures (e.g., implementing training, upgrading systems).
5. Record Findings & Controls.
- Document the entire process, including identified risks, analysis, chosen controls, and responsibilities. This is often a legal requirement.
6. Implement Controls.
- Put the planned actions into practice.
7. Monitor & Review.
- Don’t stop short, complete the cycle by regularly checking if controls are working and update the assessment as the environment, threats, or business needs change.
Auditing for Compliance
Even if you have some audit experience, taking an online course and certifying can fill-in knowledge gaps and provide essential skills to lead an audit team.
To become a lead auditor, many organizations will require you to complete a training course that covers auditing principles, management systems, and leadership skills, followed by passing an exam and gaining auditing experience, such as offered by the American Institute of Healthcare Compliance (AIHC), recognized as a Licensing/Certifying partner with the Centers for Medicare & Medicaid Services (CMS).
Resources to Stay Informed
Lead Auditors and Compliance Officers need to stay informed. Subscribing to government notifications is one way. You may also want to review current educational articles (free) published by the American Institute of Healthcare Compliance (AIHC)– click here for the Auditing category, and view all articles or by additional categories.
Videos can be a helpful way to stay informed. We recommend the following which may be of interest for you or members of your audit and compliance team!
- Risk Management Playlist;
- Corporate Compliance Playlist;
- HIPAA Playlist
- Individual Videos
This article is written by the American Institute of Healthcare Compliance Audit Education Department
References
- Auditing for Compliance online training course by the American Institute of Healthcare Compliance.
Copyright © 2025 American Institute of Healthcare Compliance All Rights Reserved