Preparing for HHS InvestigationsFormer Investigator Offers Advice on Preparing for On-Site Visits
Healthcare organizations subject to an HHS fraud or breach investigation need to ensure they're prepared and can respond in a timely manner when investigators visit on-site, says former federal investigator Stephen Morreale.
See Also: Taking Advantage of EMV 3DS
One of the biggest mistakes an organization can make during an on-site visit is to make the investigator wait, says Morreale, a former investigator at the Department of Health and Human Services.
"If you're going to have me wait in a waiting room with other customers and not treat me with respect, given the position and the work that I'm called there to do, then that's going to go against you," he says in an interview with Information Security Media Group (transcript below).
In order to prepare, the organization needs to know who will be interacting with the investigator once they arrive on-site, Morreale says. "You have to have the people who receive these agents be ready to put them in a conference room and get the appropriate company official there," he says. "Sometimes it's legal; sometimes it's the CEO; sometimes it's the operations manager."
In the interview, Morreale also discusses:
- Other mistakes entities make during investigations;
- The most common types of HHS investigations, including on-site and offsite inquiries;
- More tips on how to prepare.
Morreale is chair of the criminal justice department of Worcester State University in Worcester, Mass. In addition, Morreale serves as the lead consultant and coordinator of major fraud cases for a Medicare program contractor. He previously served in law enforcement for 30 years, and is a retired assistant special agent in charge for HHS' Office of Investigations at the Office of Inspector General. Morreale was also previously a compliance officer for a healthcare provider group in Rhode Island.
MARIANNE KOLBASUK MCGEE: To start, tell us very briefly about the kinds of HHS investigations you've done.
STEPHEN MORREALE: I was the assistant special agent in charge so I was supervising many investigations in New England and across the country. Before that, I was with the Drug Enforcement Administration. When I came to HHS, we were starting to look at any number of fraud schemes or attempts to bilk the government, anything from overbilling or services not rendered and billing for them. We were involved in pharmaceutical fraud where a number of actual pharmaceutical companies that were manufacturing were working in collusion with doctors and hospitals. We also were responsible for investigating research fraud. One of the other things we were looking at were situations where people were not protecting properly information - HIPAA violations and such. It was all over the map, anything from small doctor's offices to nursing homes to [larger] organizations.
I remember one particular situation where someone called and complained about a Connecticut hospital that had hired somebody and, shortly after they left, they realized that they had been breached and the employee who had since gone had [taken] a number of documents that had some pretty serious information, including doctor numbers, billing numbers and patient numbers. There was a problem with that and we had to go in and investigate.
Most Common Investigations
MCGEE: What are the most common types of investigations that HHS conducts?
MORREALE: ... We're involved in any number of things, including DME [durable medical equipment] suppliers that are overcharging home health agencies where people are being seen. ... We get complaints from all over. Complaints can come from looking at the data and seeing spikes in billing. Other complaints come directly from competitors who will say, "I don't like what my next door practice is doing and I want to let you know." Also, employees who are not happy leave and ... inform on their previous employer. The investigations run from quality-of-care issues -somebody not being treated well in a nursing home - to somebody stealing information, which is very prominent.
The whole cyberworld has changed the way we look at it. And I think it's important for everybody to realize that, not too long ago, within the last five or 10 years, everything was on paper, and now virtually everything is moving to electronic. We have a new threat in dealing with information that could be shared like that over the Internet if somebody has it in digital form.
Steps to Prepare for an Investigation
MCGEE: Based on your experience, what steps do you think organizations should take to prepare for an HHS breach-related investigation?
MORREALE: When it happens, it's important to figure out how it happened and, importantly, that the proper people are notified. One of the things that's important is for an organization, if they find a breach, begins to conduct their own inquiry as to what happened, where it did it happen, where they're vulnerable and what are the steps they're going to take to fix it. That should be done potentially before somebody comes in.
Sometimes, investigations start because the company itself is reporting on itself. It's self-reporting: 'This is what we found and we have a duty and an obligation to notify the government.' Very often, those performing an investigation come in and see what's happening, see if any mitigating circumstances existed and what the steps are that the organization is taking to stop that from happening again - in other words, identifying where the breach happened.
In most cases, it depends on the investigation whether or not an entity is going to be notified in advance. I can tell you from a criminal investigative standpoint, it's rare that we give a call and let you know that we're coming. More often, the people who come are either auditors or they're civil investigators and they will generally call in advance, let somebody know that they're coming and begin to identify what the scope of their view and their visit will be so that it could help the organization prepare.
But in the circumstance where two or three agents show up from the OIG [Office of Inspector General] - sometimes we would pair with the FBI, sometimes with the MFCU, the Medicaid Fraud Control Unit, if there are some state violations - they will be knocking, showing identification, asking to see the CEO and beginning to look for documents or to interview people.
In order to prepare ... if that happens, what do you do when they arrive? ... If you're going to have me wait in a waiting room with other customers and not treat me with respect, given the position and the work that I'm called there to do, then that's going to go against you. In many cases, you have to have the people who receive these agents be ready to pull them out of the room, put them in a conference room and then get the appropriate company official there. Sometimes it's legal; sometimes it's the CEO; sometimes it's the operations manager. Go and find out what it is they're doing and what they're looking for. It's important being ready for that visit. Sometimes, those visits amount to virtually nothing; it's just checking the facts, being OK and moving on.
Documentation to Prepare
MCGEE: What sorts of documentation should an organization have ready for investigators, say in a HIPAA investigation or a fraud investigation? What should organizations know that they'll need to present?
