Risk managers as whistleblowers: Is it ever the right path to take?
Executive Summary
A risk manager’s allegations of fraud regarding her former employer are raising questions about the ethics of a risk manager becoming a whistleblower. Experts say the risk manager must exhaust all other remedies before reporting malfeasance to regulators.
Under the right circumstances, a risk manager might be obligated to report fraud to outsiders.
Reaping financial benefits from participating in a qui tam lawsuit might be acceptable.
Risk managers face special ethical considerations in becoming a whistleblower because they are largely responsible for preventing and correcting fraudulent behavior.
Reporting malfeasance to regulators might be only choice after other efforts
Any professional, ethical risk manager knows the right thing to do upon finding evidence of fraud within the healthcare employer. Notifying senior leadership and taking corrective action comes naturally.
But what if senior leadership doesn’t act to stop the fraud and make amends? At what point do you, the risk manager, pick up the phone and report the fraud to outside regulators? Can you become a whistleblower?
You can become a whistleblower, and in some situations you are ethically and professionally obligated to do so, according to experts consulted by Healthcare Risk Management. But that step is fraught with tremendous career risks and should be taken only after you are certain all other remedies have been tried, they say.
Whistleblowing is nothing new in healthcare, but a situation in San Diego is bringing attention to the unique aspects of having a risk manager or similar administrator turn in the employer. In that case, a former risk manager at Alvarado Hospital in San Diego has filed a $50 million False Claims Act suit against Prime Healthcare Services and accused it of defrauding Medicare at 14 health centers. The lawsuit alleges that Prime increased Medicare patients by eliminating observation care and refusing to discharge patients to post-acute facilities. This case is believed to be the first one in which a risk manager is the whistleblower. (See the story on p. 51 for more on that lawsuit. See the story on p. 52 for more on the ethical dilemma for risk managers.)
Risk managers in unique position
A risk manager faces a difficult choice when considering whistleblowing because he or she is charged with looking out for the interests of the employer, says Andrew A. Oppenberg, MPH, CPHRM, DFASHRM, director of risk management and patient safety officer at Dignity Health Glendale Memorial Hospital and Health Center in Glendale, CA. Oppenberg also is a former president of the American Society for Healthcare Risk Management (ASHRM). That responsibility, not applicable to most whistleblowers, is what raises ethical questions, he says.
"The answer is yes, you can be a whistleblower," Oppenberg says. "Where the law starts to be broken, the ethical responsibility to protect your employer ends. You have to follow the law as risk managers and from an ethical standpoint, you have to take the high road. At that point, you are obligated to report, not just allowed."
But that advice doesn’t entirely address the quandary. Although risk managers can blow the whistle in the worst of circumstances, that answer assumes that all other internal remedies have been exhausted, Oppenberg notes. Determining exactly how much effort is enough and when to declare defeat can be the most difficult part of the process, he says.
"That’s where the line gets drawn, when they know it’s wrong and the intent is to keep doing something that is wrong," he says. "You can’t go along with that because you have a license and a reputation to protect."
Oppenberg also notes that failing to report known fraud could expose the risk manager to individual liability in the form of fines or even criminal charges.
Willful fraud changes equation
The breaking point might come when other leaders in the organization make it clear that they are not going to stop the behavior, says Josh Hyatt, MHL, CPHRM, senior risk management specialist with NORCAL Mutual Insurance in San Diego. Hyatt also was previously a Medicare fraud investigator with the Centers for Medicare and Medicaid Services (CMS). The risk manager suing Prime alleges that senior leaders acknowledged the fraud and had no intention of stopping. (See the story on p. 52 for more on that allegation.)
However, there are rare situations in which the wrongdoing is so horrendous that immediately blowing the whistle could be justified.
"If you have a senior executive who is just off the wall and you’re blatantly breaking the law, you might have to go over his head and report to the appropriate authority," he says. "You would still go to someone high in the organization and say that this step is necessary, so let’s do it together and report to the proper authorities."
The nature of the wrongdoing also can determine the appropriateness of whistleblowing, Hyatt says.
"If it is sloppy compliance or people not being as diligent as they should be in following the rules, that is something that you might be more willing to work with administration to get it right even if it doesn’t happen right away," he says. "But if it seems like a willful attempt to defraud the government or break the law, you might have less patience for any delays in fixing it. Then blowing the whistle can be the right step." (Hyatt once reported his employer for alleged fraud. See the story on p. 52 for details. Monetary rewards also can complicate matters See the story on p. 52 for more on that issue.)
Don’t go it alone
Oppenberg cautions that, if it comes to the point, risk managers should not act alone. This is not the time to be Norma Rae or Erin Brockovich going up against the system, he says. A whistleblower should proceed with the support of an attorney and any senior executives who can support the allegations, he says.
The outcome of the Prime Healthcare case could shape how risk managers address their frustrations over unresolved fraud or illegal activity, Hyatt says. It also might affect how employers look at their risk managers.
"This case gives the perception of risk managers that they could be dangerous because of the unique access they have to data and the internal workings of the organization," Hyatt says. "That could play against risk managers. Information may become more controlled around them, which could be very bad."
Sources
- Josh Hyatt, MHL, CPHRM, Senior Risk Management Specialist, NORCAL Mutual Insurance, San Diego, CA. Telephone: (800) 652-1051, ext. 1755. Email:
[email protected].
- Andrew A. Oppenberg, MPH, CPHRM, DFASHRM, Director of Risk Management and Patient Safety Officer, Dignity Health Glendale Memorial Hospital and Health Center, Glendale, CA. Telephone: (815) 502-2218. Email: [email protected].
