Internal Audit and Compliance - Health Care Compliance Association

Volume Eight
Number Eleven
November 2006
Published Monthly
Earn CEU
credit
See insert
Meet
Marti Arvin
Privacy Officer,
University of Louisville
page 15
Save the Date!
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
Employee
education
about
False Claims
Recovery
page 4
Also:
Practical advice on data
breach notification laws
page 41
November 2006

The Health Care
Compliance Association
has moved to its new
headquarters, located
at:
6500 Barrie Road,
Suite 250
Minneapolis, MN 55435
Our address has changed,
but our telephone
and fax numbers remain
the same:
Toll-free phone:
888/580-8373
Local phone:
952/988-0141
Fax:
952/988-0146
And you can always
reach us via e-mail at
info@hcca-info.org
or on our Web site at
www.hcca-info.org
Health Care
Auditing &
Monitoring
Tools
Buy Now and
Receive One Year of Updates
Free!
The Health Care Auditing & Monitoring
Tools manual is a compilation of excellent
resources donated by HCCA members to
help others with their compliance programs.
This valuable resource assists health care
compliance professionals who want to save
time and money by offering examples of
what their colleagues are doing to address
similar auditing and monitoring issues.
Just as auditing and monitoring are
ongoing activities, this manual is an
evolving resource that will be updated
twice a year to reflect new regulations
and additional compliance concerns.
Subscribers to updates will receive more
auditing and monitoring tools, policies,
and advice.
The original purchase of Health Care Auditing &
Monitoring Tools is $395, which includes the first
two updates free. Afterwards, HCCA members can
subscribe to annual updates for $195.
6500 Barrie Road, Suite 250
Minneapolis, MN 55435
Phone 888-580-8373
FAX 952-988-0146
November 2006
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

ASK
John asks the leadership
your questions
Editors note: John Falcetano is Chief
Audit/Compliance Officer for University
Health Systems of Eastern Carolina
and a long-time member of HCCA.
This column has been created to give
members the opportunity to submit their questions by e-mail to
Jfalcetano@cox.net and have John contact members of HCCA
leadership for their response.
L E A D E R S H I P
John Falcetano
Q: What part does Internal Audit play in a compliance program?
The answer below was provided by M. Ruppert and A. Rolein.
Much like HCCA and the health care compliance profession
in 1996, the Institute of Internal Auditors (IIA) was established
in 1941, marking the formal birth of the internal
audit profession. The primary role of an internal auditor is to provide
independent, objective assessments of governance, risk, and control.
Internal control systems overlay the typical operational systems of an
organization to ensure management objectives are being met. Internal
audit has, since its inception, audited compliance to help boards and
management ensure achievement of key regulatory requirements.
In this regard, internal auditors have traditionally assessed the spirit of
the seven elements of the federal Sentencing Guidelines, though they
have referred to the elements somewhat differently (e.g., tone at the
top, current standard operating procedures, fraud hotlines, etc.) The
advent of corporate compliance in health care has not changed the role
of the internal auditor; it has changed government focus on enforcement
and, thereby, health care focus on regulatory compliance. The focus
on compliance has resulted in the assimilation of the seven elements
into corporate compliance programs under the oversight of compliance
professionals, although compliance remains a management responsibility,
much like internal controls remain a management responsibility.
Given limited resources, it is imperative that the Internal Audit and
Compliance departments create collaborative partnerships to best serve
organizational boards with these limited resources.
In past issues of Compliance Today, the AHIA/HCCA Auditing
& Monitoring Focus Group issued various articles on auditing and
Continued on page
Health Care Compliance Association
2006 Conferences:
San Diego, CA
■ Compliance Academy
December 4-7
Orlando, FL
■ Compliance Academy
November 6-9
T H E
Louisville, KY
■ Tri-State Area Compliance Conference
November 3
Nashville, TN
■ South Central Area Meeting
November 10
2007 Conferences:
Scottsdale, AZ
■ Compliance Academy
June 4-7
San Francisco, CA
■ Compliance Academy
February 5-8
■ Advanced Academy
June 25-28
Orlando, FL
■ Compliance Academy
November 5-8
Chicago, IL
■ Compliance Institute
April 22-25
Dallas, TX
■ Compliance Academy
March 19-22
■ National Corporate
Compliance Week
May 20-26
ON
C A L E N D A R
INSIDE
3 Ask leadership
4 Employee education
& FCA
10 Government enforcement
of quality
15 Meet Marti Arvin
18 CEO letter
22 Go local
24 Internal investigations
30 Getting the most from
your CIA
34 Compliance 101
41 Practical advice on data
breach laws
44 Weblinks
45 New members
888-580-8373 • www.hcca-info.org
November 2006

Darrell W. Contreras is the Chief Compliance
Officer at Maricopa Integrated Health
System in Phoenix. He may be reached by
phone at 602/344-5915 or by e-mail at
darrell.contreras@hcs.maricopa.gov
The Deficit Reduction Act of 2005
(DRA) included section 6032
entitled, “Employee Education
About False Claims Recovery” (hereinafter
referred to as “Section 6032”). 1 With this
section, health care organizations that receive
annual Medicaid payments of at least $5
million are statutorily required to implement
elements of a compliance program to continue
participation in the Medicaid program.
As such, this legislation has been viewed as
the first statutory requirement for a compliance
program. The good news is, most health
care organizations already have an existing
compliance program. The bad news is that
this section uses the words “detailed information,”
“detailed provisions,” and a “specific
discussion” to define how to comply with the
requirements of the law. This requirement
raises just one simple question—”How much
‘detail’ is enough?”
Unlike the good ol’ days when we, as
compliance officers, were toiling to implement
the Health Insurance Portability
and Accountability Act (HIPAA) Privacy
Regulations, where every requirement was
By Darrell W. Contreras, JD
spelled out, Section 6032 leaves to the
imagination of the compliance community
the definitions of “detailed” and “specific.”
But, as compliance officers, we have been
here before. In drafting a Code or Standards
of Conduct document for a health
care organization, there has always been the
question of what to include and whether
the included material was good enough to
be both simple for all levels of employees to
understand, yet detailed enough to provide
adequate guidance. In the end, the best
answer for the “Standards of Conduct” was
to use available statutes and publications
as a guide, and create the best document
possible. The same principle applies to
compliance with Section 6032. Without
specific guidance to define “detailed provisions”
and “specific discussion,” compliance
officers must use the available resources to
make best efforts to comply with Section
6032. At Maricopa Integrated Health
System (MIHS), we used a step-by-step
breakdown to review the previously undefined
requirements of Section 6032.
The Deficit Reduction Act – What is
required?
The first step to compliance is to review the
requirements of the Section 6032. The turmoil
caused by three small paragraphs of the DRA
can be broken down into a few key elements.
Under the Act, a health care entity must:
1. Establish written policies applicable to all
employees and contractors that provide
“detailed information” about:
a. The federal False Claims Act
b. Administrative remedies under the
Act
c. Any state laws pertaining to civil or
criminal penalties for false claims
and statements, and
d. Include whistleblower protections under
such laws, with a specific focus on preventing
and detecting fraud, waste, and abuse;
2. Include in the written policies “detailed
provisions regarding the entity’s policies
and procedures for detecting and preventing
fraud, waste, and abuse;”
3. Include in the employee handbook a “specific
discussion” of the federal and state
False Claims Act laws, the whistleblower
protections afforded to employees who
make reports of potential false claims, “and
the entity’s policies and procedures for
detecting and preventing fraud, waste, and
abuse,” and
4. Implement all of this by January 1, 2007.
The False Claims Act policy
Based on the elements set forth above, a
health care entity must create a False Claims
Act policy, based on the federal False Claims
Act. 2 This Act includes definitions to be
included in the policy, the elements for the
prima facie case, and the penalties associated
with violations of the federal False Claims
Act. It is worth noting that the federal False
Claims Act applies beyond health care. As
such, some of the provisions may not apply
to health care entities. As long as the entity
includes the elements that explain the federal
False Claims Act as it applies to the entity, the
requirement is satisfied.
When the federal False Claims Act provisions
are delineated in the policy, the next
Continued on page
November 2006
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

You’re a compliance professional, which means
you can’t rest at simply knowing one or two
key areas when it comes to compliance matters.
With the CCH Health Care Compliance Portfolio
Deluxe you get the need-to-know information
that affects every aspect of health care compliance.
It comes as four resources (Health Care
Compliance Professional’s Manual, Journal of
Health Care Compliance, Health Care Compliance
Reporter, and the Health Care Compliance Letter)
that are designed to work seamlessly together.
Visit health.cch.com or call 888-224-7377.
When your company’s
compliance steps rest
on your decisions,
look to Wolters Kluwer.
Presenting the CCH Health Care
Compliance Portfolio Deluxe.
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
November 2006
© 2006 Wolters Kluwer Law & Business. All rights reserved.

Employee education about False Claims Recovery ...continued from page
step is to include any state false claims laws.
The Centers for Medicare and Medicaid Services
(CMS) has created a Web page where
the public can check Medicaid Fraud Statutes
for each state. 3 By selecting the state in
which the entity operates, the search engine
pulls all the state laws related to Medicaid
fraud. If the state has a false-claims law, it
will fall under the heading of “Civil False
Claims.” This citation can then be linked to
review the specific state law(s) to evaluate
their applicability to the False Claims Act
policy. Regardless of whether the state currently
has a false claims law in effect, keep
checking the legislative activity, because the
DRA included incentives for states to create
false-claims laws that mirror the federal
False Claims Act. As a practical matter, this
provision of the DRA will likely bring many
state false-claims laws in line with the federal
False Claims Act.
The last element of the False Claims Act
policy is the whistle blower protection.
Federal whistle blower protection is specifically
addressed under the title of “Civil
actions for false claims.” 4 For purposes of the
False Claims Act policy, compliance requires
incorporating the key provisions into the
policy. To determine if a specific state has
enacted whistle-blower protection laws, the
CMS Medicaid Fraud Statutes Web page
(reference #3) provides a useful tool. If the
state has whistle blower protection laws, then
the policy should include the key provisions
of the law(s).
In drafting the MIHS False Claims Act
policy, we personalized the policy instead of
purely copying text from the statutes. In so
doing, the MIHS False Claims Act policy
reflects that MIHS will comply with or will
not engage in specific behavior. We also
included definitions and simplified the language
where possible, recognizing that this is
a policy for employees to read and not a statute.
Additionally, we structured the policy to
follow the elements required by the Section
6032. As such, the policy includes major sections
entitled:
n The Federal False Claims Act
n The State False Claims Acts
n Federal and State Penalties (Administrative,
Civil, and Criminal), and
n Federal and State Whistleblower Protection
Laws
As part of the whistle-blower protection section,
we included a discussion and reference
to the MIHS Non-Retaliation Policy to help
reinforce that, as an entity, we do not tolerate
retaliation for issues or concerns that are
raised in good faith.
Policies and procedures for detecting and
preventing fraud, waste, and abuse
Section 6032 states that as part of the False
Claims Act policy, there must be “detailed
provisions regarding the entity’s policies and
procedures for detecting and preventing
fraud, waste, and abuse.” As such, Section
6032 recognizes that there may be existing
policies and procedures in place. For many
organizations, these policies and procedures
may be part of the existing compliance
program in the Standards of Conduct
or in separate policies, such as a compliance
reporting or fraud detection policy.
Therefore, there is no need to re-draft these
policies and procedures or copy them into
the False Claims Act policy. Instead, Section
6032 requires discussion of those policies
and reference to the entity’s existing policies.
In the MIHS False Claims Act Policy, we
used the section entitled, “MIHS Programs
to Prevent and Detect Fraud” to refer to
the existing MIHS Compliance Reporting
Policy and to reaffirm the obligation of all
MIHS personnel to report suspected fraud
and abuse through the existing reporting
structure, the compliance office, or the
compliance hotline.
False Claims Acts and whistle-blower protection
in employee handbooks
Section 6032 requires that a discussion of the
federal and state False Claims Acts, as well
as the whistle-blower protection laws related
to those Acts, be included in “any employee
handbook.” For organizations that already
have a compliance program, this should
include the Standards of Conduct along with
any other employee manual. Specifically, the
Standards of Conduct should include information
about the organization’s non-retaliation
policy, which represents the organization’s
commitment to whistle blower protection.
Additionally, the Standards of Conduct should
include information about how to report
issues or concerns, specifically, the detection
and prevention of fraud, waste, and abuse.
This is one of the seven foundational elements
of the Department of Health and Human
Services Office of Inspector General (OIG)
Compliance Program Guidance. 5 Lastly, the
Standards of Conduct should include bullet
points referring to the organization’s commitment
to complying with federal and state
laws and regulations, and its commitment to
submit only those claims for which there is
accurate documentation. Many of these bullet
points can be extracted from the language in
one of the many Corporate Integrity Agreements
authored by the OIG.
At MIHS, we were in the process of revising
and republishing our Standards of Conduct.
Although we included the Standards of
Conduct language that has become standard
fare in Corporate Integrity Agreements
regarding billing and compliance with federal
and state laws and regulations, we modified
the bullet point to specifically address the
requirements of Section 6032, with reference
to the MIHS False Claims Act Policy. The
November 2006
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

