
The Trump administration has repeatedly made it clear that fraud, waste, and abuse will be targets under the new administration, and healthcare is feeling the heat. This administration has signaled a robust approach to enforcing the False Claims Act, with a continued priority focus on coding and violations of the Anti-Kickback Statute. It will also seek to protect the whistleblower provisions of the False Claims Act, which a federal judge in the Middle District of Florida held were unconstitutional last fall.
Federal investigators often turn to electronic medical record, transaction processing, and practice management system vendors in order to substantiate their cases against healthcare providers. The Government will generally issue a subpoena, warrant, or civil investigative demand for records in the vendor’s possession with respect to a certain provider or provider organization. The subpoena, depending on the nature of the investigation and issuing jurisdiction, may have a variety of different requirements.
First, check and see if this is even your customer. A lot of agencies don’t know which vendors maintain PHI, and a lot of providers carry very similar names. I am not sure how many varieties of “pediatric” and “associates” exist in the United States, but there are a lot. Confirm the agency is looking into your client and not a “look-a-like.” The easiest way to do this is with an NPI-TIN combination.
Next, determine your obligations to your customer and their patients. Consult your Business Associate Agreement, HIPAA, and as applicable, Part 2 and state privacy laws on what to say to your customer – if anything. Note, the response may differ depending on whether the investigation is civil or criminal. Under HIPAA, generally a business associate should notify a covered entity prior to the disclosure of PHI. An exception exists if there is a valid law enforcement delay, as HIPAA defines that term. You also have to contend with the rules of criminal and civil procedure that are in play.
Third, understand the point of the investigation in broad strokes. Why is there an investigation? Is there a patient safety issue (e.g. drug diversion)? Is it fraud? This is important because it could affect how you interact with law enforcement and your customer. You generally won’t get anywhere asking for details; however, most investigating officers will divulge the general purpose of their subpoena.
Inventory what services you provide this customer and how that might relate to the activities subject to the scope of the subpoena. There is a difference in quality between a billing/RCM customer and a SaaS one. Review the file to see if there is a relationship to ensure, at a minimum, that you understand any potential exposure.
Before you even get a subpoena, try to get your products ready. Some products, in the spirit of user simplicity, have gaps in how clinical and/or billing records are amended. Once an insurance claim is submitted, most payers require contemporaneous or at least fast clinical documentation. Signature integrity is important. Timestamps regarding clinical notes, and amendments thereto, are important – and if an auditor relied on your data, and reasonably came to the wrong conclusion because of how note creation and amendment are presented in your software or audit log, you could get roped into the False Claims Act. Previously, I have written about how you should ensure you have a note signature system that actually closes notes and forces providers to formally amend them, so as to avoid making your product a vehicle for fraud. Get this stuff on your roadmap, if you haven’t already.
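As an added illustration of the note-closing and amendment behavior described above (not code from the author or from any product), here is a minimal Python sketch in which signing locks the note body, later changes are stored as separate amendments, and every action lands in a hash-chained audit log with a server-side timestamp. The class, field, and function names are hypothetical.

```python
import hashlib
import json
from datetime import datetime, timezone

class NoteLocked(Exception):
    """Raised on an attempt to edit a note in place after signature."""

def _digest(fields):
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()

class ClinicalNote:  # hypothetical model, not any vendor's schema
    def __init__(self, note_id, author):
        self.note_id, self.author = note_id, author
        self.body, self.signed = "", False
        self.amendments = []   # amendments are stored beside the original
        self.log = []          # append-only, hash-chained audit trail

    def _record(self, action, actor, text):
        entry = {"note": self.note_id, "action": action, "actor": actor,
                 # server-side UTC time, never a client-supplied value
                 "at": datetime.now(timezone.utc).isoformat(),
                 "text_sha256": hashlib.sha256(text.encode()).hexdigest(),
                 "prev": self.log[-1]["hash"] if self.log else "0" * 64}
        entry["hash"] = _digest(entry)
        self.log.append(entry)

    def draft(self, text):
        if self.signed:
            raise NoteLocked("note is signed; use amend()")
        self.body = text
        self._record("draft", self.author, text)

    def sign(self):
        if self.signed:
            raise NoteLocked("note is already signed")
        self.signed = True
        self._record("sign", self.author, self.body)

    def amend(self, actor, text, reason):
        if not self.signed:
            raise ValueError("only a signed note can be amended")
        self.amendments.append({"actor": actor, "text": text, "reason": reason})
        self._record("amend", actor, reason + "\n" + text)

def verify_log(log):
    """True only if every entry is unmodified and chained to its predecessor."""
    prev = "0" * 64
    for entry in log:
        fields = {k: v for k, v in entry.items() if k != "hash"}
        if entry["prev"] != prev or _digest(fields) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True
```

Because each entry commits to the one before it, a backdated or edited timestamp in a produced audit log fails `verify_log`, which is the property an auditor relying on the log needs.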
Work with law enforcement. The government is, like it or not, the largest customer in healthcare. They need to be treated with respect, and in the spirit of partnership. These are usually cases about public funds and/or patient safety; failing to take it seriously will bring some heat. That said, in almost each subpoena or warrant I have worked on, my client has faced technical or timing limitations. Each time, law enforcement was willing to work with my client. If you can or cannot produce something, let them know, and give them good faith estimates (with some reasonable buffer) on when you can produce the requested documents.
Review your production. You want to look at what you give the government. It almost goes without saying, but look at it with a critical eye. You want to especially be alert for anything the government may try to pin on you. If they are prosecuting a healthcare provider for fraud, there’s a good chance that provider goes to jail destitute. If the government wants to recover public funds, they may very well turn to a vendor who, in their eyes, had reckless processes. This is about understanding exposure – and also, if you find something, you have an opportunity to remediate it. That will help your case, if any comes up down the line.
Finally, you might have to suspend your customer’s account. Depending on what you know about the investigation and uncover as you review the production, you may need to suspend or terminate services. I generally recommend working with law enforcement to ensure it does not inadvertently interfere with their investigation. If the government directs you to continue to permit a provider to submit claims through your system, they will struggle to later argue you were “reckless” in cooperating with them. That said, if there is a clear patient safety issue, there is a different sort of tension. If your product is facilitating provider conduct that, beyond a shadow of a doubt, is harming patient safety, you have a thicket of ethical and legal problems to wrestle with. In these cases, I try to get law enforcement to recognize the patient safety risk of maintaining an environment, and request further advisement. This – appropriately – usually leads to the suspension of the provider’s services.