Internal Audit and Compliance - Health Care Compliance Association
Internal Audit and Compliance - Health Care Compliance Association
Internal Audit and Compliance - Health Care Compliance Association
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
Volume Eight<br />
Number Eleven<br />
November 2006<br />
Published Monthly<br />
Earn CEU<br />
credit<br />
See insert<br />
Meet<br />
Marti Arvin<br />
Privacy Officer,<br />
University of Louisville<br />
page 15<br />
Save the Date!<br />
<strong>Health</strong> <strong>Care</strong> <strong>Compliance</strong> <strong>Association</strong> • 888-580-8373 • www.hcca-info.org<br />
Employee<br />
education<br />
about<br />
False Claims<br />
Recovery<br />
page 4<br />
Also:<br />
Practical advice on data<br />
breach notification laws<br />
page 41<br />
November 2006
The <strong>Health</strong> <strong>Care</strong><br />
<strong>Compliance</strong> <strong>Association</strong><br />
has moved to its new<br />
headquarters, located<br />
at:<br />
6500 Barrie Road,<br />
Suite 250<br />
Minneapolis, MN 55435<br />
Our address has changed,<br />
but our telephone<br />
<strong>and</strong> fax numbers remain<br />
the same:<br />
Toll-free phone:<br />
888/580-8373<br />
Local phone:<br />
952/988-0141<br />
Fax:<br />
952/988-0146<br />
And you can always<br />
reach us via e-mail at<br />
info@hcca-info.org<br />
or on our Web site at<br />
www.hcca-info.org<br />
<strong>Health</strong> <strong>Care</strong><br />
<strong>Audit</strong>ing &<br />
Monitoring<br />
Tools<br />
Buy Now <strong>and</strong><br />
Receive One Year of Updates<br />
Free!<br />
The <strong>Health</strong> <strong>Care</strong> <strong>Audit</strong>ing & Monitoring<br />
Tools manual is a compilation of excellent<br />
resources donated by HCCA members to<br />
help others with their compliance programs.<br />
This valuable resource assists health care<br />
compliance professionals who want to save<br />
time <strong>and</strong> money by offering examples of<br />
what their colleagues are doing to address<br />
similar auditing <strong>and</strong> monitoring issues.<br />
Just as auditing <strong>and</strong> monitoring are<br />
ongoing activities, this manual is an<br />
evolving resource that will be updated<br />
twice a year to reflect new regulations<br />
<strong>and</strong> additional compliance concerns.<br />
Subscribers to updates will receive more<br />
auditing <strong>and</strong> monitoring tools, policies,<br />
<strong>and</strong> advice.<br />
The original purchase of <strong>Health</strong> <strong>Care</strong> <strong>Audit</strong>ing &<br />
Monitoring Tools is $395, which includes the first<br />
two updates free. Afterwards, HCCA members can<br />
subscribe to annual updates for $195.<br />
6500 Barrie Road, Suite 250<br />
Minneapolis, MN 55435<br />
Phone 888-580-8373<br />
FAX 952-988-0146<br />
November 2006<br />
<br />
<strong>Health</strong> <strong>Care</strong> <strong>Compliance</strong> <strong>Association</strong> • 888-580-8373 • www.hcca-info.org
ASK<br />
John asks the leadership<br />
your questions<br />
Editors note: John Falcetano is Chief<br />
<strong>Audit</strong>/<strong>Compliance</strong> Officer for University<br />
<strong>Health</strong> Systems of Eastern Carolina<br />
<strong>and</strong> a long-time member of HCCA.<br />
This column has been created to give<br />
members the opportunity to submit their questions by e-mail to<br />
Jfalcetano@cox.net <strong>and</strong> have John contact members of HCCA<br />
leadership for their response.<br />
L E A D E R S H I P<br />
John Falcetano<br />
Q: What part does <strong>Internal</strong> <strong>Audit</strong> play in a compliance program?<br />
The answer below was provided by M. Ruppert <strong>and</strong> A. Rolein.<br />
Much like HCCA <strong>and</strong> the health care compliance profession<br />
in 1996, the Institute of <strong>Internal</strong> <strong>Audit</strong>ors (IIA) was established<br />
in 1941, marking the formal birth of the internal<br />
audit profession. The primary role of an internal auditor is to provide<br />
independent, objective assessments of governance, risk, <strong>and</strong> control.<br />
<strong>Internal</strong> control systems overlay the typical operational systems of an<br />
organization to ensure management objectives are being met. <strong>Internal</strong><br />
audit has, since its inception, audited compliance to help boards <strong>and</strong><br />
management ensure achievement of key regulatory requirements.<br />
In this regard, internal auditors have traditionally assessed the spirit of<br />
the seven elements of the federal Sentencing Guidelines, though they<br />
have referred to the elements somewhat differently (e.g., tone at the<br />
top, current st<strong>and</strong>ard operating procedures, fraud hotlines, etc.) The<br />
advent of corporate compliance in health care has not changed the role<br />
of the internal auditor; it has changed government focus on enforcement<br />
<strong>and</strong>, thereby, health care focus on regulatory compliance. The focus<br />
on compliance has resulted in the assimilation of the seven elements<br />
into corporate compliance programs under the oversight of compliance<br />
professionals, although compliance remains a management responsibility,<br />
much like internal controls remain a management responsibility.<br />
Given limited resources, it is imperative that the <strong>Internal</strong> <strong>Audit</strong> <strong>and</strong><br />
<strong>Compliance</strong> departments create collaborative partnerships to best serve<br />
organizational boards with these limited resources.<br />
In past issues of <strong>Compliance</strong> Today, the AHIA/HCCA <strong>Audit</strong>ing<br />
& Monitoring Focus Group issued various articles on auditing <strong>and</strong><br />
Continued on page <br />
<strong>Health</strong> <strong>Care</strong> <strong>Compliance</strong> <strong>Association</strong><br />
2006 Conferences:<br />
San Diego, CA<br />
■ <strong>Compliance</strong> Academy<br />
December 4-7<br />
Orl<strong>and</strong>o, FL<br />
■ <strong>Compliance</strong> Academy<br />
November 6-9<br />
T H E<br />
Louisville, KY<br />
■ Tri-State Area <strong>Compliance</strong> Conference<br />
November 3<br />
Nashville, TN<br />
■ South Central Area Meeting<br />
November 10<br />
2007 Conferences:<br />
Scottsdale, AZ<br />
■ <strong>Compliance</strong> Academy<br />
June 4-7<br />
San Francisco, CA<br />
■ <strong>Compliance</strong> Academy<br />
February 5-8<br />
■ Advanced Academy<br />
June 25-28<br />
Orl<strong>and</strong>o, FL<br />
■ <strong>Compliance</strong> Academy<br />
November 5-8<br />
Chicago, IL<br />
■ <strong>Compliance</strong> Institute<br />
April 22-25<br />
Dallas, TX<br />
■ <strong>Compliance</strong> Academy<br />
March 19-22<br />
■ National Corporate<br />
<strong>Compliance</strong> Week<br />
May 20-26<br />
ON<br />
C A L E N D A R<br />
INSIDE<br />
3 Ask leadership<br />
4 Employee education<br />
& FCA<br />
10 Government enforcement<br />
of quality<br />
15 Meet Marti Arvin<br />
18 CEO letter<br />
22 Go local<br />
24 <strong>Internal</strong> investigations<br />
30 Getting the most from<br />
your CIA<br />
34 <strong>Compliance</strong> 101<br />
41 Practical advice on data<br />
breach laws<br />
44 Weblinks<br />
45 New members<br />
888-580-8373 • www.hcca-info.org<br />
November 2006
Darrell W. Contreras is the Chief <strong>Compliance</strong><br />
Officer at Maricopa Integrated <strong>Health</strong><br />
System in Phoenix. He may be reached by<br />
phone at 602/344-5915 or by e-mail at<br />
darrell.contreras@hcs.maricopa.gov<br />
The Deficit Reduction Act of 2005<br />
(DRA) included section 6032<br />
entitled, “Employee Education<br />
About False Claims Recovery” (hereinafter<br />
referred to as “Section 6032”). 1 With this<br />
section, health care organizations that receive<br />
annual Medicaid payments of at least $5<br />
million are statutorily required to implement<br />
elements of a compliance program to continue<br />
participation in the Medicaid program.<br />
As such, this legislation has been viewed as<br />
the first statutory requirement for a compliance<br />
program. The good news is, most health<br />
care organizations already have an existing<br />
compliance program. The bad news is that<br />
this section uses the words “detailed information,”<br />
“detailed provisions,” <strong>and</strong> a “specific<br />
discussion” to define how to comply with the<br />
requirements of the law. This requirement<br />
raises just one simple question—”How much<br />
‘detail’ is enough?”<br />
Unlike the good ol’ days when we, as<br />
compliance officers, were toiling to implement<br />
the <strong>Health</strong> Insurance Portability<br />
<strong>and</strong> Accountability Act (HIPAA) Privacy<br />
Regulations, where every requirement was<br />
By Darrell W. Contreras, JD<br />
spelled out, Section 6032 leaves to the<br />
imagination of the compliance community<br />
the definitions of “detailed” <strong>and</strong> “specific.”<br />
But, as compliance officers, we have been<br />
here before. In drafting a Code or St<strong>and</strong>ards<br />
of Conduct document for a health<br />
care organization, there has always been the<br />
question of what to include <strong>and</strong> whether<br />
the included material was good enough to<br />
be both simple for all levels of employees to<br />
underst<strong>and</strong>, yet detailed enough to provide<br />
adequate guidance. In the end, the best<br />
answer for the “St<strong>and</strong>ards of Conduct” was<br />
to use available statutes <strong>and</strong> publications<br />
as a guide, <strong>and</strong> create the best document<br />
possible. The same principle applies to<br />
compliance with Section 6032. Without<br />
specific guidance to define “detailed provisions”<br />
<strong>and</strong> “specific discussion,” compliance<br />
officers must use the available resources to<br />
make best efforts to comply with Section<br />
6032. At Maricopa Integrated <strong>Health</strong><br />
System (MIHS), we used a step-by-step<br />
breakdown to review the previously undefined<br />
requirements of Section 6032.<br />
The Deficit Reduction Act – What is<br />
required?<br />
The first step to compliance is to review the<br />
requirements of the Section 6032. The turmoil<br />
caused by three small paragraphs of the DRA<br />
can be broken down into a few key elements.<br />
Under the Act, a health care entity must:<br />
1. Establish written policies applicable to all<br />
employees <strong>and</strong> contractors that provide<br />
“detailed information” about:<br />
a. The federal False Claims Act<br />
b. Administrative remedies under the<br />
Act<br />
c. Any state laws pertaining to civil or<br />
criminal penalties for false claims<br />
<strong>and</strong> statements, <strong>and</strong><br />
d. Include whistleblower protections under<br />
such laws, with a specific focus on preventing<br />
<strong>and</strong> detecting fraud, waste, <strong>and</strong> abuse;<br />
2. Include in the written policies “detailed<br />
provisions regarding the entity’s policies<br />
<strong>and</strong> procedures for detecting <strong>and</strong> preventing<br />
fraud, waste, <strong>and</strong> abuse;”<br />
3. Include in the employee h<strong>and</strong>book a “specific<br />
discussion” of the federal <strong>and</strong> state<br />
False Claims Act laws, the whistleblower<br />
protections afforded to employees who<br />
make reports of potential false claims, “<strong>and</strong><br />
the entity’s policies <strong>and</strong> procedures for<br />
detecting <strong>and</strong> preventing fraud, waste, <strong>and</strong><br />
abuse,” <strong>and</strong><br />
4. Implement all of this by January 1, 2007.<br />
The False Claims Act policy<br />
Based on the elements set forth above, a<br />
health care entity must create a False Claims<br />
Act policy, based on the federal False Claims<br />
Act. 2 This Act includes definitions to be<br />
included in the policy, the elements for the<br />
prima facie case, <strong>and</strong> the penalties associated<br />
with violations of the federal False Claims<br />
Act. It is worth noting that the federal False<br />
Claims Act applies beyond health care. As<br />
such, some of the provisions may not apply<br />
to health care entities. As long as the entity<br />
includes the elements that explain the federal<br />
False Claims Act as it applies to the entity, the<br />
requirement is satisfied.<br />
When the federal False Claims Act provisions<br />
are delineated in the policy, the next<br />
Continued on page <br />
November 2006<br />
<br />
<strong>Health</strong> <strong>Care</strong> <strong>Compliance</strong> <strong>Association</strong> • 888-580-8373 • www.hcca-info.org
You’re a compliance professional, which means<br />
you can’t rest at simply knowing one or two<br />
key areas when it comes to compliance matters.<br />
With the CCH <strong>Health</strong> <strong>Care</strong> <strong>Compliance</strong> Portfolio<br />
Deluxe you get the need-to-know information<br />
that affects every aspect of health care compliance.<br />
It comes as four resources (<strong>Health</strong> <strong>Care</strong><br />
<strong>Compliance</strong> Professional’s Manual, Journal of<br />
<strong>Health</strong> <strong>Care</strong> <strong>Compliance</strong>, <strong>Health</strong> <strong>Care</strong> <strong>Compliance</strong><br />
Reporter, <strong>and</strong> the <strong>Health</strong> <strong>Care</strong> <strong>Compliance</strong> Letter)<br />
that are designed to work seamlessly together.<br />
Visit health.cch.com or call 888-224-7377.<br />
When your company’s<br />
compliance steps rest<br />
on your decisions,<br />
look to Wolters Kluwer.<br />
Presenting the CCH <strong>Health</strong> <strong>Care</strong><br />
<strong>Compliance</strong> Portfolio Deluxe.<br />
<strong>Health</strong> <strong>Care</strong> <strong>Compliance</strong> <strong>Association</strong> • 888-580-8373 • www.hcca-info.org<br />
<br />
November 2006<br />
© 2006 Wolters Kluwer Law & Business. All rights reserved.
Employee education about False Claims Recovery ...continued from page <br />
step is to include any state false claims laws.<br />
The Centers for Medicare <strong>and</strong> Medicaid Services<br />
(CMS) has created a Web page where<br />
the public can check Medicaid Fraud Statutes<br />
for each state. 3 By selecting the state in<br />
which the entity operates, the search engine<br />
pulls all the state laws related to Medicaid<br />
fraud. If the state has a false-claims law, it<br />
will fall under the heading of “Civil False<br />
Claims.” This citation can then be linked to<br />
review the specific state law(s) to evaluate<br />
their applicability to the False Claims Act<br />
policy. Regardless of whether the state currently<br />
has a false claims law in effect, keep<br />
checking the legislative activity, because the<br />
DRA included incentives for states to create<br />
false-claims laws that mirror the federal<br />
False Claims Act. As a practical matter, this<br />
provision of the DRA will likely bring many<br />
state false-claims laws in line with the federal<br />
False Claims Act.<br />
The last element of the False Claims Act<br />
policy is the whistle blower protection.<br />
Federal whistle blower protection is specifically<br />
addressed under the title of “Civil<br />
actions for false claims.” 4 For purposes of the<br />
False Claims Act policy, compliance requires<br />
incorporating the key provisions into the<br />
policy. To determine if a specific state has<br />
enacted whistle-blower protection laws, the<br />
CMS Medicaid Fraud Statutes Web page<br />
(reference #3) provides a useful tool. If the<br />
state has whistle blower protection laws, then<br />
the policy should include the key provisions<br />
of the law(s).<br />
In drafting the MIHS False Claims Act<br />
policy, we personalized the policy instead of<br />
purely copying text from the statutes. In so<br />
doing, the MIHS False Claims Act policy<br />
reflects that MIHS will comply with or will<br />
not engage in specific behavior. We also<br />
included definitions <strong>and</strong> simplified the language<br />
where possible, recognizing that this is<br />
a policy for employees to read <strong>and</strong> not a statute.<br />
Additionally, we structured the policy to<br />
follow the elements required by the Section<br />
6032. As such, the policy includes major sections<br />
entitled:<br />
n The Federal False Claims Act<br />
n The State False Claims Acts<br />
n Federal <strong>and</strong> State Penalties (Administrative,<br />
Civil, <strong>and</strong> Criminal), <strong>and</strong><br />
n Federal <strong>and</strong> State Whistleblower Protection<br />
Laws<br />
As part of the whistle-blower protection section,<br />
we included a discussion <strong>and</strong> reference<br />
to the MIHS Non-Retaliation Policy to help<br />
reinforce that, as an entity, we do not tolerate<br />
retaliation for issues or concerns that are<br />
raised in good faith.<br />
Policies <strong>and</strong> procedures for detecting <strong>and</strong><br />
preventing fraud, waste, <strong>and</strong> abuse<br />
Section 6032 states that as part of the False<br />
Claims Act policy, there must be “detailed<br />
provisions regarding the entity’s policies <strong>and</strong><br />
procedures for detecting <strong>and</strong> preventing<br />
fraud, waste, <strong>and</strong> abuse.” As such, Section<br />
6032 recognizes that there may be existing<br />
policies <strong>and</strong> procedures in place. For many<br />
organizations, these policies <strong>and</strong> procedures<br />
may be part of the existing compliance<br />
program in the St<strong>and</strong>ards of Conduct<br />
or in separate policies, such as a compliance<br />
reporting or fraud detection policy.<br />
Therefore, there is no need to re-draft these<br />
policies <strong>and</strong> procedures or copy them into<br />
the False Claims Act policy. Instead, Section<br />
6032 requires discussion of those policies<br />
<strong>and</strong> reference to the entity’s existing policies.<br />
In the MIHS False Claims Act Policy, we<br />
used the section entitled, “MIHS Programs<br />
to Prevent <strong>and</strong> Detect Fraud” to refer to<br />
the existing MIHS <strong>Compliance</strong> Reporting<br />
Policy <strong>and</strong> to reaffirm the obligation of all<br />
MIHS personnel to report suspected fraud<br />
<strong>and</strong> abuse through the existing reporting<br />
structure, the compliance office, or the<br />
compliance hotline.<br />
False Claims Acts <strong>and</strong> whistle-blower protection<br />
in employee h<strong>and</strong>books<br />
Section 6032 requires that a discussion of the<br />
federal <strong>and</strong> state False Claims Acts, as well<br />
as the whistle-blower protection laws related<br />
to those Acts, be included in “any employee<br />
h<strong>and</strong>book.” For organizations that already<br />
have a compliance program, this should<br />
include the St<strong>and</strong>ards of Conduct along with<br />
any other employee manual. Specifically, the<br />
St<strong>and</strong>ards of Conduct should include information<br />
about the organization’s non-retaliation<br />
policy, which represents the organization’s<br />
commitment to whistle blower protection.<br />
Additionally, the St<strong>and</strong>ards of Conduct should<br />
include information about how to report<br />
issues or concerns, specifically, the detection<br />
<strong>and</strong> prevention of fraud, waste, <strong>and</strong> abuse.<br />
This is one of the seven foundational elements<br />
of the Department of <strong>Health</strong> <strong>and</strong> Human<br />
Services Office of Inspector General (OIG)<br />
<strong>Compliance</strong> Program Guidance. 5 Lastly, the<br />
St<strong>and</strong>ards of Conduct should include bullet<br />
points referring to the organization’s commitment<br />
to complying with federal <strong>and</strong> state<br />
laws <strong>and</strong> regulations, <strong>and</strong> its commitment to<br />
submit only those claims for which there is<br />
accurate documentation. Many of these bullet<br />
points can be extracted from the language in<br />
one of the many Corporate Integrity Agreements<br />
authored by the OIG.<br />
At MIHS, we were in the process of revising<br />
<strong>and</strong> republishing our St<strong>and</strong>ards of Conduct.<br />
Although we included the St<strong>and</strong>ards of<br />
Conduct language that has become st<strong>and</strong>ard<br />
fare in Corporate Integrity Agreements<br />
regarding billing <strong>and</strong> compliance with federal<br />
<strong>and</strong> state laws <strong>and</strong> regulations, we modified<br />
the bullet point to specifically address the<br />
requirements of Section 6032, with reference<br />
to the MIHS False Claims Act Policy. The<br />
November 2006<br />
<br />
<strong>Health</strong> <strong>Care</strong> <strong>Compliance</strong> <strong>Association</strong> • 888-580-8373 • www.hcca-info.org
language we included is:<br />
We do not tolerate making or submitting<br />
false or misleading claims or statements<br />
to any government agency, health care<br />
program or payer source (See MIHS False<br />
Claims Act Policy)<br />
The general discussion of the False Claims<br />
Act incorporates by reference the detailed discussion<br />
of the federal <strong>and</strong> state False Claims<br />
Acts, administrative remedies, <strong>and</strong> whistle<br />
blower protections as required by Section<br />
6032.<br />
We also included a copy of the MIHS False<br />
Claims Act Policy in the New Employee<br />
h<strong>and</strong>book. In addition to providing the h<strong>and</strong>book<br />
<strong>and</strong> policy to all new employees, we<br />
included a brief overview of the policy as part<br />
of the new employee orientation to ensure<br />
that new employees are aware of the policy<br />
<strong>and</strong> know how to locate it. Attendance at<br />
<strong>and</strong> completion of new employee orientation<br />
is documented, allowing us to demonstrate<br />
compliance at a later date. New employees<br />
are easy to educate, because they are a captive<br />
audience. The challenge is distributing<br />
the new policy to existing employees <strong>and</strong><br />
documenting their receipt of the policy. The<br />
answer for us was to distribute the policy to<br />
all employees as part of an organization-wide<br />
training program.<br />
Training employees on the False Claims Act<br />
Does Section 6032 require that employees be<br />
trained? Technically, no. Although Section<br />
6032 does not state that health care entities<br />
must provide training to all personnel on the<br />
False Claims Act, the title of Section 6032 is,<br />
“Employee Education About False Claims Recovery.”<br />
Therefore, it could be argued that the<br />
requirement to train employees on Section<br />
6032 is implicit. In addition, the publication<br />
of any new policy creates an obligation for<br />
the health care entity to introduce the new<br />
policy to affected personnel. If compliance<br />
means following the rules, then as compliance<br />
officers, we are obligated to inform personnel<br />
of the rules they are expected to follow. The<br />
same principle applies to the False Claims<br />
Act policy. Moreover, it would be difficult to<br />
argue compliance with Section 6032 without<br />
training, because existing employees would<br />
have no means by which to know or read the<br />
new False Claims Act policy. As such, a good<br />
faith effort for compliance with Section 6032<br />
should include employee training on the False<br />
Claims Act policy.<br />
In earlier years, teaching employees how to<br />
be whistleblowers was not viewed favorably<br />
by many organizations. However, with the<br />
inclusion of the effectiveness provisions of<br />
the OIG’s <strong>Compliance</strong> Program Guidance, 6<br />
effective compliance programs should be<br />
evaluated based on employee knowledge of<br />
how to appropriately report issues or concerns,<br />
including suspected fraud, waste, <strong>and</strong><br />
abuse. As a result, training personnel on the<br />
False Claims Act policy should not be viewed<br />
as giving employees a direct line to the OIG.<br />
Rather, training employees should be viewed<br />
as reinforcing the existing compliance culture,<br />
educating employees on what constitutes a<br />
false claim, <strong>and</strong> showing them what to do if<br />
they suspect a violation of the False Claims<br />
Act policy.<br />
The MIHS False Claims Act Policy training is<br />
based on a train-the-trainer model that uses<br />
department managers as the trainers. This<br />