language we included is:
We do not tolerate making or submitting
false or misleading claims or statements
to any government agency, health care
program or payer source (See MIHS False
Claims Act Policy)
The general discussion of the False Claims
Act incorporates by reference the detailed discussion
of the federal and state False Claims
Acts, administrative remedies, and whistle
blower protections as required by Section
6032.
We also included a copy of the MIHS False
Claims Act Policy in the New Employee
handbook. In addition to providing the handbook
and policy to all new employees, we
included a brief overview of the policy as part
of the new employee orientation to ensure
that new employees are aware of the policy
and know how to locate it. Attendance at
and completion of new employee orientation
is documented, allowing us to demonstrate
compliance at a later date. New employees
are easy to educate, because they are a captive
audience. The challenge is distributing
the new policy to existing employees and
documenting their receipt of the policy. The
answer for us was to distribute the policy to
all employees as part of an organization-wide
training program.
Training employees on the False Claims Act
Does Section 6032 require that employees be
trained? Technically, no. Although Section
6032 does not state that health care entities
must provide training to all personnel on the
False Claims Act, the title of Section 6032 is,
“Employee Education About False Claims Recovery.”
Therefore, it could be argued that the
requirement to train employees on Section
6032 is implicit. In addition, the publication
of any new policy creates an obligation for
the health care entity to introduce the new
policy to affected personnel. If compliance
means following the rules, then as compliance
officers, we are obligated to inform personnel
of the rules they are expected to follow. The
same principle applies to the False Claims
Act policy. Moreover, it would be difficult to
argue compliance with Section 6032 without
training, because existing employees would
have no means by which to know or read the
new False Claims Act policy. As such, a good
faith effort for compliance with Section 6032
should include employee training on the False
Claims Act policy.
In earlier years, teaching employees how to
be whistleblowers was not viewed favorably
by many organizations. However, with the
inclusion of the effectiveness provisions of
the OIG’s Compliance Program Guidance, 6
effective compliance programs should be
evaluated based on employee knowledge of
how to appropriately report issues or concerns,
including suspected fraud, waste, and
abuse. As a result, training personnel on the
False Claims Act policy should not be viewed
as giving employees a direct line to the OIG.
Rather, training employees should be viewed
as reinforcing the existing compliance culture,
educating employees on what constitutes a
false claim, and showing them what to do if
they suspect a violation of the False Claims
Act policy.
The MIHS False Claims Act Policy training is
based on a train-the-trainer model that uses
department managers as the trainers. This
helps to ensure accountability and improve
completion percentages. The policy is the
foundation for the training, but trainers are
provided with a summary training “script”
to guide them through the training. All
employees are given a copy of the MIHS False
Claims Act Policy, and they are told where the
policy resides on the Intranet. All attendees
are required to print and sign a sign-in log to
verify attendance. Completion will be audited
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
to ensure that the compliance office has evidence
to demonstrate that all personnel were
trained on the MIHS False Claims Act Policy.
In addition to employees, Section 6032
requires that the False Claims Act Policy
apply to contractors or agents of the entity.
In the context of education, this means that
contractors and agents, and their employees,
must also receive information about the
entity’s False Claims Act Policy. Fortunately,
this is similar to requirements in Corporate
Integrity Agreements in which an entity is
required to provide its Standards of Conduct
to all vendors, contractors, physicians, and
agents. In those situations, many entities
satisfy this requirement by including a copy
of the Standards of Conduct as part of all
new contracts and sending a copy to existing
contractors. This may be burdensome, so it
would be wise to investigate other options,
such as e-mailing the policy, to make the
requirement manageable. Many organizations
have a central repository for contracts
through which all contractors can be identified.
The same concept and methodology
applies to the medical staff, some of whom
may be a part of group practice that itself
must comply with Section 6032. Looking
ahead, the MIHS False Claims Act Policy
will be included:
n In the New Employee Orientation handbook
for employees
n As part of the contracting process for all
new contracts
n As part of the medical staff credentialing
packet
What happens if you are wrong?
Even though MIHS has taken many proactive
steps to comply with Section 6032, there is
always a chance that our method is wrong.
What happens if our approach to compliance
is not what the regulators envisioned?
Continued on page
November 2006

Employee education about False Claims Recovery ...continued from page
Unfortunately, there are too many times when the fear of being wrong
is used to prevent movement in the right direction. To avoid this, we
framed the discussion as, “If we are wrong, what is the harm?” Maybe
a policy must be amended, or some similar modification needs to be
made. However, in the context of ensuring the continuity of Medicaid
payments, making a modification is a small price to pay. Certainly the
price of modification is not great enough to delay the implementation
of an entity’s False Claims Act policy. Of all the regulatory activity in the
compliance sector over the past several years, no evidence indicates that
an organization that has made a good faith effort to comply with Section
6032 is at risk for civil or administrative penalties. For that reason,
we have elected to charge forward to ensure that the January 1, 2007
compliance deadline is satisfied. n
1 Pub. L. No. 109-171 § 6032
2 31 U.S.C. § 3729
3 Centers for Medicare and Medicaid Services, Medicaid Fraud Statutes Website, http://www.cms.hhs.gov/apps/mfs/
State_Select.asp (last visited Sept. 25, 2006).
4 31 U.S.C. 3730(h)
5 See generally Publication of the OIG Compliance Program Guidance for Hospitals, 63 Fed. Reg. 8987 (February 23,
1998)
6 OIG Supplemental Compliance Program Guidance for Hospitals, 70 Fed. Reg. 4858, 4874 (January 31, 2005)
Ask Leadership ...continued from page
monitoring, the latest of which addressed the roles of compliance
and internal audit functions. First, readers should visit or revisit those
articles and second, use the following as guidelines for key roles that
internal auditors should fulfill relative to their organization’s compliance
program:
n Participate as members of the corporate compliance committee,
provide input on the annual compliance work plan, and report key
compliance findings identified in internal audits.
n Coordinate risk assessment and annual work planning processes to
avoid duplication of effort and separately manage the auditing and
monitoring components of the plan.
n Include discussions with the compliance officer when planning every
audit. Because internal auditors typically focus on risk-based audits,
this will ensure key compliance risks are addressed.
n Review all compliance-related audit “findings” with the compliance
officer to ensure corporate awareness before issues are reported.
n Assist the compliance officer in investigating certain hotline-initiated
matters.
n Participate in the analysis of conflict of interest matters.
n Share and discuss various issues frequently to ensure joint understanding
of current issues, risks, and actions being taken. n
November 2006
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
November 2006

By: Janice Anderson, Cheryl Wagonhurst, and Neil Smithline, MD
Editor’s note: Janice Anderson and Cheryl a medical staff issue. Today, a hospital that
Wagonhurst are partners in the law firm provides poor-quality care can find itself the
of Foley & Lardner LLP. Janice Anderson subject of civil and criminal penalties for filing
false claims.
may be reached in Chicago by telephone at
312/832-4530. Cheryl Wagonhurst may
be reached in Los Angeles by telephone The medical staff and CEO of United
at 310/975-7839. Neil Smithline, MD, Memorial Hospital (UMH) in Greenville,
Mercer Health & Benefits, contributed Michigan learned first hand the devastating
to this article. He may be reached in San consequences that can occur from inadequate
Francisco, by telephone at 415/743-8700. quality and peer review. In 2001, UMH and
two physicians who served on the hospital
The focus on quality and safety Medical Executive Committee were indicted
in hospitals has increased dramatically
over the past several years. aid, and private insurers. The indictment was
for conspiring to defraud Medicare, Medic-
Historically, the task of monitoring the quality
of care provided by physicians has been cedures performed by an anesthesiologist on
based on unnecessary pain management pro-
delegated by hospitals to the medical staff, staff at UMH. 3 The government’s case against
and the biggest risk that hospitals faced when the hospital executive and physicians centered
confronted with a quality issue was malpractice
liability. Often, in fact, the hospital’s best be lacking, thereby protecting the significant
on peer review procedures allegedly found to
defense to malpractice lawsuits that stemmed revenue generated by the anesthesiologist who
from a poorly performing physician was to ran, what the government characterized as, a
claim that it was not responsible for malpractice
committed by members of its indepen-
UMH pled guilty and agreed to pay fines
“pain mill.” Rather than face a criminal trial,
dent medical staff. 1
totaling more than $1 million in 2003.
But, times have changed. The public is now Other cases have followed UMH. In 2002,
aware that hospitals may not always provide Redding Medical Center (RMC) in Redding,
California was served with a federal
safe medical care, that the government’s focus
on quality is on the rise, and that individuals government search warrant that alleged that
recognize the rewards available to them by the hospital allowed unnecessary procedures
filing private lawsuits (called qui tam suits) and surgeries to be performed on patients
alleging health care fraud. In fact, in 2005 in violation of the federal False Claims Act
alone, more than 1,100 health care fraud (FCA). 4 RMC paid more than $50 million to
cases were filed by individual qui tam relators settle that claim. And, in 2006, Our Lady of
alone. 2 These staggering statistics make clear Lourdes Regional Medical Center, in Baton
that hospitals no longer can consider quality Rouge, Louisiana paid over $3.8 million to
Janice Anderson
resolve health care fraud claims arising from
billing for allegedly unnecessary elective
angiograms, angioplasty, and stenting procedures
performed by a staff physician between
1999 and 2003. 5 It is now clear that hospital
peer review and quality activities are “front
and center” for government enforcers.
Hospital quality management and peer
review programs
The Medicare Conditions of Participation,
along with the laws of every state, require
hospitals to develop peer review and quality
management systems to review the professional
practices of the clinical personnel
providing services to patients. The traditional
quality assurance mechanisms found in hospitals
include the quality assurance program,
the risk management program, and the
utilization review program. Taken together,
these programs provide hospital-wide quality
reviews (including auditing of patient
records), education, and prevention.
Augmenting these hospital systems is the
medical staff peer review process that is generally
conducted by committees of physicians
and, in some cases, may involve nurses and
other practitioners. These committees conduct
screening and review of patient records,
investigate individual physician’s clinical competence,
and may make recommendations to
November 2006
10
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

Cheryl Wagonhurst
the other medical staff committees or officers
(e.g., the Medical Executive Committee or the
chief of a department) for further action. Peer
review procedures rarely focus on issues of
overall quality of care, but tend to be incident
driven with a focus on individual physician
performance, rather than the general practice
patterns of all physicians in the hospital. Peer
review is conducted under procedures defined
in the medical staff bylaws.
Peer review is founded on the belief that only
physicians can evaluate physicians. It generally
focuses on whether the care provided by
an individual physician is medically necessary
and consistent with the standards of practice.
Studies show that this retrospective analysis is
often fraught with a high degree of variability.
6 The success of peer review in any specific
case depends on the commitment of each
individual hospital’s medical staff and the
extent to which they can put aside the normal
human reluctance to evaluate a peer and
engage in honest and thorough evaluation.
To encourage peer review, Congress passed
the Health Care Quality Improvement Act
of 1986 (HCQIA) 7 to give immunity to peer
review participants, so long as the participants
act in good faith and in the reasonable belief
that the peer review action furthered quality
of care. Congress hoped that by passing
the HCQIA, legitimate peer review activity
would flourish and improve the quality of
care in hospitals nationwide.
Some would argue that Congress’ best-laid
plans did not pan out. Today, traditional
quality and peer review activities may or may
not be effective in dealing with poorly performing
physicians. The peer review processes
are lengthy and depend upon physicians who
donate precious time to review the practices
of fellow physicians who may be friends or
competitors. All too often, by the time a
quality of care issue is identified and actually
dealt with, a plethora of evidence exists that
shows a pattern of poor quality care (i.e.,
substandard care, lack of medical necessity, or
over-utilization).
The quality revolution
In recent years, hospital quality activities have
changed from an informal process of auditing
and evaluating care on a case-by-case basis, to
a “science” based on quantitative analysis of
sophisticated quality data. This change was
spurred in part by the Institute of Medicine
(IOM) report, “To Err Is Human: Building a
Safer Health System.” 8 Issued in 1999, the report
concluded that up to 98,000 Americans
die each year from medical mistakes, making
preventable medical errors the eighth leading
cause of death in the United States—
surpassing vehicle accidents, breast cancer,
and AIDS. The report made headline news
and alarmed health care providers, regulators,
and the public. More disturbing than the
sheer number of preventable errors that occur
in hospitals daily was the report’s conclusion
that medical errors were caused primarily by
systemic problems in hospitals and not by the
poor performance of errant individual doctors
and nurses.
The first IOM report was followed closely
by a second report, “Crossing the Quality
Neil Smithline
Chasm: A New Health System for the 21st
Century.” 9 Issued in 2001, the second report
proposed six aims for improving patient care
(i.e., safety, effectiveness, patient centeredness,
timeliness, efficiency, and equitable
care) and ten rules to guide the redesign of
health care to achieve these aims. The report
stressed evidence-based decision making to
reduce variance in medical practice among
physicians.
Other organizations responded to the heightened
focus on patient safety and quality, and
a flurry of national quality initiatives began.
In 2000, the Leapfrog Group, an organization
formed by large purchasers of health care,
established evidenced-based patient safety
practices to reduce medical mistakes in hospitals,
and the Institute for Healthcare Improvement
(IHI) launched a “Campaign to Save
100,000 Lives” in 2004. Specialty societies,
like the Society of Thoracic Surgeons and the
American College of Cardiology, also came
out with standardized process and outcomesmeasurement
tools to guide the delivery of
safer patient care.
The Joint Commission on the Accreditation
of Health Organizations (JCAHO) began its
intensive focus on quality in 1999 when it
mandated as a condition of accreditation that
Continued on page 12
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
November 2006
11

