It seems that surprise visits by special investigative units seem to be on the rise. Though providers are required to cooperate with the investigation, they do have certain rights when complying.
With this in mind, how should you respond to investigators?
First take the time to train your staff before an investigation occurs. You should ask for identification of anyone demanding protected information or access to your office. Your staff should make copies of the investigators identification and document the behavior of any investigator who makes demands or insinuates a threat.
This can help your defense with regard to improper behavior.
Secondly, it is important that you and your staff establish what authority they may have to inspect your office and for what purpose. This is so that you can verify their right to review protected information and see written proof of who they are representing.
This is your right and the office’s responsibility under HIPPA law. If and when you receive a surprise visit by an inspector, the following is a list of options to consider and to give your office some control of the situation.
1) Even with a subpoena, you have the right to defer an unannounced visit and schedule a more convenient time for their request.
2) Once they arrive, if they request additional information, you may ask to schedule another time to complete the inspection to allow adequate administrative staff to comply with the request.
3) You may request legal counsel at any time during the investigation. I would recommend this especially with federal or state agencies.
4) Get a list from the investigator of the information that they intend to inspect.
5) Provide the investigators with a private place to use for the inspection. This should be a place in your office away from your normal operating procedures and any other records, information or office marketing material that may draw their attention to other issues which are not a part of of the purpose of their visit.
6) Make available only the files and documents that they have requested. If they request additional information, you may ask to schedule another time to complete the inspection to allow adequate administrative staff to comply with the request.
7) Remember an investigator is not your friend. Think and remember to shut up. It is natural to attempt to defend your actions and to make sure that the investigators understand your side. However, it can jeopardize your opportunity for an effective defense.
8) If possible, have a compliance consultant available during the investigation. They should meet with you and your staff to review the investigation and to be present during the proceedings. If the consultant feels that there is a chance you could incriminate yourself, he will stop the interview and recommend that the interview be deferred until your attorney can be present.
9) If possible, always be present with the investigator for the duration of the visit. Even better, have a qualified compliance consultant who will stay with the investigator and obtain any information that may be needed to minimize you and your staffs member exposure to the investigator. The consultant may also review the records to give valuable information to determine what the worst case scenario might be.
10) Call or email me with concerns.Remember that the longer you’re in practice, the more likely you will to be investigated. By taking some careful steps when investigated, you can help ensure that your rights are safeguarded and it may result in a better outcome for your practice.
With investigations, CMS audits, OCR audits and MU audits on the rise the best advice that I can give you is to be prepared. So many doctors wait until an investigator walks into their office or until they receive a letter in the mail before doing anything about complying with the laws.
Have your compliance manual up-to-date, including your office policies and procedures as mandated by the OIG. Have copies of your most recent risk assessment and your risk assessment policies and procedures on file in your office as mandated by title II of HIPAA under the Security Rule.
Also, make sure that your office is using the new version of the Notice of Privacy Practices and that your privacy policies and procedures manual have been updated, as mandated by Title II of HIPAA The Privacy Rule.
Finally make sure that you understand the documentation requirements mandated by the CMS, private carriers and most States laws.
Dr. John Davenport DCM, MCS-P