helps to ensure accountability <strong>and</strong> improve<br />
completion percentages. The policy is the<br />
foundation for the training, but trainers are<br />
provided with a summary training “script”<br />
to guide them through the training. All<br />
employees are given a copy of the MIHS False<br />
Claims Act Policy, <strong>and</strong> they are told where the<br />
policy resides on the Intranet. All attendees<br />
are required to print <strong>and</strong> sign a sign-in log to<br />
verify attendance. Completion will be audited<br />
<strong>Health</strong> <strong>Care</strong> <strong>Compliance</strong> <strong>Association</strong> • 888-580-8373 • www.hcca-info.org<br />
to ensure that the compliance office has evidence<br />
to demonstrate that all personnel were<br />
trained on the MIHS False Claims Act Policy.<br />
In addition to employees, Section 6032<br />
requires that the False Claims Act Policy<br />
apply to contractors or agents of the entity.<br />
In the context of education, this means that<br />
contractors <strong>and</strong> agents, <strong>and</strong> their employees,<br />
must also receive information about the<br />
entity’s False Claims Act Policy. Fortunately,<br />
this is similar to requirements in Corporate<br />
Integrity Agreements in which an entity is<br />
required to provide its St<strong>and</strong>ards of Conduct<br />
to all vendors, contractors, physicians, <strong>and</strong><br />
agents. In those situations, many entities<br />
satisfy this requirement by including a copy<br />
of the St<strong>and</strong>ards of Conduct as part of all<br />
new contracts <strong>and</strong> sending a copy to existing<br />
contractors. This may be burdensome, so it<br />
would be wise to investigate other options,<br />
such as e-mailing the policy, to make the<br />
requirement manageable. Many organizations<br />
have a central repository for contracts<br />
through which all contractors can be identified.<br />
The same concept <strong>and</strong> methodology<br />
applies to the medical staff, some of whom<br />
may be a part of group practice that itself<br />
must comply with Section 6032. Looking<br />
ahead, the MIHS False Claims Act Policy<br />
will be included:<br />
n In the New Employee Orientation h<strong>and</strong>book<br />
for employees<br />
n As part of the contracting process for all<br />
new contracts<br />
n As part of the medical staff credentialing<br />
packet<br />
What happens if you are wrong?<br />
Even though MIHS has taken many proactive<br />
steps to comply with Section 6032, there is<br />
always a chance that our method is wrong.<br />
What happens if our approach to compliance<br />
is not what the regulators envisioned?<br />
Continued on page <br />
November 2006
Employee education about False Claims Recovery ...continued from page <br />
Unfortunately, there are too many times when the fear of being wrong<br />
is used to prevent movement in the right direction. To avoid this, we<br />
framed the discussion as, “If we are wrong, what is the harm?” Maybe<br />
a policy must be amended, or some similar modification needs to be<br />
made. However, in the context of ensuring the continuity of Medicaid<br />
payments, making a modification is a small price to pay. Certainly the<br />
price of modification is not great enough to delay the implementation<br />
of an entity’s False Claims Act policy. Of all the regulatory activity in the<br />
compliance sector over the past several years, no evidence indicates that<br />
an organization that has made a good faith effort to comply with Section<br />
6032 is at risk for civil or administrative penalties. For that reason,<br />
we have elected to charge forward to ensure that the January 1, 2007<br />
compliance deadline is satisfied. n<br />
1 Pub. L. No. 109-171 § 6032<br />
2 31 U.S.C. § 3729<br />
3 Centers for Medicare <strong>and</strong> Medicaid Services, Medicaid Fraud Statutes Website, http://www.cms.hhs.gov/apps/mfs/<br />
State_Select.asp (last visited Sept. 25, 2006).<br />
4 31 U.S.C. 3730(h)<br />
5 See generally Publication of the OIG <strong>Compliance</strong> Program Guidance for Hospitals, 63 Fed. Reg. 8987 (February 23,<br />
1998)<br />
6 OIG Supplemental <strong>Compliance</strong> Program Guidance for Hospitals, 70 Fed. Reg. 4858, 4874 (January 31, 2005)<br />
Ask Leadership ...continued from page <br />
monitoring, the latest of which addressed the roles of compliance<br />
<strong>and</strong> internal audit functions. First, readers should visit or revisit those<br />
articles <strong>and</strong> second, use the following as guidelines for key roles that<br />
internal auditors should fulfill relative to their organization’s compliance<br />
program:<br />
n Participate as members of the corporate compliance committee,<br />
provide input on the annual compliance work plan, <strong>and</strong> report key<br />
compliance findings identified in internal audits.<br />
n Coordinate risk assessment <strong>and</strong> annual work planning processes to<br />
avoid duplication of effort <strong>and</strong> separately manage the auditing <strong>and</strong><br />
monitoring components of the plan.<br />
n Include discussions with the compliance officer when planning every<br />
audit. Because internal auditors typically focus on risk-based audits,<br />
this will ensure key compliance risks are addressed.<br />
n Review all compliance-related audit “findings” with the compliance<br />
officer to ensure corporate awareness before issues are reported.<br />
n Assist the compliance officer in investigating certain hotline-initiated<br />
matters.<br />
n Participate in the analysis of conflict of interest matters.<br />
n Share <strong>and</strong> discuss various issues frequently to ensure joint underst<strong>and</strong>ing<br />
of current issues, risks, <strong>and</strong> actions being taken. n<br />
November 2006<br />
<br />
<strong>Health</strong> <strong>Care</strong> <strong>Compliance</strong> <strong>Association</strong> • 888-580-8373 • www.hcca-info.org
<strong>Health</strong> <strong>Care</strong> <strong>Compliance</strong> <strong>Association</strong> • 888-580-8373 • www.hcca-info.org<br />
November 2006
By: Janice Anderson, Cheryl Wagonhurst, <strong>and</strong> Neil Smithline, MD<br />
Editor’s note: Janice Anderson <strong>and</strong> Cheryl a medical staff issue. Today, a hospital that<br />
Wagonhurst are partners in the law firm provides poor-quality care can find itself the<br />
of Foley & Lardner LLP. Janice Anderson subject of civil <strong>and</strong> criminal penalties for filing<br />
false claims.<br />
may be reached in Chicago by telephone at<br />
312/832-4530. Cheryl Wagonhurst may<br />
be reached in Los Angeles by telephone The medical staff <strong>and</strong> CEO of United<br />
at 310/975-7839. Neil Smithline, MD, Memorial Hospital (UMH) in Greenville,<br />
Mercer <strong>Health</strong> & Benefits, contributed Michigan learned first h<strong>and</strong> the devastating<br />
to this article. He may be reached in San consequences that can occur from inadequate<br />
Francisco, by telephone at 415/743-8700. quality <strong>and</strong> peer review. In 2001, UMH <strong>and</strong><br />
two physicians who served on the hospital<br />
The focus on quality <strong>and</strong> safety Medical Executive Committee were indicted<br />
in hospitals has increased dramatically<br />
over the past several years. aid, <strong>and</strong> private insurers. The indictment was<br />
for conspiring to defraud Medicare, Medic-<br />
Historically, the task of monitoring the quality<br />
of care provided by physicians has been cedures performed by an anesthesiologist on<br />
based on unnecessary pain management pro-<br />
delegated by hospitals to the medical staff, staff at UMH. 3 The government’s case against<br />
<strong>and</strong> the biggest risk that hospitals faced when the hospital executive <strong>and</strong> physicians centered<br />
confronted with a quality issue was malpractice<br />
liability. Often, in fact, the hospital’s best be lacking, thereby protecting the significant<br />
on peer review procedures allegedly found to<br />
defense to malpractice lawsuits that stemmed revenue generated by the anesthesiologist who<br />
from a poorly performing physician was to ran, what the government characterized as, a<br />
claim that it was not responsible for malpractice<br />
committed by members of its indepen-<br />
UMH pled guilty <strong>and</strong> agreed to pay fines<br />
“pain mill.” Rather than face a criminal trial,<br />
dent medical staff. 1<br />
totaling more than $1 million in 2003.<br />
But, times have changed. The public is now Other cases have followed UMH. In 2002,<br />
aware that hospitals may not always provide Redding Medical Center (RMC) in Redding,<br />
California was served with a federal<br />
safe medical care, that the government’s focus<br />
on quality is on the rise, <strong>and</strong> that individuals government search warrant that alleged that<br />
recognize the rewards available to them by the hospital allowed unnecessary procedures<br />
filing private lawsuits (called qui tam suits) <strong>and</strong> surgeries to be performed on patients<br />
alleging health care fraud. In fact, in 2005 in violation of the federal False Claims Act<br />
alone, more than 1,100 health care fraud (FCA). 4 RMC paid more than $50 million to<br />
cases were filed by individual qui tam relators settle that claim. And, in 2006, Our Lady of<br />
alone. 2 These staggering statistics make clear Lourdes Regional Medical Center, in Baton<br />
that hospitals no longer can consider quality Rouge, Louisiana paid over $3.8 million to<br />
Janice Anderson<br />
resolve health care fraud claims arising from<br />
billing for allegedly unnecessary elective<br />
angiograms, angioplasty, <strong>and</strong> stenting procedures<br />
performed by a staff physician between<br />
1999 <strong>and</strong> 2003. 5 It is now clear that hospital<br />
peer review <strong>and</strong> quality activities are “front<br />
<strong>and</strong> center” for government enforcers.<br />
Hospital quality management <strong>and</strong> peer<br />
review programs<br />
The Medicare Conditions of Participation,<br />
along with the laws of every state, require<br />
hospitals to develop peer review <strong>and</strong> quality<br />
management systems to review the professional<br />
practices of the clinical personnel<br />
providing services to patients. The traditional<br />
quality assurance mechanisms found in hospitals<br />
include the quality assurance program,<br />
the risk management program, <strong>and</strong> the<br />
utilization review program. Taken together,<br />
these programs provide hospital-wide quality<br />
reviews (including auditing of patient<br />
records), education, <strong>and</strong> prevention.<br />
Augmenting these hospital systems is the<br />
medical staff peer review process that is generally<br />
conducted by committees of physicians<br />
<strong>and</strong>, in some cases, may involve nurses <strong>and</strong><br />
other practitioners. These committees conduct<br />
screening <strong>and</strong> review of patient records,<br />
investigate individual physician’s clinical competence,<br />
<strong>and</strong> may make recommendations to<br />
November 2006<br />
10<br />
<strong>Health</strong> <strong>Care</strong> <strong>Compliance</strong> <strong>Association</strong> • 888-580-8373 • www.hcca-info.org
Cheryl Wagonhurst<br />
the other medical staff committees or officers<br />
(e.g., the Medical Executive Committee or the<br />
chief of a department) for further action. Peer<br />
review procedures rarely focus on issues of<br />
overall quality of care, but tend to be incident<br />
driven with a focus on individual physician<br />
performance, rather than the general practice<br />
patterns of all physicians in the hospital. Peer<br />
review is conducted under procedures defined<br />
in the medical staff bylaws.<br />
Peer review is founded on the belief that only<br />
physicians can evaluate physicians. It generally<br />
focuses on whether the care provided by<br />
an individual physician is medically necessary<br />
<strong>and</strong> consistent with the st<strong>and</strong>ards of practice.<br />
Studies show that this retrospective analysis is<br />
often fraught with a high degree of variability.<br />
6 The success of peer review in any specific<br />
case depends on the commitment of each<br />
individual hospital’s medical staff <strong>and</strong> the<br />
extent to which they can put aside the normal<br />
human reluctance to evaluate a peer <strong>and</strong><br />
engage in honest <strong>and</strong> thorough evaluation.<br />
To encourage peer review, Congress passed<br />
the <strong>Health</strong> <strong>Care</strong> Quality Improvement Act<br />
of 1986 (HCQIA) 7 to give immunity to peer<br />
review participants, so long as the participants<br />
act in good faith <strong>and</strong> in the reasonable belief<br />
that the peer review action furthered quality<br />
of care. Congress hoped that by passing<br />
the HCQIA, legitimate peer review activity<br />
would flourish <strong>and</strong> improve the quality of<br />
care in hospitals nationwide.<br />
Some would argue that Congress’ best-laid<br />
plans did not pan out. Today, traditional<br />
quality <strong>and</strong> peer review activities may or may<br />
not be effective in dealing with poorly performing<br />
physicians. The peer review processes<br />
are lengthy <strong>and</strong> depend upon physicians who<br />
donate precious time to review the practices<br />
of fellow physicians who may be friends or<br />
competitors. All too often, by the time a<br />
quality of care issue is identified <strong>and</strong> actually<br />
dealt with, a plethora of evidence exists that<br />
shows a pattern of poor quality care (i.e.,<br />
subst<strong>and</strong>ard care, lack of medical necessity, or<br />
over-utilization).<br />
The quality revolution<br />
In recent years, hospital quality activities have<br />
changed from an informal process of auditing<br />
<strong>and</strong> evaluating care on a case-by-case basis, to<br />
a “science” based on quantitative analysis of<br />
sophisticated quality data. This change was<br />
spurred in part by the Institute of Medicine<br />
(IOM) report, “To Err Is Human: Building a<br />
Safer <strong>Health</strong> System.” 8 Issued in 1999, the report<br />
concluded that up to 98,000 Americans<br />
die each year from medical mistakes, making<br />
preventable medical errors the eighth leading<br />
cause of death in the United States—<br />
surpassing vehicle accidents, breast cancer,<br />
<strong>and</strong> AIDS. The report made headline news<br />
<strong>and</strong> alarmed health care providers, regulators,<br />
<strong>and</strong> the public. More disturbing than the<br />
sheer number of preventable errors that occur<br />
in hospitals daily was the report’s conclusion<br />
that medical errors were caused primarily by<br />
systemic problems in hospitals <strong>and</strong> not by the<br />
poor performance of errant individual doctors<br />
<strong>and</strong> nurses.<br />
The first IOM report was followed closely<br />
by a second report, “Crossing the Quality<br />
Neil Smithline<br />
Chasm: A New <strong>Health</strong> System for the 21st<br />
Century.” 9 Issued in 2001, the second report<br />
proposed six aims for improving patient care<br />
(i.e., safety, effectiveness, patient centeredness,<br />
timeliness, efficiency, <strong>and</strong> equitable<br />
care) <strong>and</strong> ten rules to guide the redesign of<br />
health care to achieve these aims. The report<br />
stressed evidence-based decision making to<br />
reduce variance in medical practice among<br />
physicians.<br />
Other organizations responded to the heightened<br />
focus on patient safety <strong>and</strong> quality, <strong>and</strong><br />
a flurry of national quality initiatives began.<br />
In 2000, the Leapfrog Group, an organization<br />
formed by large purchasers of health care,<br />
established evidenced-based patient safety<br />
practices to reduce medical mistakes in hospitals,<br />
<strong>and</strong> the Institute for <strong>Health</strong>care Improvement<br />
(IHI) launched a “Campaign to Save<br />
100,000 Lives” in 2004. Specialty societies,<br />
like the Society of Thoracic Surgeons <strong>and</strong> the<br />
American College of Cardiology, also came<br />
out with st<strong>and</strong>ardized process <strong>and</strong> outcomesmeasurement<br />
tools to guide the delivery of<br />
safer patient care.<br />
The Joint Commission on the Accreditation<br />
of <strong>Health</strong> Organizations (JCAHO) began its<br />
intensive focus on quality in 1999 when it<br />
m<strong>and</strong>ated as a condition of accreditation that<br />
Continued on page 12<br />
<strong>Health</strong> <strong>Care</strong> <strong>Compliance</strong> <strong>Association</strong> • 888-580-8373 • www.hcca-info.org<br />
November 2006<br />
11
Government enforcement of quality ...continued from page 11<br />
hospitals report on quality “core measures.” 10<br />
Soon after, the Centers for Medicare <strong>and</strong><br />
Medicaid Services (CMS) joined with the<br />
Hospital Quality Alliance (HQA), a publicprivate<br />
collaboration of hospitals that is<br />
designed to help hospitals improve quality by<br />
measuring <strong>and</strong> reporting objective, easy-tounderst<strong>and</strong><br />
data on hospital performance. 11<br />
In 2004, CMS <strong>and</strong> JCAHO agreed to adopt<br />
the same st<strong>and</strong>ardized performance measures<br />
for hospital reporting <strong>and</strong> began publicizing<br />
the data on the Hospital Compare Web site 12<br />
to help consumers improve decision making<br />
about their health care.<br />
Government enforcement<br />
Historically, hospital quality <strong>and</strong> peer review<br />
systems have existed as unrelated to the<br />
traditional billing <strong>and</strong> finance functions of<br />
the hospital. Recent activity by the government,<br />
however, has linked quality of care with<br />
billing requirements, <strong>and</strong> hospitals that fail<br />
to deliver quality patient care may find themselves<br />
the subject of government enforcement<br />
for billing fraud.<br />
The government has a powerful tool to<br />
enforce quality care – the federal False Claims<br />
Act (FCA). 13 Enacted during the Civil War,<br />
the statute focuses on preventing fraud among<br />
federal contractors. The Civil FCA imposes<br />
penalties on any person who knowingly<br />
presents (or causes to be presented) a false or<br />
fraudulent claim for payment, or makes a false<br />
statement to get a claim paid. The law uses qui<br />
tam enforcement, which encourages private<br />
citizens (called qui tam relators or “whistleblowers”)<br />
to disclose false or fraudulent<br />
activities to the government. Whistleblowers<br />
can receive up to 25% of the total recovery or<br />
settlement if the government prosecutes the<br />
case, <strong>and</strong> up to 30% of the proceeds if the<br />
government decides not to intervene, but the<br />
qui tam relator proceeds or his or her own.<br />
The penalties for a successful FCA case can<br />
be exorbitant. <strong>Health</strong> care providers can face<br />
triple damages plus civil penalties of $5,500<br />
to $11,000 for each <strong>and</strong> every false claim.<br />
If the plaintiff prevails, the courts will also<br />
award reasonable costs <strong>and</strong> attorney fees<br />
against the defendant.<br />
Whistleblowers <strong>and</strong> the government alike<br />
find the financial motivation compelling to<br />
pursue allegations of false claims. Since 1986,<br />
the federal government has recovered more<br />
than $15 billion dollars under the FCA. 14<br />
With a mean relator share of $1,700,153,<br />
whistleblowers can strike gold if the government<br />
prevails in the lawsuit. 15 These awards<br />
have proven to be an effective incentive for<br />
whistleblowers <strong>and</strong> an excellent investment<br />
for the federal government. The number of<br />
qui tam cases per year has increased exponentially<br />
since the whistleblower provisions were<br />
enacted, 16 <strong>and</strong> the federal government recovers<br />
$15 for every $1 it invests in FCA whistleblower<br />
actions involving health fraud. 17<br />
In addition to FCA liability, whistleblower<br />
claims often lead to charges of criminal <strong>and</strong><br />
civil violations under numerous other health<br />
care fraud statutes, such as criminal charges<br />
under 18 U.S.C. § 287 for false claims,<br />
§ 1001 for false statements, § 1341 for mail<br />
fraud, § 1343 for wire fraud, <strong>and</strong> § 1347 for<br />
health care fraud. Charges can be brought<br />
under 42 U.S.C. § 1320a-7b(a)-(e) for fraud<br />
on federal health care programs <strong>and</strong> illegal<br />
remuneration, 18 U.S.C. § 371 for conspiracy,<br />
<strong>and</strong> § 1349 for attempted conspiracy. In<br />
certain cases, the government can also bring<br />
charges for money laundering, racketeering,<br />
<strong>and</strong> misconduct related to Employee Retirement<br />
Income Security Act (ERISA) plans. 18<br />
If the case involves patient neglect or abuse,<br />
the government can prosecute providers for<br />
violations of a patient’s civil rights. 19<br />
Exclusion from federal programs is another<br />
potent weapon in the government’s arsenal.<br />
The threat of exclusion from the Medicare<br />
<strong>and</strong> Medicaid program (the kiss of death for<br />
most hospitals) can be used to exert leverage<br />
in settlement agreements with health care<br />
providers. 20 The <strong>Health</strong> Insurance Portability<br />
<strong>and</strong> Accountability Act of 1996 (HIPAA) 21<br />
exp<strong>and</strong>ed the already extensive list of reasons<br />
for exclusion, increased the number of offenses<br />
for which exclusion must be imposed,<br />
<strong>and</strong> established additional minimum periods<br />
for which person must remain excluded. If<br />
the provider is convicted of criminal offenses<br />
in connection with delivery of health care<br />
services or the neglect or abuse of a patient,<br />
the exclusion is m<strong>and</strong>atory. 22<br />
The FCA’s definition of a false claim is<br />
extremely broad <strong>and</strong> creates limitless opportunities<br />
for the prosecution of providers.<br />
Although a substantial number of health care<br />
FCA cases involve actions that traditionally<br />
have been considered fraudulent, such as<br />
billing for services that were never performed,<br />
misrepresenting the identity of the provider<br />
who performed the service, or “up coding”<br />
(i.e., billing the government for more expensive<br />
care than was delivered), 23 prosecutors<br />
<strong>and</strong> qui tam relators now are claiming fraud<br />
when quality is alleged to be poor, or the care<br />
provided is determined to be unnecessary, or<br />
both.<br />
“Medical necessity fraud” occurs when the<br />
procedures provided (e.g., tests, lab studies)<br />
do not meet medical necessity criteria. Medicare<br />
<strong>and</strong> Medicaid pay only for those services<br />
that are reasonable, medically necessary, <strong>and</strong><br />
used for diagnostic <strong>and</strong> therapeutic purposes<br />
in connection with health care services<br />
provided to beneficiaries. Each time that a<br />
claim is submitted, the provider certifies on a<br />
HCFA (<strong>Health</strong> <strong>Care</strong> Financing Administration,<br />
now CMS) 1500 or UB92 form that<br />
November 2006<br />
12<br />
<strong>Health</strong> <strong>Care</strong> <strong>Compliance</strong> <strong>Association</strong> • 888-580-8373 • www.hcca-info.org
the services are “medically necessary <strong>and</strong><br />
indicated for the health of the patient.” If,<br />
contrary to the certification, the services are<br />
unnecessary, the certification is false <strong>and</strong> the<br />
submission of the claim violates the FCA. 24<br />
In the UMH case, the relator alleged that the<br />
hospital <strong>and</strong> medical staff committees failed<br />
to act on information generated through peer<br />
review that demonstrated that a staff anesthesiologist<br />
was running a “pain mill” at the<br />
hospital by providing medically unnecessary<br />
pain management procedures. As a result, the<br />
anesthesiologist <strong>and</strong> the hospital were charged<br />
with falsely certifying compliance with<br />
Medicare’s medical necessity requirements.<br />
The initial investigation led to a first-of-its<br />
kind criminal prosecution against the hospital.<br />
The federal prosecutors obtained a 31-<br />
