HIPAA Extends Big Brother's Reach
MANAGED CARE August 1997. ©1997 Stezzi Communications
Physicians' relations with practice management companies, accountants and other advisers may be significantly altered as providers come to grips with the federal government's antifraud initiative.
While most providers need to conduct an internal assessment of their compliance with billing rules and regulations, such an internal assessment would lead to a discussion that would result in records the government then could obtain upon request, along with any reports, work notes, analysis and recommendations that were created as part of the internal audit. Further, the Health Insurance and Portability and Accountability Act of 1996 (HIPAA) established that "reckless indifference" to the accuracy of submitted claims might constitute fraud by an inattentive provider. An internal review of billing compliance could discover and highlight a pattern of problems that might be deemed evidence of fraud. Thus, if handled carelessly, a provider's internal audit could create a package of information available for the government or a private plaintiff to use in a subsequent investigation or challenge.
Further, these problems are sometimes discovered in the course of unrelated activities, such as a billing review by a practice management consultant that was intended to identify new billing opportunities. When such a review instead (or additionally) identifies billing problems, the provider is now in a terrible position. Not only must a provider address the identified problems, but it must be done in the full light of day, because the identified information and documents and work notes produced in connection with that review and assessment are available for the government's use.
This government scrutiny also exposes health care consultants and certified public accountants to potential allegations of negligence, malpractice or fraud. Advisers — health attorneys included — frequently present themselves as "experts" whose knowledge and skills help our clients avoid trouble and maximize their opportunities.
When a health care adviser then initiates an activity that harms the client, this is, at best, foolish and may be a potential breach of the adviser's fiduciary duty to the client. If this harm could have been avoided or minimized — and the confidentiality problem we are now discussing definitely can be avoided or minimized — then a malpractice claim against the adviser might be possible.
Even when a provider engages an adviser to identify missed reimbursement opportunities, the provider often expects the adviser to pay attention to any problems or other important information identified (or reasonably identifiable) during the course of the assignment. If the adviser notes problems and fails to communicate them to the provider, or even if the adviser fails to note problems that were readily identifiable, this too may be a breach of the adviser's fiduciary duty to the client.
Some advisers try to reduce risks by giving an oral presentation to the provider, thus minimizing the written product. But the adviser's work notes and other materials remain discoverable. If the adviser took no work notes, the provider's notes from discussions with the adviser are discoverable. (If no one took any notes, I would question the usefulness of the assignment!)
In addition, these advisers may themselves be vulnerable to allegations of fraud. When an adviser learns of information from his provider client that suggests (or even confirms) evidence of fraud, the government may contend that the adviser has a duty to communicate that information to the government. Failure to disclose fraudulent activity can itself can be actionable as "misprision of felony," as well as under the False Claims Act. This usually arises in the criminal context, but some government officials have suggested that it can apply civilly as well. While many of my colleagues feel this is a ridiculous overextension of the law, government officials appear to disagree. Because there is no such thing as "accountant-client privilege" or "practice management consultant-client privilege," the adviser cannot argue that he or she is not allowed to disclose information that federal law might require be disclosed. Advisers who find themselves in this position will feel rather uncomfortable, to say the least.
Ironically, because there is no consultant-client privilege or CPA-client privilege, the consultant who learns of billing problems could become involved in litigation against the client! This would be grossly unfair, of course. The provider would undoubtedly make a number of equitable and legal arguments challenging this entitlement, and could even prevail in that challenge. But a qui tam lawsuit — one in which a private party sues on behalf of the government — often is not disclosed to the defendant until a number of months have passed, so the provider may not be in a position to object until the case has been fairly well developed. Also, consider the consultant's dilemma if the client refuses to acknowledge evidence of fraud. If the consultant perceives it has an obligation to ensure that this information is disclosed to the government, the consultant might perceive that a qui tam lawsuit is a viable alternative approach to disclosure.
I recognize that these sort of records and claims audits are one of the "bread and butter" items routinely offered by health care consultants (especially medical practice consultants). These consultants therefore are understandably hesitant to abandon these activities because of the dangers described here. But HIPAA has changed the rules. The government now has both the ability and reason to probe into billing irregularities more frequently and with greater consequences than ever before. The danger of advisers facilitating damaging disclosures and creating dangerously discoverable work product cannot be ignored.
Solving the privilege problem
Talk about being caught between the proverbial rock and hard place! How can a provider assess compliance with reimbursement and regulatory requirements without developing information and creating written work product that the government can look at and utilize for its own advantage? How can management consultants continue to offer this sort of assessment and compliance service for clients without harm to the clients and to themselves?
The answer, I believe, is that this sort of work must be handled under the direction of a competent health lawyer, working collaboratively with competent advisers and competent members of the provider's staff. Further, this must all be done within the delicate parameters of the attorney-client privilege, to preserve the confidentiality of the team's investigation, analysis, work notes and internal written communications.