Government enforcement of quality ...continued from page 11
hospitals report on quality “core measures.” 10
Soon after, the Centers for Medicare and
Medicaid Services (CMS) joined with the
Hospital Quality Alliance (HQA), a publicprivate
collaboration of hospitals that is
designed to help hospitals improve quality by
measuring and reporting objective, easy-tounderstand
data on hospital performance. 11
In 2004, CMS and JCAHO agreed to adopt
the same standardized performance measures
for hospital reporting and began publicizing
the data on the Hospital Compare Web site 12
to help consumers improve decision making
about their health care.
Government enforcement
Historically, hospital quality and peer review
systems have existed as unrelated to the
traditional billing and finance functions of
the hospital. Recent activity by the government,
however, has linked quality of care with
billing requirements, and hospitals that fail
to deliver quality patient care may find themselves
the subject of government enforcement
for billing fraud.
The government has a powerful tool to
enforce quality care – the federal False Claims
Act (FCA). 13 Enacted during the Civil War,
the statute focuses on preventing fraud among
federal contractors. The Civil FCA imposes
penalties on any person who knowingly
presents (or causes to be presented) a false or
fraudulent claim for payment, or makes a false
statement to get a claim paid. The law uses qui
tam enforcement, which encourages private
citizens (called qui tam relators or “whistleblowers”)
to disclose false or fraudulent
activities to the government. Whistleblowers
can receive up to 25% of the total recovery or
settlement if the government prosecutes the
case, and up to 30% of the proceeds if the
government decides not to intervene, but the
qui tam relator proceeds or his or her own.
The penalties for a successful FCA case can
be exorbitant. Health care providers can face
triple damages plus civil penalties of $5,500
to $11,000 for each and every false claim.
If the plaintiff prevails, the courts will also
award reasonable costs and attorney fees
against the defendant.
Whistleblowers and the government alike
find the financial motivation compelling to
pursue allegations of false claims. Since 1986,
the federal government has recovered more
than $15 billion dollars under the FCA. 14
With a mean relator share of $1,700,153,
whistleblowers can strike gold if the government
prevails in the lawsuit. 15 These awards
have proven to be an effective incentive for
whistleblowers and an excellent investment
for the federal government. The number of
qui tam cases per year has increased exponentially
since the whistleblower provisions were
enacted, 16 and the federal government recovers
$15 for every $1 it invests in FCA whistleblower
actions involving health fraud. 17
In addition to FCA liability, whistleblower
claims often lead to charges of criminal and
civil violations under numerous other health
care fraud statutes, such as criminal charges
under 18 U.S.C. § 287 for false claims,
§ 1001 for false statements, § 1341 for mail
fraud, § 1343 for wire fraud, and § 1347 for
health care fraud. Charges can be brought
under 42 U.S.C. § 1320a-7b(a)-(e) for fraud
on federal health care programs and illegal
remuneration, 18 U.S.C. § 371 for conspiracy,
and § 1349 for attempted conspiracy. In
certain cases, the government can also bring
charges for money laundering, racketeering,
and misconduct related to Employee Retirement
Income Security Act (ERISA) plans. 18
If the case involves patient neglect or abuse,
the government can prosecute providers for
violations of a patient’s civil rights. 19
Exclusion from federal programs is another
potent weapon in the government’s arsenal.
The threat of exclusion from the Medicare
and Medicaid program (the kiss of death for
most hospitals) can be used to exert leverage
in settlement agreements with health care
providers. 20 The Health Insurance Portability
and Accountability Act of 1996 (HIPAA) 21
expanded the already extensive list of reasons
for exclusion, increased the number of offenses
for which exclusion must be imposed,
and established additional minimum periods
for which person must remain excluded. If
the provider is convicted of criminal offenses
in connection with delivery of health care
services or the neglect or abuse of a patient,
the exclusion is mandatory. 22
The FCA’s definition of a false claim is
extremely broad and creates limitless opportunities
for the prosecution of providers.
Although a substantial number of health care
FCA cases involve actions that traditionally
have been considered fraudulent, such as
billing for services that were never performed,
misrepresenting the identity of the provider
who performed the service, or “up coding”
(i.e., billing the government for more expensive
care than was delivered), 23 prosecutors
and qui tam relators now are claiming fraud
when quality is alleged to be poor, or the care
provided is determined to be unnecessary, or
both.
“Medical necessity fraud” occurs when the
procedures provided (e.g., tests, lab studies)
do not meet medical necessity criteria. Medicare
and Medicaid pay only for those services
that are reasonable, medically necessary, and
used for diagnostic and therapeutic purposes
in connection with health care services
provided to beneficiaries. Each time that a
claim is submitted, the provider certifies on a
HCFA (Health Care Financing Administration,
now CMS) 1500 or UB92 form that
November 2006
12
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

the services are “medically necessary and
indicated for the health of the patient.” If,
contrary to the certification, the services are
unnecessary, the certification is false and the
submission of the claim violates the FCA. 24
In the UMH case, the relator alleged that the
hospital and medical staff committees failed
to act on information generated through peer
review that demonstrated that a staff anesthesiologist
was running a “pain mill” at the
hospital by providing medically unnecessary
pain management procedures. As a result, the
anesthesiologist and the hospital were charged
with falsely certifying compliance with
Medicare’s medical necessity requirements.
The initial investigation led to a first-of-its
kind criminal prosecution against the hospital.
The federal prosecutors obtained a 31-
count criminal indictment against UMH and
the chiefs of the medical staff and emergency
medicine for mail fraud, wire fraud, and
conspiracy to commit mail and/or wire fraud
relating to the allegedly unnecessary medical
procedures performed by the anesthesiologist.
The crux of the government’s case was
that, notwithstanding information learned
through peer review and many complaints
from patients received by the hospital, the
hospital continued to bill and collect its fees,
certifying each time that the services were
medically necessary when, in fact, the hospital
knew through its peer review procedures they
were not. The hospital pled guilty to a single
felony charge of wire fraud in a settlement
agreement, paid a fine of more than $1 million,
and agreed to reimburse approximately
$750,000 to Medicare, Medicaid, and two
private insurers.
In the Redding Medical Center case,
whistleblowers alleged that the performance of
unnecessary heart catherizations, angioplasty,
and open-heart surgeries violated the FCA.
Tenet Healthcare Corporation, the parent
of Redding, ultimately signed a $54 million
settlement agreement with the Department
of Justice (DOJ) in 2003. This was the largest
recovery to date from a hospital in an alleged
case of lack of medical necessity. 25 Shortly
thereafter, in 2004, Tenet agreed to divest itself
of RMC and sell the assets to an unrelated
third party to avoid RMC’s exclusion from
the Medicare and Medicaid programs. 26 Tenet,
RMC, and two physicians also faced over 100
civil lawsuits filed by individuals who said that
they or their families underwent unnecessary
surgeries, and Tenet set up a $395 million
fund to settle these civil lawsuits. 27
In addition to challenging a hospital’s right to
bill for services that are deemed medically unnecessary,
the government also has attempted
to take the FCA one step further by challenging
the legitimacy of claims submitted for
substandard or poor quality care. According to
the government, a provider “impliedly certifies”
at the time it submits a claim that the
care provided meets all published rules, regulations,
and standards. If the care provided does
not meet quality standards, submitting a claim
for reimbursement is tantamount to fraud.
Based on this “implied certification” theory,
several courts have found nursing homes
to be liable under the FCA when the care
provided was found to be so substandard
that it was deemed to be “worthless.” 28 This
theory was applied in July 2005, when the
U.S. Attorney’s Office announced a first-ofits-kind
settlement with Central Montgomery
Medical Center (CMMC), a hospital located
in Lansdale, Pennsylvania, and the hospital’s
management company. 29 The government
alleged that from February through August
2002, CMMC knowingly billed the government
for numerous patients who were improperly
physically and chemically restrained
in violation of the Medicare Conditions of
Participation. Although CMMC denied any
wrongdoing, it agreed to pay the government
$200,000 to settle the claim. The case is the
first instance where the federal government
successfully pursued a hospital under the
FCA for failing to comply with the Medicare
Conditions of Participation.
Federal prosecutors have said that they will
continue to use the FCA to pursue patient
abuse and neglect cases and other quality
of care violations in nursing homes and
hospitals. According to James G. Sheehan,
Associate U.S. Attorney, Eastern District of
Pennsylvania, the DOJ will continue to target
cases involving:
(1) patient abuse and neglect
(2) falsification of records
(3) failure to report adverse events as required
by state laws
(4) improper use of physical or chemical
restraints on patients in violation of federal
regulations
(5) intentional misconduct. 30
Sheehan predicts that future health care fraud
enforcement will focus squarely on quality,
safety, and patient dignity. 31
Lewis Morris, Deputy Chief Counsel for the
HHS Inspector General, also has predicted
that health care fraud cases are likely to
increase dramatically. 32 The Deficit Reduction
Act of 2005 (DRA) gives states an
incentive to enact state false-claims laws by
allowing them to retain an extra 10% of
recovered Medicaid funds, if the state adopts
a false-claims statute modeled after the federal
statute. 33 It also mandates that entities that
annually receive or make $5 million dollars in
Medicaid payments be required to implement
policies and revise employee handbooks
to inform their workforce about the federal
and state False Claim Acts and their whistle
blower protections. 34 Coupled with the
Continued on page 14
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
November 2006
13

Government enforcement of quality ...continued from page 13
fact that Congress has increased the OIG’s
matching-grant money by $25 million each
year for the next five years for bolstering state
Medicaid Fraud Control Units, fraud cases
focused on the quality of patient care can
only be expected to increase. 35
Integrating quality and compliance
What does this mean for providers today, and
how does this change the role of compliance
officers? It is clear that hospitals can no longer
consider quality an issue that can be addressed
through its normal peer review and quality programs.
Unless hospitals link compliance with
quality and peer review programs, they may well
find themselves defending a fraud case for filing
claims for services ultimately deemed medically
unnecessary or of poor quality. Health care
fraud cases present a far greater risk to hospitals
than malpractice claims (the historical risk faced
by hospitals when care was challenged as substandard
or unnecessary). Fraud claims are not
covered by insurance, cost thousands to defend
and millions to settle, gain public notoriety,
may lead to both criminal and civil penalties,
and undermine public confidence in the quality
of care provided by the hospital.
So, what should hospitals do now? First and
foremost, hospital compliance officers must
work hand-in-hand with hospital administration,
risk managers, quality officers, the
medical staff office, and medical staff peer
review committees. Lack of medical necessity
and substandard care should be recognized
as potential compliance issues, and should be
included among the other issues addressed by
compliance. Environmental risk assessments
(a component of most hospital compliance
programs), compliance policies, and standards
of conduct should all be revised to tie together
quality, risk management, peer review,
and compliance.
Second, compliance education programs
should include information about the link
between the delivery of quality, medically
necessary care, and the requirements that
must be met to bill for services. Quality and
risk management officials need to know
whom to contact in the compliance department
when they uncover instances of poor
quality or unnecessary care, and compliance
personnel need to know when to contact legal
counsel to determine whether a risk of health
care fraud may exist, and if so, what actions
should be taken.
Finally, compliance auditing and monitoring
programs need to be integrated with quality
chart reviews, risk management incident
reporting systems, and peer review investigations
to ensure that patterns of poor quality
or medically unnecessary care are identified
quickly and corrected. Part of any corrective
action plan developed to address a pattern of
unnecessary or poor quality care should also
evaluate the impact on reimbursement and
determine whether any repayment obligation
may exist.
The government’s focus on quality will grow
in the coming years. Faced with the increasing
pressure to hold down costs while making
the American health care system safer, the
government likely will use the FCA more
often to challenge poor quality or unnecessary
care. Unless proper steps are taken to integrate
quality into the compliance program, a
hospital could face disastrous consequences,
including fines, penalties, damage to reputation,
and a loss of confidence by physicians
and patients. And, unlike many of the other
compliance issues that hospitals face, allegations
of unnecessary or poor quality care can
take years to overcome.
Sophisticated hospital compliance officers
will make sure that quality and peer review
are integrated into the hospital’s compliance
program, so that circumstances that could
give rise to FCA liability can be addressed
before the government, the press, or other
critics intervene. n
1 In most jurisdictions, a hospital is held liable for malpractice committed
by members of its independent medical staff only if the hospital itself was
negligent because it either failed to respond appropriately when it knew or
should have known of the risk to a patient or because it failed to establish
and follow appropriate policies to guide quality of care. See Andrea G.
Nadel, J.D., Hospital’s Liability For Negligence In Failing To Review Or
Supervise Treatment Given By Doctor Or Require Consultation, 12 A.L.R.
4th 57 (1982).
2 Information on False Claims Act Litigation, GAO Briefing for Congressional
Requesters, December 15, 2005, p. 28.
3 United States v. United Memorial Hospital., WL 33001119 (D. Mich.
2002) (denying defendant’s motion to dismiss).
4 Tenet Healthcare Agrees to Pay $54 Million Settlement Over Alleged
Unnecessary Surgeries at Redding Hospital, California Healthline, Aug. 7,
2003, http://www.californiahealthline.org/index.cfm?Action=dspItem&ite
mID=95253&classed=CL350.
5 Louisiana Hospital Settles Federal Claims of Billing for Medically Unnecessary
Services, 10 BNA Health Care Fraud Reporter 679 (September 13,
2006).
6 See, e.g., A.M. Smith et al., Peer Review of the Quality of Care: Reliability
and Sources of Variability for Outcome and Process Assessments, 278 J.
Am. Med. Ass’n. 1573 (1997).
7 Health Care Quality Improvement Act of 1986, 42 U.S.C. § 11101.
8 Committee on Quality of Health Care in America Committee on Institute
of Medicine, To Err is Human: Building a Safer Health System (1999).
9 Committee on Quality of Health Care in America, Institute of Medicine,
Crossing the Quality Chasm: A New Health System for the 21st Century
(2001).
10 JCAHO’s launch of reporting on core measures was an outgrowth of its
ORYX initiative which began in 1997 to integrate the use of outcome and
other performance measures into the accreditation process. See http://www.
jointcommission.org/Jointcommission/Templates/GeneralInformation.asp.
11 Center for Medicare and Medicaid Services, Hospital Quality Initiative
Overview (Dec. 2005), http://www.cms.hhs.gov/HospitalQualityInits/
downloads/HospitalOverview200512.pdf.
12 www.hospitalcompare.com.
13 False Claims Act, 31 U.S.C. §§ 3729-3733.
14 GAO Report at 5.
15 Id. at 32.
16 Id. at 25.
17 False Claims Act Advocate Says Prosecuting FCA Cases is Good Investment
for Government, 10 BNA Health Care Fraud Report 478 (2006).
18 John J. Meyer et al., Health Care Fraud and Abuse: Enforcement and
Compliance, BNA’s Health Law & Business Series (2006).
19 Civil Rights of Institutionalized Persons Act (CRIPA), 42 U.S.C. § 1997.
20 Meyer, supra, at 2600:0328.
21 Health Insurance Portability and Accountability Act of 1996, 18 U.S.C. §
1347.
22 Meyer, supra, at 2600:0328(a).
23 See John T. Boese, Civil False Claims and Qui tam Actions, (3rd Ed.
Aspen Publishers (2006); Joan K. Krause, “Promises to Keep”: Health Care
Providers and the Civil False Claims Act, 23 Cardozo L. Rev. 1363, 1382
(2002); Joan K. Krause, Health Care Fraud and Quality of Care: a Patient-
Centered Approach, 37 J. Health L. 161 (2004).
24 See John T. Boese, When Angry Patients Become Angry Prosecutors:
Medical Necessity, 43 St. Louis U. L. J. 53 (1999); Meyer, supra, at
200:0316.
25 U.S. Attorney Eastern District of California, RMC/Tenet Settlement Fact
Sheet.
26 U.S. Office of the Attorney General, OIG and Tenet Healthcare Corporation
Reach Divestiture Agreement to Address Exclusion of Redding
Medical Center, OIG News, Dec. 11, 2003.
27 Tenet Healthcare agrees to pay $54 Million Settlement over Alleged
Unnecessary Surgeries at Redding Hospital, California Healthline, Aug. 7,
2003, http://www.californiahealthline.org/index.cfm?Action=dspItem&ite
mID=95253&classcd=CL350.
28 See, for example, United States ex rel. Swan v. Covenant Care, Inc., Case
No. Civ. S‐99-1981, DFL JFM (E.D. Cal. June 20, 2000 and United States
v. NHC Healthcare Corp., 115 F. Supp 2d 1149 (W.D. Mo. Aug. 30,
2000).
29 United States Attorney’s Office Eastern District of Pennsylvania, U.S.
Attorney’s Office Reaches Agreement with Hospital to Failure of Care
Allegations Stemming from Improper Use of Patient Restraints, News
Release, July 25, 2005.
30 Quality of Care Issues to Remain Focus of False Claims Act Cases, Sheehan
Says, 10 BNA’s Health Care Fraud Report, BNA’s Health Care Fraud
Report, 169 (2006.).
31 Id.
32 OIG’s Morris Tells AHLA to Watch For Increase in False Claims Act Cases,
10 BNA Health Care Fraud Report, 524 (2006).
33 Deficit Reduction Act of 2005 at § 6031.
34 Deficit Reduction Act of 2005, Pub. Law 109-171, § 6032.
35 Testimony of Daniel R. Levinson, Inspector General, Hearing before the
S. Comm. on Homeland Sec. and Gov’t Affairs, Subcomm. on Fed. Fin.
Mgmt., Gov’t Info., and Intn’l Sec., 109th Cong. 1, 2 (2006.)
November 2006
14
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