count criminal indictment against UMH <strong>and</strong><br />
the chiefs of the medical staff <strong>and</strong> emergency<br />
medicine for mail fraud, wire fraud, <strong>and</strong><br />
conspiracy to commit mail <strong>and</strong>/or wire fraud<br />
relating to the allegedly unnecessary medical<br />
procedures performed by the anesthesiologist.<br />
The crux of the government’s case was<br />
that, notwithst<strong>and</strong>ing information learned<br />
through peer review <strong>and</strong> many complaints<br />
from patients received by the hospital, the<br />
hospital continued to bill <strong>and</strong> collect its fees,<br />
certifying each time that the services were<br />
medically necessary when, in fact, the hospital<br />
knew through its peer review procedures they<br />
were not. The hospital pled guilty to a single<br />
felony charge of wire fraud in a settlement<br />
agreement, paid a fine of more than $1 million,<br />
<strong>and</strong> agreed to reimburse approximately<br />
$750,000 to Medicare, Medicaid, <strong>and</strong> two<br />
private insurers.<br />
In the Redding Medical Center case,<br />
whistleblowers alleged that the performance of<br />
unnecessary heart catherizations, angioplasty,<br />
<strong>and</strong> open-heart surgeries violated the FCA.<br />
Tenet <strong>Health</strong>care Corporation, the parent<br />
of Redding, ultimately signed a $54 million<br />
settlement agreement with the Department<br />
of Justice (DOJ) in 2003. This was the largest<br />
recovery to date from a hospital in an alleged<br />
case of lack of medical necessity. 25 Shortly<br />
thereafter, in 2004, Tenet agreed to divest itself<br />
of RMC <strong>and</strong> sell the assets to an unrelated<br />
third party to avoid RMC’s exclusion from<br />
the Medicare <strong>and</strong> Medicaid programs. 26 Tenet,<br />
RMC, <strong>and</strong> two physicians also faced over 100<br />
civil lawsuits filed by individuals who said that<br />
they or their families underwent unnecessary<br />
surgeries, <strong>and</strong> Tenet set up a $395 million<br />
fund to settle these civil lawsuits. 27<br />
In addition to challenging a hospital’s right to<br />
bill for services that are deemed medically unnecessary,<br />
the government also has attempted<br />
to take the FCA one step further by challenging<br />
the legitimacy of claims submitted for<br />
subst<strong>and</strong>ard or poor quality care. According to<br />
the government, a provider “impliedly certifies”<br />
at the time it submits a claim that the<br />
care provided meets all published rules, regulations,<br />
<strong>and</strong> st<strong>and</strong>ards. If the care provided does<br />
not meet quality st<strong>and</strong>ards, submitting a claim<br />
for reimbursement is tantamount to fraud.<br />
Based on this “implied certification” theory,<br />
several courts have found nursing homes<br />
to be liable under the FCA when the care<br />
provided was found to be so subst<strong>and</strong>ard<br />
that it was deemed to be “worthless.” 28 This<br />
theory was applied in July 2005, when the<br />
U.S. Attorney’s Office announced a first-ofits-kind<br />
settlement with Central Montgomery<br />
Medical Center (CMMC), a hospital located<br />
in Lansdale, Pennsylvania, <strong>and</strong> the hospital’s<br />
management company. 29 The government<br />
alleged that from February through August<br />
2002, CMMC knowingly billed the government<br />
for numerous patients who were improperly<br />
physically <strong>and</strong> chemically restrained<br />
in violation of the Medicare Conditions of<br />
Participation. Although CMMC denied any<br />
wrongdoing, it agreed to pay the government<br />
$200,000 to settle the claim. The case is the<br />
first instance where the federal government<br />
successfully pursued a hospital under the<br />
FCA for failing to comply with the Medicare<br />
Conditions of Participation.<br />
Federal prosecutors have said that they will<br />
continue to use the FCA to pursue patient<br />
abuse <strong>and</strong> neglect cases <strong>and</strong> other quality<br />
of care violations in nursing homes <strong>and</strong><br />
hospitals. According to James G. Sheehan,<br />
Associate U.S. Attorney, Eastern District of<br />
Pennsylvania, the DOJ will continue to target<br />
cases involving:<br />
(1) patient abuse <strong>and</strong> neglect<br />
(2) falsification of records<br />
(3) failure to report adverse events as required<br />
by state laws<br />
(4) improper use of physical or chemical<br />
restraints on patients in violation of federal<br />
regulations<br />
(5) intentional misconduct. 30<br />
Sheehan predicts that future health care fraud<br />
enforcement will focus squarely on quality,<br />
safety, <strong>and</strong> patient dignity. 31<br />
Lewis Morris, Deputy Chief Counsel for the<br />
HHS Inspector General, also has predicted<br />
that health care fraud cases are likely to<br />
increase dramatically. 32 The Deficit Reduction<br />
Act of 2005 (DRA) gives states an<br />
incentive to enact state false-claims laws by<br />
allowing them to retain an extra 10% of<br />
recovered Medicaid funds, if the state adopts<br />
a false-claims statute modeled after the federal<br />
statute. 33 It also m<strong>and</strong>ates that entities that<br />
annually receive or make $5 million dollars in<br />
Medicaid payments be required to implement<br />
policies <strong>and</strong> revise employee h<strong>and</strong>books<br />
to inform their workforce about the federal<br />
<strong>and</strong> state False Claim Acts <strong>and</strong> their whistle<br />
blower protections. 34 Coupled with the<br />
Continued on page 14<br />
<strong>Health</strong> <strong>Care</strong> <strong>Compliance</strong> <strong>Association</strong> • 888-580-8373 • www.hcca-info.org<br />
November 2006<br />
13
Government enforcement of quality ...continued from page 13<br />
fact that Congress has increased the OIG’s<br />
matching-grant money by $25 million each<br />
year for the next five years for bolstering state<br />
Medicaid Fraud Control Units, fraud cases<br />
focused on the quality of patient care can<br />
only be expected to increase. 35<br />
Integrating quality <strong>and</strong> compliance<br />
What does this mean for providers today, <strong>and</strong><br />
how does this change the role of compliance<br />
officers? It is clear that hospitals can no longer<br />
consider quality an issue that can be addressed<br />
through its normal peer review <strong>and</strong> quality programs.<br />
Unless hospitals link compliance with<br />
quality <strong>and</strong> peer review programs, they may well<br />
find themselves defending a fraud case for filing<br />
claims for services ultimately deemed medically<br />
unnecessary or of poor quality. <strong>Health</strong> care<br />
fraud cases present a far greater risk to hospitals<br />
than malpractice claims (the historical risk faced<br />
by hospitals when care was challenged as subst<strong>and</strong>ard<br />
or unnecessary). Fraud claims are not<br />
covered by insurance, cost thous<strong>and</strong>s to defend<br />
<strong>and</strong> millions to settle, gain public notoriety,<br />
may lead to both criminal <strong>and</strong> civil penalties,<br />
<strong>and</strong> undermine public confidence in the quality<br />
of care provided by the hospital.<br />
So, what should hospitals do now? First <strong>and</strong><br />
foremost, hospital compliance officers must<br />
work h<strong>and</strong>-in-h<strong>and</strong> with hospital administration,<br />
risk managers, quality officers, the<br />
medical staff office, <strong>and</strong> medical staff peer<br />
review committees. Lack of medical necessity<br />
<strong>and</strong> subst<strong>and</strong>ard care should be recognized<br />
as potential compliance issues, <strong>and</strong> should be<br />
included among the other issues addressed by<br />
compliance. Environmental risk assessments<br />
(a component of most hospital compliance<br />
programs), compliance policies, <strong>and</strong> st<strong>and</strong>ards<br />
of conduct should all be revised to tie together<br />
quality, risk management, peer review,<br />
<strong>and</strong> compliance.<br />
Second, compliance education programs<br />
should include information about the link<br />
between the delivery of quality, medically<br />
necessary care, <strong>and</strong> the requirements that<br />
must be met to bill for services. Quality <strong>and</strong><br />
risk management officials need to know<br />
whom to contact in the compliance department<br />
when they uncover instances of poor<br />
quality or unnecessary care, <strong>and</strong> compliance<br />
personnel need to know when to contact legal<br />
counsel to determine whether a risk of health<br />
care fraud may exist, <strong>and</strong> if so, what actions<br />
should be taken.<br />
Finally, compliance auditing <strong>and</strong> monitoring<br />
programs need to be integrated with quality<br />
chart reviews, risk management incident<br />
reporting systems, <strong>and</strong> peer review investigations<br />
to ensure that patterns of poor quality<br />
or medically unnecessary care are identified<br />
quickly <strong>and</strong> corrected. Part of any corrective<br />
action plan developed to address a pattern of<br />
unnecessary or poor quality care should also<br />
evaluate the impact on reimbursement <strong>and</strong><br />
determine whether any repayment obligation<br />
may exist.<br />
The government’s focus on quality will grow<br />
in the coming years. Faced with the increasing<br />
pressure to hold down costs while making<br />
the American health care system safer, the<br />
government likely will use the FCA more<br />
often to challenge poor quality or unnecessary<br />
care. Unless proper steps are taken to integrate<br />
quality into the compliance program, a<br />
hospital could face disastrous consequences,<br />
including fines, penalties, damage to reputation,<br />
<strong>and</strong> a loss of confidence by physicians<br />
<strong>and</strong> patients. And, unlike many of the other<br />
compliance issues that hospitals face, allegations<br />
of unnecessary or poor quality care can<br />
take years to overcome.<br />
Sophisticated hospital compliance officers<br />
will make sure that quality <strong>and</strong> peer review<br />
are integrated into the hospital’s compliance<br />
program, so that circumstances that could<br />
give rise to FCA liability can be addressed<br />
before the government, the press, or other<br />
critics intervene. n<br />
1 In most jurisdictions, a hospital is held liable for malpractice committed<br />
by members of its independent medical staff only if the hospital itself was<br />
negligent because it either failed to respond appropriately when it knew or<br />
should have known of the risk to a patient or because it failed to establish<br />
<strong>and</strong> follow appropriate policies to guide quality of care. See Andrea G.<br />
Nadel, J.D., Hospital’s Liability For Negligence In Failing To Review Or<br />
Supervise Treatment Given By Doctor Or Require Consultation, 12 A.L.R.<br />
4th 57 (1982).<br />
2 Information on False Claims Act Litigation, GAO Briefing for Congressional<br />
Requesters, December 15, 2005, p. 28.<br />
3 United States v. United Memorial Hospital., WL 33001119 (D. Mich.<br />
2002) (denying defendant’s motion to dismiss).<br />
4 Tenet <strong>Health</strong>care Agrees to Pay $54 Million Settlement Over Alleged<br />
Unnecessary Surgeries at Redding Hospital, California <strong>Health</strong>line, Aug. 7,<br />
2003, http://www.californiahealthline.org/index.cfm?Action=dspItem&ite<br />
mID=95253&classed=CL350.<br />
5 Louisiana Hospital Settles Federal Claims of Billing for Medically Unnecessary<br />
Services, 10 BNA <strong>Health</strong> <strong>Care</strong> Fraud Reporter 679 (September 13,<br />
2006).<br />
6 See, e.g., A.M. Smith et al., Peer Review of the Quality of <strong>Care</strong>: Reliability<br />
<strong>and</strong> Sources of Variability for Outcome <strong>and</strong> Process Assessments, 278 J.<br />
Am. Med. Ass’n. 1573 (1997).<br />
7 <strong>Health</strong> <strong>Care</strong> Quality Improvement Act of 1986, 42 U.S.C. § 11101.<br />
8 Committee on Quality of <strong>Health</strong> <strong>Care</strong> in America Committee on Institute<br />
of Medicine, To Err is Human: Building a Safer <strong>Health</strong> System (1999).<br />
9 Committee on Quality of <strong>Health</strong> <strong>Care</strong> in America, Institute of Medicine,<br />
Crossing the Quality Chasm: A New <strong>Health</strong> System for the 21st Century<br />
(2001).<br />
10 JCAHO’s launch of reporting on core measures was an outgrowth of its<br />
ORYX initiative which began in 1997 to integrate the use of outcome <strong>and</strong><br />
other performance measures into the accreditation process. See http://www.<br />
jointcommission.org/Jointcommission/Templates/GeneralInformation.asp.<br />
11 Center for Medicare <strong>and</strong> Medicaid Services, Hospital Quality Initiative<br />
Overview (Dec. 2005), http://www.cms.hhs.gov/HospitalQualityInits/<br />
downloads/HospitalOverview200512.pdf.<br />
12 www.hospitalcompare.com.<br />
13 False Claims Act, 31 U.S.C. §§ 3729-3733.<br />
14 GAO Report at 5.<br />
15 Id. at 32.<br />
16 Id. at 25.<br />
17 False Claims Act Advocate Says Prosecuting FCA Cases is Good Investment<br />
for Government, 10 BNA <strong>Health</strong> <strong>Care</strong> Fraud Report 478 (2006).<br />
18 John J. Meyer et al., <strong>Health</strong> <strong>Care</strong> Fraud <strong>and</strong> Abuse: Enforcement <strong>and</strong><br />
<strong>Compliance</strong>, BNA’s <strong>Health</strong> Law & Business Series (2006).<br />
19 Civil Rights of Institutionalized Persons Act (CRIPA), 42 U.S.C. § 1997.<br />
20 Meyer, supra, at 2600:0328.<br />
21 <strong>Health</strong> Insurance Portability <strong>and</strong> Accountability Act of 1996, 18 U.S.C. §<br />
1347.<br />
22 Meyer, supra, at 2600:0328(a).<br />
23 See John T. Boese, Civil False Claims <strong>and</strong> Qui tam Actions, (3rd Ed.<br />
Aspen Publishers (2006); Joan K. Krause, “Promises to Keep”: <strong>Health</strong> <strong>Care</strong><br />
Providers <strong>and</strong> the Civil False Claims Act, 23 Cardozo L. Rev. 1363, 1382<br />
(2002); Joan K. Krause, <strong>Health</strong> <strong>Care</strong> Fraud <strong>and</strong> Quality of <strong>Care</strong>: a Patient-<br />
Centered Approach, 37 J. <strong>Health</strong> L. 161 (2004).<br />
24 See John T. Boese, When Angry Patients Become Angry Prosecutors:<br />
Medical Necessity, 43 St. Louis U. L. J. 53 (1999); Meyer, supra, at<br />
200:0316.<br />
25 U.S. Attorney Eastern District of California, RMC/Tenet Settlement Fact<br />
Sheet.<br />
26 U.S. Office of the Attorney General, OIG <strong>and</strong> Tenet <strong>Health</strong>care Corporation<br />
Reach Divestiture Agreement to Address Exclusion of Redding<br />
Medical Center, OIG News, Dec. 11, 2003.<br />
27 Tenet <strong>Health</strong>care agrees to pay $54 Million Settlement over Alleged<br />
Unnecessary Surgeries at Redding Hospital, California <strong>Health</strong>line, Aug. 7,<br />
2003, http://www.californiahealthline.org/index.cfm?Action=dspItem&ite<br />
mID=95253&classcd=CL350.<br />
28 See, for example, United States ex rel. Swan v. Covenant <strong>Care</strong>, Inc., Case<br />
No. Civ. S‐99-1981, DFL JFM (E.D. Cal. June 20, 2000 <strong>and</strong> United States<br />
v. NHC <strong>Health</strong>care Corp., 115 F. Supp 2d 1149 (W.D. Mo. Aug. 30,<br />
2000).<br />
29 United States Attorney’s Office Eastern District of Pennsylvania, U.S.<br />
Attorney’s Office Reaches Agreement with Hospital to Failure of <strong>Care</strong><br />
Allegations Stemming from Improper Use of Patient Restraints, News<br />
Release, July 25, 2005.<br />
30 Quality of <strong>Care</strong> Issues to Remain Focus of False Claims Act Cases, Sheehan<br />
Says, 10 BNA’s <strong>Health</strong> <strong>Care</strong> Fraud Report, BNA’s <strong>Health</strong> <strong>Care</strong> Fraud<br />
Report, 169 (2006.).<br />
31 Id.<br />
32 OIG’s Morris Tells AHLA to Watch For Increase in False Claims Act Cases,<br />
10 BNA <strong>Health</strong> <strong>Care</strong> Fraud Report, 524 (2006).<br />
33 Deficit Reduction Act of 2005 at § 6031.<br />
34 Deficit Reduction Act of 2005, Pub. Law 109-171, § 6032.<br />
35 Testimony of Daniel R. Levinson, Inspector General, Hearing before the<br />
S. Comm. on Homel<strong>and</strong> Sec. <strong>and</strong> Gov’t Affairs, Subcomm. on Fed. Fin.<br />
Mgmt., Gov’t Info., <strong>and</strong> Intn’l Sec., 109th Cong. 1, 2 (2006.)<br />
November 2006<br />
14<br />
<strong>Health</strong> <strong>Care</strong> <strong>Compliance</strong> <strong>Association</strong> • 888-580-8373 • www.hcca-info.org
feature<br />
Editor’s note: This interview with Marti<br />
Arvin, JD, CHC, CIPP/G, CCEP, CPC<br />
Privacy Officer, University of Louisville<br />
was conducted this past September by<br />
HCCA Board Member F. Lisa Murtha,<br />
Managing Director, Huron Consulting<br />
Group. Marti Arvin may be reached by<br />
telephone at 502/852-3803.<br />
LM: What is your professional background?<br />
MA: I am an attorney <strong>and</strong>, prior to my<br />
compliance career, I spent five years in the<br />
Indiana Attorney General’s Office litigating<br />
civil rights <strong>and</strong> employment law cases in<br />
federal court. I also have degrees in respiratory<br />
therapy <strong>and</strong> accounting.<br />
LM: How did you originally become<br />
involved in “compliance”?<br />
MA: Fate got me involved in health care<br />
compliance. I was looking to make a career<br />
move from my position at the Attorney<br />
General’s Office. I wasn’t looking for a<br />
position in compliance, because I had never<br />
heard of the profession at that time. By<br />
chance, I received a call from a colleague I<br />
had worked with in the Indiana University<br />
Hospital’s accounting department. She<br />
had been discussing a new position at the<br />
Indiana University School of Medicine with<br />
a member of the search committee. The<br />
new position was <strong>Compliance</strong> Officer. The<br />
search committee was looking for someone<br />
with a clinical background, who understood<br />
the financial side, <strong>and</strong> they wanted an<br />
attorney. She immediately thought of me.<br />
I l<strong>and</strong>ed the position <strong>and</strong> have never look<br />
back. Given that I went from respiratory<br />
therapy to accounting to law, health care<br />
article<br />
compliance has allowed me to utilize all<br />
aspects of my background.<br />
LM: What was your first compliance<br />
position?<br />
MA: In 1998, I became the first compliance<br />
officer for the Indiana University School<br />
of Medicine. I implemented their fraud <strong>and</strong><br />
abuse compliance program. Later I was appointed<br />
to act as their privacy officer as well.<br />
LM: Can you explain any differences that<br />
you have observed in compliance programs<br />
today versus when you first began working<br />
in compliance?<br />
MA: When I began my first position as a<br />
compliance professional, like many people at<br />
that time, I knew nothing. I was scrambling<br />
for resources <strong>and</strong> found many people in the<br />
same boat. Fortunately, I was able to contact<br />
people at other academic medical centers<br />
who had been doing this a little longer than<br />
me. Debbie Troklus <strong>and</strong> others were very<br />
generous with their time <strong>and</strong> willingness to<br />
share their compliance plans, policies, <strong>and</strong><br />
procedures. I am eternally grateful for the<br />
help I received. The programs I encountered<br />
at that time were in their infancy. When I<br />
contrast that with the environment today, I<br />
see a completely different l<strong>and</strong>scape. Many<br />
organizations today have mature programs<br />
that have exp<strong>and</strong>ed in oversight <strong>and</strong> structure.<br />
Do a Google search for “compliance”<br />
today <strong>and</strong> you get pages <strong>and</strong> pages of sites.<br />
Meet Marti Arvin<br />
JD, CHC, CIPP/G, CCEP, CPC<br />
Privacy Officer, University of Louisville<br />
When I started in compliance, the <strong>Health</strong><br />
<strong>Care</strong> <strong>Compliance</strong> <strong>Association</strong> was still in its<br />
early stages as an organization. Today it has<br />
several thous<strong>and</strong> members. I know there are<br />
still individuals who are just starting out in<br />
this profession <strong>and</strong> feel like I did back in<br />
1998. The difference is they have a much<br />
broader resource pool. There are significantly<br />
more compliance professionals they<br />
can contact for help. They are also probably<br />
going into an existing program <strong>and</strong> not developing<br />
one from the ground up. What has<br />
not changed is the willingness of colleagues<br />
to help each other by sharing information,<br />
ideas, <strong>and</strong> resources.<br />
LM: How have you seen privacy issues<br />
integrated in compliance programs?<br />
Continued on page 16<br />
November 2006<br />
<strong>Health</strong> <strong>Care</strong> <strong>Compliance</strong> <strong>Association</strong> • 888-580-8373 • www.hcca-info.org 15
Meet Marti Arvin ...continued from page 15<br />
November 2006<br />
16<br />
MA: I have seen it done a number of<br />
ways. Some organizations have a st<strong>and</strong> alone<br />
program. Some organizations have a st<strong>and</strong><br />
alone office, but coordinate their activities<br />
with other compliance programs to better<br />
utilize resources. Some organizations have<br />
it fully integrated within a broad, overarching<br />
program. Still others have a hybrid, with<br />
the privacy office as a separate function<br />
within the compliance program that runs its<br />
own training, audits, etc. Like any aspect of<br />
compliance, the organization has to figure<br />
out what is right for its culture <strong>and</strong> utilize the<br />
method that works best for that particular<br />
organization. One size does not fit all.<br />
LM: Can you describe your Privacy<br />
Program in detail?<br />
MA: The Privacy Office has oversight of<br />
most privacy issues at the university. I report<br />
to the provost of the university. Our program<br />
is structured to try to leverage other compliance<br />
functions. We coordinate our training<br />
<strong>and</strong> auditing efforts with the Human Subjects<br />
Protection Program Office <strong>and</strong> the Medical<br />
<strong>Compliance</strong> Office. We conducted a risk<br />
assessment this year, which we are using to<br />
create our audit plan. We have established<br />
an issues-tracking system that has permitted<br />
us to identify the types of questions <strong>and</strong><br />
other issues that come our office. We have<br />
even developed a report that ages our issues,<br />
so we know how long a file has been open,<br />
who is responsible for taking the next action<br />
(the privacy office or our client), <strong>and</strong> what<br />
type of issue it is. I provide quarterly reports<br />
to my supervisor that tell her the number of<br />
open files, the categories, the business unit<br />
or school the issue is tied to, <strong>and</strong> how many<br />
files have been open for 30, 60, 90 days, etc.<br />
Like most programs, I would like to have<br />
more resources, but we are trying to use the<br />
resources we have in the most effective <strong>and</strong><br />
efficient way possible.<br />
LM: How do you keep your program<br />
dynamic from year to year?<br />
MA: By trying to exp<strong>and</strong> the services<br />
offered to our constituents. We have tried<br />
to automate processes were possible <strong>and</strong> use<br />
other means to free up the time of our office’s<br />
staff to provide services. It is hard to stay<br />
dynamic year after year, but the more service<br />
we can provide, the more our constituents<br />
can integrate compliance into their daily<br />
activities. I recently heard Joe Murphy say it<br />
takes about ten years to change the culture of<br />
an organization, so I find myself thinking that<br />
as long as I am seeing positive progress, we are<br />
moving in the right direction.<br />
LM: What do you see as the highest risk<br />
area in privacy compliance today <strong>and</strong> why?<br />
MA: What a loaded question. I think the<br />
biggest risk is complacency. In the billing <strong>and</strong><br />
research side of compliance, we constantly<br />
see civil penalties <strong>and</strong> fines <strong>and</strong> criminal<br />
