Steps to Conducting an Effective Investigation - DoctorsManagement Steps to Conducting an Effective Investigation - DoctorsManagement

Steps to Conducting an Effective Investigation

by Sean Weiss, Partner & VP of Compliance

A week ago, I had the privilege of speaking for the National Alliance of Medical Auditing Specialists at their all-day virtual conference on Conducting a Fraud Investigation. During this talk, I focused on the importance of using a “Common Sense” approach so as to not over-complicate what most likely is already a complex situation. During my talk, it dawned on me that while most organizations investigate (I use this term loosely), they may not be doing it in any systematic fashion and thus repeating the process with any level of consistency is unlikely. So, this Blog Post will focus on the elements necessary to create an effective policy for conducting an investigation.

I think we all can agree that what we learn from our audits should translate into compliance. Policies and Procedures are derived from audits, or in theory should be, and if we use out of the box P&Ps without modification are we really compliant. And, if we are not updating our P&Ps based on our audit findings, do we have P&Ps? Providers as always can expect to see increased efforts by the federal government to prevent, identify, and punish healthcare fraud.

According to CMS their action plan includes the following:

  • Increased number of prepayment reviews
  • Increased post-payment reviews of medical necessity and medical record documentation supporting claims
  • Overpayment recovery
  • Providers identified by the audit as submitting improper claims will be targeted for more extensive investigation
  • Increased review of evaluation and management claims (2010 study shows that more than 55% of levels selected were incorrect.)
  • Demand for more documentation from providers who submit claims
  • Increased security measures to prevent submission of claims from improper providers


Thus, with the above it is imperative that Monitoring and Auditing become a focal point of the organization. Two things immediately come to mind:

  • The organization must evaluate the effectiveness of its compliance program on an ongoing basis by monitoring compliance with its standards and procedures and by reviewing its standards and procedures to ensure they are current and complete; and
  • A review of pending claims not yet submitted can establish a benchmark that will be used in ongoing reviews to chart the success of the organization’s compliance efforts. (I often recommend this be conducted under attorney-client privilege).


As discussed in previous Blog posts, the DOJ recovered $2.1 billion of the $2.5 billion in False Claims Act cases in 2018 based on “Whistleblowers”.

Remember, when conducting an investigation whereby accusations of Fraud are being leveled make sure you understand and can clearly define the 2-most important terms:

  • Erroneous – claims submitted to the carriers with inadvertence or negligence. Refunds should be made once a detection is made. Providers are not subject to civil penalties, interest or jail.
  • Fraudulent – claims submitted intentionally or with reckless disregard for the intent of inappropriate monetary gain. Providers are subject to civil penalties and jail.


So, let’s discuss the process of structuring your investigation policy. By establishing a clear policy for logging, conducting and documenting investigations, an organization:

  • Minimizes delays associated with determining how to handle investigations.
  • Promotes thorough and uniform investigations.
  • Ensures that all investigation steps, findings and corrective actions (See CAP below) are appropriately documented.
  • Promotes root cause analysis and corrective actions that reduce risk of future violations.
  • Reduces risk realtor will turn to third-party or file a qui tam suit.
  • Ensures organization to proactively self-disclose when appropriate (SDP), qualify for “cooperation credit” (Yates and Filip Memos) and minimize penalties.


The following elements are what in my opinion lead to the development of an effective policy:

  • Relevant data:
    • source, all involved persons, location, timeframes, etc.
  • Consider data analytics
  • Create a process for determining whether to refer to HR or Compliance (with documentation of referral)
  • Assess the risk level and credentials of the lead investigator and members of the team
  • Create a process for determining whether to investigation under privilege and, if so, whether to refer to outside counsel
  • Determine the need for document holds on claims of concern
  • Identify and obtain any governing policies; LCD/Medical Policies/SOPs.
  • Process for interviewing witnesses
  • Process for documentation review
  • Process of Investigation, step-by-step
  • Process of document review and interview summaries added to the investigation tracker
  • Ensuring a separation of privileged or work-product materials
  • Findings of fact and the basis for concluding the report(s) is substantiated or unsubstantiated
  • Process for appropriate input (non-lawyers should not make determinations as to whether laws were violated)
  • Root cause analysis and corrective action plan where report is substantiated (See Sample CAP)
  • Voluntary or SDP process for report & refund policy when overpayments are identified (60-day Rule)
  • Process to remediate violations
  • Process to address root cause of violation and safeguards against future violations
  • Process for tracking completion


Corrective Action Plans (CAPS) are a critical component to sending a clear message that we are committed to doing the right thing. It shows our compliance plan is a living breathing document that’s ever adjusting and growing with the organization.