feature
Editor’s note: This interview with Marti
Arvin, JD, CHC, CIPP/G, CCEP, CPC
Privacy Officer, University of Louisville
was conducted this past September by
HCCA Board Member F. Lisa Murtha,
Managing Director, Huron Consulting
Group. Marti Arvin may be reached by
telephone at 502/852-3803.
LM: What is your professional background?
MA: I am an attorney and, prior to my
compliance career, I spent five years in the
Indiana Attorney General’s Office litigating
civil rights and employment law cases in
federal court. I also have degrees in respiratory
therapy and accounting.
LM: How did you originally become
involved in “compliance”?
MA: Fate got me involved in health care
compliance. I was looking to make a career
move from my position at the Attorney
General’s Office. I wasn’t looking for a
position in compliance, because I had never
heard of the profession at that time. By
chance, I received a call from a colleague I
had worked with in the Indiana University
Hospital’s accounting department. She
had been discussing a new position at the
Indiana University School of Medicine with
a member of the search committee. The
new position was Compliance Officer. The
search committee was looking for someone
with a clinical background, who understood
the financial side, and they wanted an
attorney. She immediately thought of me.
I landed the position and have never look
back. Given that I went from respiratory
therapy to accounting to law, health care
article
compliance has allowed me to utilize all
aspects of my background.
LM: What was your first compliance
position?
MA: In 1998, I became the first compliance
officer for the Indiana University School
of Medicine. I implemented their fraud and
abuse compliance program. Later I was appointed
to act as their privacy officer as well.
LM: Can you explain any differences that
you have observed in compliance programs
today versus when you first began working
in compliance?
MA: When I began my first position as a
compliance professional, like many people at
that time, I knew nothing. I was scrambling
for resources and found many people in the
same boat. Fortunately, I was able to contact
people at other academic medical centers
who had been doing this a little longer than
me. Debbie Troklus and others were very
generous with their time and willingness to
share their compliance plans, policies, and
procedures. I am eternally grateful for the
help I received. The programs I encountered
at that time were in their infancy. When I
contrast that with the environment today, I
see a completely different landscape. Many
organizations today have mature programs
that have expanded in oversight and structure.
Do a Google search for “compliance”
today and you get pages and pages of sites.
Meet Marti Arvin
JD, CHC, CIPP/G, CCEP, CPC
Privacy Officer, University of Louisville
When I started in compliance, the Health
Care Compliance Association was still in its
early stages as an organization. Today it has
several thousand members. I know there are
still individuals who are just starting out in
this profession and feel like I did back in
1998. The difference is they have a much
broader resource pool. There are significantly
more compliance professionals they
can contact for help. They are also probably
going into an existing program and not developing
one from the ground up. What has
not changed is the willingness of colleagues
to help each other by sharing information,
ideas, and resources.
LM: How have you seen privacy issues
integrated in compliance programs?
Continued on page 16
November 2006
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org 15

Meet Marti Arvin ...continued from page 15
November 2006
16
MA: I have seen it done a number of
ways. Some organizations have a stand alone
program. Some organizations have a stand
alone office, but coordinate their activities
with other compliance programs to better
utilize resources. Some organizations have
it fully integrated within a broad, overarching
program. Still others have a hybrid, with
the privacy office as a separate function
within the compliance program that runs its
own training, audits, etc. Like any aspect of
compliance, the organization has to figure
out what is right for its culture and utilize the
method that works best for that particular
organization. One size does not fit all.
LM: Can you describe your Privacy
Program in detail?
MA: The Privacy Office has oversight of
most privacy issues at the university. I report
to the provost of the university. Our program
is structured to try to leverage other compliance
functions. We coordinate our training
and auditing efforts with the Human Subjects
Protection Program Office and the Medical
Compliance Office. We conducted a risk
assessment this year, which we are using to
create our audit plan. We have established
an issues-tracking system that has permitted
us to identify the types of questions and
other issues that come our office. We have
even developed a report that ages our issues,
so we know how long a file has been open,
who is responsible for taking the next action
(the privacy office or our client), and what
type of issue it is. I provide quarterly reports
to my supervisor that tell her the number of
open files, the categories, the business unit
or school the issue is tied to, and how many
files have been open for 30, 60, 90 days, etc.
Like most programs, I would like to have
more resources, but we are trying to use the
resources we have in the most effective and
efficient way possible.
LM: How do you keep your program
dynamic from year to year?
MA: By trying to expand the services
offered to our constituents. We have tried
to automate processes were possible and use
other means to free up the time of our office’s
staff to provide services. It is hard to stay
dynamic year after year, but the more service
we can provide, the more our constituents
can integrate compliance into their daily
activities. I recently heard Joe Murphy say it
takes about ten years to change the culture of
an organization, so I find myself thinking that
as long as I am seeing positive progress, we are
moving in the right direction.
LM: What do you see as the highest risk
area in privacy compliance today and why?
MA: What a loaded question. I think the
biggest risk is complacency. In the billing and
research side of compliance, we constantly
see civil penalties and fines and criminal
convictions. While the Privacy Rule has been
enforceable for three and half years there
have not been any major fines or penalties
imposed. I am constantly asked “What will
happen to me if I don’t do this”? The final enforcement
rule became effective in March of
this year. Under the rule we now know how
fines will be imposed, but OCR has indicated
it will try to resolve issues informally, before
fines and penalties are imposed. Without
constant reminders that the law requires the
activities we are asking our clients to do, it is
easy for people to fall back into old habits.
LM: How would you recommend that
organizations mitigate their privacy compliance
risks today?
MA: If the organization has an effective
privacy compliance program in place, that is the
best way to mitigate the risk. I think the most
important aspect of such a program is the auditing
and monitoring, which will help identify
the key risk areas. The organization can then see
where it needs to do additional training, create
or revise policies and procedures, etc.
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
LM: What has been the single biggest
factor that contributes to the success of your
program at Louisville?
MA: The reporting structure I have. I
report to the provost of the university. She is
very committed to doing the right thing. I
meet with her on a regular basis and have the
opportunity to keep her update-to-date on
the privacy compliance program. She is also
very good about thinking of how other projects
within the university could have privacy
compliance implications. She makes sure I
am aware of these projects and can evaluate
whether there are privacy implications.
She would much rather ask me to review
something, and find out there are no privacy
issues, than for the opposite to occur.
LM: What was your biggest challenge in
implementing your program and how did
you overcome it?
MA: The biggest challenge to implementing
the privacy program at the University of
Louisville was coordinating this effort with
other compliance activities at the university.
This was a challenge because the privacy program
was viewed as yet another program that
was hindering the faculty and staff from doing
what they were hired to do. I cannot say
I have completely overcome this challenge.
But, we have made progress. In my experience,
when you implement a new program,
it takes a year or two to change your clients’
attitudes--from viewing you as a hindrance
to their work to getting them to see you as
a resource. It is a slow process, but we are
seeing a lot more instances of individuals
coming to our office for assistance before
they establish a new program or engage in a
new project. This allows us the opportunity
to help them do it right from the beginning
Continued on page 18

Earning your certification,
keeping your certification current,
and applying for advanced
certification just got easier!
Beginning with this issue of Compliance Today HCCA will offer continuing
education credits (CEUs) for completing the quiz that accompanies selected
articles in Compliance Today. Receive one (1) CEU for each quiz* you
successfully complete. You could receive up to twelve (12) CEUs per year.
To apply for credit: read the article on pages
41-42 and answer the questions on the insert
in this magazine. Fax your answer form to
us at 952/988-0146 or mail it to us at:
Health Care Compliance Association
Attn: Lisa Colbert
6500 Barrie Road, Suite 250
Minneapolis, MN 55435
* The quiz is inserted in this issue of Compliance Today
November 2006
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org 17

Silly Laws
Roy Snell
Over the past ten years, I have written several dozen articles. Although
I attempt to make my articles interesting, they are often about serious
matters. I have often wished that I could do something funny, something
to lighten your load for a moment. We all have such difficult and
stressful jobs. I just could not think of anything that would pertain
to compliance that would be tactful. Well, leave it to my 13-year-old
twins to come up with an idea. They told me they were studying silly
laws in school, and they mentioned a few. I went to a Web site (www.
dumblaws.com) and got a few that I have listed below.
n In Arizona, donkeys cannot sleep in
bathtubs.
n In Alabama, you may not have an ice
cream cone in your back pocket at any
time.
n In Alabama, putting salt on a railroad track may be punishable by
death.
n In Alabama, it is illegal for a driver to be blindfolded while operating
a vehicle.
n In Idaho, riding a merry-go-round on Sundays is considered a
crime.
n In New Hampshire, you cannot sell the clothes you are wearing to
pay off a gambling debt.
n In California, it is a misdemeanor to shoot at any kind of game
from a moving vehicle, unless the target is a whale.
n In Indiana, a person who dyes, stains, or otherwise alters the natural
coloring of a bird or rabbit commits a Class B misdemeanor.
n In Indiana, check forgery can be punished with public flogging up
to 100 stripes.
I have no idea if they are accurate; then again, I am not sure it matters.
I think you should add any that pertain to you or to your Code of
Conduct. n
Meet Marti Arvin ...continued from page 16
and help avoid compliance issues in the future.
LM: What advice would you give to individuals who are interested
in a career in compliance and privacy?
MA: I would recommend getting involved in the Health Care
Compliance Association, networking with other compliance
professionals, and taking the certification exam offered by the
Healthcare Compliance Certification Board. Experienced compliance
professionals are always willing to help out newcomers. Oh,
and to paraphrase from Bette Davis in the movie All About Eve
Full Name:
Title:
Organization:
Address:
City/State/Zip:
Telephone:
Fax:
E-mail:
Complete this coupon to order Compliance Today (CT)
HCCA individual membership costs $295; corporate membership
(includes 4 individual memberships, and more) costs $2,500.
CT subscription is complimentary with membership.
HCCA non-member subscription rate is $357/year.
❑ Payment enclosed
❑ Pay by charge: ❑ AmEx ❑ MasterCard ❑ Visa
Card #:
Signature:
❑ Please bill my organization: PO#
Exp. Date:
Please make checks payable to HCCA and return subscription coupon to:
HCCA, 6500 Barrie Road, Suite 250, Minneapolis, MN 55435
November 2006
18