convictions. While the Privacy Rule has been<br />
enforceable for three <strong>and</strong> half years there<br />
have not been any major fines or penalties<br />
imposed. I am constantly asked “What will<br />
happen to me if I don’t do this”? The final enforcement<br />
rule became effective in March of<br />
this year. Under the rule we now know how<br />
fines will be imposed, but OCR has indicated<br />
it will try to resolve issues informally, before<br />
fines <strong>and</strong> penalties are imposed. Without<br />
constant reminders that the law requires the<br />
activities we are asking our clients to do, it is<br />
easy for people to fall back into old habits.<br />
LM: How would you recommend that<br />
organizations mitigate their privacy compliance<br />
risks today?<br />
MA: If the organization has an effective<br />
privacy compliance program in place, that is the<br />
best way to mitigate the risk. I think the most<br />
important aspect of such a program is the auditing<br />
<strong>and</strong> monitoring, which will help identify<br />
the key risk areas. The organization can then see<br />
where it needs to do additional training, create<br />
or revise policies <strong>and</strong> procedures, etc.<br />
<strong>Health</strong> <strong>Care</strong> <strong>Compliance</strong> <strong>Association</strong> • 888-580-8373 • www.hcca-info.org<br />
LM: What has been the single biggest<br />
factor that contributes to the success of your<br />
program at Louisville?<br />
MA: The reporting structure I have. I<br />
report to the provost of the university. She is<br />
very committed to doing the right thing. I<br />
meet with her on a regular basis <strong>and</strong> have the<br />
opportunity to keep her update-to-date on<br />
the privacy compliance program. She is also<br />
very good about thinking of how other projects<br />
within the university could have privacy<br />
compliance implications. She makes sure I<br />
am aware of these projects <strong>and</strong> can evaluate<br />
whether there are privacy implications.<br />
She would much rather ask me to review<br />
something, <strong>and</strong> find out there are no privacy<br />
issues, than for the opposite to occur.<br />
LM: What was your biggest challenge in<br />
implementing your program <strong>and</strong> how did<br />
you overcome it?<br />
MA: The biggest challenge to implementing<br />
the privacy program at the University of<br />
Louisville was coordinating this effort with<br />
other compliance activities at the university.<br />
This was a challenge because the privacy program<br />
was viewed as yet another program that<br />
was hindering the faculty <strong>and</strong> staff from doing<br />
what they were hired to do. I cannot say<br />
I have completely overcome this challenge.<br />
But, we have made progress. In my experience,<br />
when you implement a new program,<br />
it takes a year or two to change your clients’<br />
attitudes--from viewing you as a hindrance<br />
to their work to getting them to see you as<br />
a resource. It is a slow process, but we are<br />
seeing a lot more instances of individuals<br />
coming to our office for assistance before<br />
they establish a new program or engage in a<br />
new project. This allows us the opportunity<br />
to help them do it right from the beginning<br />
Continued on page 18
Earning your certification,<br />
keeping your certification current,<br />
<strong>and</strong> applying for advanced<br />
certification just got easier!<br />
Beginning with this issue of <strong>Compliance</strong> Today HCCA will offer continuing<br />
education credits (CEUs) for completing the quiz that accompanies selected<br />
articles in <strong>Compliance</strong> Today. Receive one (1) CEU for each quiz* you<br />
successfully complete. You could receive up to twelve (12) CEUs per year.<br />
To apply for credit: read the article on pages<br />
41-42 <strong>and</strong> answer the questions on the insert<br />
in this magazine. Fax your answer form to<br />
us at 952/988-0146 or mail it to us at:<br />
<strong>Health</strong> <strong>Care</strong> <strong>Compliance</strong> <strong>Association</strong><br />
Attn: Lisa Colbert<br />
6500 Barrie Road, Suite 250<br />
Minneapolis, MN 55435<br />
* The quiz is inserted in this issue of <strong>Compliance</strong> Today<br />
November 2006<br />
<strong>Health</strong> <strong>Care</strong> <strong>Compliance</strong> <strong>Association</strong> • 888-580-8373 • www.hcca-info.org 17
Silly Laws<br />
Roy Snell<br />
Over the past ten years, I have written several dozen articles. Although<br />
I attempt to make my articles interesting, they are often about serious<br />
matters. I have often wished that I could do something funny, something<br />
to lighten your load for a moment. We all have such difficult <strong>and</strong><br />
stressful jobs. I just could not think of anything that would pertain<br />
to compliance that would be tactful. Well, leave it to my 13-year-old<br />
twins to come up with an idea. They told me they were studying silly<br />
laws in school, <strong>and</strong> they mentioned a few. I went to a Web site (www.<br />
dumblaws.com) <strong>and</strong> got a few that I have listed below.<br />
n In Arizona, donkeys cannot sleep in<br />
bathtubs.<br />
n In Alabama, you may not have an ice<br />
cream cone in your back pocket at any<br />
time.<br />
n In Alabama, putting salt on a railroad track may be punishable by<br />
death.<br />
n In Alabama, it is illegal for a driver to be blindfolded while operating<br />
a vehicle.<br />
n In Idaho, riding a merry-go-round on Sundays is considered a<br />
crime.<br />
n In New Hampshire, you cannot sell the clothes you are wearing to<br />
pay off a gambling debt.<br />
n In California, it is a misdemeanor to shoot at any kind of game<br />
from a moving vehicle, unless the target is a whale.<br />
n In Indiana, a person who dyes, stains, or otherwise alters the natural<br />
coloring of a bird or rabbit commits a Class B misdemeanor.<br />
n In Indiana, check forgery can be punished with public flogging up<br />
to 100 stripes.<br />
I have no idea if they are accurate; then again, I am not sure it matters.<br />
I think you should add any that pertain to you or to your Code of<br />
Conduct. n<br />
Meet Marti Arvin ...continued from page 16<br />
<strong>and</strong> help avoid compliance issues in the future.<br />
LM: What advice would you give to individuals who are interested<br />
in a career in compliance <strong>and</strong> privacy?<br />
MA: I would recommend getting involved in the <strong>Health</strong> <strong>Care</strong><br />
<strong>Compliance</strong> <strong>Association</strong>, networking with other compliance<br />
professionals, <strong>and</strong> taking the certification exam offered by the<br />
<strong>Health</strong>care <strong>Compliance</strong> Certification Board. Experienced compliance<br />
professionals are always willing to help out newcomers. Oh,<br />
<strong>and</strong> to paraphrase from Bette Davis in the movie All About Eve<br />
Full Name:<br />
Title:<br />
Organization:<br />
Address:<br />
City/State/Zip:<br />
Telephone:<br />
Fax:<br />
E-mail:<br />
Complete this coupon to order <strong>Compliance</strong> Today (CT)<br />
HCCA individual membership costs $295; corporate membership<br />
(includes 4 individual memberships, <strong>and</strong> more) costs $2,500.<br />
CT subscription is complimentary with membership.<br />
HCCA non-member subscription rate is $357/year.<br />
❑ Payment enclosed<br />
❑ Pay by charge: ❑ AmEx ❑ MasterCard ❑ Visa<br />
Card #:<br />
Signature:<br />
❑ Please bill my organization: PO#<br />
Exp. Date:<br />
Please make checks payable to HCCA <strong>and</strong> return subscription coupon to:<br />
HCCA, 6500 Barrie Road, Suite 250, Minneapolis, MN 55435<br />
November 2006<br />
18
®<br />
SMART2.o :<br />
bringing HIM people<br />
<strong>and</strong> HIM technology<br />
together.*<br />
On one side, it’s a technology solution. On the other, a service<br />
solution. SMART2.o is more than a software tool, it’s a technology<br />
solution designed to help you continuously assess coding<br />
accuracy <strong>and</strong> data quality as an important part of your hospital’s<br />
compliance program.<br />
SMART2.o<br />
For more than 15 years, we’ve worked with HIM professionals<br />
providing affordable tools <strong>and</strong> services that help them with coding<br />
accuracy, regulatory compliance, data management <strong>and</strong> reports<br />
to monitor PPS requirements.<br />
So, whether you look at your hospital’s compliance program from<br />
a technology perspective or a service perspective, SMART2.o is<br />
a very smart, very budget-friendly way to work.<br />
To start an in-depth conversation about your particular needs,<br />
contact Doug Barry at 866-792-4920 or visit pwc.com/healthcare.<br />
*connectedthinking<br />
© 2005 PricewaterhouseCoopers LLP. All rights reserved. "PricewaterhouseCoopers" refers to PricewaterhouseCoopers LLP (a Delaware limited liability partnership) or, as<br />
the context requires, other member firms of PricewaterhouseCoopers International Limited, each of which is a separate <strong>and</strong> independent legal entity. *connectedthinking<br />
<strong>and</strong> SMART2.o are trademarks of PricewaterhouseCoopers LLP (US).<br />
November 2006<br />
<strong>Health</strong> <strong>Care</strong> <strong>Compliance</strong> <strong>Association</strong> • 888-580-8373 • www.hcca-info.org 19
November 2006<br />
20
November 2006<br />
21
HCCA’s Annual Tri State Local Conference<br />
Friday, November 3, 2006 | Louisville, KY | Galt House, 140 North Fourth St., Louisville, KY<br />
Join your colleagues for the <strong>Health</strong> <strong>Care</strong><br />
<strong>Compliance</strong> <strong>Association</strong>’s Tri State<br />
Local Annual Conference on November 3,<br />
2006.<br />
Explore the hot issues:<br />
n Deficient Reduction Act<br />
n The Maze of Research Billing<br />
n <strong>Compliance</strong> Effectiveness<br />
n Politics <strong>and</strong> Policy in the Post-Acute Space<br />
n <strong>Health</strong> <strong>Care</strong> Enforcement in Kentucky<br />
n Non-Physician Practitioner<br />
n <strong>Compliance</strong> Hot Topics Panel<br />
Program features an expert<br />
faculty, including:<br />
n Robert Benvenuti, III, Esq., Inspector<br />
General, Cabinet for <strong>Health</strong> <strong>and</strong> Family<br />
Services<br />
n Wesley R. Butler, General Counsel, Cabinet<br />
for <strong>Health</strong> <strong>and</strong> Family Services<br />
n Georgette Gustin, CHC, Director, PricewaterhouseCoopers<br />
n Kathie McDonald-McClure, JD, Wyatt,<br />
Tarrant & Combs, LLP<br />
n F. Lisa Murtha, JD, CHC, Managing<br />
Director, Huron Consulting Group<br />
n Raymond J. Sierpina, JD, Director of<br />
Government Programs, Kindred<br />
<strong>Health</strong>care<br />
n Roy Snell, CHC, CEO, <strong>Health</strong> <strong>Care</strong><br />
<strong>Compliance</strong> <strong>Association</strong><br />
n John Steiner, Chief <strong>Compliance</strong> Officer,<br />
UK <strong>Health</strong>care, University of Kentucky<br />
n Debbie Troklus, CHC, AVP <strong>Health</strong> Affairs/<strong>Compliance</strong>,<br />
University of Louisville,<br />
HSC<br />
n Sheryl Vacca, CHC, HCCA Board<br />
Member, Director, <strong>Health</strong> <strong>Care</strong> <strong>and</strong><br />
Life Science Regulatory Practice,<br />
Deloitte<br />
This HCCA program is sponsored by<br />
MediRegs, MC Strategies, Pershing Yoakley<br />
& Associates <strong>and</strong> Co-Sponsored by Atlantic<br />
Information Services’ (AIS’s) Report on<br />
Patient Privacy, Guide to <strong>Audit</strong> <strong>Health</strong><br />
<strong>Care</strong> Billing Practices, Report on Medicare<br />
<strong>Compliance</strong>, HIPAA Guide on Patient<br />
Privacy; <strong>and</strong> HCPro’s Strategies for <strong>Health</strong><br />
<strong>Care</strong> <strong>Compliance</strong>, <strong>and</strong> <strong>Health</strong> <strong>Care</strong> <strong>Audit</strong>ing<br />
Strategies<br />
Continuing Education Credit:<br />
ACHE, HCCB (7.5 Credits), NASBA-CPE,<br />
AAPC<br />
Register online at<br />
www.hcca-info.org<br />
Louisville, KY<br />
November 2006<br />
22<br />
<strong>Health</strong> <strong>Care</strong> <strong>Compliance</strong> <strong>Association</strong> • 888-580-8373 • www.hcca-info.org
HCCA’s Annual South Central Local Conference<br />
Friday, November 10, 2006 | Nashville, TN | Opryl<strong>and</strong> Resort <strong>and</strong> Convention Center<br />
Join your colleagues for the <strong>Health</strong><br />
<strong>Care</strong> <strong>Compliance</strong> <strong>Association</strong>’s Annual<br />
South Central Local Conference on<br />
November 10, 2006.<br />
Explore the hot issues:<br />
n Identity Theft in <strong>Health</strong>care<br />
n Investigation Workshop: A Step-by-Step<br />
Process for Conducting an <strong>Internal</strong> Investigation<br />
n Update from the Attorney General’s Office<br />
n Regulatory Update<br />
n Effectiveness: How Do You Measure It?<br />
n Risk Assessment: The 8th Element<br />
n Research <strong>Compliance</strong><br />
Program features an expert<br />
faculty, including:<br />
n Wynelle Paige, RHIA, CCP<br />
n Tim Crabtree, Masters Forensic Science,<br />
HCA Ethics Line Case Manager<br />
n Matt Pierce, MBA, CHC, HCA Investigator<br />
n Donna K. Gilley, CHC, CCS, CCS-P,<br />
CPC, CPC-H, Senior Manager, Revenue<br />
Cycle & Regulatory <strong>Compliance</strong>, LBMC<br />
<strong>Health</strong>care Group, LLC<br />
n Andi Bosshart, VP, <strong>Compliance</strong>, Community<br />
<strong>Health</strong> Systems<br />
n Jennie Campbell, Pershing, Yoakley <strong>and</strong><br />
Associates<br />
n Eva Floyd, HCA<br />
n James Speros, JD, VHA, CBI Evaluation<br />
& Assessment Center, Washington, DC<br />
n Christine Bachrach, MS, CHC, VP, <strong>Compliance</strong>,<br />
<strong>Health</strong>south, Birmingham, AL<br />
n Kelly Willenberg, Assistant Director of<br />
Finance, Director Clinical Research Financial<br />
<strong>Compliance</strong>, V<strong>and</strong>erbilt University<br />
n Marcy Downing, MBA, MHA, CHC,<br />
CHE, <strong>Compliance</strong> Officer, VA TN Valley<br />
<strong>Health</strong>care System<br />
This HCCA program is sponsored by Meade &<br />
Roach LLP, <strong>and</strong> MediRegs <strong>and</strong> Co-Sponsored<br />
by Atlantic Information Services’ (AIS’s) Report<br />
on Patient Privacy, Guide to <strong>Audit</strong> <strong>Health</strong><br />
<strong>Care</strong> Billing Practices, Report on Medicare<br />
<strong>Compliance</strong>, <strong>and</strong> HIPAA Guide on Patient<br />
Privacy; <strong>and</strong> HCPro’s Strategies for <strong>Health</strong><br />
<strong>Care</strong> <strong>Compliance</strong>, <strong>and</strong> <strong>Health</strong> <strong>Care</strong> <strong>Audit</strong>ing<br />
Strategies.<br />
Continuing Education Credit:<br />
ACHE, HCCB (7.8 Credits), NASBA-CPE,<br />
AAPC<br />
Register online at<br />
www.hcca-info.org<br />
Tennessee Mountains<br />
<strong>Health</strong> <strong>Care</strong> <strong>Compliance</strong> <strong>Association</strong> • 888-580-8373 • www.hcca-info.org<br />
November 2006<br />
23
By Stacey Gulick, Esq. <strong>and</strong> Jacqueline Finnegan, Esq.<br />
Editor’s note: Stacey Gulick <strong>and</strong> Jacqueline<br />
Finnegan are attorneys with the law firm of<br />
Garfunkel, Wild & Travis, PC. Ms. Gulick<br />
may be reached by telephone at 516/393-<br />
2264 <strong>and</strong> Ms. Finnegan may be reached at<br />
516/393-2582.<br />
For compliance officers, the h<strong>and</strong>ling<br />
of complaints <strong>and</strong> internal investigations<br />
can be both frustrating<br />
<strong>and</strong> valuable. Almost all compliance officers<br />
will be faced with this daunting task at<br />
some point during their tenure. For health<br />
care facilities <strong>and</strong> providers (collectively, the<br />
“Providers”), an internal investigation, unlike<br />
routine auditing <strong>and</strong> monitoring activities,<br />
requires the compliance officer to review<br />
allegations of potential wrongdoing to determine<br />
the scope of the review <strong>and</strong> whether<br />
any corrective actions are required. From<br />
putting together the investigative team to<br />
reviewing the results of the investigation, the<br />
compliance officer needs to keep an eye on<br />
the details <strong>and</strong> recognize that the h<strong>and</strong>ling<br />
of the internal investigation will have a direct<br />
impact on the corrective actions that are<br />
implemented, future decisions regarding voluntary<br />
disclosure, refunds, <strong>and</strong>/or professional<br />
misconduct reports, among other things.<br />
Ten tips to consider when conducting an<br />
internal investigation<br />
1. Stop questionable practices immediately<br />
While seemingly obvious, it is of paramount<br />
importance that compliance officers take<br />
steps to stop any potential wrongdoing immediately<br />
<strong>and</strong> prevent any future incidents,<br />
as soon as they have knowledge of a potential<br />
compliance problem or legal violation.<br />
While a preliminary review may be needed<br />
to confirm that there is a potential issue,<br />
when sufficient information of a potential<br />
compliance concern is discovered, steps must<br />
be taken to prevent the inaccurate submission<br />
of claims or other continued violation<br />
of applicable law. Such interim steps may be<br />
made while a complete investigation is being<br />
conducted to determine the extent of the<br />
problem. For example, if a Provider learns<br />
that it may not have sufficient documentation<br />
to bill for a certain procedure, the Provider<br />
may hold those claims while the investigation<br />
is conducted. When the investigation is<br />
complete, a decision can be made whether<br />
or not to submit the claims, <strong>and</strong> if necessary,<br />
policies can be revised to address any<br />
deficiencies identified. Regardless of the steps<br />
taken, failure to stop questionable practices,<br />
at least while the investigation is conducted,<br />
may subject the Provider to significant civil<br />
<strong>and</strong> criminal penalties if it has knowledge of a<br />
potential legal violation.<br />
2. Determine the intended scope of the<br />
investigation<br />
The U.S. Department of <strong>Health</strong> <strong>and</strong> Human<br />
Services Office of Inspector General (OIG)<br />
recommends in its Supplemental <strong>Compliance</strong><br />
Program Guidance for Hospitals (the<br />
“Supplemental Guidance”) that all allegations<br />
of possible fraud <strong>and</strong> abuse be investigated.<br />
The Supplemental Guidance, however, is<br />
silent with respect to the extent <strong>and</strong> scope of<br />
such investigation. The compliance officer<br />
is generally responsible for determining the<br />
credibility of the issues, overseeing the investigation,<br />
<strong>and</strong> establishing the scope of review.<br />
When outside legal counsel is involved, such<br />
counsel may direct the investigation, but the<br />
compliance officer or other designated individual<br />
should generally oversee the process.<br />
When deciding the scope of an investigation,<br />
it is important to consider how the alleged<br />
wrongdoing was raised <strong>and</strong> to initially gather<br />
as much information as possible. The scope<br />
of the investigation requires consideration of<br />
the specific practice at issue, which employees<br />
should be interviewed, the types of<br />
documents to be collected, <strong>and</strong> whether any<br />
audit should be conducted. With respect to<br />
conducting an audit, consideration must be<br />
given as to whether the audit should involve a<br />
retrospective or prospective review. The type<br />
of review is inherently based on the type of<br />
misconduct alleged <strong>and</strong> may change subject<br />
to the findings of the investigative team. It<br />
is also important to remember that if the<br />
Provider is under a Corporate Integrity Agreement<br />
(CIA) the Provider may have specific<br />
requirements governing the need for, <strong>and</strong><br />
scope of, the investigation. CIAs may also<br />
dictate the time frame for such investigations<br />
<strong>and</strong> require that the OIG be informed when<br />
an investigation is being conducted.<br />
3. Assemble an investigative team<br />
When needed, the compliance officer should<br />
assemble an appropriate investigative team.<br />
The OIG recommends in its Supplemental<br />
Guidance that the investigative team be<br />
comprised of representatives from the compliance,<br />
audit, <strong>and</strong> other relevant functional<br />
areas, such as departmental supervisors or<br />
staff. The composition of the team will vary,<br />
however, depending on the nature of the<br />
alleged wrongdoing. Therefore, the compliance<br />
officer must consider the nature of the<br />
allegation, the confidentiality of the issue,<br />
November 2006<br />
24<br />
<strong>Health</strong> <strong>Care</strong> <strong>Compliance</strong> <strong>Association</strong> • 888-580-8373 • www.hcca-info.org
the affected departments or personnel,<br />
the expertise <strong>and</strong> position of the potential<br />
investigative team members, any conflict of<br />
interest, <strong>and</strong> the appropriate size team for<br />
the investigation. It is also important for the<br />
compliance officer to appreciate the balance<br />
that must be struck when selecting potential<br />
team members, especially when a matter is<br />
particularly sensitive <strong>and</strong> confidential. All<br />
members of the investigate team must be in a<br />
position to both underst<strong>and</strong> the issues related<br />
to the investigation <strong>and</strong> be able to competently<br />
<strong>and</strong> confidentially h<strong>and</strong>le the investigation,<br />
wherever it might lead.<br />
4. Consider involving outside counsel<br />
At the outset of an internal investigation, the<br />
compliance officer should consider whether<br />
the Provider would be better served by having<br />
outside counsel involved in the investigation.<br />
This requires the weighing of budgetary constraints<br />
<strong>and</strong> other financial concerns against<br />
the benefits offered by outside legal counsel.<br />
When deciding whether outside counsel<br />
should be retained, there are several things<br />
that should be considered. Most importantly,<br />
if there is any involvement or potential<br />
involvement by any state or federal regulatory<br />
agency, it is highly advisable to obtain outside<br />
legal counsel.<br />
In addition, depending upon the nature of<br />
the problem, outside counsel can provide expertise<br />
in certain specialized areas, particularly<br />
laws, regulations, <strong>and</strong> billing requirements.<br />
Outside counsel can also be important if the<br />
compliance officer finds it difficult to establish<br />
an unbiased investigative team. Bringing<br />
in outside counsel may provide the neutrality<br />
that is necessary for the team to come to an<br />
accurate, unbiased determination. For example,<br />
if the investigation involves a person in<br />
administration, such as the CFO, members of<br />
the team may fear retribution if they suggest<br />
that the CFO has engaged in wrongdoing.<br />
In this case, outside counsel can be useful in<br />
presenting objective <strong>and</strong> accurate information<br />
at the conclusion of the investigation.<br />
Finally, outside legal counsel should be involved<br />
if the situation is particularly sensitive<br />
or contentious. If properly structured <strong>and</strong><br />
h<strong>and</strong>led, having outside counsel to oversee<br />
the investigation may protect the investigation<br />
<strong>and</strong> its findings under the attorney-client<br />
privilege <strong>and</strong> attorney work product doctrine.<br />
These protections encourage the c<strong>and</strong>id<br />
exchange of information <strong>and</strong> permit a more<br />
thorough investigation so that outside counsel<br />
can appropriately advise the Provider on how<br />
to h<strong>and</strong>le any findings of wrongdoing to the<br />
extent they are detected. We note, however,<br />
that these privileges should never be used<br />
to mask wrongdoing. <strong>Compliance</strong> officers<br />
should be aware that there is an increasing<br />
trend for the protections offered by the<br />
attorney-client privilege <strong>and</strong> attorney work<br />
product doctrine to be waived upon request<br />