MORREALE: It would vary ... if someone's just dropping in, then the organization is not necessarily ready with the documents they may need. They may need some time to collect that. I've been involved in HIPAA investigations from both sides, from the side of the government and, after I retired, from the side of being a compliance officer and having to respond to the Office for Civil Rights within HHS. When I first made contact with the Office for Civil Rights after they reached out and had a complaint, I introduced myself as a retired assistant special agent in charge and asked what they were looking for. I asked them to give me a little bit of time. Then what happened is I had to go in and conduct my own investigation, find out what happened, where the documents were, whether there was a mistake, whether there was human error, and ultimately I was able to provide them with all of those documents. More importantly, I was able to allay the fears of the regulator by simply saying, "Here's what I found. There were mistakes. This is what we've done to stop it. We've improved training. We have had a second round of quality checks."
To explain what had happened, it was simply that a patient had come in and was looking for a second opinion from another doctor and they asked for their medical records. The medical records took a little bit of time to pull together because some of them were electronic and some of them were paper, stored offsite. Once those all came together, the particular person who was handling it printed out certain documents, went to the bin where the output paper was, grabbed the paper that was in the bin without looking at whether there was anything left there from another printing operation, put it in an envelope and sealed it, put the patient's name on it and the patient came to pick it up.
What we found in the investigation was they never asked for identification. That was the big mistake. They never double-checked the paperwork and, when that particular person opened the envelope, they found that there were two or three other patients' information that was there. With some irony, the person who was looking for their records to go for the second opinion happened to work for the United States Attorney's Office, so you can imagine what happened when the U.S. Attorney's Office got hold of that. That's when we got a call from HHS, the Office for Civil Rights.
The answer to your question, in summary, is: Do the investigation, collect the relevant documents and, when they come, have them ready for them and explain what the process is, where the mistakes were and what you're doing to prevent it from happening again.
Onsite vs. Offsite Investigations
MCGEE: What's the difference between HHS doing an onsite investigation vs. offsite, and do all offsite initial investigations lead to onsite investigations?
MORREALE: No they don't. For example, if it's HHS and it's from the regulatory side or if it's from the Office for Civil Rights, very often that investigator may never leave their desk. They may simply begin to correspond with the entity starting with a phone call, following up with a letter. In that letter, they will request certain documents. They'll request certain attestations that you have done something to stop [a problem] and to correct it, and that may be the end of the issue. That's exactly what happened in the investigation that I told you about. That was it. They were satisfied with what we did.
If they have to come onsite, generally they're looking for documents, and not every single document. They may select certain documents to almost spot-check to see if you're doing things right or if they can find some mistakes in the process. What's really important for people to understand is there are so few people conducting investigations and there are so many potential violations that they can only do so much. What I think is important is for people to recognize that they're going to ask what did you know about a breach, when did you know and what did you do about it. When you're able to answer those questions and it looks like the organization has a good management structure and response to these kinds of issues, I think in many cases, unless it's a repeat offense, it's acceptable that some mediation or change in policy can be effective and acceptable to the government.
Biggest Mistakes Organizations Make
MCGEE: What are the biggest mistakes that healthcare entities make when they're being investigated by HHS?
MORREALE: Being defensive is a very big mistake people make. The cover-up is worse than the crime in most cases; I think we've seen that over and over again. Accept that people make mistakes; accept the training wasn't as good as it could be; accept that a part-timer made the mistake, and that you may have failed in providing as much training to the part-timer as you did the full-timer. Those mistakes I won't say are acceptable, but they're understandable. The mistakes are not being forthright; the mistakes are trying to hide something. I can't stress enough what I said a moment ago: The cover-up is always worse than the incident and that's what gets people in trouble. It's lying; it's withholding information. It can be something as simple as being asked for records and not doing a diligent job of finding all records.
The problem that people will have - and I really want to make this clear - is that as many entities go to electronic medical records, they have to realize that they may still have records that are held that are on paper. If you don't give the government everything, then you've got a problem. I think the supposition is when that happens, you're hiding something. That can change the entire context and approach of the investigation. You can go from, "Alright, they're human, they made some mistakes and they're on the right track," to, "Wait a minute. I have this document. They didn't turn over a similar document. They're hedging or hiding something." Very often a patient may say, "I have this record and this is wrong." We're going back in to say, "Tell me what records you have." They may say, "I have this record in my hand. If you don't give me a copy of that, then I'm going to begin to wonder whether or not you're well-managed or whether you're trying to pull the wool over our eyes."
Tips on Avoiding Investigations
MCGEE: Finally, do you have any tips for how healthcare entities, and now business associates under HIPAA Omnibus, can avoid becoming the subject of an HHS investigation in the first place?
MORREALE: What you have to do is be proactive. We have to think about the important elements that we have in our custody. What are the important pieces of information that we have that should be protected?
Think about what we keep. We have Social Security numbers, home addresses, names and family members. We also have the doctors that service them, the HIC [insurance ID] numbers and the DEA [Drug Enforcement Agency] numbers for writing prescriptions, and physician numbers, NPI. All of those things separately may not hurt anybody, but collectively could allow me with that information to bill for a doctor, for a hospital or for a patient for things that were never offered and the services were never rendered. What happens is these little [fraudulent] groups will spur up, get a provider number and bill HHS, Medicare or Medicaid - and they may get $1 million in a very short period of time and shut down. Now we have to chase an entity that has opened and closed that never really was set up to treat patients. It was really set up to bilk Medicare and Medicaid by billing inappropriately.