®
SMART2.o :
bringing HIM people
and HIM technology
together.*
On one side, it’s a technology solution. On the other, a service
solution. SMART2.o is more than a software tool, it’s a technology
solution designed to help you continuously assess coding
accuracy and data quality as an important part of your hospital’s
compliance program.
SMART2.o
For more than 15 years, we’ve worked with HIM professionals
providing affordable tools and services that help them with coding
accuracy, regulatory compliance, data management and reports
to monitor PPS requirements.
So, whether you look at your hospital’s compliance program from
a technology perspective or a service perspective, SMART2.o is
a very smart, very budget-friendly way to work.
To start an in-depth conversation about your particular needs,
contact Doug Barry at 866-792-4920 or visit pwc.com/healthcare.
*connectedthinking
© 2005 PricewaterhouseCoopers LLP. All rights reserved. "PricewaterhouseCoopers" refers to PricewaterhouseCoopers LLP (a Delaware limited liability partnership) or, as
the context requires, other member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity. *connectedthinking
and SMART2.o are trademarks of PricewaterhouseCoopers LLP (US).
November 2006
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org 19

November 2006
20

November 2006
21

HCCA’s Annual Tri State Local Conference
Friday, November 3, 2006 | Louisville, KY | Galt House, 140 North Fourth St., Louisville, KY
Join your colleagues for the Health Care
Compliance Association’s Tri State
Local Annual Conference on November 3,
2006.
Explore the hot issues:
n Deficient Reduction Act
n The Maze of Research Billing
n Compliance Effectiveness
n Politics and Policy in the Post-Acute Space
n Health Care Enforcement in Kentucky
n Non-Physician Practitioner
n Compliance Hot Topics Panel
Program features an expert
faculty, including:
n Robert Benvenuti, III, Esq., Inspector
General, Cabinet for Health and Family
Services
n Wesley R. Butler, General Counsel, Cabinet
for Health and Family Services
n Georgette Gustin, CHC, Director, PricewaterhouseCoopers
n Kathie McDonald-McClure, JD, Wyatt,
Tarrant & Combs, LLP
n F. Lisa Murtha, JD, CHC, Managing
Director, Huron Consulting Group
n Raymond J. Sierpina, JD, Director of
Government Programs, Kindred
Healthcare
n Roy Snell, CHC, CEO, Health Care
Compliance Association
n John Steiner, Chief Compliance Officer,
UK Healthcare, University of Kentucky
n Debbie Troklus, CHC, AVP Health Affairs/Compliance,
University of Louisville,
HSC
n Sheryl Vacca, CHC, HCCA Board
Member, Director, Health Care and
Life Science Regulatory Practice,
Deloitte
This HCCA program is sponsored by
MediRegs, MC Strategies, Pershing Yoakley
& Associates and Co-Sponsored by Atlantic
Information Services’ (AIS’s) Report on
Patient Privacy, Guide to Audit Health
Care Billing Practices, Report on Medicare
Compliance, HIPAA Guide on Patient
Privacy; and HCPro’s Strategies for Health
Care Compliance, and Health Care Auditing
Strategies
Continuing Education Credit:
ACHE, HCCB (7.5 Credits), NASBA-CPE,
AAPC
Register online at
www.hcca-info.org
Louisville, KY
November 2006
22
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

HCCA’s Annual South Central Local Conference
Friday, November 10, 2006 | Nashville, TN | Opryland Resort and Convention Center
Join your colleagues for the Health
Care Compliance Association’s Annual
South Central Local Conference on
November 10, 2006.
Explore the hot issues:
n Identity Theft in Healthcare
n Investigation Workshop: A Step-by-Step
Process for Conducting an Internal Investigation
n Update from the Attorney General’s Office
n Regulatory Update
n Effectiveness: How Do You Measure It?
n Risk Assessment: The 8th Element
n Research Compliance
Program features an expert
faculty, including:
n Wynelle Paige, RHIA, CCP
n Tim Crabtree, Masters Forensic Science,
HCA Ethics Line Case Manager
n Matt Pierce, MBA, CHC, HCA Investigator
n Donna K. Gilley, CHC, CCS, CCS-P,
CPC, CPC-H, Senior Manager, Revenue
Cycle & Regulatory Compliance, LBMC
Healthcare Group, LLC
n Andi Bosshart, VP, Compliance, Community
Health Systems
n Jennie Campbell, Pershing, Yoakley and
Associates
n Eva Floyd, HCA
n James Speros, JD, VHA, CBI Evaluation
& Assessment Center, Washington, DC
n Christine Bachrach, MS, CHC, VP, Compliance,
Healthsouth, Birmingham, AL
n Kelly Willenberg, Assistant Director of
Finance, Director Clinical Research Financial
Compliance, Vanderbilt University
n Marcy Downing, MBA, MHA, CHC,
CHE, Compliance Officer, VA TN Valley
Healthcare System
This HCCA program is sponsored by Meade &
Roach LLP, and MediRegs and Co-Sponsored
by Atlantic Information Services’ (AIS’s) Report
on Patient Privacy, Guide to Audit Health
Care Billing Practices, Report on Medicare
Compliance, and HIPAA Guide on Patient
Privacy; and HCPro’s Strategies for Health
Care Compliance, and Health Care Auditing
Strategies.
Continuing Education Credit:
ACHE, HCCB (7.8 Credits), NASBA-CPE,
AAPC
Register online at
www.hcca-info.org
Tennessee Mountains
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
November 2006
23

By Stacey Gulick, Esq. and Jacqueline Finnegan, Esq.
Editor’s note: Stacey Gulick and Jacqueline
Finnegan are attorneys with the law firm of
Garfunkel, Wild & Travis, PC. Ms. Gulick
may be reached by telephone at 516/393-
2264 and Ms. Finnegan may be reached at
516/393-2582.
For compliance officers, the handling
of complaints and internal investigations
can be both frustrating
and valuable. Almost all compliance officers
will be faced with this daunting task at
some point during their tenure. For health
care facilities and providers (collectively, the
“Providers”), an internal investigation, unlike
routine auditing and monitoring activities,
requires the compliance officer to review
allegations of potential wrongdoing to determine
the scope of the review and whether
any corrective actions are required. From
putting together the investigative team to
reviewing the results of the investigation, the
compliance officer needs to keep an eye on
the details and recognize that the handling
of the internal investigation will have a direct
impact on the corrective actions that are
implemented, future decisions regarding voluntary
disclosure, refunds, and/or professional
misconduct reports, among other things.
Ten tips to consider when conducting an
internal investigation
1. Stop questionable practices immediately
While seemingly obvious, it is of paramount
importance that compliance officers take
steps to stop any potential wrongdoing immediately
and prevent any future incidents,
as soon as they have knowledge of a potential
compliance problem or legal violation.
While a preliminary review may be needed
to confirm that there is a potential issue,
when sufficient information of a potential
compliance concern is discovered, steps must
be taken to prevent the inaccurate submission
of claims or other continued violation
of applicable law. Such interim steps may be
made while a complete investigation is being
conducted to determine the extent of the
problem. For example, if a Provider learns
that it may not have sufficient documentation
to bill for a certain procedure, the Provider
may hold those claims while the investigation
is conducted. When the investigation is
complete, a decision can be made whether
or not to submit the claims, and if necessary,
policies can be revised to address any
deficiencies identified. Regardless of the steps
taken, failure to stop questionable practices,
at least while the investigation is conducted,
may subject the Provider to significant civil
and criminal penalties if it has knowledge of a
potential legal violation.
2. Determine the intended scope of the
investigation
The U.S. Department of Health and Human
Services Office of Inspector General (OIG)
recommends in its Supplemental Compliance
Program Guidance for Hospitals (the
“Supplemental Guidance”) that all allegations
of possible fraud and abuse be investigated.
The Supplemental Guidance, however, is
silent with respect to the extent and scope of
such investigation. The compliance officer
is generally responsible for determining the
credibility of the issues, overseeing the investigation,
and establishing the scope of review.
When outside legal counsel is involved, such
counsel may direct the investigation, but the
compliance officer or other designated individual
should generally oversee the process.
When deciding the scope of an investigation,
it is important to consider how the alleged
wrongdoing was raised and to initially gather
as much information as possible. The scope
of the investigation requires consideration of
the specific practice at issue, which employees
should be interviewed, the types of
documents to be collected, and whether any
audit should be conducted. With respect to
conducting an audit, consideration must be
given as to whether the audit should involve a
retrospective or prospective review. The type
of review is inherently based on the type of
misconduct alleged and may change subject
to the findings of the investigative team. It
is also important to remember that if the
Provider is under a Corporate Integrity Agreement
(CIA) the Provider may have specific
requirements governing the need for, and
scope of, the investigation. CIAs may also
dictate the time frame for such investigations
and require that the OIG be informed when
an investigation is being conducted.
3. Assemble an investigative team
When needed, the compliance officer should
assemble an appropriate investigative team.
The OIG recommends in its Supplemental
Guidance that the investigative team be
comprised of representatives from the compliance,
audit, and other relevant functional
areas, such as departmental supervisors or
staff. The composition of the team will vary,
however, depending on the nature of the
alleged wrongdoing. Therefore, the compliance
officer must consider the nature of the
allegation, the confidentiality of the issue,
November 2006
24
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

the affected departments or personnel,
the expertise and position of the potential
investigative team members, any conflict of
interest, and the appropriate size team for
the investigation. It is also important for the
compliance officer to appreciate the balance
that must be struck when selecting potential
team members, especially when a matter is
particularly sensitive and confidential. All
members of the investigate team must be in a
position to both understand the issues related
to the investigation and be able to competently
and confidentially handle the investigation,
wherever it might lead.
4. Consider involving outside counsel
At the outset of an internal investigation, the
compliance officer should consider whether
the Provider would be better served by having
outside counsel involved in the investigation.
This requires the weighing of budgetary constraints
and other financial concerns against
the benefits offered by outside legal counsel.
When deciding whether outside counsel
should be retained, there are several things
that should be considered. Most importantly,
if there is any involvement or potential
involvement by any state or federal regulatory
agency, it is highly advisable to obtain outside
legal counsel.
In addition, depending upon the nature of
the problem, outside counsel can provide expertise
in certain specialized areas, particularly
laws, regulations, and billing requirements.
Outside counsel can also be important if the
compliance officer finds it difficult to establish
an unbiased investigative team. Bringing
in outside counsel may provide the neutrality
that is necessary for the team to come to an
accurate, unbiased determination. For example,
if the investigation involves a person in
administration, such as the CFO, members of
the team may fear retribution if they suggest
that the CFO has engaged in wrongdoing.
In this case, outside counsel can be useful in
presenting objective and accurate information
at the conclusion of the investigation.
Finally, outside legal counsel should be involved
if the situation is particularly sensitive
or contentious. If properly structured and
handled, having outside counsel to oversee
the investigation may protect the investigation
and its findings under the attorney-client
privilege and attorney work product doctrine.
These protections encourage the candid
exchange of information and permit a more
thorough investigation so that outside counsel
can appropriately advise the Provider on how
to handle any findings of wrongdoing to the
extent they are detected. We note, however,
that these privileges should never be used
to mask wrongdoing. Compliance officers
should be aware that there is an increasing
trend for the protections offered by the
attorney-client privilege and attorney work
product doctrine to be waived upon request
of federal and/or state regulatory agencies.
5. Preserve and secure documents and data
Once the investigative team has been assembled
and the scope of the investigation
determined, immediate steps must be taken
to preserve and secure any and all documents
and data that may be relevant to the
investigation. This is particularly important
when there is a risk of a possible government
investigation or a chance that the entity will
end up making a voluntary disclosure.
The first step in this process is identifying
the universe of documents that may be
relevant to the investigation. As soon as these
documents are identified, the employees in
possession of them must be notified that
they are not to be destroyed. Once all of
the documents are collected, they should be
maintained in a secure location, such as the
compliance officer’s office. The investigative
team will then be charged with reviewing
these documents as part of conducting the
internal investigation. During this process,
careful consideration must be paid to how the
overall investigation is being conducted, and
in particular, how the documents are being
gathered, secured and preserved. The investigative
team should always be cognizant of the
possibility of a government investigation and
should make sure that the actions it takes in
conducting the internal investigation cannot
later be alleged as an obstruction of justice by
the government.
6. Interview employees and other involved
parties
At the same time documents and data are
being collected, key employees and other
involved parties should be identified and
interviewed by members of the investigative
team. It is without question that an interview
conducted by a team of senior management
can cause fear in employees, especially if
legal counsel is involved. Unfortunately, this
fear may hinder the open dialogue and free
flow of discussion that is essential to the
effectiveness of the investigation. Therefore,
the type and number of persons conducting
the interview are key factors in making the
employee feel at ease. For instance, a laboratory
technician may be less likely to openly
communicate when he or she is seated across
a table from five members of senior management
who comprise the investigative team,
but may be more forthcoming if interviewed
by two less-intimidating team members.
Compliance officers should, however, always
include at least two interviewers when
meeting with staff. Although one-on-one
interviews may seem less intimidating, when
two interviewers are involved, it is more likely
that the information will be interpreted and
remembered correctly. The location of the
Continued on page 27
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
November 2006
25

