Internal Audit for Hospitals: 10 Compliance Tips for 2025

Oberheiden P.C.

Hospitals are subject to numerous state and federal laws, rules, and regulations, like all healthcare organizations. However, due to their outsized role in our nation's healthcare system, hospitals often face enhanced scrutiny from state and federal authorities. From billing and patient privacy concerns to their financial relationships with physicians, pharmacies, and others, hospitals frequently find themselves facing scrutiny in all areas of their operations.

As a result, while all healthcare organizations must prioritize compliance, hospitals must be especially certain that they have their ducks in a row. Hospital administrators and compliance officers must be confident in the efficacy of their compliance and patient safety programs and prepared to demonstrate this efficacy to state and federal authorities when necessary.

“Conducting regularly scheduled internal audits is a key component of an effective healthcare compliance program for hospitals. Not only must hospitals conduct these audits to gain a clear understanding of the health of their compliance programs, but being able to demonstrate ongoing efforts to assess and maintain compliance can also be critical when dealing with state or federal authorities.” – Dr. Nick Oberheiden, Founding Attorney of Oberheiden P.C.

Understanding the Value of Internal Compliance Audits

One of the most effective ways hospitals assess, maintain and demonstrate compliance is by conducting routine internal compliance audits. In an ideal scenario, the internal auditing team will confirm the hospital’s compliance and its documentation will be added to the pile of successful (or “passed”) audits that show that it is operating effectively.

But, if a hospital has compliance failures to address, then conducting regularly scheduled internal audits will allow the hospital to address these failures in a timely fashion—before state or federal authorities (such as the Centers for Medicare and Medicaid Services (CMS) or a Medicare Fraud Control Unit (MFCU)) discover them during an external audit or investigation. In either scenario, the outcome is critically important, and it will inform (or should inform) the hospital’s next steps about state and federal compliance.

Laying the Groundwork for a Hospital’s Successful Internal Compliance Audit

An effective audit is a multi-step process that requires structure, teamwork, and in-depth knowledge of all pertinent sources of state and federal authority. It also requires an unbiased approach, as the goal is to gain an accurate understanding of the hospital’s compliance program. The goal is not to confirm compliance or find a way to spin compliance failures to secure a passing grade.

For hospitals, conducting internal audits also requires precision and tact, as several issues can arise if the process is flawed. Some of the primary concerns include:

  • Focusing on the wrong areas can result in a waste of resources. Looking for information in the wrong places is ineffective and costly. Likewise, if a particular area of compliance is relatively low-risk based on the nature of a hospital’s operations or its other recent compliance efforts, then devoting substantial resources to conducting an audit in this area may be highly inefficient.
  • Failing to identify all pertinent sources of information can result in a less-than-comprehensive assessment. While hospitals should avoid wasting their resources by focusing on the wrong areas, they must also ensure that they are conducting a comprehensive assessment of the areas under review. Not only can failing to identify pertinent sources of information lead to inaccurate conclusions, but it can also leave hospital administrators and compliance officers unaware of what they don’t know.
  • Failing to protect sensitive information uncovered during the audit can create unnecessary risk in the event of an external inquiry. All internal compliance audits should be conducted with the oversight of outside counsel to ensure that any conclusions reached during the process are protected under the attorney-client privilege. Should an audit uncover one or more instances of noncompliance, failing to protect this information (and remedy the issue(s) efficiently) could lead to unnecessary adverse consequences.

10 Steps for Conducting an Internal Hospital Compliance Audit

With this in mind, what is involved in conducting an effective internal compliance audit for hospitals? Here are 10 key steps toward successfully navigating the internal audit process for hospitals in 2025:

1. Initiate the Audit

Initiating an internal audit should be a formal process. The hospital should engage outside counsel specifically for the audit, and the hospital’s engagement agreement should make clear that counsel is advising and representing the facility during the audit process. This will help preserve the attorney-client privilege, which can be critical if the internal auditors uncover unfavorable information, as discussed above.

Formalizing the audit process also helps to underscore its importance and establish it as a time-limited event. Internal audits should be efficient and not drag on as other priorities get in the way. They should have a clear purpose, a clear start, and a clear end.

2. Review the Hospital’s Compliance Program

An internal audit aims to assess the efficacy of a healthcare organization’s compliance program. As a result, the first step in conducting an internal audit is to review the compliance program itself. All members of the audit team (both internal personnel and outside counsel) need to have a clear understanding of what the hospital should be doing regarding compliance, as this will allow for the identification of any clear compliance failures or potential red flags.

Many hospitals have compliance checklists that they (or their outside counsel) have developed specifically to assess regulatory compliance during the internal audit process. For hospitals that have these checklists, using them is fine—as long as they are up-to-date and reflect the hospital’s current compliance obligations. For those that do not have checklists, a systematic approach to assessing compliance (which may involve developing a checklist based on the facility’s compliance obligations) will be necessary.

3. Review the Current Laws, Rules, and Regulations

The laws, rules, and regulations that govern hospitals’ operations change frequently, both at the state and federal levels. Conducting regularly scheduled internal audits serves not only as a mechanism for assessing and maintaining compliance with a hospital’s existing obligations but also for identifying and addressing any new obligations.