of federal <strong>and</strong>/or state regulatory agencies.<br />
5. Preserve <strong>and</strong> secure documents <strong>and</strong> data<br />
Once the investigative team has been assembled<br />
<strong>and</strong> the scope of the investigation<br />
determined, immediate steps must be taken<br />
to preserve <strong>and</strong> secure any <strong>and</strong> all documents<br />
<strong>and</strong> data that may be relevant to the<br />
investigation. This is particularly important<br />
when there is a risk of a possible government<br />
investigation or a chance that the entity will<br />
end up making a voluntary disclosure.<br />
The first step in this process is identifying<br />
the universe of documents that may be<br />
relevant to the investigation. As soon as these<br />
documents are identified, the employees in<br />
possession of them must be notified that<br />
they are not to be destroyed. Once all of<br />
the documents are collected, they should be<br />
maintained in a secure location, such as the<br />
compliance officer’s office. The investigative<br />
team will then be charged with reviewing<br />
these documents as part of conducting the<br />
internal investigation. During this process,<br />
careful consideration must be paid to how the<br />
overall investigation is being conducted, <strong>and</strong><br />
in particular, how the documents are being<br />
gathered, secured <strong>and</strong> preserved. The investigative<br />
team should always be cognizant of the<br />
possibility of a government investigation <strong>and</strong><br />
should make sure that the actions it takes in<br />
conducting the internal investigation cannot<br />
later be alleged as an obstruction of justice by<br />
the government.<br />
6. Interview employees <strong>and</strong> other involved<br />
parties<br />
At the same time documents <strong>and</strong> data are<br />
being collected, key employees <strong>and</strong> other<br />
involved parties should be identified <strong>and</strong><br />
interviewed by members of the investigative<br />
team. It is without question that an interview<br />
conducted by a team of senior management<br />
can cause fear in employees, especially if<br />
legal counsel is involved. Unfortunately, this<br />
fear may hinder the open dialogue <strong>and</strong> free<br />
flow of discussion that is essential to the<br />
effectiveness of the investigation. Therefore,<br />
the type <strong>and</strong> number of persons conducting<br />
the interview are key factors in making the<br />
employee feel at ease. For instance, a laboratory<br />
technician may be less likely to openly<br />
communicate when he or she is seated across<br />
a table from five members of senior management<br />
who comprise the investigative team,<br />
but may be more forthcoming if interviewed<br />
by two less-intimidating team members.<br />
<strong>Compliance</strong> officers should, however, always<br />
include at least two interviewers when<br />
meeting with staff. Although one-on-one<br />
interviews may seem less intimidating, when<br />
two interviewers are involved, it is more likely<br />
that the information will be interpreted <strong>and</strong><br />
remembered correctly. The location of the<br />
Continued on page 27<br />
<strong>Health</strong> <strong>Care</strong> <strong>Compliance</strong> <strong>Association</strong> • 888-580-8373 • www.hcca-info.org<br />
November 2006<br />
25
November 2006<br />
26<br />
<strong>Health</strong> <strong>Care</strong> <strong>Compliance</strong> <strong>Association</strong> • 888-580-8373 • www.hcca-info.org
When you receive a compliant ...continued from page 25<br />
interview should also be taken into consideration.<br />
An individual may be more comfortable<br />
in his or her office, or a private room on<br />
the employee’s unit. While the comfort of the<br />
employee is a significant consideration, the<br />
primary consideration is that the interview be<br />
conducted in a manner <strong>and</strong> place so as to preserve<br />
the confidentiality of the investigation.<br />
It is also important to note that at the beginning<br />
of the interview, the employee must be<br />
notified that the loyalties of the interviewer<br />
lie with the Provider. In particular, if the<br />
interview is being conducted by outside counsel,<br />
the attorney must advise the employee<br />
that he or she is employed by <strong>and</strong> represents<br />
the Provider, <strong>and</strong> not the individual employee.<br />
This also presents an opportunity for<br />
an appropriate dialogue to ease the employee’s<br />
concern of his or her own legal liability.<br />
7. Prepare a report of the investigation<br />
Upon the conclusion of an internal investigation,<br />
the results should be reported to<br />
the compliance officer (if he or she was not<br />
part of the investigative team), the <strong>Compliance</strong><br />
Committee (if there is one), <strong>and</strong> the<br />
governing board of the Provider, or a committee<br />
thereof. Typically, the initial report<br />
includes: (1) a statement about what caused<br />
the investigation; (2) the actions taken by<br />
the investigative team; <strong>and</strong> (3) the findings<br />
that were ascertained during the investigation,<br />
including where necessary, a chronology<br />
of events. Subsequent reports should also<br />
include an assessment of the potential legal<br />
<strong>and</strong> regulatory exposure, proposed corrective<br />
actions, proposed monitoring of the practice<br />
that caused the investigation, <strong>and</strong> recommendations<br />
for whether the Provider should make<br />
a voluntary refund or self-disclosure.<br />
The form of this report, however, warrants<br />
careful consideration. The compliance officer<br />
or legal counsel must determine, based on<br />
the particular facts <strong>and</strong> circumstances of the<br />
investigation, whether the report should be<br />
in written or oral form. To the extent that<br />
a written report is prepared, it should be<br />
drafted with full knowledge that this document<br />
may ultimately be read <strong>and</strong>/or used by<br />
the government if the government elects to<br />
conduct its own review <strong>and</strong> the attorney-client<br />
privilege has been waived.<br />
8. Determine whether any voluntary disclosure<br />
or repayment is required<br />
Where the investigation involves an error in<br />
billing third party payors (e.g., federal health<br />
care programs, commercial payors) <strong>and</strong> it is<br />
determined that the Provider has received<br />
monies to which it was not entitled (i.e.,<br />
overpayments), the compliance officer or legal<br />
counsel will be required to determine the<br />
amount of overpayment <strong>and</strong> must consider<br />
whether a voluntary disclosure or repayment<br />
is warranted. Self-disclosure, however, carries<br />
with it certain risks. While a full examination<br />
of the risks <strong>and</strong> benefits of self-disclosure <strong>and</strong><br />
repayment are beyond the scope of this article,<br />
we will summarize some of the primary<br />
considerations.<br />
Generally speaking, if a Provider has received<br />
monies to which it was not entitled <strong>and</strong> it has<br />
knowledge of such overpayments, the monies<br />
may need to be refunded <strong>and</strong>/or the overpayment<br />
disclosed. For example, under the Social<br />
Security Law (42 USC § 1320a-7b), it is a<br />
criminal offense to not disclose information<br />
when an individual has knowledge of an<br />
event affecting the Provider’s continued right<br />
to payment with respect to federal health care<br />
programs. The government has taken the position<br />
that this, therefore, requires the alleged<br />
overpayment to be refunded. That said, it is<br />
advisable that, if not already involved in the<br />
investigation, in-house or outside counsel be<br />
consulted before any repayment or disclosure<br />
is made, as the applicable laws may be interpreted<br />
differently depending upon the facts<br />
<strong>and</strong> circumstances of the situation. Furthermore,<br />
the Provider’s subsequent actions may<br />
have the potential to implicate several federal<br />
<strong>and</strong> state laws that carry with them substantial<br />
criminal, civil, <strong>and</strong> administrative penalties.<br />
This is of particular importance when<br />
the investigation reveals indicia of intentional<br />
wrongdoing.<br />
It should be noted that, even when an inadvertent<br />
billing error is discovered, the submission<br />
of a refund to the applicable payor<br />
(e.g., fiscal intermediary, Medicaid, other<br />
government payor, or commercial payor), can<br />
still have ramifications. For example, fiscal<br />
intermediaries or other third party payors<br />
who receive refunds may be obligated to<br />
question the Provider about the process used<br />
to evaluate the need for the refund <strong>and</strong> the<br />
corrective actions the Provider has taken to<br />
prevent such error from occurring in the future.<br />
Payors may also refer the refund over to<br />
the OIG or other relevant agency for further<br />
investigation.<br />
If, however, the compliance issues involve<br />
fraudulent misconduct, the stakes are higher<br />
<strong>and</strong> the potential penalties more significant.<br />
If a voluntary disclosure is contemplated,<br />
there must be careful consideration of how<br />
<strong>and</strong> to whom (e.g., fiscal intermediary,<br />
CMS, OIG, US Attorney’s Office, or State<br />
Attorneys General), the disclosure should be<br />
made. One available option when the error<br />
involves federal health care programs is the<br />
OIG’s Provider Self-Disclosure Protocol (Protocol)<br />
which outlines how providers should<br />
approach the government when they discover<br />
evidence of violation of Federal criminal,<br />
civil, or administrative laws. The OIG has<br />
stated that when a provider discloses potential<br />
violations pursuant to the Protocol <strong>and</strong> fully<br />
cooperates with the government, there may<br />
Continued on page 28<br />
<strong>Health</strong> <strong>Care</strong> <strong>Compliance</strong> <strong>Association</strong> • 888-580-8373 • www.hcca-info.org<br />
November 2006<br />
27
When you receive a compliant<br />
...continued from page 27<br />
November 2006<br />
28<br />
be reduced exposure to criminal,<br />
civil <strong>and</strong>/or administrative fines<br />
<strong>and</strong> penalties; however, this is<br />
not definitive. Therefore, it is<br />
very important that compliance<br />
officers are aware of all of the penalties<br />
that could potentially be imposed when making<br />
a disclosure.<br />
9. Implement corrective action<br />
Reporting to the governing board <strong>and</strong> making a<br />
voluntary repayment or disclosure does not end the<br />
Provider’s or compliance officer’s responsibilities<br />
with respect to acting on the findings of an internal<br />
investigation. Part of overseeing a Provider’s compliance<br />
program requires that appropriate policies <strong>and</strong><br />
procedures are in place to prevent potential compliance<br />
problems from arising in the future. This may<br />
involve the creation of new policies <strong>and</strong> procedures<br />
or revising existing policies <strong>and</strong> procedures when<br />
they are found to be insufficient to detect or prevent<br />
problems or errors.<br />
Restructuring the Provider’s policies <strong>and</strong> procedures<br />
is an important step in taking appropriate corrective<br />
action, but it is ineffective unless staff who are<br />
affected by the changes are educated on the new<br />
or revised policies <strong>and</strong> procedures. Therefore, the<br />
compliance officer should ensure that affected staff<br />
are receiving appropriate education <strong>and</strong> training<br />
whenever policies <strong>and</strong> procedures are developed<br />
or revised, <strong>and</strong> that this education <strong>and</strong> training is<br />
adequately documented.<br />
It may be necessary to discipline staff who engaged<br />
in the wrongdoing. The affected department’s<br />
director or supervisor, in conjunction with the<br />
compliance officer, should determine the appropriate<br />
course of action. This may include retraining the<br />
person or instituting disciplinary action. The extent<br />
of the disciplinary action will depend on the nature<br />
of the error, <strong>and</strong> may include a warning, suspension,<br />
or even termination. To the extent the employee<br />
remains employed in his or her same capacity, the<br />
Continued on page 29<br />
CHC<br />
The <strong>Health</strong>care<br />
<strong>Compliance</strong> Certification<br />
Board (HCCB) compliance certification<br />
examination is available in<br />
all 50 states. Join your peers <strong>and</strong><br />
become Certified in <strong>Health</strong>care<br />
<strong>Compliance</strong> (CHC).<br />
certified in<br />
healthcare<br />
compliance<br />
The <strong>Compliance</strong><br />
Professional’s Certification<br />
Congratulations on achieving<br />
CHC status! The <strong>Health</strong> <strong>Care</strong> <strong>Compliance</strong><br />
Certification Board announces that<br />
the following individuals have recently<br />
successfully completed the Certified in<br />
<strong>Health</strong>care <strong>Compliance</strong> (CHC) examination,<br />
earning CHC designation:<br />
CHC certification benefits:<br />
■ Enhances the credibility of the<br />
compliance practitioner<br />
■ Enhances the credibility of the<br />
compliance programs staffed by<br />
these certified professionals<br />
■ Assures that each certified<br />
compliance practitioner has the<br />
broad knowledge base necessary<br />
to perform the compliance<br />
function<br />
■ Establishes professional st<strong>and</strong>ards<br />
<strong>and</strong> status for compliance<br />
professionals<br />
■ Facilitates compliance work<br />
for compliance practitioners in<br />
dealing with other professionals<br />
in the industry, such as physicians <strong>and</strong> attorneys<br />
■ Demonstrates the hard work <strong>and</strong> dedication necessary to perform the<br />
compliance task<br />
Arlene J. Arellano-Brown<br />
Anne E. Karas<br />
Patricia Anne Weicker<br />
Gabrielle T. Langlinais<br />
Natalie Nichols Banks<br />
S<strong>and</strong>ra L. Sessoms<br />
CHC certification, developed <strong>and</strong> managed by HCCB, became available June<br />
26, 2000. Since that time, hundreds of your colleagues have become Certified<br />
in <strong>Health</strong>care <strong>Compliance</strong>. Linda Wolverton, CHC, says that she sought CHC<br />
certification because “many knowledgeable people work in compliance, <strong>and</strong> I<br />
wanted my peers to recognize me as ‘one of their own’.” With certification she<br />
is “recognized as having taken the profession seriously, having met the national<br />
professional st<strong>and</strong>ard.”<br />
For more information on how you can become CHC Certified,<br />
please call 888/580-8373, e-mail hccb@hcca-info.org, or visit the<br />
HCCA Web site at www.hcca-info.org <strong>and</strong> click on the HCCB Certification<br />
button on the left.<br />
<strong>Health</strong> <strong>Care</strong> <strong>Compliance</strong> <strong>Association</strong> • www.hcca-info.org
When you receive a compliant<br />
...continued from page 28<br />
compliance officer should make sure that the employee’s work is monitored<br />
<strong>and</strong> checked on a regular basis until such time that the employee’s<br />
superiors believe the employee no longer poses a risk with respect to the<br />
problem.<br />
10. Monitor ongoing compliance<br />
Providers should have general monitoring <strong>and</strong> auditing processes in<br />
place. Indeed, in many of the OIG’s compliance-related guidances, <strong>and</strong><br />
in the most recent open letter to providers, the OIG has articulated that<br />
the existence of effective internal auditing <strong>and</strong> monitoring systems is essential<br />
to the operation of an effective compliance program. Therefore,<br />
the compliance officer should make sure that the systems currently in<br />
place for monitoring <strong>and</strong> auditing the Provider’s processes are sufficient<br />
to detect <strong>and</strong> prevent the types of problems that caused the investigation.<br />
In additional to regular, routine monitoring, specific monitoring of the<br />
identified error should be incorporated into the corrective action plan.<br />
This is necessary to ensure that the same mistakes do not happen again.<br />
If, upon re-review, stated goals are not met, the corrective action needs<br />
to be modified <strong>and</strong> again reviewed, until the compliance officer has<br />
determined that the questionable practice has been corrected. It may be<br />
easy to explain away a mistake the first time, but subsequent errors of<br />
the same kind will be looked at with less leniency. n<br />
Getting Your CHC CEUs<br />
Inserted in this issue of <strong>Compliance</strong> Today is a<br />
quiz related to the article – “Practical advice on<br />
data breach notification laws for credit <strong>and</strong> collections<br />
organizations” by Leslie C. Bender, CIPP<br />
The new edition of this essential guide to<br />
health care compliance is now available<br />
Author Debbie Troklus<br />
has revised <strong>and</strong> updated<br />
<strong>Compliance</strong> 101 to reflect<br />
recent developments in<br />
compliance.<br />
The second<br />
edition includes:<br />
• Up-to-date<br />
compliance<br />
information<br />
• A br<strong>and</strong>-new chapter dedicated to<br />
HIPAA regulations<br />
• An exp<strong>and</strong>ed glossary with additional<br />
new terms <strong>and</strong> definitions<br />
• Exp<strong>and</strong>ed appendixes, including<br />
a selection of additional new <strong>and</strong><br />
user-friendly sample documents<br />
If you’re planning to become Certified in<br />
<strong>Health</strong>care <strong>Compliance</strong>, <strong>Compliance</strong> 101 is an<br />
invaluable study aid for the CHC examination.<br />
When you read the article on page 41 <strong>and</strong> take<br />
the quiz, make sure to print your name at the top<br />
of the form. Fax it to Lisa Colbert at 952/988-<br />
0146 or mail it to Lisa’s attention at HCCA, 6500<br />
Barrie Road, Suite 250, Minneapolis, MN 55435<br />
Debbie Troklus<br />
Greg Warner<br />
Call Lisa Colbert with any questions you may<br />
have at 888/580-8373<br />
To order, visit the HCCA Web site<br />
at www.hcca-info.org.<br />
<strong>Health</strong> <strong>Care</strong> <strong>Compliance</strong> <strong>Association</strong> • 888-580-8373 • www.hcca-info.org<br />
November 2006<br />
29
n Providing training to staff that is in addition<br />
to the current training schedule;<br />
n Engaging an independent review organization<br />
(IRO) to review the areas that the<br />
OIG has determined to be problematic.<br />
By Julie Katich <strong>and</strong> Karolyn Woo<br />
Editor’s note: Julie Katich <strong>and</strong> Karolyn <strong>and</strong> determine to what degree each of the<br />
Woo are with Deloitte & Touche, LLP. seven elements will be implemented; therefore,<br />
Julie can be reached by e-mail at<br />
compliance programs <strong>and</strong> their effectiveness are<br />
jkatich@deloitte.com <strong>and</strong> Karolyn can be as varying in nature as the organizations themselves.<br />
In some situations, it takes a government<br />
reached by e-mail at kwoo@deloitte.com.<br />
intervention, such as the issuance of a Corporate<br />
In an effort to protect against potential Integrity Agreement (CIA), to enhance the<br />
instances of fraud <strong>and</strong> abuse, many health organization’s compliance program.<br />
care organizations have adopted voluntary<br />
compliance programs. Using the various It is no surprise that when an organization<br />
Office of Inspector General’s (OIG) guidances<br />
for health care <strong>and</strong> life sciences orgative<br />
view of the agreement from a cost <strong>and</strong><br />
enters a CIA, it will often have a neganizations<br />
<strong>and</strong> the U.S. Federal Sentencing resource perspective. If the organization<br />
Guidelines, organizational compliance programs<br />
typically include the following seven the program may not be as effective <strong>and</strong><br />
already has a compliance program in place,<br />
elements:<br />
robust as the OIG expects when compared<br />
1. Governance <strong>and</strong> Oversight<br />
to industry st<strong>and</strong>ards <strong>and</strong> government guidance.<br />
Additionally, the program likely does<br />
2. Policies <strong>and</strong> Procedures<br />
3. Reporting System<br />
not fulfill all of the requirements contained<br />
4. Training <strong>and</strong> Education<br />
within the CIA. Typically, the organization<br />
5. Enforcement<br />
must implement new practices <strong>and</strong> modify<br />
6. Response <strong>and</strong> Prevention<br />
existing ones to meet the numerous m<strong>and</strong>ates<br />
of a CIA. This is often an onerous<br />
7. <strong>Audit</strong>ing <strong>and</strong> Monitoring<br />
process. Common CIA requirements include<br />
Because health care organizations are so diverse, enhancements to the compliance program,<br />
no optimal or st<strong>and</strong>ard compliance program such as:<br />
best suits all organizations. Rather, organizations<br />
are free to adopt programs that reflect guide the compliance officer <strong>and</strong> compli-<br />
n Activating a compliance committee to<br />
their commitment to compliance <strong>and</strong> take into ance program <strong>and</strong> set the tone at the top<br />
account government guidance <strong>and</strong> industry of the organization <strong>and</strong> demonstrate board<br />
practices. An organization’s compliance program <strong>and</strong> senior management commitment to<br />
should promote integrity <strong>and</strong> minimize the the program;<br />
risk of fraudulent activities. It is up to each n Revamping the training <strong>and</strong> education<br />
organization to assess its unique characteristics content to address the alleged misconduct;<br />
Unexpected benefits of a CIA <strong>and</strong> an IRO<br />
When an organization implements its CIA,<br />
it is not unusual for the organization to<br />
either re-allocate existing resources or acquire<br />
new personnel to support the compliance<br />
program. The organization is often forced<br />
to adopt a more comprehensive program<br />
(sometimes in several of the seven elements<br />
<strong>and</strong> sometimes only a few) that is maintained<br />
by dedicated resources <strong>and</strong> supported from<br />
the top level down.<br />
Sometimes, these changes result in unexpected<br />
benefits for the organization. That is,<br />
an organization that is subject to a CIA often<br />
finds itself with a more robust <strong>and</strong> effective<br />
compliance program than prior to the CIA.<br />
An additional benefit is that when the CIA<br />
requires an IRO, the IRO provides valuable<br />
insight into industry leading practices <strong>and</strong><br />
makes suggestions for operational enhancements<br />
for the organization. As an organization<br />
makes changes in accordance with the<br />
CIA requirements, it also will benefit from<br />
suggested changes or modifications that are<br />
made or recommended by the IRO.<br />
From an operational perspective, an effective<br />
compliance program will, in turn, improve<br />
organizational communication, teamwork,<br />
<strong>and</strong> overall operational efficiency. Similarly,<br />
the m<strong>and</strong>atory reporting requirements of<br />
the compliance activities often serve to<br />
improve the internal controls environment<br />
<strong>and</strong> reduce the likelihood of fraud, especially<br />
given the increased focus on the compliance<br />
environment as related to the Sarbanes-Oxley<br />
legislation.<br />
Continued on page 32<br />
November 2006<br />
30<br />
<strong>Health</strong> <strong>Care</strong> <strong>Compliance</strong> <strong>Association</strong> • 888-580-8373 • www.hcca-info.org
<strong>Health</strong> <strong>Care</strong> <strong>Compliance</strong> <strong>Association</strong> • 888-580-8373 • www.hcca-info.org<br />
November 2006<br />
31
Getting the most from your CIA ...continued from page 30<br />
Synergies between <strong>Compliance</strong>, <strong>Internal</strong><br />
<strong>Audit</strong> <strong>and</strong> Risk Management often occur<br />
as a result of IRO activities. An IRO review<br />
