Fraud investigation tips from Deloitte's Mike Little
FierceHealthPayer: Anti-Fraud: Can you share some best practices for preserving and storing evidence (particularly medical records) in fraud, waste and abuse investigations?
Mike Little: Understand the sensitivity of records you work with and the requirements of the Health Insurance Portability and Accountability Act (HIPAA). When obtaining documents that contain protected health information (PHI), you need to know who can obtain them, how they can be obtained, how they can be stored and what processes must be used to transfer them.
Look at how electronic records are transferred: Is the encryption sufficient? Is there encryption at all? The answer should be yes, since PHI should always be transmitted in an encrypted, secure state, and the government has requirements for that encryption.
Are records provided on a thumb or disk drive, and if so are those devices encrypted? Where and how are they stored to prevent PHI loss by employees? This is a significant challenge, as is cybertheft of data from corporate storage.
When you obtain information that may be relied on as evidence, it's vital to authenticate the records. Track documents from when they were obtained from their lawful custodian to when they were provided to prosecutors, showing who had access to them at every step along the way.
Document these points: Who obtained the records? When and from whom were they obtained? Where are they being stored? Who has access to them? Who has [already] accessed them? For how long and for what purpose? When were records returned to the [internal storage] location? And ultimately, when were records returned to their original custodian once the investigation concluded?
Information security is important. For hard copy records, know where they're stored and who has access to them. Make sure there's an appropriate evidence locker or cabinet that has limited access in use.
Comments