Technology, Compliance & Fraud: The Common Sense Approach
This auditing and compliance “Tip of the Week” was originally published by the National Alliance for Medical Auditing Specialists (NAMAS), a division of DoctorsManagement.
One of the best new books that I have come across of late is entitled Scam Me If You Can: Simple Strategies to Outsmart Today’s Rip-Off Artists. The book was written by one Frank Abagnale. If that name sounds familiar to you, it is because he was the subject – or perhaps in the end, the anti-hero – of the 2002 film Catch Me If You Can, which starred Leonardo DiCaprio and Tom Hanks and told the story of Abagnale’s early life.
At the age of 19, Abagnale coupled his impressive social engineering skills with his nascent skills as a forger and made millions of dollars pretending to be a PanAm pilot, a doctor and, in the State of Louisiana, a lawyer, going so far as to pass the bar exam. In the end he was imprisoned, and since his release he has dedicated his life to helping financial institutions, law enforcement and average citizens avoid being victimized by fraudsters utilizing the 21st century versions of his 1960s techniques.
So why would I mention such a book when discussing healthcare compliance and auditing? A cursory look at healthcare IT news in any given month provides a very clear rationale for my interest in this topic. The headlines are rife with stories of healthcare practices and institutions of all shapes and sizes that have fallen prey to hackers, ransomware attacks and identity theft. The people doing it could be as far away as Hong Kong, China or Russia, or as close as the long-trusted office manager who is stealthily enriching themselves off the honest work of their employer.
In his latest tome, Abagnale makes a point of saying that technology, and the new forms of communication it offers, make the work of the scammer far easier than anything he could have possibly imagined while at his criminal peak. Whether it be e-mail, social networks or one of a million applications that use personal data, the security of information is only as strong as the weakest link in the chain.
This maxim is especially true in the healthcare space. Financial losses in our sector could have been avoided with a few common-sense measures, combined with a requisite amount of skepticism:
- If the e-mail looks odd, you’ve got yourself fraud – Even if the sender is familiar to you, an e-mail with erroneous information, or one that contains a link that is not immediately familiar to you, carries with it a risk of wider infiltration into secure systems. Look for things such as strange subject lines, links that end in anything other than “.com” or rampant misspellings. If you are using Microsoft Outlook, using the preview pane lets you preview the message contents and avoid fully opening e-mails that would put you and your entire organization at risk.
- A system not updated is a system at risk – While some systems will notify you of security updates, or perhaps even update your laptop or PC while shutting down, other more complex systems, notably EHRs and practice management systems, require outside notification and intervention to be properly updated and secured. If your vendor shares information in an online user group or similar forum, it is best to be an active member of such communities in order to maintain the most up-to-date (and oftentimes most secure) version of applications and systems commonly used by your organization.
- The voice of opportunity on the phone is your own – Phone scammers have been for many years perhaps the most voluminous and pernicious perpetrators of fraud. All one really needs from the person answering the telephone is a small nugget of extracted information to wreak havoc on your organization and your patients. While on the telephone, it is best to remember the guiding principles of HIPAA. Unless the person on the other end of the line can verify, beyond a shadow of a doubt, that they have a legitimate right to information they are requesting, in the words of the WOPR computer from another film favorite, WarGames: “The only winning move is not to play.” To put it in poker terms, if you’re on the phone and you don’t recognize the sucker, it’s probably you.
Depending on the size of your organization, and the types of information you handle, the items above may be the beginning of a much longer list of measures taken internally to protect the sensitive information handled by your organization. In addition to a thorough onboarding process for new hires, ongoing compliance training, coupled with common sense in day-to-day tasks, can protect your organization from financial and reputational harm.
This Week’s Audit Tip Written By:
Paul is a Senior Compliance Consultant with our parent organization, DoctorsManagement.