When it comes to data privacy in healthcare fraud investigations and litigation, there is more than HIPAA to consider. 

Fraud investigations and litigation in the healthcare industry are growing. Whether these matters are handled internally or involve external parties to produce to, increased regulatory scrutiny — coupled with vast amounts of data generated by healthcare organizations — has created a pressing need for such organizations to become more adept at comprehensively inventorying, accessing, and reviewing internal data sources for potential fraud.

A perennially tricky issue, and one that is just getting thornier, concerns how to treat sensitive, private data in a healthcare context. Healthcare organizations need to be mindful not only of carefully managing protected health information (PHI) subject to the Health Insurance Portability and Accountability Act (HIPAA), but also protected consumer information, which is now subject to regulations such as the California Consumer Privacy Act. Challenges and costs related to being compliant with these regulations are growing and setting themselves up to be just as substantial as managing privilege in litigation.

Healthcare data: What privacy rules apply?

To make sure these new compliance requirements do not inadvertently extend timelines or burn through budgets, those managing healthcare fraud matters need to proactively take stock of which regulatory regimes concerning personal data are applicable in their case and what data sets being reviewed in their matter could potentially have personal data subject to regulation.

Now there is certainly a gray area in distinguishing between protected health information and protected consumer information in a healthcare context. Technically, information is PHI (and therefore subject to HIPAA) if it is created or received by a healthcare provider or health plan. But in today’s data-driven environment, there are a variety of touchpoints between consumers and healthcare services (e.g., marketing data analytics, customer service records, fitness app logs, fringe benefit tracking) that defy traditional understandings of what exactly differentiates PHI from a broader pool of potentially protected consumer data.

So, whether subject to HIPAA or CCPA or other privacy mandates, healthcare companies nowadays need to be able to track potentially protected information across all of their data sources, including those not traditionally considered sensitive in that they do not contain information such as health histories, lab test results, or medical bill information.

Healthcare fraud: Muddying the data privacy waters

The nature of healthcare fraud further complicates an approach to identifying and appropriately treating sensitive personal data. Matters related to false claims, physician self-referral, Medicaid/Medicare fraud, improper kick-backs, or non-compliant contract and billing practices (to name a few), most often require delving into internal email communications to understand to what extent a fraudulent pattern exists within the organization under investigation, thus enlarging the data pool subject to privacy mandates.

The internal work of sorting out billing and coding issues is a messy affair that involves relaying a variety of details of specific patient treatment across multiple related emails. Methodically tracking how these questions get resolved internally over time is at the heart of good healthcare fraud investigation and litigation practice. And carefully treating the sensitive data involved in these conversations is a responsibility that comes with it. If, for instance, you are relying on techniques to extract personal data that have only been tested on structured electronic medical records, you will be missing data that is potentially protected in relevant email discussions.

Similar to the task of finding potentially privileged information in large document sets, identifying and treating personal data in healthcare fraud requires its own dedicated workflow, leveraging a mix of tools and methods. The key to successful identification and treatment of protected personal data is being deliberate about the process you design and implement, and specific about the tools you are integrating into it.