Answering the door: How to respond to government regulators

By Paul Cirel

When regulators come knocking, the most common type of contact is a notice of audit.

Just like there is no such thing as a routine traffic stop, there is no such thing as a routine audit. When CMS (the Center for Medicare and Medicaid Services) or the OIG (Office Inspector General) or DMA (Division of Medical Assistance) sends a request for certain patients’ medical records, the provider should assume there is a common denominator to those claims that leads the government to suspect fraud or abuse.

Of course, not responding is not an option. Failure to respond will result in the withholding of payments, debarment and the service of a subpoena for the same (and probably more) records.

One piece of good news is that extending the deadline for responding is usually an option, and more time is almost always necessary to make a thorough and informed response.

Complete records

The first task in preparing to respond to an audit is to ensure that the records are complete. The only way to do that thoroughly is to compare each medical record with its corresponding billing record. Remember, those billings are where the government’s investigation began.

A sample checklist before sending in any records might include: Is there a note for each visit? If a lab test or X-ray was ordered, is the report in the chart? If a consult was billed, is there a report to the referring physician? If a referral was made, is there an entry documenting it?

A couple of notes of caution in producing records. First and foremost, never create or alter a missing or wanting entry or document.

Nothing will lead more quickly to an obstruction of justice prosecution than the production of tampered records. If the records are less than thorough, the provider can address those issues in a cover letter or addendum that explains and provides the missing information. If that becomes necessary, such additional information should only be submitted with the assistance of counsel.

Second, audit requests frequently ask for particular dates of service rather than complete medical files. Those requests can be traps for the unwary.

Of course, medical records – and a physician’s knowledge of a patient – are cumulative in nature. As a result, isolated entries may not adequately reflect the complexity of the patient’s medical history or the physician’s medical decision making, both of which affect which evaluation and management service level was billed.

Isolated service dates also run the risk of overlooking relevant test results, X-ray reports or consultations. So, while less is usually best when dealing with the government, this may be an instance where a provider is better served by producing more documents than requested. Of course, that, too, is a decision best made with the assistance of counsel.

One last point in responding to an audit. If at all possible, do not produce original records and, if you must, make copies.

Surprise visits

What if investigators show up, without a warrant, asking to look at records and to speak with you? This much is certain: It’s not because they just happened to be in the neighborhood.

They have an agenda and, if they did not call first to make an appointment, it also includes the element of surprise. This is a situation in which the answer to “Who’s there?” matters a lot.

By law, OIG and MFCU (Medical Fraud Control Unit) investigators are entitled to “immediate access” to a provider’s office to examine records. Failure to grant such access can result in program exclusion and/or payment withholding.

However, “immediate” means within 24 hours – not the moment they arrive. And examining records means examining records; it does not mean conducting interviews. Also, the request to examine records must be in writing, even if it’s delivered in person.

Faced with a surprise visit, the prudent provider will not answer any questions, but will politely explain that it is a bad time, and ask to schedule a return appointment at the investigator’s convenience (within 24 hours if they so request). The provider should then immediately call a lawyer.

At that point, ground rules can be established for the return visit. For starters, the provider should explain that investigators’ presence during office hours could compromise patient care (and HIPAA confidentiality), and that they should come back during non-patient hours – even if it means in the evening.

That is a hard request to turn down, and may well result in having more than 24 hours to prepare.

Second, request a list of the records to be examined in advance. If they provide the list, it will allow an abbreviated review for completeness and perhaps some advanced insight into their agenda. If they decline to provide a list, insight of a different sort will be gained.

Regardless, investigators are not entitled to unfettered access to records or to the office.

They do not have carte blanche to rummage through patient files. Rather, they can only examine specifically identified patient charts. Also, they can be limited to an isolated location because, while the investigators are entitled to examine Medicare and Medicaid patient records, the provider is obliged to ensure the confidentiality of all other patient records.

Finally, investigators are allowed to examine and copy records, but not to remove originals. Likely, they will bring their own portable copy machine. Regardless, it is important to keep track of every record they examine.

The subpoena

More common than a surprise visit is the receipt of a subpoena. That is especially so since the advent of HIPAA, which authorizes DOJ (the Department of Justice) to issue administrative subpoenas. Previously, subpoenas could only be issued on behalf of a grand jury as part of a criminal investigation.

On the state level, the Massachusetts Attorney General’s office has increasingly been using its own administrative subpoena powers – called civil investigative demands (CIDs) – in state matters that have not percolated to the grand jury level.

Whether issued administratively or through a grand jury, subpoenas can compel the production of far more than medical charts.

At a minimum, they often include billing and payment ledgers, payroll accounts, bank records, appointment books and vendor files. Such subpoenas are usually directed to a “keeper of records” who is also required to provide testimony to authenticate the records.

Subpoenas almost always signal a well-developed and targeted investigation, and the only sensible response is to immediately contact counsel (who will likely be able to negotiate some relief, if only in time and volume).

If there’s one thing a provider should not do upon receiving a subpoena, it is to call the investigator or prosecutor whose name and number is often on the cover sheet.

Search warrants

The most serious and intrusive investigative contact the government can initiate is a search warrant.

Search warrants must be approved by a judge, based on a sworn affidavit by law enforcement personnel detailing why they believe it is likely that a crime has been committed and that evidence of that crime will be found in the location to be searched.

In health care fraud and abuse investigations, a search warrant usually suggests the presence of an informant or qui tam relator with recent and fairly intimate knowledge of the office.

Such a warrant also suggests that the government has alleged exigent circumstances; e.g., that if the records were simply subpoenaed they would be altered or destroyed by the provider beforehand.

If law enforcement officers show up with a search warrant, counsel must be contacted immediately. Make no attempt to interfere with the search but, at least until counsel arrives, be watchful.

Warrants do contain limits, including: The precise physical area to be searched, the materials that the agents are authorized to seize; the time frame, including the number of days after the issuance in which it must be executed, and the time of day (usually, between 6 a.m. and 10 p.m.) during which it must be served.

That is not to suggest that a provider engage in any substantive communication with the agents executing the search. Warrants do not compel answers to any questions, and no information should be volunteered.

Also, search warrants do not authorize government agents to detain anyone, and employees are therefore free to leave. But, while search warrants do not authorize interviews, neither do they prevent them.

In other words, employees can agree to be interviewed and, under no circumstances should they be instructed not to be. Instead, it is best left to counsel to provide the employees with information about their rights.

In the meantime, the provider should do no more than keep track of who was interviewed and, if possible, what was said. At the conclusion of the search, the agents are required to leave an inventory of every item seized.

One final word

Of course, not every fraud and abuse audit investigation or prosecution results in a penalty, sanction or conviction.

But they all do produce a fairly high level of anxiety and frequently a need to overcome an ill-conceived first step by the provider.

All too often that initial contact is mishandled because, other than thinking “it can’t happen to me,” the provider had never thought about what to do if it did happen.

You should think about it because, to paraphrase Hyman Roth, “this is the business you’ve chosen.” MMLR

Any questions or comments should be directed to the editor at: reni.gertner@mamedicallaw.com

Paul Cirel is a partner at Dwyer & Collora in Boston and focuses his practice on the representation of health care professionals including individual physicians, corporate providers and group practices.