typically functions much like a compliance<br />
audit, with the goal of identifying areas for<br />
improvement. Whether or not regulatory<br />
issues are found, it is common for the review<br />
to include recommendations outside the<br />
CIA requirements. Organizations can use<br />
these IRO recommendations to create more<br />
effective <strong>and</strong> efficient systems <strong>and</strong> processes<br />
which assist the compliance officer in meeting<br />
overall compliance goals. The organization<br />
should draw on the experience <strong>and</strong> expertise<br />
of the IRO to provide valuable insights that<br />
the organization may not otherwise see.<br />
Critical success factors for an IRO<br />
engagement<br />
Several critical success factors affect the overall<br />
IRO review process <strong>and</strong> drive the success<br />
of the engagement. There are many factors to<br />
consider in the first step, the selection of an<br />
IRO, including the expertise of the firm, level<br />
of experience, cost of services, <strong>and</strong> the IRO’s<br />
willingness to partner with the organization.<br />
From a strategic perspective, if you are able<br />
to develop a strong working relationship<br />
<strong>and</strong> comfort level with your IRO, the overall<br />
review process will likely be more effective.<br />
The IRO has a job to perform based upon the<br />
requirements of the CIA, but that does not<br />
mean that the organization should not benefit<br />
greatly from the overall process.<br />
Having a dedicated individual from the<br />
organization to h<strong>and</strong>le the day-to-day communication<br />
with the IRO is the initial step<br />
in building a meaningful relationship with<br />
the IRO. An organization that encourages<br />
upfront communication with the IRO will be<br />
more likely to have an IRO that thoroughly<br />
underst<strong>and</strong>s the organizational issues impacting<br />
the CIA. This should lead to a more<br />
thorough <strong>and</strong> complete underst<strong>and</strong>ing of the<br />
organization <strong>and</strong> more innovative recommendations<br />
or solutions if findings are identified<br />
during the review.<br />
From a strategic st<strong>and</strong>point, investing time<br />
<strong>and</strong> resources in the planning phase often<br />
pays significant dividends throughout the<br />
engagement, if the compliance officer can:<br />
n Work together with the IRO to develop the<br />
work plan;<br />
n Educate the IRO on the organization, policies,<br />
procedures, <strong>and</strong> processes;<br />
n Prepare for the IRO review - you know<br />
they are coming <strong>and</strong> you have the rare<br />
opportunity to “get your house in order”<br />
before they arrive;<br />
n Conduct audits prior to the IRO review,<br />
<strong>and</strong> take corrective action as needed to<br />
address weakness in the organizations<br />
systems <strong>and</strong> processes;<br />
n Educate your workforce – they need to<br />
know that you are committed to compliance<br />
for the purpose of doing the right<br />
thing, rather than just to satisfy the CIA;<br />
n Expect your employees to know <strong>and</strong> underst<strong>and</strong><br />
your policies <strong>and</strong> procedure <strong>and</strong><br />
processes – the IRO will; <strong>and</strong><br />
n Look for win-win interactions with the<br />
IRO – they will likely see things that you<br />
do not <strong>and</strong> can provide you with information<br />
<strong>and</strong> recommendations based upon<br />
leading practices.<br />
Lessons learned<br />
Whether you are subject to an IRO process<br />
or not, we have found that organizations<br />
should consider the following lessons learned<br />
from an IRO perspective <strong>and</strong> consider implementing<br />
these suggestions in your organization:<br />
n Conduct a consistency review of all policies<br />
<strong>and</strong> go through the same process of checking<br />
for consistency when developing new<br />
policies or revisions to existing policies;<br />
n Review all procedures, tools, <strong>and</strong> work<br />
force guidance to ensure consistency with<br />
policies <strong>and</strong> with each other. Include this<br />
process during the development of or revisions<br />
to procedures, tools <strong>and</strong> work force<br />
guidance;<br />
n Assess existing committees <strong>and</strong> streamline<br />
them to enhance effectiveness, prevent<br />
overlap, <strong>and</strong> develop committee member<br />
expertise;<br />
n Establish an “Ask the compliance officer”<br />
e-mail box <strong>and</strong> encourage employees<br />
to ask questions <strong>and</strong> ask for guidance.<br />
Prompt responsiveness <strong>and</strong> the sharing of<br />
questions that are likely to be applicable to<br />
others creates an openness that can make<br />
your compliance program more effective.<br />
Employees will be better educated <strong>and</strong><br />
equipped to h<strong>and</strong>le challenging situations;<br />
n Look for ways to seamlessly integrate IRO<br />
procedures into the day-to-day health care<br />
operations. The IRO tools should become<br />
the auditing <strong>and</strong> monitoring tools of the<br />
compliance officer;<br />
n Designate a compliance officer who is<br />
responsible for constantly monitoring the<br />
requirements of the CIA <strong>and</strong> the effectiveness<br />
of the compliance program. Similarly,<br />
a compliance officer (or designee) who is<br />
in constant communication <strong>and</strong> is responsible<br />
for maintaining a close relationship<br />
with the IRO will foster a much more<br />
effective <strong>and</strong> efficient process than if this is<br />
not the case;<br />
n If the review includes cost reporting:<br />
n Conduct a thorough review of the<br />
cost report in advance of the IRO<br />
review <strong>and</strong> ensure that documentation<br />
exists for all items on the<br />
cost report. If any exceptions are<br />
noted, make sure that there is an<br />
explanation as to why the exception<br />
occurred. Have a corrective<br />
action plan in place to show that it<br />
was identified, <strong>and</strong> that it will not<br />
happen again.<br />
November 2006<br />
32<br />
<strong>Health</strong> <strong>Care</strong> <strong>Compliance</strong> <strong>Association</strong> • 888-580-8373 • www.hcca-info.org
n Assume a very conservative approach<br />
when reviewing previously<br />
filed cost reports or claims<br />
to be submitted to the Medicare<br />
program. If there are any questions,<br />
err on the side of reporting<br />
questionable items to the fiscal<br />
intermediary to avoid potential<br />
issues during the cost review for<br />
unallowable items or any claims<br />
denials.<br />
n Establish an internal process to<br />
identify the root cause of any<br />
exceptions. This process is imperative<br />
<strong>and</strong> should include identifying<br />
all the reasons why the claim was<br />
identified as an exception. Create<br />
specific corrective action plans to<br />
prevent future occurrences.<br />
n Stay in frequent communication with the<br />
IRO. This allows the compliance officer or<br />
his/her designee to become aware of issues<br />
as early in the process as possible. This also<br />
allows the organization to work with the<br />
IRO to clarify <strong>and</strong>/or remediate issues as<br />
soon as possible.<br />
Can I benefit if I am not under a CIA?<br />
Organizations that are not subject to a m<strong>and</strong>ated<br />
IRO review can benefit in many ways<br />
from an informal review. Reassessing your<br />
current compliance program <strong>and</strong> making any<br />
necessary modifications to ensure effectiveness<br />
often leads to positive results <strong>and</strong> is<br />
always a good defensive position.<br />
Examples of CIAs that are applicable to your<br />
type of organization are available from the<br />
OIG website (http://oig.hhs.gov/fraud/cia/<br />
index.html). You can review <strong>and</strong> assess your<br />
compliance program in accordance with the<br />
OIG requirements. By following the organizational<br />
guidance set forth in an example<br />
CIA, you can make sure that your processes<br />
<strong>and</strong> documentation would satisfy a review if<br />
conducted by an IRO. This may seem like a<br />
laborious process when not m<strong>and</strong>ated by the<br />
OIG, but developing <strong>and</strong> strengthening the<br />
various elements of an existing compliance<br />
program will not only improve operational<br />
efficiencies; it will also help to mitigate the<br />
risk of any future governmental investigations.<br />
Organizations that can demonstrate<br />
that they have a comprehensive <strong>and</strong> effective<br />
compliance program in place can commonly<br />
negotiate a less onerous CIA that is reduced<br />
in scope <strong>and</strong> term. To successfully negotiate,<br />
however, there must be documentation, <strong>and</strong><br />
staff awareness to show that the compliance<br />
program is effective. Lastly, talk with your<br />
peers who are under a CIA, <strong>and</strong> learn what<br />
you can do to improve your current compliance<br />
program.<br />
It takes time <strong>and</strong> effort to implement an effective<br />
compliance program <strong>and</strong> the st<strong>and</strong>ard<br />
is subjective. However, learning from peers is<br />
a good place to start. n<br />
The authors would like to thank Terri<br />
Kraemer <strong>and</strong> John Valenta with Deloitte &<br />
Touche, LLP for their guidance.<br />
Additional Academy Added!<br />
HCCA will hold an additional <strong>Compliance</strong> Academy on<br />
December 4–7, 2006, Westin Horton Plaza, San Diego, CA<br />
Register online at www.hcca-info.org<br />
Questions? Contact Lizza Catalano at 888-580-8373 or lizza.catalano@hcca-info.org<br />
registration is limited—register now<br />
<strong>Health</strong> <strong>Care</strong> <strong>Compliance</strong> <strong>Association</strong> • 888-580-8373 • www.hcca-info.org<br />
November 2006<br />
33
COMPLIANCE<br />
101<br />
Hitting the ground running—What every<br />
new (or wannabe) compliance professional<br />
needs to know<br />
By Kathleen Duffett, RN, JD<br />
Editor’s Note: Kathleen Duffett is an attorney<br />
in private practice. She can be reached<br />
by telephone at 845/265-3965 or by e-mail<br />
at kduffett@optonline.net.<br />
In the beginning…<br />
About ten years ago, I was working in the risk<br />
management department of a major medical<br />
center. Although I enjoyed my job, I wanted to<br />
branch out into something new <strong>and</strong>, if possible,<br />
make a few more dollars. As I started to get the<br />
word out that I was looking, a friend of mine<br />
who worked for a large consulting firm called<br />
me. “We do corporate compliance work for<br />
health care businesses – why don’t you submit<br />
your resume?” Not knowing much about<br />
corporate compliance, but interested in a new<br />
opportunity, I sent in my resume <strong>and</strong> got an interview.<br />
Now I needed to beef up on corporate<br />
compliance issues, fast! I relied on some materials<br />
I had received at a fraud <strong>and</strong> abuse law conference<br />
I had attended a couple of years earlier.<br />
That got me through the interview (barely, I am<br />
sure) <strong>and</strong> I got the job. Now I needed a crash<br />
course in compliance basics a.s.a.p.! Although<br />
I found plenty of sophisticated articles about<br />
specific corporate compliance issues, it was<br />
almost impossible to find “beginner’s information”<br />
regarding common corporate compliance<br />
issues. This article is just that—a down <strong>and</strong><br />
dirty primer on corporate compliance issues for<br />
the new (or wannabe) compliance professional.<br />
Brief history of health care compliance<br />
<strong>Health</strong> care fraud <strong>and</strong> abuse became the<br />
focus of the federal government in the<br />
1990s. With medical costs escalating, the<br />
federal government was paying out big<br />
bucks through its health care programs <strong>and</strong><br />
wanted to ensure that its increasing costs<br />
were not the result of fraud <strong>and</strong> abuse. In the<br />
mid-1990s, the Department of Justice (DOJ)<br />
announced that combating health care fraud<br />
was its number two priority, second only to<br />
combating violent crime.<br />
Most of the federal health care-related legislation<br />
passed in the 1990s, in particular the<br />
<strong>Health</strong> Insurance Portability <strong>and</strong> Accountability<br />
Act of 1996 (HIPAA), included antifraud<br />
<strong>and</strong> abuse measures. This legislative<br />
trend has continued into the present. In addition,<br />
since the 1990s, most fraud <strong>and</strong> abuse<br />
legislation includes appropriations to fund<br />
prevention activities. State governments have<br />
also become more active in the fight against<br />
fraud <strong>and</strong> abuse in relation to their Medicaid<br />
<strong>and</strong> other state run programs.<br />
<strong>Health</strong> care organizations have responded to<br />
all this federal <strong>and</strong> state activity by instituting<br />
corporate compliance programs. Why? In the<br />
event that a health care organization is found<br />
guilty of wrongdoing, an effective compliance<br />
program can reduce the organization’s<br />
exposure to criminal sanctions, civil damages<br />
<strong>and</strong> penalties, <strong>and</strong> administrative remedies.<br />
Federal & State agencies involved in<br />
combating fraud<br />
A multitude of federal <strong>and</strong> state agencies are<br />
involved in the fight against fraud <strong>and</strong> abuse.<br />
The agencies on the forefront of this effort<br />
include:<br />
Office of the Inspector General (OIG)<br />
of the U.S. Department of <strong>Health</strong> <strong>and</strong><br />
Human Services (HHS)<br />
The OIG is an independent unit within<br />
HHS. It functions as a watchdog. The responsibilities<br />
of the OIG include conducting<br />
audits <strong>and</strong> investigations related to HHS operations<br />
<strong>and</strong> programs (such as Medicare <strong>and</strong><br />
Medicaid); preventing <strong>and</strong> detecting fraud<br />
<strong>and</strong> abuse; issuing guidelines <strong>and</strong> parameters<br />
outlining activities that constitute fraud <strong>and</strong><br />
abuse; <strong>and</strong> keeping the Secretary of HHS<br />
<strong>and</strong> Congress informed about problems <strong>and</strong><br />
issues related to the administration <strong>and</strong><br />
operations of HHS programs.<br />
The OIG is an extremely active agency <strong>and</strong> is<br />
a leading authority on health care fraud <strong>and</strong><br />
abuse issues.<br />
The U.S. Department of Justice (DOJ)<br />
Most people associate the DOJ with terrorism<br />
<strong>and</strong> related matters. However, the DOJ<br />
is actively involved in combating health care<br />
fraud <strong>and</strong> abuse. Historically, the primary<br />
focus of the DOJ has been the investigation<br />
<strong>and</strong> prosecution of health care organizations<br />
for violations of the federal False Claims Act.<br />
State Medicaid Fraud Control Units<br />
(MFCUs)<br />
Almost every state has its own MFCU. New<br />
York State has the largest (<strong>and</strong> most highly<br />
regarded) MFCU. The MFCUs are involved<br />
in the investigation <strong>and</strong> prosecution (or<br />
referral for prosecution) of various illegal<br />
activities, such as kickbacks <strong>and</strong> improper<br />
billings, perpetrated by health care providers<br />
<strong>and</strong> others who participate in a state’s<br />
Medicaid program. Most MFCUs are part<br />
of the state attorney general’s office. A small<br />
number of the units are located in various<br />
other state agencies.<br />
State Attorneys General Offices<br />
In addition to running MFCUs, many state<br />
attorneys general get involved in fraud <strong>and</strong><br />
abuse issues, particularly in managed care.<br />
Using consumer protection <strong>and</strong> other applicable<br />
state laws, they target health plans,<br />
providers, <strong>and</strong> other players in the health care<br />
November 2006<br />
34<br />
<strong>Health</strong> <strong>Care</strong> <strong>Compliance</strong> <strong>Association</strong> • 888-580-8373 • www.hcca-info.org
industry who engage in fraudulent, misleading,<br />
deceptive, or illegal practices.<br />
Seven basic elements in all compliance<br />
programs<br />
In the federal court system, wrongdoers are<br />
punished in accordance with the Federal<br />
Sentencing Guidelines (FSGs). Under the<br />
FSGs, an organization that has an effective<br />
compliance program can reduce its exposure<br />
to civil damages, penalties, criminal sanctions,<br />
<strong>and</strong> administrative penalties (e.g.,<br />
exclusion from participation in federal<br />
health care programs). The OIG’s voluntary<br />
<strong>Compliance</strong> Program Guidances (CPGs),<br />
which provide the OIG’s perspective on what<br />
constitutes an effective compliance program,<br />
are based on the FSG’s seven basic elements:<br />
1. Establishing written compliance st<strong>and</strong>ards<br />
<strong>and</strong> procedures to be followed by<br />
employees <strong>and</strong> other agents (e.g., policies<br />
<strong>and</strong> procedures, code of conduct);<br />
2. Making high-level personnel responsible<br />
for overseeing compliance (e.g., compliance<br />
officer, compliance committee);<br />
3. Developing <strong>and</strong> implementing training<br />
<strong>and</strong> education programs for all employees;<br />
4. Developing effective lines of communication<br />
(e.g., hotlines, protection for whistleblowers);<br />
5. Taking reasonable steps to achieve compliance<br />
with st<strong>and</strong>ards, including use of<br />
monitoring <strong>and</strong> auditing systems;<br />
6. Consistently enforcing the st<strong>and</strong>ards<br />
through appropriate disciplinary mechanisms;<br />
<strong>and</strong><br />
7. Responding promptly to detected offenses<br />
<strong>and</strong> taking all reasonable steps to respond<br />
appropriately <strong>and</strong> prevent further similar<br />
offenses.<br />
How these seven elements are incorporated<br />
into an organization’s compliance program<br />
depends on many things. For example, the<br />
particulars of a hospital’s compliance program<br />
will not be identical to a managed care organization’s<br />
compliance program because their activities,<br />
<strong>and</strong> therefore their risk areas, differ in<br />
various respects. Similarly, a small community<br />
hospital will not have the exact same compliance<br />
program as an academic medical center.<br />
Fortunately, the OIG has issued several CPGs<br />
for various sectors of the health care industry<br />
that are excellent resources when establishing<br />
(or learning about) compliance programs. The<br />
CPGs are available at http://www.oig.hhs.<br />
gov/fraud/complianceguidance.html.<br />
Key laws every compliance professional<br />
should know<br />
The variety <strong>and</strong> complexity of laws <strong>and</strong><br />
regulations that touch on an organization’s<br />
compliance program can be mind-boggling.<br />
Fear not! You will become familiar with all of<br />
them in time. But there are some laws that<br />
every compliance officer should be familiar<br />
with right from the start.<br />
1. The Anti-kickback (AKB) Statute – 42<br />
United States Code (U.S.C.) Section<br />
1320a-7b<br />
The AKB Statute makes it a criminal offense<br />
to knowingly <strong>and</strong> willfully offer, pay, solicit,<br />
or receive any “remuneration” to induce or<br />
reward referrals of items or services reimbursable<br />
by a federal health care program.<br />
“Remuneration” is not limited to cash<br />
payment for referrals. Rather, if anything of<br />
value is exchanged (e.g., referral fees, payment<br />
of travel or conference expenses, tickets to<br />
sporting events, free or below market value<br />
rental space) between a referral source (e.g., a<br />
physician) <strong>and</strong> a party who provides items or<br />
services that are covered in whole or in part<br />
by Medicare or Medicaid (e.g., a hospital or<br />
DME vendor), the AKB Statute is implicated.<br />
Some courts have held that the AKB<br />
Statute is violated if even one purpose of the<br />
remuneration is to induce further referrals.<br />
Notably, the statute attributes liability to<br />
both parties involved in an impermissible<br />
kickback. Consequently, business practices<br />
that are common in other industries, such as<br />
taking clients to sporting events or paying for<br />
dinners or golf outings, can be construed as<br />
kickbacks when exchanged between Medicare/Medicaid<br />
referral sources <strong>and</strong> Medicare/<br />
Medicaid service providers.<br />
The DOJ prosecutes criminal AKB cases. The<br />
OIG has civil authority to exclude from the<br />
Medicare <strong>and</strong> Medicaid programs a provider<br />
who has participated in a kickback scheme<br />
but has not been convicted under the criminal<br />
AKB statute. The OIG may also impose<br />
a civil monetary penalty (CMP) for an act<br />
described in the AKB Statute.<br />
The OIG has the authority to promulgate<br />
safe harbors to the AKB Statue. Safe harbors<br />
are certain payment arrangements <strong>and</strong> business<br />
practices which, although potentially capable<br />
of inducing referrals of business under<br />
the Medicare <strong>and</strong> Medicaid programs, will<br />
not be treated as criminal offenses under the<br />
AKB Statute <strong>and</strong> will not serve as a basis for<br />
program exclusion. However, arrangements<br />
that don’t meet a safe harbor are not illegal<br />
per se–they may or may not be, depending on<br />
the circumstances. The current safe harbors<br />
are located at 42 Code of Federal Regulations<br />
(CFR) Section 1001.952, which is available<br />
at http://www.access.gpo.gov/nara/cfr/<br />
waisidx_05/42cfr1001_05.html<br />
Criminal penalties for violating the AKB<br />
Statute include a $25,000 fine <strong>and</strong> up to five<br />
years imprisonment. As mentioned earlier, the<br />
OIG can impose CMPs for AKB activities, as<br />
well as exclude the perpetrator from involvement<br />
in federal health care programs.<br />
2. The Civil Monetary Penalties Law<br />
(CMPL) - 42 U.S.C. Section 1320a-7a<br />
Continued on page 36<br />
<strong>Health</strong> <strong>Care</strong> <strong>Compliance</strong> <strong>Association</strong> • 888-580-8373 • www.hcca-info.org<br />
November 2006<br />
35
<strong>Compliance</strong> 101 ...continued from page 35<br />
The CMPL allows the OIG to impose<br />
monetary fines <strong>and</strong> assessments for a number<br />
of unacceptable practices. Examples include<br />
submitting false claims, accepting kickbacks<br />
<strong>and</strong> offering or providing inducements to<br />
Medicare <strong>and</strong> Medicaid beneficiaries that are<br />
likely to influence their choice of a Medicare<br />
or Medicaid provider. The full list of actions<br />
that can result in imposition of CMPs by the<br />
OIG is located at 42 CFR Section 1003.102,<br />
which is available at http://www.access.gpo.<br />
gov/nara/cfr/waisidx_05/42cfr1003_05.html<br />
The OIG is authorized to seek different<br />
amounts of CMPs <strong>and</strong> assessments based on<br />
the type of violation at issue. For example, in<br />
a case of false or fraudulent claims, the OIG<br />
may seek a penalty of up to $10,000 for each<br />
item or service improperly claimed, <strong>and</strong> an<br />
assessment of up to three times the amount<br />
improperly claimed. In a kickback case, the<br />
OIG may seek a penalty of up to $50,000 for<br />
each improper act <strong>and</strong> an assessment of up to<br />
three times the amount of remuneration at<br />
issue. Administrative remedies include exclusion<br />
from federal health care programs.<br />
3. The Civil False Claims Act – 31 U.S.C.<br />
Sections 3729 -3733<br />
Signed by President Lincoln in 1863, the<br />
civil False Claims Act (FCA) makes it illegal<br />
to present (or cause to be presented) a claim<br />
to the federal government for payment or<br />
approval when the person or entity submitting<br />
the claim knows that the claim is false or<br />
fraudulent. Amendments to the FCA in 1986<br />
strengthened its efficacy <strong>and</strong> led to its use in<br />
