Privilege Considerations in Internal Audits
Dealing with government scrutiny in health care
by Richard Cheng

Properly implementing a sound compliance program means conducting an effective internal investigation upon gaining knowledge of an alleged wrongdoing or violation.

To incentivize appropriate disclosure within an organization, there should be policies and procedures to encourage reporting and provide an effective communication channel to receive information. Policies and procedures should identify an internal code of conduct, along with a description of how reporting obligations and adverse events will be addressed.

Most importantly, the policies and procedures must include a non-retaliation policy. A non-retaliation policy communicates to staff that the organization truly encourages self-reporting and individual exercise of disclosing non-compliant behavior. Management must buy in to this feature because it is an indication of an organization’s intent to foster a compliance-driven environment.

Creating and possessing policies and procedures is not enough if appropriate mechanisms are unavailable for individuals to report non-compliant behavior and corporate wrongdoing. Many organizations are using compliance hotlines or a web portal to allow expeditious and convenient reporting. While the non-retaliation policy should mitigate some concerns regarding exposure of the reporting party’s identity, an effective disclosure mechanism should allow the reporting party to preserve his or her anonymity. In addition to using a hotline, an organization should consistently train its managers, patient relations department, human resources department and executive team to implement an open-door policy and address non-compliant behavior in a serious and effective manner.

Conducting the Investigation

Assessing why a report is being provided can save you time and resources. Often, third parties make a disclosure simply to provide information. This type of reporting is only informational as opposed to an allegation of non-compliance or wrongdoing. A limited investigation may still be warranted, but knowing that will help an organization determine the resources needed to conduct an effective internal investigation. Consider these factors:

Assign an investigator—Allegations and concerns should be reviewed promptly by the most appropriate investigator available. The investigator should possess subject matter knowledge and be unbiased.

Emergency status—If the facts surrounding the reporting constitute an emergency (e.g. a detriment to patient care), then it should be addressed immediately, and the organization should follow its triage guidelines, if it has them.

Communication and follow-up—After ascertaining the necessary information, the investigator must determine, by drafting a formal written report, whether the allegation is substantiated in whole, in part or not at all. The report must be communicated to those who need to know, those who will determine corrective action and those who have oversight responsibility. Lastly, based on the allegation or concern, determine what requires a follow-up.

Attorney-client privilege—There needs to be a reasonable basis to assert the privilege. Ask if it is in anticipation of litigation.

Tracking—An organization should consider if it desires all issues to be tracked and determine if it has the resources to perform accurate tracking. A document management process, retention policy and purging policy are helpful.

Case management—It is important to ensure corrective action, if necessary, is taken as soon as possible. Doing so enhances confidence that allegations will be addressed appropriately. An organization should also consider a uniform case management platform, as it allows for more efficient data collection and analysis.

Benchmarking—Consider utilizing benchmarking data. For example, an organization may consider calculating the time taken to close investigations or the percentage of allegations substantiated.

Maintaining Privacy and Security of Information

Post-investigation concerns typically involve an organization’s obligations to maintain both privacy and security of information gained during the investigation. These concerns will likely surround the following issues:

Attorney-client privilege—Generally, discussions seeking legal advice between an attorney and a client or their representatives are privileged.

Attorney-work product—This includes material and mental impressions developed in anticipation of litigation.

Peer review privilege—Generally, discussions and records of peer review committees evaluating competence of care providers are privileged.

Quality assurance privilege—The following are usually considered privileged information:

  1. Discussions and records of medical committees conducting a specific investigation or evaluating quality of medical and health care services.
  2. Discussions and records of compliance officers, regarding compliance activities.
  3. Discussions and records regarding patient safety data concerning adverse events, errors and outcomes.
  4. Discussions and records of formal joint medical or quality assurance committees of one or more health care systems.

Physician-patient privilege—Physician-patient confidential discussions concerning professional services and medical records are usually privileged.

Health information—Under HIPAA, any information about health status, provision of health care or payment for health care that can be linked to a specific individual (patient, care and payment) or defined as protected health information (PHI) is privileged.

Waiver of protection—Under certain circumstances, the privilege rules may be violated or waived by the appropriate parties. During an interview, it is important to warn the employee that they are being interviewed for the purpose of an investigation. This is to preserve the privilege for the health care provider/organization. The interviewer should emphasize and document that the privilege is for the organization’s benefit, and the interviewer (e.g. attorney) does not represent the employee.

As a general rule, utilizing the “need-to-know” approach is recommended. An organization should limit discussion to members or designated representatives of the formal investigation team for addressing issues and carrying out specific actions related to the investigation. One suggested method to manage this process is to place appropriate legends denoting the applicable privilege(s) on all electronic and physical materials. Ensure any such information is kept confidential.


It is necessary to emphasize the current aggressive practices by governmental agencies pertaining to health care non-compliance and corporate wrongdoing. It is more important than ever to have an effective compliance program and implement effective internal investigation protocols.