So You Wanna Blow the Whistle: How to Report Fraud and Abuse in Health Care

Every so often, we receive messages from providers who have observed downright concerning and potentially fraudulent practices in their healthcare organizations—but aren’t sure what to do about it. As such, we thought it was high-time to provide some best practices for navigating fraud—specifically, how to approach Medicare fraud reporting. Of course, accidents happen. Things may get overlooked from time to time. But, if you suspect intentional fraud, abuse, or even waste in your organization, below are some steps for addressing it, per this joint document from the American Occupational Therapy Association (AOTA), National Association for the Support of Long Term Care (NASL), the American Speech-Language-Hearing Association (ASHA), and the American Physical Therapy Association (APTA). 

But first, let’s take a look at some of the most common types of healthcare fraud, according to the National Healthcare Anti-Fraud Association (links are our own): 

• “Billing for services that were never rendered—either by using genuine patient information, sometimes obtained through identity theft, to fabricate entire claims or by padding claims with charges for procedures or services that did not take place.
• “Billing for more expensive services or procedures than were actually provided or performed, commonly known as ‘upcoding’—i.e., falsely billing for a higher-priced treatment than was actually provided (which often requires the accompanying ‘inflation’ of the patient's diagnosis code to a more serious condition consistent with the false procedure code).
• “Performing medically unnecessary services solely for the purpose of generating insurance payments...
• “Misrepresenting non-covered treatments as medically necessary covered treatments for purposes of obtaining insurance payments...
• “Falsifying a patient's diagnosis to justify tests, surgeries or other procedures that aren't medically necessary.
• “Unbundling—billing each step of a procedure as if it were a separate procedure.
• “Billing a patient more than the co-pay amount for services that were prepaid or paid in full by the benefit plan under the terms of a managed care contract.
• “Accepting kickbacks for patient referrals.
• “Waiving patient co-pays or deductibles...and over-billing the insurance carrier or benefit plan (insurers often set the policy with regard to the waiver of co-pays through its provider contracting process; while, under Medicare, routinely waiving co-pays is prohibited and may only be waived due to ‘financial hardship’).”

If you’ve witnessed any of these situations in your workplace (or anything else that you believe to be fraudulent, abusive, or wasteful), here are some things you can do about it:

1. Talk to your supervisor or compliance officer.

Providers who suspect fraud or abuse should immediately stop participating in the concerning activity and speak with their supervisor. Generally speaking, this stands regardless of whether or not the issue is Medicare-related. However, if you’re not comfortable taking that path, you can go to another supervisor within your organization or reach out to your organization’s compliance officer. 

According to the joint document, while compliance issues are often best handled by speaking with your direct supervisor, reaching out to the compliance officer does have an important benefit: compliance officers are “legally bound to ensure confidentiality and whistleblower protections.” As for staff who aren’t directly employed by the facility where the issue is occuring, the general consensus is that it’s best to reach out to the compliance officer for your direct employer first. Then, if he or she doesn’t properly address the situation, go to the compliance officer at the facility in question.

2. Choose between confidentiality and anonymity.

There are two ways you can go about speaking up about a Medicare “compliance violation” (a.k.a. fraud, abuse, or waste): confidentially or anonymously. Confidentiality means that the compliance officer knows who you are—and in turn, you receive legal protection for coming forward. 

According to the joint document, “confidentiality provides the best protection and is accomplished by making the report official rather than attempting to report without disclosing your identity.” Anonymity, on the other hand, means that you keep your identity hidden, which is not only challenging to accomplish, but also potentially risky. If you are found out, you are not eligible for “protections under the applicable federal and state whistleblower laws.”

That said, ultimately, the decision on how to come forward is yours to make, and if you’re ever in doubt about the best way to handle a specific situation—or your personal liability in the matter—you may wish to speak to a healthcare attorney before doing anything at all. Those conversations will be protected under attorney-client privilege. 

3. Take it outside of your organization.

If internal channels are not available—or functional—then it’s best to reach out to an outside organization for assistance (per the joint resource and this OIG page). Here are some suggestions:

4. Get your ducks in a row.

According to the OIG, “investigations are most successful when you provide as much information as possible about the allegation and those involved.” Thus, the agency recommends that you have available the following information prior to reaching out via its hotline:

• “Name and contact information of the individual or business related to your complaint. This includes, if available, addresses, telephone numbers, e-mail addresses, etc.
• “Narrative explaining the nature, scope, time frame and how you came to learn about the activity in question.
• “The name and contact information of any individual who can help corroborate the information you are reporting.
• “Supporting evidence in electronic format that can be uploaded with your report. This may include e-mail communications, documents, billing records or photographs.”

There are a couple other things to note when reaching out to the OIG, including the fact that the OIG does not provide status updates regarding complaints, which means you may not ever hear back about whether or not the OIG opened an investigation based on the information you provided. There are also no appeal rights regarding action taken on these complaints, which means whatever decision the Inspector General makes on these issues is final. That said, you are allowed to request relevant records about your complaint beginning six months after making it via the OIG Freedom of Information Act officer. According to the OIG, you should phrase your request as “a search for records,” as opposed to a request for a status update. 

Unfortunately, healthcare fraud is more common than most of us would like to believe, which means many healthcare providers will—at some point in their careers—run into a situation that isn’t on the up and up. While these steps should help point you in the right direction about what to do next, there really is no substitute for the expert advice of a healthcare attorney. After all, these types of situations can get messy fast, and having legal counsel on your side can go a long way toward ensuring that regardless of what goes down, you’re protected.