November 2006
26
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

When you receive a compliant ...continued from page 25
interview should also be taken into consideration.
An individual may be more comfortable
in his or her office, or a private room on
the employee’s unit. While the comfort of the
employee is a significant consideration, the
primary consideration is that the interview be
conducted in a manner and place so as to preserve
the confidentiality of the investigation.
It is also important to note that at the beginning
of the interview, the employee must be
notified that the loyalties of the interviewer
lie with the Provider. In particular, if the
interview is being conducted by outside counsel,
the attorney must advise the employee
that he or she is employed by and represents
the Provider, and not the individual employee.
This also presents an opportunity for
an appropriate dialogue to ease the employee’s
concern of his or her own legal liability.
7. Prepare a report of the investigation
Upon the conclusion of an internal investigation,
the results should be reported to
the compliance officer (if he or she was not
part of the investigative team), the Compliance
Committee (if there is one), and the
governing board of the Provider, or a committee
thereof. Typically, the initial report
includes: (1) a statement about what caused
the investigation; (2) the actions taken by
the investigative team; and (3) the findings
that were ascertained during the investigation,
including where necessary, a chronology
of events. Subsequent reports should also
include an assessment of the potential legal
and regulatory exposure, proposed corrective
actions, proposed monitoring of the practice
that caused the investigation, and recommendations
for whether the Provider should make
a voluntary refund or self-disclosure.
The form of this report, however, warrants
careful consideration. The compliance officer
or legal counsel must determine, based on
the particular facts and circumstances of the
investigation, whether the report should be
in written or oral form. To the extent that
a written report is prepared, it should be
drafted with full knowledge that this document
may ultimately be read and/or used by
the government if the government elects to
conduct its own review and the attorney-client
privilege has been waived.
8. Determine whether any voluntary disclosure
or repayment is required
Where the investigation involves an error in
billing third party payors (e.g., federal health
care programs, commercial payors) and it is
determined that the Provider has received
monies to which it was not entitled (i.e.,
overpayments), the compliance officer or legal
counsel will be required to determine the
amount of overpayment and must consider
whether a voluntary disclosure or repayment
is warranted. Self-disclosure, however, carries
with it certain risks. While a full examination
of the risks and benefits of self-disclosure and
repayment are beyond the scope of this article,
we will summarize some of the primary
considerations.
Generally speaking, if a Provider has received
monies to which it was not entitled and it has
knowledge of such overpayments, the monies
may need to be refunded and/or the overpayment
disclosed. For example, under the Social
Security Law (42 USC § 1320a-7b), it is a
criminal offense to not disclose information
when an individual has knowledge of an
event affecting the Provider’s continued right
to payment with respect to federal health care
programs. The government has taken the position
that this, therefore, requires the alleged
overpayment to be refunded. That said, it is
advisable that, if not already involved in the
investigation, in-house or outside counsel be
consulted before any repayment or disclosure
is made, as the applicable laws may be interpreted
differently depending upon the facts
and circumstances of the situation. Furthermore,
the Provider’s subsequent actions may
have the potential to implicate several federal
and state laws that carry with them substantial
criminal, civil, and administrative penalties.
This is of particular importance when
the investigation reveals indicia of intentional
wrongdoing.
It should be noted that, even when an inadvertent
billing error is discovered, the submission
of a refund to the applicable payor
(e.g., fiscal intermediary, Medicaid, other
government payor, or commercial payor), can
still have ramifications. For example, fiscal
intermediaries or other third party payors
who receive refunds may be obligated to
question the Provider about the process used
to evaluate the need for the refund and the
corrective actions the Provider has taken to
prevent such error from occurring in the future.
Payors may also refer the refund over to
the OIG or other relevant agency for further
investigation.
If, however, the compliance issues involve
fraudulent misconduct, the stakes are higher
and the potential penalties more significant.
If a voluntary disclosure is contemplated,
there must be careful consideration of how
and to whom (e.g., fiscal intermediary,
CMS, OIG, US Attorney’s Office, or State
Attorneys General), the disclosure should be
made. One available option when the error
involves federal health care programs is the
OIG’s Provider Self-Disclosure Protocol (Protocol)
which outlines how providers should
approach the government when they discover
evidence of violation of Federal criminal,
civil, or administrative laws. The OIG has
stated that when a provider discloses potential
violations pursuant to the Protocol and fully
cooperates with the government, there may
Continued on page 28
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
November 2006
27

When you receive a compliant
...continued from page 27
November 2006
28
be reduced exposure to criminal,
civil and/or administrative fines
and penalties; however, this is
not definitive. Therefore, it is
very important that compliance
officers are aware of all of the penalties
that could potentially be imposed when making
a disclosure.
9. Implement corrective action
Reporting to the governing board and making a
voluntary repayment or disclosure does not end the
Provider’s or compliance officer’s responsibilities
with respect to acting on the findings of an internal
investigation. Part of overseeing a Provider’s compliance
program requires that appropriate policies and
procedures are in place to prevent potential compliance
problems from arising in the future. This may
involve the creation of new policies and procedures
or revising existing policies and procedures when
they are found to be insufficient to detect or prevent
problems or errors.
Restructuring the Provider’s policies and procedures
is an important step in taking appropriate corrective
action, but it is ineffective unless staff who are
affected by the changes are educated on the new
or revised policies and procedures. Therefore, the
compliance officer should ensure that affected staff
are receiving appropriate education and training
whenever policies and procedures are developed
or revised, and that this education and training is
adequately documented.
It may be necessary to discipline staff who engaged
in the wrongdoing. The affected department’s
director or supervisor, in conjunction with the
compliance officer, should determine the appropriate
course of action. This may include retraining the
person or instituting disciplinary action. The extent
of the disciplinary action will depend on the nature
of the error, and may include a warning, suspension,
or even termination. To the extent the employee
remains employed in his or her same capacity, the
Continued on page 29
CHC
The Healthcare
Compliance Certification
Board (HCCB) compliance certification
examination is available in
all 50 states. Join your peers and
become Certified in Healthcare
Compliance (CHC).
certified in
healthcare
compliance
The Compliance
Professional’s Certification
Congratulations on achieving
CHC status! The Health Care Compliance
Certification Board announces that
the following individuals have recently
successfully completed the Certified in
Healthcare Compliance (CHC) examination,
earning CHC designation:
CHC certification benefits:
■ Enhances the credibility of the
compliance practitioner
■ Enhances the credibility of the
compliance programs staffed by
these certified professionals
■ Assures that each certified
compliance practitioner has the
broad knowledge base necessary
to perform the compliance
function
■ Establishes professional standards
and status for compliance
professionals
■ Facilitates compliance work
for compliance practitioners in
dealing with other professionals
in the industry, such as physicians and attorneys
■ Demonstrates the hard work and dedication necessary to perform the
compliance task
Arlene J. Arellano-Brown
Anne E. Karas
Patricia Anne Weicker
Gabrielle T. Langlinais
Natalie Nichols Banks
Sandra L. Sessoms
CHC certification, developed and managed by HCCB, became available June
26, 2000. Since that time, hundreds of your colleagues have become Certified
in Healthcare Compliance. Linda Wolverton, CHC, says that she sought CHC
certification because “many knowledgeable people work in compliance, and I
wanted my peers to recognize me as ‘one of their own’.” With certification she
is “recognized as having taken the profession seriously, having met the national
professional standard.”
For more information on how you can become CHC Certified,
please call 888/580-8373, e-mail hccb@hcca-info.org, or visit the
HCCA Web site at www.hcca-info.org and click on the HCCB Certification
button on the left.
Health Care Compliance Association • www.hcca-info.org

When you receive a compliant
...continued from page 28
compliance officer should make sure that the employee’s work is monitored
and checked on a regular basis until such time that the employee’s
superiors believe the employee no longer poses a risk with respect to the
problem.
10. Monitor ongoing compliance
Providers should have general monitoring and auditing processes in
place. Indeed, in many of the OIG’s compliance-related guidances, and
in the most recent open letter to providers, the OIG has articulated that
the existence of effective internal auditing and monitoring systems is essential
to the operation of an effective compliance program. Therefore,
the compliance officer should make sure that the systems currently in
place for monitoring and auditing the Provider’s processes are sufficient
to detect and prevent the types of problems that caused the investigation.
In additional to regular, routine monitoring, specific monitoring of the
identified error should be incorporated into the corrective action plan.
This is necessary to ensure that the same mistakes do not happen again.
If, upon re-review, stated goals are not met, the corrective action needs
to be modified and again reviewed, until the compliance officer has
determined that the questionable practice has been corrected. It may be
easy to explain away a mistake the first time, but subsequent errors of
the same kind will be looked at with less leniency. n
Getting Your CHC CEUs
Inserted in this issue of Compliance Today is a
quiz related to the article – “Practical advice on
data breach notification laws for credit and collections
organizations” by Leslie C. Bender, CIPP
The new edition of this essential guide to
health care compliance is now available
Author Debbie Troklus
has revised and updated
Compliance 101 to reflect
recent developments in
compliance.
The second
edition includes:
• Up-to-date
compliance
information
• A brand-new chapter dedicated to
HIPAA regulations
• An expanded glossary with additional
new terms and definitions
• Expanded appendixes, including
a selection of additional new and
user-friendly sample documents
If you’re planning to become Certified in
Healthcare Compliance, Compliance 101 is an
invaluable study aid for the CHC examination.
When you read the article on page 41 and take
the quiz, make sure to print your name at the top
of the form. Fax it to Lisa Colbert at 952/988-
0146 or mail it to Lisa’s attention at HCCA, 6500
Barrie Road, Suite 250, Minneapolis, MN 55435
Debbie Troklus
Greg Warner
Call Lisa Colbert with any questions you may
have at 888/580-8373
To order, visit the HCCA Web site
at www.hcca-info.org.
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
November 2006
29

n Providing training to staff that is in addition
to the current training schedule;
n Engaging an independent review organization
(IRO) to review the areas that the
OIG has determined to be problematic.
By Julie Katich and Karolyn Woo
Editor’s note: Julie Katich and Karolyn and determine to what degree each of the
Woo are with Deloitte & Touche, LLP. seven elements will be implemented; therefore,
Julie can be reached by e-mail at
compliance programs and their effectiveness are
jkatich@deloitte.com and Karolyn can be as varying in nature as the organizations themselves.
In some situations, it takes a government
reached by e-mail at kwoo@deloitte.com.
intervention, such as the issuance of a Corporate
In an effort to protect against potential Integrity Agreement (CIA), to enhance the
instances of fraud and abuse, many health organization’s compliance program.
care organizations have adopted voluntary
compliance programs. Using the various It is no surprise that when an organization
Office of Inspector General’s (OIG) guidances
for health care and life sciences orgative
view of the agreement from a cost and
enters a CIA, it will often have a neganizations
and the U.S. Federal Sentencing resource perspective. If the organization
Guidelines, organizational compliance programs
typically include the following seven the program may not be as effective and
already has a compliance program in place,
elements:
robust as the OIG expects when compared
1. Governance and Oversight
to industry standards and government guidance.
Additionally, the program likely does
2. Policies and Procedures
3. Reporting System
not fulfill all of the requirements contained
4. Training and Education
within the CIA. Typically, the organization
5. Enforcement
must implement new practices and modify
6. Response and Prevention
existing ones to meet the numerous mandates
of a CIA. This is often an onerous
7. Auditing and Monitoring
process. Common CIA requirements include
Because health care organizations are so diverse, enhancements to the compliance program,
no optimal or standard compliance program such as:
best suits all organizations. Rather, organizations
are free to adopt programs that reflect guide the compliance officer and compli-
n Activating a compliance committee to
their commitment to compliance and take into ance program and set the tone at the top
account government guidance and industry of the organization and demonstrate board
practices. An organization’s compliance program and senior management commitment to
should promote integrity and minimize the the program;
risk of fraudulent activities. It is up to each n Revamping the training and education
organization to assess its unique characteristics content to address the alleged misconduct;
Unexpected benefits of a CIA and an IRO
When an organization implements its CIA,
it is not unusual for the organization to
either re-allocate existing resources or acquire
new personnel to support the compliance
program. The organization is often forced
to adopt a more comprehensive program
(sometimes in several of the seven elements
and sometimes only a few) that is maintained
by dedicated resources and supported from
the top level down.
Sometimes, these changes result in unexpected
benefits for the organization. That is,
an organization that is subject to a CIA often
finds itself with a more robust and effective
compliance program than prior to the CIA.
An additional benefit is that when the CIA
requires an IRO, the IRO provides valuable
insight into industry leading practices and
makes suggestions for operational enhancements
for the organization. As an organization
makes changes in accordance with the
CIA requirements, it also will benefit from
suggested changes or modifications that are
made or recommended by the IRO.
From an operational perspective, an effective
compliance program will, in turn, improve
organizational communication, teamwork,
and overall operational efficiency. Similarly,
the mandatory reporting requirements of
the compliance activities often serve to
improve the internal controls environment
and reduce the likelihood of fraud, especially
given the increased focus on the compliance
environment as related to the Sarbanes-Oxley
legislation.
Continued on page 32
November 2006
30
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
November 2006
31