the health care industry, particularly in billing<br />
<strong>and</strong> coding areas (e.g., upcoding, unbundling,<br />
billing for medically unnecessary services, etc.)<br />
“Claim” is any request or dem<strong>and</strong> for money<br />
if the federal government provides any portion<br />
of the sum requested. Therefore, when a<br />
doctor or hospital bills Medicare for a service,<br />
a claim has been submitted to the federal<br />
government for payment.<br />
The required intent is actual knowledge,<br />
deliberate ignorance, or reckless disregard of<br />
the truth or falsity of the claim. For example,<br />
when the DOJ suspects that a hospital has<br />
been upcoding its diagnosis-related group<br />
codes, (a potential FCA situation), the DOJ<br />
will ask if the hospital was aware of Medicare<br />
fiscal intermediary bulletins on this issue, is<br />
the Medicare rule underst<strong>and</strong>able, did the<br />
hospital ever contact the Centers for Medicare<br />
<strong>and</strong> Medicaid Services (CMS) for guidance<br />
on the issue, <strong>and</strong> so on. These questions are<br />
asked to assess intent.<br />
Mere submission of a claim is sufficient to<br />
sustain an action under the FCA. Actual payment<br />
or approval of a claim is not required.<br />
Penalties of $5,500- $11,000 per claim can<br />
be imposed, as well as an assessment of up<br />
to three times the damages sustained by the<br />
government as a result of the false claim.<br />
Administrative remedies include program<br />
exclusion or a government-imposed compliance<br />
program.<br />
Under the FCA, a private person, known as<br />
a qui tam relator, can initiate an FCA action<br />
on behalf of the federal government. The<br />
primary purpose of this provision is to give<br />
whistleblowers incentives to help the government<br />
discover <strong>and</strong> prosecute fraudulent<br />
claims by sharing a percentage of the recovery.<br />
If the government decides to proceed with<br />
a case initiated by a qui tam relator, <strong>and</strong><br />
if the government is successful in winning<br />
the action, the relator gets 15%-25% of<br />
the proceeds. If the government declines to<br />
proceed with the case, but the relator wins or<br />
settles the case on his or her own, he or she<br />
is entitled to 25%-30% of the proceeds, plus<br />
reasonable costs <strong>and</strong> attorney’s fees. Disgruntled<br />
current <strong>and</strong> former employees <strong>and</strong><br />
competitors are common qui tam relators.<br />
4. The <strong>Health</strong> Insurance Portability <strong>and</strong><br />
Accountability Act (HIPAA) – Public<br />
Law 104-191; Social Security Act Section<br />
1128C(a)<br />
Nowadays, when you say “HIPAA,” everyone<br />
in health care thinks of the confidentiality of<br />
patient information. But the HIPAA statute<br />
of 1996 was very broad <strong>and</strong> touched on a<br />
number of areas, including fraud <strong>and</strong> abuse.<br />
Among its anti-fraud <strong>and</strong> abuse measures,<br />
HIPAA appropriated dedicated funding to<br />
fight fraud <strong>and</strong> abuse <strong>and</strong> created new federal<br />
criminal offenses for health care fraud regardless<br />
of payer. It also required the establishment<br />
of a national <strong>Health</strong> <strong>Care</strong> Fraud <strong>and</strong><br />
Abuse Control Program (HCFAC). HCFAC<br />
is under the joint direction of the Attorney<br />
General of the DOJ <strong>and</strong> the Secretary of<br />
HHS, the latter acting through the OIG. The<br />
HCFAC program is designed to coordinate<br />
federal, state, <strong>and</strong> local law enforcement<br />
activities with respect to health care fraud <strong>and</strong><br />
abuse. Under HIPAA, an amount equaling<br />
recoveries from health care investigations (i.e.,<br />
criminal fines, forfeitures, civil settlements<br />
<strong>and</strong> judgments, <strong>and</strong> administrative penalties)<br />
must be deposited in the Medicare Trust<br />
Fund. HHS <strong>and</strong> DOJ issue annual reports<br />
detailing the amounts deposited <strong>and</strong> appropriated<br />
to the trust fund <strong>and</strong> the source of<br />
such deposits. More information on HCFAC,<br />
is available at http://oig.hhs.gov/publications/<br />
hcfac.html#1<br />
5. The Physician Self-Referral Act (Stark<br />
Law) – 42 U.S.C. Section 1395nn<br />
The Physician Self-Referral Law (known<br />
as the Stark Law because its sponsor was<br />
Congressman Pete Stark) prohibits a physician<br />
from referring Medicare <strong>and</strong> Medicaid<br />
patients for certain designated health services<br />
Continued on page 38<br />
November 2006<br />
36<br />
<strong>Health</strong> <strong>Care</strong> <strong>Compliance</strong> <strong>Association</strong> • 888-580-8373 • www.hcca-info.org
Consult with our team<br />
of national experts on compliance issues.<br />
<strong>Compliance</strong> Effectiveness | Medicare & Medicaid Fraud Defense | Corporate Integrity Agreements<br />
Pharmaceutical Contracts | Research <strong>Compliance</strong> & Billing<br />
Revenue Cycle Analysis | Sarbanes Oxley & <strong>Internal</strong> <strong>Audit</strong> Services<br />
Coder Certification & Training | Charge Master Analysis & Implementation<br />
Serving clients in 45 states since 1985.<br />
For more information, contact our specialists:<br />
John Beattie, CPA, CFE Victor Blanchard, CISA James Cesare John Foley, CPA<br />
717.540.4709 215.972.2392 717.540.4702 570.820.0126<br />
jbeattie@parentenet.com vblanchard@parentenet.com jcesare@parentenet.com jfoley@parentenet.com<br />
www.parentehealthcare.com<br />
An Independent Member of Baker Tilly International<br />
<strong>Health</strong> <strong>Care</strong> <strong>Compliance</strong> <strong>Association</strong> • 888-580-8373 • www.hcca-info.org<br />
November 2006<br />
37
<strong>Compliance</strong> 101 ...continued from page 36<br />
(DHS) to entities with which the physician or<br />
the physician’s immediate family member has<br />
a financial relationship, unless an exception<br />
applies. The DHS list is quite comprehensive<br />
<strong>and</strong> includes laboratory services, physical<br />
therapy, occupational therapy, speech therapy,<br />
<strong>and</strong> inpatient <strong>and</strong> outpatient hospital services<br />
(see 42 CFR Section 411.351 for the full<br />
DHS list). Likewise, the statutory definitions<br />
of “physician,” “immediate family member,”<br />
“referral,” <strong>and</strong> “financial relationship” are of<br />
consequence. Much like the AKB Statute, a<br />
“financial relationship” exists whenever anything<br />
of value (“remuneration”) passes from<br />
the DHS-provider to the physician.<br />
In addition to penalizing the physician, the<br />
Stark Law also prohibits the DHS provider<br />
from billing for any services rendered or<br />
goods delivered as a result of a prohibited<br />
referral. The goal of the law is to ensure that<br />
a physician’s decision to refer is based on<br />
the best interest of the patient <strong>and</strong> not the<br />
physician’s financial interest in the entity that<br />
provides the services or items. As “they” say,<br />
the road to hell is paved with good intentions.<br />
The complexity of the regulations implementing<br />
the Stark Law (see 42 CFR Sections<br />
411.350-361) bears this out.<br />
Stark is a strict liability statute. This means<br />
that the law is violated if a prohibited referral<br />
is made <strong>and</strong> does not meet the specific<br />
requirements of the applicable exception.<br />
Whether the physician or DHS provider<br />
intended to violate the statute is irrelevant.<br />
The current exceptions, which are similar but<br />
not identical to the AKB safe harbors, are<br />
available at 42 CFR Section 411.355 -357.<br />
Sanctions for Stark violations include:<br />
(1) denial of payment for services resulting<br />
from prohibited referral;<br />
(2) refund of any payment made by CMS to<br />
an entity furnishing DHS as a result of a<br />
prohibited referral;<br />
(3) CMP of up to $15,000 per service plus an<br />
assessment of not more than three times<br />
the amount claimed;<br />
(4) CMP of up to $100,000 for circumvention<br />
schemes;<br />
(5) CMP of not more than $10,000 per day<br />
for failure to comply with certain reporting<br />
requirements;<br />
(6) program exclusion; <strong>and</strong><br />
(7) potential prosecution under the FCA.<br />
With the exception of lawyers, most<br />
compliance professionals are not required<br />
to underst<strong>and</strong> the complexities of the Stark<br />
Law. <strong>Compliance</strong> professionals do need to<br />
recognize situations where the Stark Law is<br />
implicated (almost any relationship with a<br />
DHS referral-generating physician where<br />
remuneration of some sort is involved) <strong>and</strong><br />
bring these situations to the attention of a<br />
knowledgeable attorney who can advise as to<br />
the application of the law in that scenario.<br />
When analyzing the Stark Law, the questions<br />
to ask include:<br />
n Is there a financial relationship between the<br />
physician (or immediate family member)<br />
<strong>and</strong> the entity providing DHS services?<br />
n If so, does the physician make referrals to<br />
the entity for DHS?<br />
n If so, are the services payable or paid by<br />
Medicare or Medicaid?<br />
n If so, do any of the Stark statutory exceptions<br />
apply?<br />
n If so, does the arrangement meet all of the<br />
qualifications of the applicable exception?<br />
CMS, which is responsible for the regulations<br />
implementing the Stark Law, has a Physician<br />
Self-Referral Home Page, available at http://<br />
www.cms.hhs.gov/PhysicianSelfReferral/.<br />
Note: The Stark Law <strong>and</strong> the AKB Statute are<br />
NOT identical. It is possible to be in compliance<br />
with one while simultaneously violating<br />
the other. Transactions between physicians<br />
<strong>and</strong> other entities must be analyzed separately<br />
under each statute.<br />
Valuable Internet resources<br />
(<strong>and</strong> how to use them)<br />
Once you master the basics of compliance,<br />
the challenge is to stay on top of compliancerelated<br />
issues in your segments of the health<br />
care industry. Of course, joining a professional<br />
organization—such as HCCA—is an<br />
excellent way of staying up to date.<br />
Another extremely useful practice is to develop<br />
a list of Internet sites that address issues<br />
that you are responsible for <strong>and</strong> consult them<br />
on a regular basis (daily if necessary). Your<br />
list will typically include federal <strong>and</strong> state<br />
agencies that regulate health care in some way<br />
(e.g., CMS, OIG, or state departments of<br />
health or insurance) as well as law firms <strong>and</strong><br />
professional or trade organizations that monitor<br />
issues that are important to your industry.<br />
Once you start using the Internet for this<br />
purpose, you will find plenty of useful Web<br />
sites to include on your list!<br />
A majority of my clients are health care institutions<br />
(i.e., hospitals, home care agencies,<br />
managed care organizations, etc.) <strong>and</strong> their<br />
businesses are involved with federal, state,<br />
<strong>and</strong> private health care insurance programs.<br />
HIPAA is also an issue for my clients. Here is<br />
a partial list of Web sites <strong>and</strong> recommendations<br />
for how often to use them. You may use<br />
this list as a jumping off point to start yours.<br />
Visit daily<br />
n Federal Register - http://www.access.gpo.<br />
gov/su_docs/fedreg/frcont06.html<br />
Note: The Federal Register is the official document<br />
that the federal agencies use to promulgate<br />
new or revised rules <strong>and</strong> regulations. It is<br />
the first Web site I go to every day. I typically<br />
November 2006<br />
38<br />
<strong>Health</strong> <strong>Care</strong> <strong>Compliance</strong> <strong>Association</strong> • 888-580-8373 • www.hcca-info.org
scroll down to the CMS <strong>and</strong> HHS sections,<br />
the latter of which includes OIG notices.<br />
n CMS - http://www.cms.hhs.gov/apps/media/<br />
Note: I routinely search the press releases <strong>and</strong><br />
fact sheets for current information.<br />
n Medicare Advantage What’s New<br />
Home Page - http://www.cms.hhs.<br />
gov/<strong>Health</strong>PlansGenInfo/02_WhatsNew.<br />
asp#TopOfPage<br />
n OIG What’s New Home Page - http://<br />
www.oig.hhs.gov/w-new.html<br />
n HHS http://www.hhs.gov/ (Hint: look to<br />
right for “News”)<br />
n American <strong>Health</strong> Lawyers <strong>Association</strong><br />
http://www.healthlawyers.org/ (Hint: click<br />
on the News Center tab <strong>and</strong> then on the<br />
“Of Note” drop down)<br />
n Kaiser Network - http://www.kaisernetwork.org/<br />
(Daily Reports)<br />
n <strong>Health</strong> <strong>Care</strong> <strong>Compliance</strong> <strong>Association</strong><br />
http://www.hcca-info.org/am/Template.<br />
cfm?Section=Home<br />
n Isl<strong>and</strong> Peer Review Organization (IPRO)<br />
http://providers.ipro.org/index<br />
n NYS Attorney General <strong>Health</strong> Bureau<br />
Home Page - http://www.oag.state.ny.us/<br />
health/health_care.html<br />
n NYS Department of <strong>Health</strong> - http://www.<br />
health.state.ny.us/<br />
n NYS Department of Insurance Circular<br />
Letter Index - http://www.ins.state.ny.us/<br />
circindx.htm<br />
n NYS Department of Insurance, Opinions<br />
of the Office of General Counsel - http://<br />
www.ins.state.ny.us/ropi2006.htm<br />
n NYS Register - http://www.dos.state.<br />
ny.us/info/register/2006.htm<br />
n NYS Senate <strong>and</strong> Assembly Floor Calendars<br />
http://public.leginfo.state.ny.us/menugetf.<br />
cgi?COMMONQUERY=CALENDAR<br />
n Office for Civil Rights HIPAA Privacy<br />
Home Page - http://www.hhs.gov/ocr/<br />
hipaa/<br />
Note: Internet access to the various parts of<br />
Volume 42 of the CFR is available by going<br />
to - http://www.access.gpo.gov/nara/cfr/<br />
waisidx_05/42cfrv2_05.html<br />
October (or thereabout). Consequently, on<br />
or after October 2006, the “waisidx_05” <strong>and</strong><br />
the “05.html” within the URL will need to be<br />
changed to “waisidx_06” “06.html” in order<br />
to get the current version of the regulations. n<br />
Correction!<br />
The ad in the October 2006<br />
issue of <strong>Compliance</strong> Today<br />
on page 37 announcing the<br />
new Continuing Education<br />
Units (CUE) program mistakenly<br />
says that CEU credits<br />
are only available to members.<br />
This benefit is open to everyone.<br />
We hope you will take<br />
advantage of this new way to<br />
earn credits for certification.<br />
Visit weekly<br />
Please Note: The CFR is updated every<br />
HCCA’s <strong>Compliance</strong> Institute<br />
NEW HOTEL AND DATES<br />
Register online today <strong>and</strong> save! HCCA will<br />
hold its 11th Annual <strong>Compliance</strong> Institute in<br />
Chicago, IL, at the Sheraton Chicago Hotel<br />
<strong>and</strong> Towers, April 22–25, 2007.<br />
Go to www.compliance-institute.org to register.<br />
<strong>Health</strong> <strong>Care</strong> <strong>Compliance</strong> <strong>Association</strong> • 888-580-8373 • www.hcca-info.org<br />
November 2006<br />
39
December 4–7, 2006<br />
The Westin Horton Plaza<br />
San Diego, CA<br />
February 5–8, 2007<br />
Argonaut Hotel<br />
San Francisco, CA<br />
March 19–22, 2007<br />
Hilton Dallas Lincoln Centre<br />
Dallas, TX<br />
June 25–28, 2007<br />
Hyatt at Fisherman’s Wharf<br />
San Francisco, CA<br />
Visit www.hcca-info.org to register<br />
November 2006<br />
40<br />
<strong>Health</strong> <strong>Care</strong> <strong>Compliance</strong> <strong>Association</strong> • 888-580-8373 • www.hcca-info.org
assure that creditor clients can remain confident<br />
that collection agencies are trustworthy<br />
h<strong>and</strong>lers of sensitive consumer information,<br />
collection agencies must navigate a steady<br />
course through the waters of the various state<br />
data breach laws <strong>and</strong> must chart a responsible<br />
course for action.<br />
Editor’s note: Leslie C. Bender, CIPP is an<br />
attorney practicing in Timonium, Maryl<strong>and</strong>.<br />
She may be reached by telephone at<br />
410/453-4123 or by e-mail at<br />
LBender@theROI.com.<br />
In July 2003, California led the nation<br />
by enacting Senate Bill 1386, a law<br />
requiring companies to notify consumers<br />
when their electronic data had been<br />
compromised. Although Congress was unable<br />
to reach agreement on any of the dozens of<br />
data security breach notification acts or data<br />
security bills proposed in 2005, most of the<br />
states considered legislation, <strong>and</strong> 22 states<br />
enacted legislation.<br />
Despite the absence of a data breach notification<br />
requirement in all states or at the national<br />
level, the reach of California’s law beyond<br />
its borders is evident. In 2005, more than 130<br />
companies publicly <strong>and</strong> voluntarily reported<br />
security breach incidents. Since ChoicePoint<br />
notified the public regarding its data security<br />
breach in February 2005, other companies<br />
have, of their own accord, provided notifications<br />
of data security breaches that affected<br />
more than 53 million consumers. On average,<br />
39% of all banks <strong>and</strong> other financial institutions<br />
annually report some type of security<br />
breach. Nearly 20% of those breaches were<br />
caused by external sources, 10% by internal,<br />
<strong>and</strong> another 13% from both. Analysts agree<br />
that data security breaches are on the rise, are<br />
By Leslie C. Bender, CIPP<br />
costly to businesses who regularly h<strong>and</strong>le consumers’<br />
information, <strong>and</strong> are of grave concern<br />
to consumers (i.e., voters).<br />
Many companies doing business nationally<br />
have chosen to use California’s law as their<br />
baseline for compliance while they patiently<br />
await passage of a law establishing a national<br />
st<strong>and</strong>ard. Congress is expected to pass a<br />
national data security breach law in 2006.<br />
Consumers expect to know when <strong>and</strong> how<br />
their sensitive non-public information may<br />
have been improperly used, accessed, or even<br />
misplaced. The cost of underst<strong>and</strong>ing <strong>and</strong><br />
complying with what analysts call a “smorgasbord<br />
of state laws poses a growing problem,<br />
because the [state laws] often specify different<br />
triggers for notifications <strong>and</strong> set varying<br />
requirements on what needs to be disclosed,<br />
to whom, <strong>and</strong> when.”<br />
Under national privacy laws, such as the<br />
Gramm Leach Bliley Financial Modernization<br />
Act of 1999 (GLBA) or the <strong>Health</strong> Insurance<br />
Portability <strong>and</strong> Accountability Act of 1996<br />
<strong>and</strong> the regulations promulgated under it<br />
(collectively known as HIPAA), companies<br />
may have an obligation to mitigate known<br />
harmful effects flowing from data security<br />
breaches – but, no express m<strong>and</strong>ate that they<br />
give notice of security breaches to consumers.<br />
Collection agencies <strong>and</strong> debt buyers are directly<br />
regulated under the GLBA <strong>and</strong>, if they<br />
h<strong>and</strong>le the resolution of medical receivables,<br />
they are indirectly regulated as “business<br />
associates” under HIPAA. Nonetheless, to<br />
Top 10 List<br />
<strong>Health</strong> <strong>Care</strong> <strong>Compliance</strong> <strong>Association</strong> • 888-580-8373 • www.hcca-info.org<br />
We have developed 10 steps for protecting the<br />
sensitive consumer data that is entrusted to<br />
your care.<br />
First, determine which of the states where<br />
you do business have enacted data security<br />
laws. Evaluate the applicable state laws <strong>and</strong><br />
develop an information grid that will help<br />
you quickly go through the requirements of<br />
each state’s laws. Know what circumstances<br />
will trigger your requirement to notify consumers<br />
of a breach. Determine in advance<br />
how you will decide when to notify your<br />
clients <strong>and</strong> solicit their input before notifying<br />
consumers. Underst<strong>and</strong> what alternatives are<br />
available for giving notice (e.g., study sample<br />
forms posted on the Internet or on the Federal<br />
Trade Commission’s website).<br />
Second, using the grid of applicable laws,<br />
conduct a risk assessment or, if appropriate,<br />
engage the services of a knowledgeable outside<br />
professional to conduct a risk assessment<br />
for you. Use the findings of the risk assessment<br />
to identify gaps or risks in your data<br />
security, <strong>and</strong> design a workable compliance<br />
program to fill the gaps.<br />
Third, underst<strong>and</strong> how sensitive consumer<br />
information comes to your collection agency,<br />
how it enters your information systems or<br />
other computerized records, how it is accessed,<br />
<strong>and</strong> under what circumstances it is<br />
disclosed--either to the consumer directly or<br />
to some other third parties.<br />
Continued on page 42<br />
November 2006<br />
41
Data Breach Notification Laws ...continued from page 41<br />
Fourth, adopt “least reasonable use principles.”<br />
In other words, play out scenarios<br />
<strong>and</strong> create general guidelines on how much information<br />
is generally appropriate to disclose<br />
<strong>and</strong> under what circumstances. Ask yourself,<br />
what is the least information that will meet<br />
reasonable <strong>and</strong> “authorized” requests for disclosure.<br />
Engage members of your workforce in<br />
brainstorming sessions. Educate members of<br />
your workforce about situations in which it is<br />
best to obtain a consumer’s written permission<br />
or authorization before making a questionable<br />
release or disclosure (e.g., to an aggressive<br />
mortgage refinancing company dem<strong>and</strong>ing<br />
sensitive financial information in time for an<br />
upcoming settlement). Don’t underestimate<br />
your employees’ desire to be helpful <strong>and</strong> that<br />
they may err by improperly disclosing sensitive<br />
information out of a misguided intent<br />
to be helpful. Provide one or more forms for<br />
documenting a consumer’s permission, <strong>and</strong><br />
offer tips or a sample script for explaining<br />
to consumers why their permission is being<br />
sought. Prepare a matrix or simple guidelines<br />
that members of your workforce can<br />
underst<strong>and</strong> <strong>and</strong> follow, thus allowing them<br />
to make good decisions on their own <strong>and</strong> to<br />
seek advice only when requests for release or<br />
disclosure do not match those guidelines.<br />
Fifth, underst<strong>and</strong> when data is no longer<br />
needed <strong>and</strong> develop a plan for encrypting it,<br />
returning it, or destroying it. Know what uses<br />
of historic data are reasonable <strong>and</strong> appropriate,<br />
<strong>and</strong> eliminate data from your systems<br />
that has outlived its usefulness. Encryption<br />
may seem an ideal solution for protecting<br />
data at rest, but it may prove to be an<br />
expensive <strong>and</strong> unwieldy solution when you<br />
balance protecting the confidentiality of the<br />
information against ensuring its availability<br />
for legitimate uses <strong>and</strong> disclosures. Avoid<br />
contracting to encrypt all data – or at least<br />
the data you currently need to use. Evaluate<br />
alternatives for securely exchanging electronic<br />
data with clients <strong>and</strong> others. Data at rest<br />
(or data transferred electronically without<br />
being zipped up, downloaded into password<br />
protected files, or encrypted) may prove to be<br />
your most vulnerable information, because it<br />
is no longer regularly monitored <strong>and</strong> remains<br />
ripe for harvesting or getting misplaced. Back<br />
up your critical information systems <strong>and</strong> ensure<br />
you can restore both data <strong>and</strong> software, if<br />
your hardware fails or becomes damaged.<br />
Sixth, prevent data security breaches by<br />
creating access controls that limit access to<br />
data to those with a business reason to use<br />
the information. Further, establish guidelines<br />
for who is permitted to release or disclose<br />
