Georgia's Trusted Healthcare
& Medical Provider Attorneys

Healthcare Fraud: What To Do If You’re Audited

healthcare fraudOver the past several years, we’ve seen a trend in increased investigations and enforcement of healthcare fraud. This trend continued in 2013 and is continuing in 2014. Nationally, in 2013, the United States Attorney’s Office investigated 1,013 new criminal matters involving healthcare fraud and filed charges in 480 of these cases. In Georgia, in 2013, there were 336 Medicaid Fraud Investigations.  Of those investigations, only 13 led to indictment; but of those 13 indicted, 10 resulted in convictions. Given this trend, if you are a healthcare provider, it is vital to know what to do if you find yourself being investigated for fraud.   Following are some important  steps to follow if the government shows up at your door with a search warrant: —  Immediately call your attorney. Do not pass go. Call.  It is crucial to call an attorney who has experience in both health care law and in defense. —  Ask for identification of the people at your door. Review the credentials or business card. Write down the name and contact information. —  Do NOT destroy, alter or remove any documents. —  Be polite. Remain calm. Be cooperative. Say please and thank you. —  Ask for a copy of the search warrant and any affidavit filed in support of the warrant. —  Ask what crime and conduct is under investigation. —  Request that no interviews be conducted until your attorney arrives. —  Immediately advise all supervisory personnel of the search and that they are to wait for the attorney to arrive before answering any questions. —  Compile an inventory of all the documents being removed and ask if you can copy all the documents being seized – this includes making a back up disk for all computer files —  Make a record of everything said by an investigating officer. If you cannot do this during the search, write up your recollection after the search —  If possible, videotape or photograph the search —  DO NOT speak with the press Jeyaram & Associates has helped numerous organizations facing charges of healthcare fraud. To learn more or for assistance, contact Kimberly Sheridan at

More Providers Audited for HIPAA Compliance – Are You Ready?

The number of entities audited for HIPAA compliance has increased. Are you prepared if OCR comes knocking on your door?

Under the HITECH Act, the Department of Health and Human Services is required to conduct periodic audits to ensure that entities are complying with HIPAA. Phase 1 audits concluded in 2012. Now OCR has released information on Phase 2 and more audits are set to begin around October of this year.

HIPAA Covered Entities and Business Associates selected for audits will be asked to quickly produce policies and procedures, executed business associate agreements and other HIPAA-related documentation so that it can be reviewed by OCR to determine if any deficiencies exist. OCR has noted that it intends to focus on the deficiencies identified through Phase 1 audits. These include lack of proper policies and procedures, presence of security risks, failing to conduct a security risk assessment, and failing to have business associate agreements on file.

Small providers should also take note—according to OCR, small providers tended to have more deficiencies than larger providers. OCR has also revealed other details regarding the 2nd audits, OCR will be conducting the audits internally. They have also increased the number of entities to be audited to 400 entities, 350 of which will be Covered Entities and the remaining 50 will be Business Associates. Some of the audits will focus on the Privacy Rule, others on the Breach Notification Rule, and the remainder will focus on compliance with the Security Rule.

If your organization is a covered entity or business associate under HIPAA you want to make sure that you are prepared in case you are one of the entities subject to an audit this Fall. Steps you will want to take include:

  • Have all your HIPAA policies and procedure updated and on file
  • Make sure all your Business Associate Agreements reflect the 2013 changes to the HIPAA Rules and have those agreements properly executed and on file
  • Conduct a security risk assessment if you have not already and ensure that security risks are addressed
  • Engage an experienced healthcare law firm to proactively help you review the aforementioned items to help you identify any potential deficiencies

To view OCR’s Presentation on Phase 2 Audits, click here: OCR Audits Phase 2 by Linda Sanches, Senior Advisor for Health Information 

For more information contact DJ Jeyaram at or Danielle Hildebrand at 

Consistency Lacking in Healthcare Data Bank Reporting

On September 12, 2012, the Office of Inspector General (OIG) issued a report regarding the Healthcare Integrity and Protection Data Bank (HIPDB).  The report was a follow up memorandum to a 2010 report where the OIG found that the Centers for Medicare and Medicaid Services (CMS) did not report all adverse actions to the HIPDB as required by law.  The OIG’s findings indicate that CMS improved reporting for durable medical equipment (DME) suppliers but did not improve adverse action reporting for other types of providers.

The HIPDB is available as a resource to agencies, health plans, and individuals.  The purpose of the HIPDB is to provide a central reporting tool for adverse actions against potentially fraudulent and abusive providers.  Under current law, the HIPDB data will ultimately be transferred to the National Practitioner Data Bank (NPDB).  At that time, the HIPDB will no longer be in operation and the NPDB will be the central location for adverse action queries.  According to the OIG’s report OEI-07-09-00292, the types of adverse actions that must be reported under law include “licensure and certification actions, exclusions from participation in Federal and State health care programs, criminal convictions, civil judgments related to health care, and any other adjudicated actions of decision that the Secretary establishes by regulation.”  There are specific reporting time limits when an adverse action is taken.

In preparing its follow up report, the OIG compared reporting data from 2009 with reporting data from 2012.  The OIG concluded that “the number, frequency, and types of reports indicate compliance with Federal requirements” for DME suppliers; however, the OIG also concluded that “CMS may no longer be reporting any nursing home terminations to the HIPDB.”  Further, data comparisons indicated that the HIPDB is missing reports of adverse actions taken against other types of providers, including prescription drug plans, laboratories, and managed care plans.

As a result of its follow up investigation, the OIG decided to further recommend that CMS report all adverse actions as required by law.

Entities that regularly query the HIPDB for information about providers and solely rely on those query results should exercise caution.  The OIG provides an online search for exclusions.  In addition, the Georgia Secretary of State allows for corporation searches to verify corporate information.  It is recommended that entities exercise due diligence to protect themselves from association with providers who are excluded or have a history of adverse actions.

HCA Under Scrutiny for Alleged Healthcare Fraud

HCA, the largest for-profit hospital in the United States, is facing government scrutiny based on an investigation into the “medical necessity” of cardiac procedures in several of its hospitals, mostly located in Florida. According to a statement issued by HCA, the Justice Department “requested information on reviews assessing the medical necessity of interventional cardiology services provided at any company facility (other than peer reviews).” In this case allegations are that unnecessary cardiac testing and surgeries led to increased profits for HCA.


According to a New York Times article released on August 6, 2012, HCA declined to comment on whether it alerted Medicare, state Medicaid, or private insurers, or reimbursed them for any of the procedures that HCA ultimately deemed unnecessary.  Such notice is required by law.  According to internal HCA reports, doctors made misleading statements in patients’ medical records making it seem that the procedures were medically necessary, when in fact they were not and could have been more appropriately handled by nonsurgical treatment, such as drugs.


One of the physicians contacted by the Times defended his work, maintaining that improved documentation and record keeping would support his medical decision making.  Although clearly not a case of merely poor record keeping, HCA’s current predicament reminds physicians and other providers of the great importance of detailed and organized medical records.