Getting the most from your CIA ...continued from page 30
Synergies between Compliance, Internal
Audit and Risk Management often occur
as a result of IRO activities. An IRO review
typically functions much like a compliance
audit, with the goal of identifying areas for
improvement. Whether or not regulatory
issues are found, it is common for the review
to include recommendations outside the
CIA requirements. Organizations can use
these IRO recommendations to create more
effective and efficient systems and processes
which assist the compliance officer in meeting
overall compliance goals. The organization
should draw on the experience and expertise
of the IRO to provide valuable insights that
the organization may not otherwise see.
Critical success factors for an IRO
engagement
Several critical success factors affect the overall
IRO review process and drive the success
of the engagement. There are many factors to
consider in the first step, the selection of an
IRO, including the expertise of the firm, level
of experience, cost of services, and the IRO’s
willingness to partner with the organization.
From a strategic perspective, if you are able
to develop a strong working relationship
and comfort level with your IRO, the overall
review process will likely be more effective.
The IRO has a job to perform based upon the
requirements of the CIA, but that does not
mean that the organization should not benefit
greatly from the overall process.
Having a dedicated individual from the
organization to handle the day-to-day communication
with the IRO is the initial step
in building a meaningful relationship with
the IRO. An organization that encourages
upfront communication with the IRO will be
more likely to have an IRO that thoroughly
understands the organizational issues impacting
the CIA. This should lead to a more
thorough and complete understanding of the
organization and more innovative recommendations
or solutions if findings are identified
during the review.
From a strategic standpoint, investing time
and resources in the planning phase often
pays significant dividends throughout the
engagement, if the compliance officer can:
n Work together with the IRO to develop the
work plan;
n Educate the IRO on the organization, policies,
procedures, and processes;
n Prepare for the IRO review - you know
they are coming and you have the rare
opportunity to “get your house in order”
before they arrive;
n Conduct audits prior to the IRO review,
and take corrective action as needed to
address weakness in the organizations
systems and processes;
n Educate your workforce – they need to
know that you are committed to compliance
for the purpose of doing the right
thing, rather than just to satisfy the CIA;
n Expect your employees to know and understand
your policies and procedure and
processes – the IRO will; and
n Look for win-win interactions with the
IRO – they will likely see things that you
do not and can provide you with information
and recommendations based upon
leading practices.
Lessons learned
Whether you are subject to an IRO process
or not, we have found that organizations
should consider the following lessons learned
from an IRO perspective and consider implementing
these suggestions in your organization:
n Conduct a consistency review of all policies
and go through the same process of checking
for consistency when developing new
policies or revisions to existing policies;
n Review all procedures, tools, and work
force guidance to ensure consistency with
policies and with each other. Include this
process during the development of or revisions
to procedures, tools and work force
guidance;
n Assess existing committees and streamline
them to enhance effectiveness, prevent
overlap, and develop committee member
expertise;
n Establish an “Ask the compliance officer”
e-mail box and encourage employees
to ask questions and ask for guidance.
Prompt responsiveness and the sharing of
questions that are likely to be applicable to
others creates an openness that can make
your compliance program more effective.
Employees will be better educated and
equipped to handle challenging situations;
n Look for ways to seamlessly integrate IRO
procedures into the day-to-day health care
operations. The IRO tools should become
the auditing and monitoring tools of the
compliance officer;
n Designate a compliance officer who is
responsible for constantly monitoring the
requirements of the CIA and the effectiveness
of the compliance program. Similarly,
a compliance officer (or designee) who is
in constant communication and is responsible
for maintaining a close relationship
with the IRO will foster a much more
effective and efficient process than if this is
not the case;
n If the review includes cost reporting:
n Conduct a thorough review of the
cost report in advance of the IRO
review and ensure that documentation
exists for all items on the
cost report. If any exceptions are
noted, make sure that there is an
explanation as to why the exception
occurred. Have a corrective
action plan in place to show that it
was identified, and that it will not
happen again.
November 2006
32
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

n Assume a very conservative approach
when reviewing previously
filed cost reports or claims
to be submitted to the Medicare
program. If there are any questions,
err on the side of reporting
questionable items to the fiscal
intermediary to avoid potential
issues during the cost review for
unallowable items or any claims
denials.
n Establish an internal process to
identify the root cause of any
exceptions. This process is imperative
and should include identifying
all the reasons why the claim was
identified as an exception. Create
specific corrective action plans to
prevent future occurrences.
n Stay in frequent communication with the
IRO. This allows the compliance officer or
his/her designee to become aware of issues
as early in the process as possible. This also
allows the organization to work with the
IRO to clarify and/or remediate issues as
soon as possible.
Can I benefit if I am not under a CIA?
Organizations that are not subject to a mandated
IRO review can benefit in many ways
from an informal review. Reassessing your
current compliance program and making any
necessary modifications to ensure effectiveness
often leads to positive results and is
always a good defensive position.
Examples of CIAs that are applicable to your
type of organization are available from the
OIG website (http://oig.hhs.gov/fraud/cia/
index.html). You can review and assess your
compliance program in accordance with the
OIG requirements. By following the organizational
guidance set forth in an example
CIA, you can make sure that your processes
and documentation would satisfy a review if
conducted by an IRO. This may seem like a
laborious process when not mandated by the
OIG, but developing and strengthening the
various elements of an existing compliance
program will not only improve operational
efficiencies; it will also help to mitigate the
risk of any future governmental investigations.
Organizations that can demonstrate
that they have a comprehensive and effective
compliance program in place can commonly
negotiate a less onerous CIA that is reduced
in scope and term. To successfully negotiate,
however, there must be documentation, and
staff awareness to show that the compliance
program is effective. Lastly, talk with your
peers who are under a CIA, and learn what
you can do to improve your current compliance
program.
It takes time and effort to implement an effective
compliance program and the standard
is subjective. However, learning from peers is
a good place to start. n
The authors would like to thank Terri
Kraemer and John Valenta with Deloitte &
Touche, LLP for their guidance.
Additional Academy Added!
HCCA will hold an additional Compliance Academy on
December 4–7, 2006, Westin Horton Plaza, San Diego, CA
Register online at www.hcca-info.org
Questions? Contact Lizza Catalano at 888-580-8373 or lizza.catalano@hcca-info.org
registration is limited—register now
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
November 2006
33

COMPLIANCE
101
Hitting the ground running—What every
new (or wannabe) compliance professional
needs to know
By Kathleen Duffett, RN, JD
Editor’s Note: Kathleen Duffett is an attorney
in private practice. She can be reached
by telephone at 845/265-3965 or by e-mail
at kduffett@optonline.net.
In the beginning…
About ten years ago, I was working in the risk
management department of a major medical
center. Although I enjoyed my job, I wanted to
branch out into something new and, if possible,
make a few more dollars. As I started to get the
word out that I was looking, a friend of mine
who worked for a large consulting firm called
me. “We do corporate compliance work for
health care businesses – why don’t you submit
your resume?” Not knowing much about
corporate compliance, but interested in a new
opportunity, I sent in my resume and got an interview.
Now I needed to beef up on corporate
compliance issues, fast! I relied on some materials
I had received at a fraud and abuse law conference
I had attended a couple of years earlier.
That got me through the interview (barely, I am
sure) and I got the job. Now I needed a crash
course in compliance basics a.s.a.p.! Although
I found plenty of sophisticated articles about
specific corporate compliance issues, it was
almost impossible to find “beginner’s information”
regarding common corporate compliance
issues. This article is just that—a down and
dirty primer on corporate compliance issues for
the new (or wannabe) compliance professional.
Brief history of health care compliance
Health care fraud and abuse became the
focus of the federal government in the
1990s. With medical costs escalating, the
federal government was paying out big
bucks through its health care programs and
wanted to ensure that its increasing costs
were not the result of fraud and abuse. In the
mid-1990s, the Department of Justice (DOJ)
announced that combating health care fraud
was its number two priority, second only to
combating violent crime.
Most of the federal health care-related legislation
passed in the 1990s, in particular the
Health Insurance Portability and Accountability
Act of 1996 (HIPAA), included antifraud
and abuse measures. This legislative
trend has continued into the present. In addition,
since the 1990s, most fraud and abuse
legislation includes appropriations to fund
prevention activities. State governments have
also become more active in the fight against
fraud and abuse in relation to their Medicaid
and other state run programs.
Health care organizations have responded to
all this federal and state activity by instituting
corporate compliance programs. Why? In the
event that a health care organization is found
guilty of wrongdoing, an effective compliance
program can reduce the organization’s
exposure to criminal sanctions, civil damages
and penalties, and administrative remedies.
Federal & State agencies involved in
combating fraud
A multitude of federal and state agencies are
involved in the fight against fraud and abuse.
The agencies on the forefront of this effort
include:
Office of the Inspector General (OIG)
of the U.S. Department of Health and
Human Services (HHS)
The OIG is an independent unit within
HHS. It functions as a watchdog. The responsibilities
of the OIG include conducting
audits and investigations related to HHS operations
and programs (such as Medicare and
Medicaid); preventing and detecting fraud
and abuse; issuing guidelines and parameters
outlining activities that constitute fraud and
abuse; and keeping the Secretary of HHS
and Congress informed about problems and
issues related to the administration and
operations of HHS programs.
The OIG is an extremely active agency and is
a leading authority on health care fraud and
abuse issues.
The U.S. Department of Justice (DOJ)
Most people associate the DOJ with terrorism
and related matters. However, the DOJ
is actively involved in combating health care
fraud and abuse. Historically, the primary
focus of the DOJ has been the investigation
and prosecution of health care organizations
for violations of the federal False Claims Act.
State Medicaid Fraud Control Units
(MFCUs)
Almost every state has its own MFCU. New
York State has the largest (and most highly
regarded) MFCU. The MFCUs are involved
in the investigation and prosecution (or
referral for prosecution) of various illegal
activities, such as kickbacks and improper
billings, perpetrated by health care providers
and others who participate in a state’s
Medicaid program. Most MFCUs are part
of the state attorney general’s office. A small
number of the units are located in various
other state agencies.
State Attorneys General Offices
In addition to running MFCUs, many state
attorneys general get involved in fraud and
abuse issues, particularly in managed care.
Using consumer protection and other applicable
state laws, they target health plans,
providers, and other players in the health care
November 2006
34
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

industry who engage in fraudulent, misleading,
deceptive, or illegal practices.
Seven basic elements in all compliance
programs
In the federal court system, wrongdoers are
punished in accordance with the Federal
Sentencing Guidelines (FSGs). Under the
FSGs, an organization that has an effective
compliance program can reduce its exposure
to civil damages, penalties, criminal sanctions,
and administrative penalties (e.g.,
exclusion from participation in federal
health care programs). The OIG’s voluntary
Compliance Program Guidances (CPGs),
which provide the OIG’s perspective on what
constitutes an effective compliance program,
are based on the FSG’s seven basic elements:
1. Establishing written compliance standards
and procedures to be followed by
employees and other agents (e.g., policies
and procedures, code of conduct);
2. Making high-level personnel responsible
for overseeing compliance (e.g., compliance
officer, compliance committee);
3. Developing and implementing training
and education programs for all employees;
4. Developing effective lines of communication
(e.g., hotlines, protection for whistleblowers);
5. Taking reasonable steps to achieve compliance
with standards, including use of
monitoring and auditing systems;
6. Consistently enforcing the standards
through appropriate disciplinary mechanisms;
and
7. Responding promptly to detected offenses
and taking all reasonable steps to respond
appropriately and prevent further similar
offenses.
How these seven elements are incorporated
into an organization’s compliance program
depends on many things. For example, the
particulars of a hospital’s compliance program
will not be identical to a managed care organization’s
compliance program because their activities,
and therefore their risk areas, differ in
various respects. Similarly, a small community
hospital will not have the exact same compliance
program as an academic medical center.
Fortunately, the OIG has issued several CPGs
for various sectors of the health care industry
that are excellent resources when establishing
(or learning about) compliance programs. The
CPGs are available at http://www.oig.hhs.
gov/fraud/complianceguidance.html.
Key laws every compliance professional
should know
The variety and complexity of laws and
regulations that touch on an organization’s
compliance program can be mind-boggling.
Fear not! You will become familiar with all of
them in time. But there are some laws that
every compliance officer should be familiar
with right from the start.
1. The Anti-kickback (AKB) Statute – 42
United States Code (U.S.C.) Section
1320a-7b
The AKB Statute makes it a criminal offense
to knowingly and willfully offer, pay, solicit,
or receive any “remuneration” to induce or
reward referrals of items or services reimbursable
by a federal health care program.
“Remuneration” is not limited to cash
payment for referrals. Rather, if anything of
value is exchanged (e.g., referral fees, payment
of travel or conference expenses, tickets to
sporting events, free or below market value
rental space) between a referral source (e.g., a
physician) and a party who provides items or
services that are covered in whole or in part
by Medicare or Medicaid (e.g., a hospital or
DME vendor), the AKB Statute is implicated.
Some courts have held that the AKB
Statute is violated if even one purpose of the
remuneration is to induce further referrals.
Notably, the statute attributes liability to
both parties involved in an impermissible
kickback. Consequently, business practices
that are common in other industries, such as
taking clients to sporting events or paying for
dinners or golf outings, can be construed as
kickbacks when exchanged between Medicare/Medicaid
referral sources and Medicare/
Medicaid service providers.
The DOJ prosecutes criminal AKB cases. The
OIG has civil authority to exclude from the
Medicare and Medicaid programs a provider
who has participated in a kickback scheme
but has not been convicted under the criminal
AKB statute. The OIG may also impose
a civil monetary penalty (CMP) for an act
described in the AKB Statute.
The OIG has the authority to promulgate
safe harbors to the AKB Statue. Safe harbors
are certain payment arrangements and business
practices which, although potentially capable
of inducing referrals of business under
the Medicare and Medicaid programs, will
not be treated as criminal offenses under the
AKB Statute and will not serve as a basis for
program exclusion. However, arrangements
that don’t meet a safe harbor are not illegal
per se–they may or may not be, depending on
the circumstances. The current safe harbors
are located at 42 Code of Federal Regulations
(CFR) Section 1001.952, which is available
at http://www.access.gpo.gov/nara/cfr/
waisidx_05/42cfr1001_05.html
Criminal penalties for violating the AKB
Statute include a $25,000 fine and up to five
years imprisonment. As mentioned earlier, the
OIG can impose CMPs for AKB activities, as
well as exclude the perpetrator from involvement
in federal health care programs.
2. The Civil Monetary Penalties Law
(CMPL) - 42 U.S.C. Section 1320a-7a
Continued on page 36
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
November 2006
35