Most compliance professionals want to self-disclose when an error is identified but self-disclosure is not always warranted. Oftentimes, things we make mistakes on don’t lead to undeserved remunerations. They could simply be a breakdown in process that needs to be better defined or clarified.

Before a decision is made about self-disclosure, you should speak with your health care attorney to determine the best course of action. However, regardless of the final determination; you still need to develop a CAP.

There are 5 basic aspects of a CAP:

  1. Issue/Problem Definition – Identify the potential problem and provide a lay explanation of the problem (e.g. Cloning)
  2. Root Cause – Identify what led to the potential problem (e.g. The ease of cutting and pasting or carry forward within an EMR)
  3. Action Steps – Identify the steps taken to correct or reverse the potential problem (e.g. Training and Education for all providers documenting within the EMR)
  4. Improvement Benchmark(s) and Timeframes – How you will monitor the situation going forward to ensure compliance (e.g. Re-review of provider documentation within 30-days after training and education)
  5. Certification – The compliance officer or responsible party for ensuring compliance signs off on the CAP


The final aspect is who should actually conduct the investigation:

  • Compliance v. Human Resources – This is critical because of each area’s focus and specific function.
  • Independent v. Under Direction of Counsel – I have stated my position on this above. I like anything where there is a potential for litigation to be done under Attorney-Client Privilege.
  • Managers with Compliance or HR Oversight – These professionals should absolutely be engaged in the process.
  • In-House Counsel v. Outside Counsel – Again, this will be dependent upon the accusations and your internal counsel’s comfort and familiarity with the laws as to whether this is done in-house or via external counsel.


Some additional considerations for you take into account:

  • What are the allegations? This will make a significant impact on the intensity and resources utilized in the review.
  • Likelihood of Qui Tam? See numbers above regarding 2018 DOJ recoveries.
  • Who’s Implicated? If it is contained to a single provider or single employee, the situation may be more manageable. However, if for example, the entire Board of Directors is involved or a group of providers/employees is involved the level of complexity for how best to handle the matter greatly changes.
  • Government Reporting (SDP)? If Fraud is determined to have been perpetrated against the government, then proper reporting via an SDP is required and counsel should direct all aspects moving forward.
  • “Cooperation Credit”? This will be determined and negotiated by counsel with the DOJ.
  • Potential Litigation? Every issue is a potential litigation waiting to happen (My humble opinion)


Remember, It’s Not the Crime; It’s the Cover-up that leads to Obstruction of Justice. This is why included in your policy should be appropriate warnings and/or disclosures to employees potentially implicated. The first is called an Upjohn – In Upjohn Co. v. United States, 449 U.S. 383 (1981), the Supreme Court held that the attorney-client privilege applies to a corporation’s attorney’s communications with corporate employees: 1) when a communication is made to the corporation’s counsel that is acting in their capacity as counsel (and not as business consultants, for example); 2) at the direction of corporate management for the purpose of securing legal advice from counsel; 3) concerning a subject within the scope of employment; and 4) when the employee knows that the purpose of the communication is for the corporation to procure legal advice. (Upjohn at 394-95). The second is what attorneys issue as warnings to employees of the organization aiding in the investigation – these are referred to as “Zar” Warnings. If the company knows that it will or is likely to cooperate with the government, counsel should issue a “Zar” warning to employees that if they make false statements during internal interviews, they could be charged with obstruction of justice. [Press Release, Dep’t of Justice, “Former Computer Associates Executives Indicted on Securities Fraud, Obstruction Charges” (Sept. 22, 2004), available at (obstruction brought against company’s executives, including Ira Zar, for giving false, incomplete, and inaccurate information to counsel with intent that counsel would then provide that information to government)]; see also United States v. Singleton, No. H-06-080, 2006 WL 1984467 (S.D. Tex. July 14, 2006). “Zar” warnings are not required by law, but they are often given out of a sense of fairness to the witness. There are two downsides, though, to giving this warning: (1) it may discourage individuals from agreeing to be interviewed; and (2) the warning may be perceived by the government as inviting employees not to cooperate with the investigation and, thus, jeopardize the company’s chance of getting cooperation credit.