At the outset of the audit process, the hospital’s administrator and compliance officer should work with outside counsel to ensure that they are aware of any newly applicable compliance obligations, and they should incorporate any such obligations into their facilities’ compliance programs and their internal audit procedures. During the audit process, it will be important to distinguish between the time periods before and after changes in the law—as compliance may look different during each period.

4. Assemble the Audit Team

Due to hospitals’ size and the complexity of their systems and operations, an effective internal audit requires a carefully selected high-performing team. The team should include the hospital’s compliance officer, chief information officer, in-house and outside counsel, and others such as billing managers and systems managers with relevant subject-matter expertise. Generally, the same individuals should manage the hospital’s internal audits on an ongoing basis—as this consistency can promote both accuracy and efficiency—though the hospital’s leaders and counsel must give due consideration to the risk of certain individuals on the team underperforming or having a compromised interest in the outcome of the audit process.

5. Assign Roles, Responsibilities, and Reporting Obligations

Each audit team member should have a clearly defined role and responsibilities. All team members should also have clear reporting obligations, as this will ensure that all pertinent findings end up in the audit report. As noted above, assigning the same roles and responsibilities to the same team members will enhance the efficiency of the audit process; though, once again, the hospital’s leaders and counsel must be careful not to become overly comfortable or too trusting of the team they have in place. The audit process itself must have checks and balances to ensure that it serves its intended purpose.

6. Identify All Sources of Relevant Information

Comprehensiveness is critical when conducting an internal audit. The audit team must identify, collect, and examine all relevant information from internal controls and all data sources. If even a single relevant data source goes overlooked (e.g., revenue cycle management, an employee’s smartphone, or an offsite cloud server), this can compromise the efficacy of the audit.

Crucially, in this scenario, there is a risk that the audit will fail to uncover relevant information, and if this happens, the hospital’s leadership will be unaware of the deficiency. This can put the facility in a precarious situation if state or federal authorities uncover the overlooked information (and the deficiency in the hospital’s audit procedures) during an external examination.

7. Examine the Data

Once the internal audit team has identified all relevant information sources, the next step is to examine the data. This includes the hospital’s billing data (including Medicare, private insurance, and other payor data) and data regarding the hospital’s patient communication practices, contracting practices, privacy practices, telehealth practices, prescription practices, and other regulated operations. There are numerous aspects to hospital compliance, each demanding equal scrutiny. Again, if a hospital’s internal audit is non-comprehensive in any respect, this will jeopardize the efficacy of the audit and prevent the hospital’s leadership from making informed decisions.

8. Conduct a Comprehensive Compliance Assessment

After examining the data, the hospital’s outside compliance counsel will conduct a comprehensive compliance assessment. The primary purposes of this assessment are twofold: (i) to determine if the hospital is adhering to its compliance program and (ii) to determine if the hospital’s compliance program addresses all pertinent legal and regulatory requirements. Assessing compliance requires in-depth knowledge of all of the laws, rules, and regulations that apply, and, as a result, it is imperative that hospitals work with highly experienced outside attorneys who focus their practice specifically on the area of healthcare compliance.

9. Document the Audit Appropriately

In certain respects, appropriately documenting an internal compliance audit is just as important as conducting it. Without proof of an audit’s completion and results, the hospital cannot demonstrate compliance to state or federal authorities. Likewise, if a hospital’s documentation of an internal audit omits key information, this will raise questions about the sufficiency of the audit, and this, in turn, will raise questions about the sufficiency of the hospital’s compliance program.

Thus, hospitals must document their audits appropriately—which generally involves relying on their outside counsel to prepare a comprehensive audit report. Just as hospitals need to be confident in their compliance programs, they need to be confident that their audit documentation will serve its intended purpose when needed.

10. Determine (and Take) Appropriate Next Steps

Finally, once the audit process is complete, the hospital’s administrator and compliance officer should work with outside counsel to determine (and take) appropriate next steps. If an audit confirms that the hospital is in full compliance, then the next step may be maintaining the status quo. However, if an audit uncovers compliance deficiencies in any area of the hospital’s operations, then the hospital’s leadership will need to work with outside counsel to promptly address the deficiencies—both in updating the hospital’s compliance program and remedying the hospital’s past compliance failures.

Final Thoughts: Conducting an Effective Internal Hospital Compliance Audit in 2025

Like many other businesses, hospitals increasingly rely on artificial intelligence (AI)-based software tools to manage and document many aspects of their operations. This trend will almost certainly continue into 2025 and perhaps well beyond. While there is nothing inherently wrong with using AI, hospital administrators and compliance officers must be confident that their AI-based tools are up to the task. They also need to ensure that their facilities have adequate contractual protections if an AI tool is responsible for a compliance oversight or failure.

While compliance presents many complex and evolving challenges for hospitals, this is not an excuse for failure. Authorities like CMS and the U.S. Department of Health and Human Services (HHS) have made this clear. As a result, hospitals need to prioritize compliance, and conducting effective internal compliance audits is a key part of the process.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Oberheiden P.C.
