Regulators’ perfect storm: HIPAA audits and more medical fraud

The new, more stringent regulatory environments designed to aggressively address medical fraud and the management of Protected Health Information (PHI) have created the perfect storm for regulators and organizations to detect fraud and decrease the frequency of data breaches.

This push has also created an opportunity for organizations anticipating these audits to perform an information governance overhaul. So, while the immediate focus should be on HIPAA compliance and preventing data breach, there are other beneficial by-products that may result from an audit and that can decrease an organization’s overall information governance risk.

Large healthcare providers are often responsible for the most egregious medical fraud and incidents of data breach, typically because of the transactional and operational challenges that plague all big organizations. Other instances of HIPAA violations and data breach could have been prevented through a proactive audit or assessment, followed by remediation within the organization to address the deficiencies found.

These challenges include multiple information management systems, third-party cloud repositories, the need for coordination among multiple business units for billing, and cross-referencing strategies with governmental agencies, programs and private vendors.

Address the challenges

The challenges are particularly important to address because providers and their business associates can now expect to be subject to audits by the Office of Civil Rights (OCR) – the enforcement arm of the Department of Health and Human Services – under the Health Insurance Portability and Accountability Act (HIPAA) and certain aspects of the Health Information Technology for Economic and Clinical Health (HITECH) Act as of Sept. 23, 2013.

This date is important because the new amendments to HIPAA are now fully enforceable: the period for compliance and implementation has passed for organizations. Now, all of the HIPAA updates and amendments that have expanded the requirements for security, privacy, policy creation and employee training are likely to be audited.

Self-reporting is no longer the primary way data breach or noncompliance with HIPAA will be discovered. Active auditing will begin to take center stage as the OCR and other regulators get their cadence and establish a comfort level of enforcement.

Coupled with the anticipated HIPAA audits, there has been a drastic increase in medical fraud in the United States in recent years. Many of these fraud cases fall under the False Claims Act (FCA) and involve fraud against the government.

Medical fraud is an intentional attempt by providers and, sometimes, by the insured or beneficiaries, to fraudulently obtain payments or benefits under a policy or program.

Fraud takes many forms

Medical fraud can take many forms, including knowingly billing for unnecessary services, billing for services not performed, or billing for more expensive services than were actually provided. It is helpful to view medical fraud as a multi-party crime; potential perpetrators could be the covered entity, the business associate and/or the patient.

The increase in health care fraud is a primary reason why the United States Government Accountability Office has deemed the Medicare and Medicaid programs “high-risk.” This designation should also factor in eRisk. eRisk contributes to a high-risk designation because protecting PHI, guarding against medical fraud, and the eDiscovery implications that accompany non-compliance and litigation are very real concerns for covered entities.

HIPAA audits facilitate fraud detection

Given the timing of the new HIPAA audits, the rise of medical fraud in the United States and the transition in the medical field to electronic records, covered entities that want to protect themselves must assess where they stand in terms of eRisk. These HIPAA audits will motivate covered entities to put in place technology and processes that will assist them in HIPAA compliance and enhance their ability to investigate fraud within their organizations.

While covered entities and their business associates are updating their policies and procedures to meet HIPAA’s requirements, they have opportunities to assess their risks in other areas.

A perfect example of a question that has multiple areas of impact pertains to those doing business with HIPAA-covered entities. Under HIPAA, covered entities have an explicit duty to update all their agreements with third-party business associates and to ensure that those agreements not only protect PHI and Personally Identifiable Information (PII), but also address liability for security breach.

Non-HIPAA questions that relate more to eDiscovery and information governance include how third parties store this data and how a covered entity can retrieve relevant information when necessary. This question must be asked to assess whether a cloud provider is HIPAA compliant, but it is also crucial to understanding the eDiscovery and Information Governance process. If this question is not considered up front, there will be expensive, time-consuming consequences later.

The role of eRisk consultants

During a HIPAA assessment, it is beneficial to ask an eRisk consultant to evaluate the workflows and processes related to billing and other repositories that have fraud-enabling potential. This is also the time to implement clear document retention and archiving policies to ensure that email and other archived data can be placed under a legal hold and can be retrieved, reviewed and expired. The ability to review email internally is an enormous advantage in combating medical fraud.

Benefit from the opportunity

The covered entities that view this impending regulatory crackdown as an opportunity to improve their policies, processes and employee training will be well positioned to avoid fines or litigation.

While HIPAA assessments and audits may not at first glance seem related to medical fraud, they are. As entities evaluate the new requirements for HIPAA compliance, they will be taking a closer look at their internal systems. They should invest in technology and training that can protect health information as well as detect fraud.

There are many in-house tools and indexing engines that can quickly analyze information to detect fraud and identify relevant custodians and related subjects for early case assessment (ECA). This gives covered entities a unique opportunity to examine both their HIPAA compliance and their ability to conduct ECA and internal investigations to detect fraud.

* Allison Walton is a lawyer and CEO of Fortis Quay, Inc., a global information governance, eDiscovery and compliance consultancy. She is an active thought leader in the Information Governance space and has presented globally on topics like data privacy, data breach, defensible deletion and the importance of employee education in the use of emerging technologies that can present serious risks to the organization. She is creator of The Quay Calculator™, a tool that measures an organization’s Information Governance Risk and provides a baseline for an action plan in order to reduce detected risks. She can be reached at awalton@fortisquay.com.