Moffitt Cancer Center has privacy monitoring software that flags potentially inappropriate access, use or disclosure of protected health information (PHI) that could potentially involve executives, such as the chief or deputy chief medical officer. Investigations focus on whether clinical leaders accessed patient records without a legitimate business need, according to Autumn Smallwood, Moffit’s deputy chief compliance officer, who spoke at the recent Health Care Compliance Association (HCCA) Compliance Institute.[1]
Investigating leaders and board members is particularly stressful and challenging because “they exert significant influence and authority over the organization,” added Donna Horseman, who presented with Smallwood at the conference. HCCA publishes RPP.
Horseman is the newly appointed senior vice president (VP) and chief ethics and compliance officer at City of Hope. At the time of the talk, Horseman was Moffitt’s chief compliance officer.
“We have to convey that HIPAA applies to all team members regardless of their role.” Usually, clinicians look at a family member’s PHI, and it’s “not nefarious,” Horseman added. “They feel they have a right to it. It’s something we have discussed ad nauseam at our compliance committee meetings. We reinforce over and over that this information is available to all patients through their patient portal and that should be the mechanism to access it. It’s an issue every organization deals with, and it’s going back to the culture. Having a culture where everyone understands the rules apply regardless of what level they are at is a really big issue.”
Keep an Open Mind
Referring to a situation that occurred before she joined Moffitt, Horseman related an instance when an employee told her the organization’s VP of the quality department was falsifying data reported to Leapfrog—a quality ratings organization. She then set in motion a sensitive investigation.
The complaint was significant because quality ratings are “reported and celebrated widely” and used in marketing materials and contract negotiations with payers. The fact that a senior executive was under suspicion added another dimension.
After receiving the false data allegation, Horseman’s first step was to notify the CEO and chief legal officer, partly to cloak the investigation in attorney-client privilege. She also informed the chief medical officer (CMO) because the VP of quality reported directly to the CMO. Before getting any deeper into the investigation, Horseman asked information technology [IT] staff to sequester the VP’s network files and emails without letting the VP know.
Then, Horseman created an investigation plan.
“We interviewed team members and found there was intentional falsification on Excel spreadsheets and Power Points presented internally in meetings and entered into websites,” Horseman said. All interviews were documented, something she recommends in real-time.
“Contemporaneous documentation is important because you will forget things,” she noted. “Depending on who you are interviewing, you may want to have a witness participate.” IT also sequestered the minutes of all meetings where the false quality ratings were discussed to ensure the VP couldn’t access them.
It was important to keep an open mind about what happened and nail down the facts in case things were not what they seemed, especially because the VP was a longtime employee and highly respected. “You have to be really objective and not jump to any conclusions,” Horseman explained. In light of the fact a senior executive was facing accusations, counsel attended some interviews with team members. “That may cause people to not be as transparent, but these are high-level and serious allegations,” so the trade-off was worthwhile, she said.
Interviewing people in the VP’s department while the VP continued working was a challenge. “It caused concern for team members in the department,” Horseman said. “It had to be done as confidentially as possible.” Ideally, the VP would have been put on administrative leave. There’s always a risk a person under investigation will destroy evidence or retaliate against people they think complained about them.
Another challenge was the fact that Horseman, at the time, wasn’t a member of senior leadership. Subsequently, that changed, but “if you’re not and you’re investigating someone who is, it can be a little bit nerve-wracking.” That’s why the connection with legal counsel and the CMO was essential. “They were kept up to date on the investigation,” she noted. “Counsel was involved in the beginning, and it was done under attorney-client privilege.”
She made sure counsel was aware of her investigation plan. “At the time, I reported to the chief legal officer, so not only were they kept aware throughout, but we notified our board compliance committee when the investigation started, and we kept them in the loop throughout.”
The last interview Horseman conducted was with the VP, who denied the allegations. Until that point, the VP was unaware of the investigation. The VP was terminated. Everything worked out well with Leapfrog when Horseman explained what happened and the corrective actions that the hospital had taken, including segregation of duties. After that experience, the hospital made sure the people who enter quality data don’t benefit from it and that the data entry is witnessed.