information, for permissions that must be<br />
obtained, <strong>and</strong> for protections to ensure<br />
that the proper information is released only<br />
under appropriate circumstances. Passwords,<br />
electronic monitoring of high risk accounts<br />
(e.g., accounts of celebrities, co-workers, family<br />
members), <strong>and</strong> sanctions are inexpensive<br />
tools to help detect risks of data breaches.<br />
Simple confidentiality pledge documents are<br />
meaningful reminders of the responsibility to<br />
properly use <strong>and</strong> disclose information; have<br />
them signed by each of your employees when<br />
they receive passwords that allow them access<br />
to your information systems.<br />
Seventh, establish an accessible hotline or<br />
other notice mechanism that makes your employees<br />
(or contractors or clients) your eyes<br />
<strong>and</strong> ears <strong>and</strong> gives them the ability to quickly<br />
report to you any known or suspected misuses<br />
of consumer data. Record, investigate, <strong>and</strong><br />
resolve all complaints related to known<br />
or suspected misuses of consumer data,<br />
<strong>and</strong> track <strong>and</strong> trend all incidents. Take all<br />
complaints seriously, avoid retaliating against<br />
whistleblowers, <strong>and</strong> reinforce workforce<br />
underst<strong>and</strong>ing with meaningful updates.<br />
Keep your workforce advised of the consequences<br />
of data security issues (e.g., arrests<br />
<strong>and</strong> prosecution of identity thieves, rewards<br />
for innovators who identify weaknesses in the<br />
links in your data security program <strong>and</strong> those<br />
who propose workable solutions). Update<br />
or revise information security compliance<br />
guidelines to continuously improve your data<br />
security program.<br />
Eighth, put a person or group of persons<br />
in charge of your data security who are<br />
knowledgeable about information security as<br />
well as your operations, <strong>and</strong> give them an appropriate<br />
level of authority to be responsible<br />
for administering your data security program.<br />
Provide them with regular access to continuing<br />
professional education programs so they<br />
remain current <strong>and</strong> advise you on new technologies,<br />
training, or awareness programs to<br />
keep your agency up to date on risks <strong>and</strong> how<br />
to manage them. Know who your clients’ “go<br />
to” people are for data security <strong>and</strong> link your<br />
own security official with theirs.<br />
Ninth, know <strong>and</strong> document what data<br />
security requirements your clients have.<br />
Ensure your own data security is appropriately<br />
matched to your clients’ expectations. Let<br />
your clients know that you have made a meaningful<br />
investment in assuming responsibility<br />
for safeguarding consumer data <strong>and</strong> that you<br />
strive to be trustworthy business partners.<br />
Tenth, be practical <strong>and</strong> keep it simple <strong>and</strong><br />
straightforward. A data security solution for<br />
one collection agency may not be sized to fit<br />
your agency. For example, the most robust<br />
data security policies <strong>and</strong> procedures may<br />
meet the letter of the law, but if they are<br />
written in technical language or legalese, they<br />
may be so cumbersome that your workforce is<br />
unable to gain a working knowledge of them.<br />
Simple, to-the-point policies <strong>and</strong> procedures<br />
that apply directly to situations members of<br />
your workforce may actually face are much<br />
more likely to be read <strong>and</strong> followed. n<br />
November 2006<br />
42<br />
<strong>Health</strong> <strong>Care</strong> <strong>Compliance</strong> <strong>Association</strong> • 888-580-8373 • www.hcca-info.org
Your HCCA Staff<br />
The <strong>Association</strong> for <strong>Health</strong> <strong>Care</strong> <strong>Compliance</strong> Professionals<br />
888-580-8373 | 952-988-0141 | fax 952-988-0146<br />
Sarah Anondson<br />
Graphic Artist<br />
sarah.anondson@hcca-info.org<br />
Jennifer Bauer<br />
Office Manager<br />
jennifer.bauer@hcca-info.org<br />
Lizza Catalano<br />
Conference Planner<br />
lizza.bisek@hcca-info.org<br />
Lisa Colbert<br />
Certification Coordinator<br />
lisa.colbert@hcca-info.org<br />
Gary DeVaan<br />
Graphic Services Manager<br />
gary.devaan@hcca-info.org<br />
Margaret Dragon<br />
Director of Communications<br />
margaret.dragon@hcca-info.org<br />
Darin Dvorak<br />
Director of Conferences<br />
darin.dvorak@hcca-info.org<br />
Wilma Eisenman<br />
Member Relations<br />
wilma.eisenman@hcca-info.org<br />
Nancy G. Gordon<br />
Managing Editor<br />
nancy.gordon@hcca-info.org<br />
Karrie Hakenson<br />
Project Specialist<br />
karrie.hakenson@hcca-info.org<br />
Patti Hoskin<br />
Database Associate<br />
patti.eide@hcca-info.org<br />
Jennifer Hultberg<br />
Conference Planner<br />
jennifer.hultberg@hcca-info.org<br />
April Kiel<br />
Database Administrator<br />
Member Relations<br />
april.kiel@hcca-info.org<br />
Caroline Lee Bivona<br />
Accountant<br />
caroline.leebivona@hcca-info.org<br />
Patricia Mees<br />
Communications Editor<br />
patricia.mees@hcca-info.org<br />
Beckie Smith<br />
Conference Planner<br />
beckie.smith@hcca-info.org<br />
Roy Snell<br />
Chief Executive Officer<br />
roy.snell@hcca-info.org<br />
Charlie Thiem<br />
Chief Financial Officer<br />
charlie.thiem@hcca-info.org<br />
Nancy Vang<br />
Administrative Assistant<br />
nancy.vang@hcca-info.org<br />
<strong>Health</strong> <strong>Care</strong> <strong>Compliance</strong> <strong>Association</strong> • 888-580-8373 • www.hcca-info.org<br />
November 2006<br />
43
WEBLINKS<br />
<strong>Health</strong> <strong>Care</strong> Fraud <strong>and</strong> Abuse Control<br />
(HCFAC) Program annual report for FY 2005. To get to the full<br />
document:<br />
http://oig.hhs.gov/publications/docs/hcfac/hcfacreport2005.pdf<br />
MFCU (Medicaid Fraud Control Units) Contact Directory<br />
http://oig.hhs.gov/publications/mfcu.html#1<br />
Work Plan for Fiscal Year 2007<br />
http://oig.hhs.gov/publications/docs/workplan/2007/Work Plan<br />
2007.pdf<br />
Recent OIG Advisory Opinions<br />
Use this link - http://oig.hhs.gov/w-new.html - for:<br />
Advisory Opinion 06-15 PDF (concerning an arrangement under<br />
which a managed care company will disburse pay-for-performance<br />
financial incentives on behalf of a State’s Medicaid program)<br />
Advisory Opinion 06-14 PDF (concerning a pharmaceutical manufacturer’s<br />
proposal to establish a patient assistance program to provide<br />
the company’s drugs to financially-needy Medicare Part D enrollees<br />
outside of the Part D benefit<br />
Advisory Opinion 06-13 PDF (concerning a nonprofit, tax-exempt,<br />
charitable organization’s proposal to provide financially needy persons<br />
who have [diseases redacted] with grants to defray the costs of premiums<br />
<strong>and</strong> cost-sharing obligations under Medicare Part B, Medicare<br />
Part D, Medicare Supplementary <strong>Health</strong> Insurance, <strong>and</strong> Medicare<br />
Advantage)<br />
Advisory Opinion 06-12 PDF (concerning a municipality’s exclusive<br />
contract arrangement for non-emergency inter-facility ambulance<br />
transport services)<br />
Advisory Opinion 06-11 PDF (concerning a municipality’s exclusive<br />
contract arrangement for non-emergency inter-facility ambulance<br />
transport services)<br />
Publisher:<br />
<strong>Health</strong> <strong>Care</strong> <strong>Compliance</strong> <strong>Association</strong>, 888-580-8373<br />
Executive Editor:<br />
Roy Snell, CEO, HCCA, roy.snell@hcca-info.org<br />
Contributing Editor:<br />
Dan Roach, President, HCCA, 888-580-8373<br />
Manager, Articles <strong>and</strong> Advertisments:<br />
Margaret R. Dragon, HCCA, 781-593-4924, margaret.dragon@hcca-info.org<br />
Copy Editor/Proofreader:<br />
Patricia Mees, HCCA, 888-580-8373, patricia.mees@hcca-info.org<br />
Style Editor:<br />
Sarah Anondson, HCCA, 888-580-8373, sarah.anondson@hcca-info.org<br />
Layout:<br />
Gary Devaan, HCCA, 888-580-8373, gary.devaan@hcca-info.org<br />
HCCA Officers:<br />
Daniel Roach, Esq.<br />
HCCA President<br />
VP & Corporate <strong>Compliance</strong> Officer<br />
Catholic <strong>Health</strong>care West<br />
Steven Ortquist, CHC<br />
HCCA 1st Vice President<br />
Senior Vice President, Ethics <strong>and</strong><br />
<strong>Compliance</strong>/Chief <strong>Compliance</strong> Officer<br />
Tenet <strong>Health</strong>care Corporation<br />
Rory Jaffe, MD, MBA, CHC<br />
HCCA 2nd Vice President<br />
Executive Director–Medical Services<br />
University of California<br />
Julene Brown, RN, BSN, CHC, CPC<br />
HCCA Treasurer<br />
Merit<strong>Care</strong> <strong>Health</strong> System<br />
Jennifer O’Brien<br />
HCCA Secretary<br />
VP Corporate <strong>Compliance</strong><br />
Allina Hospitals & Clinics<br />
Odell Guyton<br />
HCCA Immediate Past President<br />
Senior Corporate Attorney,<br />
Director of <strong>Compliance</strong>,<br />
U.S. Legal–Finance & Operations<br />
Microsoft Corporation<br />
Frank Sheeder<br />
Non-Officer Board Member of<br />
Executive Committee<br />
Partner<br />
Jones Day<br />
CEO/Executive Director:<br />
Roy Snell, CHC<br />
<strong>Health</strong> <strong>Care</strong> <strong>Compliance</strong> <strong>Association</strong><br />
Counsel:<br />
Keith Hallel<strong>and</strong>, Esq.<br />
Hallel<strong>and</strong> Lewis Nilan Sipkins & Johnson<br />
Board of Directors:<br />
Urton Anderson<br />
Associate Dean for Undergraduate Programs<br />
at McCombs School of Business<br />
University of Texas<br />
Cynthia Boyd, MD, FACP, MBA<br />
Chief <strong>Compliance</strong> Officer<br />
Rush University Medical Center<br />
Anne Doyle<br />
Director of Public Policy, Government Affairs<br />
<strong>and</strong> <strong>Compliance</strong><br />
Tufts <strong>Health</strong> Plan<br />
Gabriel Imperato<br />
Managing Partner<br />
Broad <strong>and</strong> Cassel<br />
Al W. Josephs, CHC<br />
Senior Director Policies <strong>and</strong> Training<br />
Tenet <strong>Health</strong>care Corporation<br />
Joseph Murphy<br />
Partner, <strong>Compliance</strong> Systems Legal Group<br />
Chairman, Integrity Interactive Corp<br />
F. Lisa Murtha, Esq., CHC<br />
Managing Director<br />
Huron Consulting Group<br />
Mark Ruppert, CPA, CIA, CISA, CHFP<br />
Director, <strong>Internal</strong> <strong>Audit</strong><br />
Cedars-Sinai <strong>Health</strong> System<br />
Debbie Troklus, CHC<br />
Assistant Vice President for <strong>Health</strong> Affairs/<br />
<strong>Compliance</strong><br />
University of Louisville, School of Medicine<br />
Sheryl Vacca, CHC<br />
Director, National <strong>Health</strong> <strong>Care</strong><br />
Regulatory Practice, Deloitte & Touche<br />
Cheryl Wagonhurst<br />
Partner, Foley & Lardner LLP<br />
Greg Warner, CHC<br />
Director for <strong>Compliance</strong><br />
Mayo Clinic<br />
Advisory Opinion 06-10 PDF (concerning a nonprofit, tax-exempt,<br />
<strong>Compliance</strong> Today (CT) (ISSN 1523-8466) is published by the <strong>Health</strong> <strong>Care</strong> <strong>Compliance</strong><br />
<strong>Association</strong> (HCCA), 6500 Barrie Road, Suite 250, Minneapolis, MN 55435. Subscription rate is $357 a<br />
charitable organization’s practice of providing certain therapy management<br />
services <strong>and</strong> assistance with Medicare cost-sharing obligations to<br />
year for nonmembers. Periodicals postage-paid at Minneapolis, MN 55435. Postmaster: Send address changes<br />
to <strong>Compliance</strong> Today, 6500 Barrie Road, Suite 250, Minneapolis, MN 55435. Copyright 2006<br />
the <strong>Health</strong> <strong>Care</strong> <strong>Compliance</strong> <strong>Association</strong>. All rights reserved. Printed in the USA. Except where specifically<br />
encouraged, no part of this publication may be reproduced, in any form or by any means without prior written<br />
financially needy Medicare beneficiaries undergoing medical treatment<br />
consent of the HCCA. For subscription information <strong>and</strong> advertising rates, call Margaret Dragon at 781-593-<br />
for certain diseases)<br />
4924. Send press releases to M. Dragon, PO Box 197, Nahant, MA 01908. Opinions expressed are not those of<br />
this publication or the HCCA. Mention of products <strong>and</strong> services does not constitute endorsement. Neither the<br />
HCCA nor CT is engaged in rendering legal or other professional services. If such assistance is needed, readers<br />
should consult professional counsel or other professional advisors for specific legal or ethical questions.<br />
November 2006<br />
44 <strong>Health</strong> <strong>Care</strong> <strong>Compliance</strong> <strong>Association</strong> • 888-580-8373 • www.hcca-info.org
The <strong>Health</strong> <strong>Care</strong> <strong>Compliance</strong> <strong>Association</strong><br />
welcomes the following new members <strong>and</strong><br />
organizations. Please update any contact<br />
information using the Member Center on<br />
the Web site, or e-mail Karrie Hakenson<br />
(karrie.hakenson@hcca-info.org) with<br />
changes or corrections.<br />
Missouri<br />
■ Kathy M. Boschert, BJC <strong>Health</strong><strong>Care</strong><br />
■ Mitchell Dobson, Hanger P & O<br />
■ Lawrence Fogel, BKD, LLP<br />
■ Lorinda S. Johnson, St John's <strong>Health</strong> Sys.<br />
■ Debbie LaVelle, Mallinckrodt Inc.<br />
■ Staci McGivern, Hanger P & O<br />
■ Kathleen Merlo, Saint Louis University<br />
■ Penny Nunley, Hannibal Regional Hosp.<br />
■ Milissa A. Smith, St. Johns <strong>Health</strong> System<br />
■ Donna Walter, Northwest Medical Center<br />
■ Joseph Watt, CPA, BKD, LLP<br />
■ Teresa R. Wetzel, Express Scripts<br />
■ Pam R. Winslow, Des Peres Hospital<br />
■ Barbara Zubeck, Truman Medical Centers<br />
Mississippi<br />
■ Cathy Bridge, King's Daughters Medical<br />
Center<br />
■ Andy Caldwell, George County Hospital<br />
■ Stell<strong>and</strong>a M. Davis, Dr. Arenia C. Mallory<br />
Community <strong>Health</strong> Center<br />
■ Kim Monson, Singing River Hospital Sys.<br />
Montana<br />
■ Cheryl Dorsman, RN, St. Patrick Hospital<br />
■ Marilyn Sparks, Central Montana Medical<br />
Center<br />
Nebraska<br />
■ Kris Maples, Mosaic<br />
■ Jennifer L. Martinez, RHIA, CCS, CPC,<br />
UNMC Physicians<br />
■ Angela R. Peters, Alegent <strong>Health</strong><br />
■ Reta L. Studnicka, Alegent <strong>Health</strong><br />
■ Dorothy A. Zimmerman, RN, MSHCA,<br />
Beatrice Com. Hosp. & Hlth. Ctr.<br />
Nevada<br />
■ Tamara Bradshaw, Saint Mary's<br />
■ Lane D. Edenburn, <strong>Health</strong>DataInsights,<br />
Inc.<br />
■ Leean Hern<strong>and</strong>ez, West Valley Imaging<br />
■ Roberta Houchen, MHA, NV Cancer<br />
Institute<br />
■ Melinda C. Lyons, Washoe Medical Ctr.<br />
New Hampshire<br />
■ Sean O'Neil, Core Physician Services<br />
■ Kenneth Spence, CFE, <strong>Association</strong> of<br />
Hlthcare <strong>Internal</strong> <strong>Audit</strong>ors<br />
■ Katherine St. Jean, RN,BS, CMAS, Elliot<br />
Hospital<br />
■ Melinda H. Tobin, Long Term <strong>Care</strong><br />
Partners, LLC<br />
New Jersey<br />
■ Mary Beth Barone, McKesson Provider<br />
Technologies<br />
■ Nancy Bisco, RN, MPA, Catholic <strong>Health</strong><br />
& Human Svcs<br />
■ Emalie Burks, Johnson & Johnson<br />
■ Jeffrey P. Davis, JD, LLM, Columbia Univ<br />
Medical Ctr.<br />
■ Cecelia Demarest, Univ Physician<br />
Associates<br />
■ Maureen K. Dempsey, Medco Hlth Solutions,<br />
Inc.<br />
■ Jigar H. Desai, Quality & <strong>Compliance</strong><br />
Specialist, LLC<br />
■ David Haier, Univ Physician Associates<br />
■ Michael Hopson, Univ Physician Associates<br />
■ Forrest Kinzli, Hackettstown Regional<br />
Med Ctr.<br />
■ Susan S. Kuper, Atlantic <strong>Health</strong> System<br />
■ Cheryl London, RHIT, CCS, Palisades<br />
Medical Ctr.<br />
■ Stephanie Macholtz<br />
■ Marc Mayer, Englewood Hosp & Medical<br />
Ctr.<br />
■ Darryl S. Neier, CFE, MS-ECM, Sobel &<br />
Co, LLC<br />
■ Ronald Pearce, DP Software<br />
<strong>Health</strong> <strong>Care</strong> <strong>Compliance</strong> <strong>Association</strong> • 888-580-8373 • www.hcca-info.org<br />
■ Kerry G. Rothschild, Celgene Corporation<br />
■ Rowena Spigarelli, Saint Barnabas <strong>Health</strong><br />
<strong>Care</strong> System<br />
New Mexico<br />
■ Mary Harding, Gerald Champion Regional<br />
Medical Center<br />
■ S<strong>and</strong>ra O. Saunders, Presbyterian <strong>Health</strong>care<br />
Services<br />
New York<br />
■ Gerald F. Anello, Elderplan Inc<br />
■ Robert Belfort, Manatt, Phelps & Phillips,<br />
LLP<br />
■ Denise Berdebes, Mt Sinai Medical Center<br />
■ Kristy Biswas, Allied Urological Services,<br />
LLC<br />
■ Donna Freedman Borgstrom<br />
■ Audrey Brahamsha, Royal <strong>Health</strong> <strong>Care</strong><br />
■ Deborah Brown, Greater NY Hosp.<br />
<strong>Association</strong><br />
■ John N. Camperlengo, Gentiva<br />
<strong>Health</strong> <strong>Care</strong><br />
■ Bernadette Catanzaro, Esq., RPA, St<br />
Francis Hospital<br />
■ Barbara Fogarty, Putnam Hospital Center<br />
■ Derek George, CNR <strong>Health</strong><br />
<strong>Care</strong> Network<br />
■ Adam Gordon, Developmental Disabilities<br />
Institute<br />
■ Christine Helzner, <strong>Health</strong>first, Inc.<br />
■ Matthew Johnston, Fulton County Chapter<br />
NYSARC, Inc. D/b/a Lexington Center<br />
■ Laraine Kelly<br />
■ Robert Kertulis, Crouse Hospital<br />
■ Grace R. Langan, RN, Lutheran Medical<br />
Center<br />
■ Theresa Lillis, St Vincents Catholic<br />
Medical Center<br />
■ Robert J. Locke, Thompson <strong>Health</strong><br />
■ Joseph M. Lurin, MBA, Group <strong>Health</strong><br />
Incorporated<br />
■ David B. M<strong>and</strong>el, Allied Urological Svcs,<br />
LLC<br />
■ John A. Mangona, Saratoga Hospital<br />
November 2006<br />
45
■ Michael J. Manza, LCSW, Vassar Brothers<br />
Medical Center<br />
■ Caridad Martinez, Aptium Oncology<br />
■ Kerry McDonald, Liberty <strong>Health</strong> Advantage<br />
■ Leah L. Neely, Claxton Hepburn<br />
Medical Ctr.<br />
■ Margo Nemet, Gentiva <strong>Health</strong> Services<br />
■ Mary Nicholson, Visitng Nurse Service<br />
■ Jacci O'Brien, Elderplan, Inc.<br />
■ Mitchelle Pierre, Reed Smith, LLP<br />
■ Lorilyn Marie C. Rosales-Menzel, Esq,<br />
Liberty <strong>Health</strong> Advantage, Inc.<br />
■ Arlene Santiago, RN, MS, SPHR,<br />
North Shore - LIJ <strong>Health</strong> System<br />
■ Ellen Silverstein, Northern Dutchess<br />
Hospital<br />
■ Linda Smith, North Bronx <strong>Health</strong>care<br />
Network<br />
■ Sherryann Sookraj, BS, Aptium<br />
Oncology, Inc.<br />
■ Florence E. Stassi, Syracuse Hematology/<br />
Oncology<br />
■ Sarah D. Strum, Catholic <strong>Health</strong> <strong>Care</strong><br />
System<br />
■ Joanne M. Todd, Claxton-Hepburn Med<br />
Center<br />
■ Jon Wilkenfeld, Potomac River Partners<br />
■ Karl Williams, Mckesson<br />
■ Keith Wolf, St. Barnabas Hospital<br />
■ Taryn M. Zingaro, CPA, Elderplan, Inc.<br />
■ Pamela Zoumadakis, HCCS<br />
North Carolina<br />
■ Irving A. Bassett, Strategic Management<br />
Systems, Inc.<br />
■ Robert Casey, The Assurance Group, Inc.<br />
■ Lillian F. Chinault, NP, MHA, Duke Univ.<br />
<strong>Health</strong> System<br />
■ Jennifer C. Davis, Mission Hospitals<br />
■ Denice Denzin<br />
■ Myra Fields, Mission Hospitals Laboratory<br />
■ Mary Ellen Haynes, Sterling <strong>Health</strong>care<br />
■ Francine L. Hill, MBA, Mission Hospitals<br />
■ Joan A. Kavuru, East Carolina Univ. Brody<br />
School of Med.<br />
■ Tracy Killette, BA, Duke <strong>Health</strong> Raleigh<br />
Hospital<br />
■ Yates Lackey, North Carolina Baptist<br />
Hospital<br />
■ Gary D. Lankton, VA Medical Center<br />
■ Jean P. Lee, 3HC<br />
■ Kay Murray, BSN, RN, Mission Hospitals<br />
■ Kelly W. Patterson, RHIA, CPC,<br />
Novant <strong>Health</strong><br />
■ Mark Payne, Blue Cross <strong>and</strong> Blue Shield of<br />
North Carolina<br />
■ Christopher Royal, GlaxoSmithKline<br />
■ Sherry R. Rumbough, MT, MPA,<br />
Carolinas Pathology Group, PA<br />
■ Thomas Whalen, Franklin Regional<br />
Medical Center<br />
North Dakota<br />
■ W<strong>and</strong>a E. Hodnefield, Fargo VAMC<br />
Ohio<br />
■ Alonzo Blackwell, UHHS Bedford<br />
Medical Ctr.<br />
■ Dawn Blaylock, EMH Regional<br />
<strong>Health</strong>care System<br />
■ Paul J. Blubaugh, Mid-Ohio Heart Clinic<br />
Inc.<br />
■ Brooke Brady, Northeastern Ohio Universities<br />
College of Medicine (NEOUCOM)<br />
■ Megan R. Brickner, MSA, Kettering<br />
Adventist <strong>Health</strong>care<br />
■ Barbara Cluster, McCullough-Hyde Memorial<br />
Hospital<br />
■ Frances Coleman, Anthem BCBS<br />
■ Martin J. Fallon, Esq, Emergency<br />
Medicine Physicians<br />
■ Karen Flanagan, University Urologists of<br />
Clevel<strong>and</strong>, Inc.<br />
■ Michael Frank, EMP Management<br />
Group, LTD.<br />
■ Beth Hickman, Mercy <strong>Health</strong> Partners<br />
■ Suzanne Inglis, RN, BA, Midohio Cardiology<br />
<strong>and</strong> Vascular Consultants<br />
■ Melody Knapp, RN, BSN, MBA, Southern<br />
OH Medical Ctr.<br />
■ Meredith A. Krisher, The Ohio State<br />
University<br />
■ Sharalyn Milliken<br />
■ Lori Oberholzer, OSU Physicians, Inc.<br />
■ Maureen Pallas, Kaiser Permanente<br />
■ Am<strong>and</strong>a J. Peterson, Envision<br />
Pharmaceutical Svcs.<br />
■ Carolyn Petty, Medical Mutual Of Ohio<br />
■ Arlene Piersall, CCP, Kettering Med.<br />
Center Network<br />
■ Edward Ries, Anthem BCBS<br />
■ Richard Schuster, PhD, JD, Mercy <strong>Health</strong><br />
Partners<br />
■ Linda C. Shelton, Catholic <strong>Health</strong>care<br />
Partners<br />
■ Carl Shiltz, CMPM, Inc.<br />
■ Todd Shuttleworth, Adena <strong>Health</strong> System<br />
■ June Simmons, AtriCure, Inc.<br />
■ Donald A. Sinko, Clevel<strong>and</strong> Clinic <strong>Health</strong><br />
System<br />
■ Michael Stagar, MBA,CPA, CGS<br />
■ Cheryl Wahl, JD, Univ Hospitals Hlty.<br />
System<br />
■ Leigh A. Wolfrey, Summa <strong>Health</strong> System<br />
■ Steven Worster, Cardinal <strong>Health</strong><br />
Oklahoma<br />
■ Sue Brown, Jane Phillips Medical Ctr.<br />
■ Gayle Burden, Jane Phillips Medical<br />
Center<br />
■ Blanca Butcher, OU Medical Center<br />
■ LaDonn J. Harbour, Perry Memorial<br />
Hospital<br />
■ Vi Le, Global<strong>Health</strong> Inc.<br />
■ Lee McCarty, Janes Phillips Medical Ctr.<br />
■ Elizabeth Tejada, Saint Francis Heart<br />
Hospital<br />
■ Scott A. Washam, OU Medical Center<br />
November 2006<br />
46<br />
<strong>Health</strong> <strong>Care</strong> <strong>Compliance</strong> <strong>Association</strong> • 888-580-8373 • www.hcca-info.org
FloraSure Financial<br />
Liability<br />
of<br />
Research<br />
Analysis<br />
To get the right answers,<br />
you must ask the right questions.<br />
FloraSure is a web-based tool designed to walk you through the key rules<br />
<strong>and</strong> regulations related to reimbursement <strong>and</strong> clinical trials. This program<br />
provides a systematic approach to conducting a financial liability analysis<br />
<strong>and</strong> assigning responsibility for coverage of items <strong>and</strong> services in a<br />
clinical trial – preferably before entering into an agreement with the<br />
sponsor <strong>and</strong> more importantly, prior to submitting claims to third party<br />
payors. Throughout the program, links to rules, regulations, <strong>and</strong> other<br />
helpful information are provided that are pertinent to the question at h<strong>and</strong>.<br />
Another key feature of FloraSure is the parallel function for creating a billing<br />
template while conducting the financial liability analysis. This billing<br />
template serves many important functions, such as providing valuable<br />
information during contract negotiations <strong>and</strong> serving as a guide for the<br />
Billing Office as claims are prepared for submission.<br />
Le t u s h elp you<br />
take t he steps<br />
to <strong>Compliance</strong><br />
Info@florasure.com Kahu <strong>Health</strong> LLC 625 N. Michigan Ave. Suite 2575 Chicago, IL 60611 (312) 893-7024<br />
www.florasure.com<br />
<strong>Health</strong> <strong>Care</strong> <strong>Compliance</strong> <strong>Association</strong> • 888-580-8373 • www.hcca-info.org<br />
November 2006<br />
47
HCCA’s <strong>Compliance</strong> Institute<br />
NEW HOTEL AND DATES<br />
Register Online Today <strong>and</strong> Save! HCCA will hold its<br />
11th Annual <strong>Compliance</strong> Institute in Chicago, IL, at the<br />
Sheraton Chicago Hotel <strong>and</strong> Towers, April 22–25, 2007.<br />
Go to www.compliance-institute.org to register.