In the end, as with all things compliance related, having a well-defined process for conducting investigations regardless of what the accusations are is vital to having a compliance plan that can withstand the scrutiny of the federal government during an investigation. Remember, in order to have an effective compliance and ethics program under §8B2.1:

(a) To have an effective compliance and ethics program, for purposes of subsection (f) of §8C2.5 (Culpability Score) and subsection (b)(1) of §8D1.4 (Recommended Conditions of Probation – Organizations), an organization shall—

(1)          exercise due diligence to prevent and detect criminal conduct; and

(2)          otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.

Such compliance and ethics program shall be reasonably designed, implemented, and enforced so that the program is generally effective in preventing and detecting criminal conduct. The failure to prevent or detect the instant offense does not necessarily mean that the program is not generally effective in preventing and detecting criminal conduct.

(b)          Due diligence and the promotion of an organizational culture that encourages ethical conduct and a commitment to compliance with the law within the meaning of subsection (a) minimally require the following:

(1)          The organization shall establish standards and procedures to prevent and detect criminal conduct.


(A)          The organization’s governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program.

(B)          High-level personnel of the organization shall ensure that the organization has an effective compliance and ethics program, as described in this guideline. Specific individual(s) within high-level personnel shall be assigned overall responsibility for the compliance and ethics program.

(C)          Specific individual(s) within the organization shall be delegated day-to-day operational responsibility for the compliance and ethics program. Individual(s) with operational responsibility shall report periodically to high-level personnel and, as appropriate, to the governing authority, or an appropriate subgroup of the governing authority, on the effectiveness of the compliance and ethics program. To carry out such operational responsibility, such individual(s) shall be given adequate resources, appropriate authority, and direct access to the governing authority or an appropriate subgroup of the governing authority.

(3)          The organization shall use reasonable efforts not to include within the substantial authority personnel of the organization any individual whom the organization knew, or should have known through the exercise of due diligence, has engaged in illegal activities or other conduct inconsistent with an effective compliance and ethics program.


(A)          The organization shall take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program, to the individuals referred to in subparagraph (B) by conducting effective training programs and otherwise disseminating information appropriate to such individuals’ respective roles and responsibilities.

What to do next…

  1. If you need help with an audit appeal or regulatory compliance concern, contact us at (800) 635-4040 or via email at
  2. Read more about our: Total Compliance Solution

Why do thousands of providers trust DoctorsManagement to help improve their compliance programs and the health of their business?

Experienced compliance professionals. Our compliance services are structured by a chief compliance officer and supported by a team that includes physicians, attorneys and a team of experienced auditors. The team has many decades of combined experience helping protect the interests of physicians and the organizations they serve.

Quality of coders and auditors. Our US-based auditors receive ongoing training and support from our education division, NAMAS (National Alliance of Medical Auditing Specialists). All team members possess over 15 years of experience and hold both the Certified Professional Coder (CPC®) as well as the Certified Professional Medical Auditor (CPMA®) credentials.

Proprietary risk-assessment technology – our auditing team uses ComplianceRiskAnalyzer(CRA)®, a sophisticated analytics solution that assesses critical risk areas. It enables our auditors to precisely select encounters that pose the greatest risk of triggering an audit so that they can be reviewed and the risk can be mitigated.

Synergy – DoctorsManagement is a full-service healthcare consultancy firm. The many departments within our firm work together to help clients rise above the complexities faced by today’s healthcare professionals. As a result, you receive quality solutions from a team of individuals who are current on every aspect of the business of medicine.