Compliance 101 ...continued from page 35
The CMPL allows the OIG to impose
monetary fines and assessments for a number
of unacceptable practices. Examples include
submitting false claims, accepting kickbacks
and offering or providing inducements to
Medicare and Medicaid beneficiaries that are
likely to influence their choice of a Medicare
or Medicaid provider. The full list of actions
that can result in imposition of CMPs by the
OIG is located at 42 CFR Section 1003.102,
which is available at http://www.access.gpo.
gov/nara/cfr/waisidx_05/42cfr1003_05.html
The OIG is authorized to seek different
amounts of CMPs and assessments based on
the type of violation at issue. For example, in
a case of false or fraudulent claims, the OIG
may seek a penalty of up to $10,000 for each
item or service improperly claimed, and an
assessment of up to three times the amount
improperly claimed. In a kickback case, the
OIG may seek a penalty of up to $50,000 for
each improper act and an assessment of up to
three times the amount of remuneration at
issue. Administrative remedies include exclusion
from federal health care programs.
3. The Civil False Claims Act – 31 U.S.C.
Sections 3729 -3733
Signed by President Lincoln in 1863, the
civil False Claims Act (FCA) makes it illegal
to present (or cause to be presented) a claim
to the federal government for payment or
approval when the person or entity submitting
the claim knows that the claim is false or
fraudulent. Amendments to the FCA in 1986
strengthened its efficacy and led to its use in
the health care industry, particularly in billing
and coding areas (e.g., upcoding, unbundling,
billing for medically unnecessary services, etc.)
“Claim” is any request or demand for money
if the federal government provides any portion
of the sum requested. Therefore, when a
doctor or hospital bills Medicare for a service,
a claim has been submitted to the federal
government for payment.
The required intent is actual knowledge,
deliberate ignorance, or reckless disregard of
the truth or falsity of the claim. For example,
when the DOJ suspects that a hospital has
been upcoding its diagnosis-related group
codes, (a potential FCA situation), the DOJ
will ask if the hospital was aware of Medicare
fiscal intermediary bulletins on this issue, is
the Medicare rule understandable, did the
hospital ever contact the Centers for Medicare
and Medicaid Services (CMS) for guidance
on the issue, and so on. These questions are
asked to assess intent.
Mere submission of a claim is sufficient to
sustain an action under the FCA. Actual payment
or approval of a claim is not required.
Penalties of $5,500- $11,000 per claim can
be imposed, as well as an assessment of up
to three times the damages sustained by the
government as a result of the false claim.
Administrative remedies include program
exclusion or a government-imposed compliance
program.
Under the FCA, a private person, known as
a qui tam relator, can initiate an FCA action
on behalf of the federal government. The
primary purpose of this provision is to give
whistleblowers incentives to help the government
discover and prosecute fraudulent
claims by sharing a percentage of the recovery.
If the government decides to proceed with
a case initiated by a qui tam relator, and
if the government is successful in winning
the action, the relator gets 15%-25% of
the proceeds. If the government declines to
proceed with the case, but the relator wins or
settles the case on his or her own, he or she
is entitled to 25%-30% of the proceeds, plus
reasonable costs and attorney’s fees. Disgruntled
current and former employees and
competitors are common qui tam relators.
4. The Health Insurance Portability and
Accountability Act (HIPAA) – Public
Law 104-191; Social Security Act Section
1128C(a)
Nowadays, when you say “HIPAA,” everyone
in health care thinks of the confidentiality of
patient information. But the HIPAA statute
of 1996 was very broad and touched on a
number of areas, including fraud and abuse.
Among its anti-fraud and abuse measures,
HIPAA appropriated dedicated funding to
fight fraud and abuse and created new federal
criminal offenses for health care fraud regardless
of payer. It also required the establishment
of a national Health Care Fraud and
Abuse Control Program (HCFAC). HCFAC
is under the joint direction of the Attorney
General of the DOJ and the Secretary of
HHS, the latter acting through the OIG. The
HCFAC program is designed to coordinate
federal, state, and local law enforcement
activities with respect to health care fraud and
abuse. Under HIPAA, an amount equaling
recoveries from health care investigations (i.e.,
criminal fines, forfeitures, civil settlements
and judgments, and administrative penalties)
must be deposited in the Medicare Trust
Fund. HHS and DOJ issue annual reports
detailing the amounts deposited and appropriated
to the trust fund and the source of
such deposits. More information on HCFAC,
is available at http://oig.hhs.gov/publications/
hcfac.html#1
5. The Physician Self-Referral Act (Stark
Law) – 42 U.S.C. Section 1395nn
The Physician Self-Referral Law (known
as the Stark Law because its sponsor was
Congressman Pete Stark) prohibits a physician
from referring Medicare and Medicaid
patients for certain designated health services
Continued on page 38
November 2006
36
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

Consult with our team
of national experts on compliance issues.
Compliance Effectiveness | Medicare & Medicaid Fraud Defense | Corporate Integrity Agreements
Pharmaceutical Contracts | Research Compliance & Billing
Revenue Cycle Analysis | Sarbanes Oxley & Internal Audit Services
Coder Certification & Training | Charge Master Analysis & Implementation
Serving clients in 45 states since 1985.
For more information, contact our specialists:
John Beattie, CPA, CFE Victor Blanchard, CISA James Cesare John Foley, CPA
717.540.4709 215.972.2392 717.540.4702 570.820.0126
jbeattie@parentenet.com vblanchard@parentenet.com jcesare@parentenet.com jfoley@parentenet.com
www.parentehealthcare.com
An Independent Member of Baker Tilly International
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
November 2006
37

Compliance 101 ...continued from page 36
(DHS) to entities with which the physician or
the physician’s immediate family member has
a financial relationship, unless an exception
applies. The DHS list is quite comprehensive
and includes laboratory services, physical
therapy, occupational therapy, speech therapy,
and inpatient and outpatient hospital services
(see 42 CFR Section 411.351 for the full
DHS list). Likewise, the statutory definitions
of “physician,” “immediate family member,”
“referral,” and “financial relationship” are of
consequence. Much like the AKB Statute, a
“financial relationship” exists whenever anything
of value (“remuneration”) passes from
the DHS-provider to the physician.
In addition to penalizing the physician, the
Stark Law also prohibits the DHS provider
from billing for any services rendered or
goods delivered as a result of a prohibited
referral. The goal of the law is to ensure that
a physician’s decision to refer is based on
the best interest of the patient and not the
physician’s financial interest in the entity that
provides the services or items. As “they” say,
the road to hell is paved with good intentions.
The complexity of the regulations implementing
the Stark Law (see 42 CFR Sections
411.350-361) bears this out.
Stark is a strict liability statute. This means
that the law is violated if a prohibited referral
is made and does not meet the specific
requirements of the applicable exception.
Whether the physician or DHS provider
intended to violate the statute is irrelevant.
The current exceptions, which are similar but
not identical to the AKB safe harbors, are
available at 42 CFR Section 411.355 -357.
Sanctions for Stark violations include:
(1) denial of payment for services resulting
from prohibited referral;
(2) refund of any payment made by CMS to
an entity furnishing DHS as a result of a
prohibited referral;
(3) CMP of up to $15,000 per service plus an
assessment of not more than three times
the amount claimed;
(4) CMP of up to $100,000 for circumvention
schemes;
(5) CMP of not more than $10,000 per day
for failure to comply with certain reporting
requirements;
(6) program exclusion; and
(7) potential prosecution under the FCA.
With the exception of lawyers, most
compliance professionals are not required
to understand the complexities of the Stark
Law. Compliance professionals do need to
recognize situations where the Stark Law is
implicated (almost any relationship with a
DHS referral-generating physician where
remuneration of some sort is involved) and
bring these situations to the attention of a
knowledgeable attorney who can advise as to
the application of the law in that scenario.
When analyzing the Stark Law, the questions
to ask include:
n Is there a financial relationship between the
physician (or immediate family member)
and the entity providing DHS services?
n If so, does the physician make referrals to
the entity for DHS?
n If so, are the services payable or paid by
Medicare or Medicaid?
n If so, do any of the Stark statutory exceptions
apply?
n If so, does the arrangement meet all of the
qualifications of the applicable exception?
CMS, which is responsible for the regulations
implementing the Stark Law, has a Physician
Self-Referral Home Page, available at http://
www.cms.hhs.gov/PhysicianSelfReferral/.
Note: The Stark Law and the AKB Statute are
NOT identical. It is possible to be in compliance
with one while simultaneously violating
the other. Transactions between physicians
and other entities must be analyzed separately
under each statute.
Valuable Internet resources
(and how to use them)
Once you master the basics of compliance,
the challenge is to stay on top of compliancerelated
issues in your segments of the health
care industry. Of course, joining a professional
organization—such as HCCA—is an
excellent way of staying up to date.
Another extremely useful practice is to develop
a list of Internet sites that address issues
that you are responsible for and consult them
on a regular basis (daily if necessary). Your
list will typically include federal and state
agencies that regulate health care in some way
(e.g., CMS, OIG, or state departments of
health or insurance) as well as law firms and
professional or trade organizations that monitor
issues that are important to your industry.
Once you start using the Internet for this
purpose, you will find plenty of useful Web
sites to include on your list!
A majority of my clients are health care institutions
(i.e., hospitals, home care agencies,
managed care organizations, etc.) and their
businesses are involved with federal, state,
and private health care insurance programs.
HIPAA is also an issue for my clients. Here is
a partial list of Web sites and recommendations
for how often to use them. You may use
this list as a jumping off point to start yours.
Visit daily
n Federal Register - http://www.access.gpo.
gov/su_docs/fedreg/frcont06.html
Note: The Federal Register is the official document
that the federal agencies use to promulgate
new or revised rules and regulations. It is
the first Web site I go to every day. I typically
November 2006
38
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

scroll down to the CMS and HHS sections,
the latter of which includes OIG notices.
n CMS - http://www.cms.hhs.gov/apps/media/
Note: I routinely search the press releases and
fact sheets for current information.
n Medicare Advantage What’s New
Home Page - http://www.cms.hhs.
gov/HealthPlansGenInfo/02_WhatsNew.
asp#TopOfPage
n OIG What’s New Home Page - http://
www.oig.hhs.gov/w-new.html
n HHS http://www.hhs.gov/ (Hint: look to
right for “News”)
n American Health Lawyers Association
http://www.healthlawyers.org/ (Hint: click
on the News Center tab and then on the
“Of Note” drop down)
n Kaiser Network - http://www.kaisernetwork.org/
(Daily Reports)
n Health Care Compliance Association
http://www.hcca-info.org/am/Template.
cfm?Section=Home
n Island Peer Review Organization (IPRO)
http://providers.ipro.org/index
n NYS Attorney General Health Bureau
Home Page - http://www.oag.state.ny.us/
health/health_care.html
n NYS Department of Health - http://www.
health.state.ny.us/
n NYS Department of Insurance Circular
Letter Index - http://www.ins.state.ny.us/
circindx.htm
n NYS Department of Insurance, Opinions
of the Office of General Counsel - http://
www.ins.state.ny.us/ropi2006.htm
n NYS Register - http://www.dos.state.
ny.us/info/register/2006.htm
n NYS Senate and Assembly Floor Calendars
http://public.leginfo.state.ny.us/menugetf.
cgi?COMMONQUERY=CALENDAR
n Office for Civil Rights HIPAA Privacy
Home Page - http://www.hhs.gov/ocr/
hipaa/
Note: Internet access to the various parts of
Volume 42 of the CFR is available by going
to - http://www.access.gpo.gov/nara/cfr/
waisidx_05/42cfrv2_05.html
October (or thereabout). Consequently, on
or after October 2006, the “waisidx_05” and
the “05.html” within the URL will need to be
changed to “waisidx_06” “06.html” in order
to get the current version of the regulations. n
Correction!
The ad in the October 2006
issue of Compliance Today
on page 37 announcing the
new Continuing Education
Units (CUE) program mistakenly
says that CEU credits
are only available to members.
This benefit is open to everyone.
We hope you will take
advantage of this new way to
earn credits for certification.
Visit weekly
Please Note: The CFR is updated every
HCCA’s Compliance Institute
NEW HOTEL AND DATES
Register online today and save! HCCA will
hold its 11th Annual Compliance Institute in
Chicago, IL, at the Sheraton Chicago Hotel
and Towers, April 22–25, 2007.
Go to www.compliance-institute.org to register.
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
November 2006
39

December 4–7, 2006
The Westin Horton Plaza
San Diego, CA
February 5–8, 2007
Argonaut Hotel
San Francisco, CA
March 19–22, 2007
Hilton Dallas Lincoln Centre
Dallas, TX
June 25–28, 2007
Hyatt at Fisherman’s Wharf
San Francisco, CA
Visit www.hcca-info.org to register
November 2006
40
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

assure that creditor clients can remain confident
that collection agencies are trustworthy
handlers of sensitive consumer information,
collection agencies must navigate a steady
course through the waters of the various state
data breach laws and must chart a responsible
course for action.
Editor’s note: Leslie C. Bender, CIPP is an
attorney practicing in Timonium, Maryland.
She may be reached by telephone at
410/453-4123 or by e-mail at
LBender@theROI.com.
In July 2003, California led the nation
by enacting Senate Bill 1386, a law
requiring companies to notify consumers
when their electronic data had been
compromised. Although Congress was unable
to reach agreement on any of the dozens of
data security breach notification acts or data
security bills proposed in 2005, most of the
states considered legislation, and 22 states
enacted legislation.
Despite the absence of a data breach notification
requirement in all states or at the national
level, the reach of California’s law beyond
its borders is evident. In 2005, more than 130
companies publicly and voluntarily reported
security breach incidents. Since ChoicePoint
notified the public regarding its data security
breach in February 2005, other companies
have, of their own accord, provided notifications
of data security breaches that affected
more than 53 million consumers. On average,
39% of all banks and other financial institutions
annually report some type of security
breach. Nearly 20% of those breaches were
caused by external sources, 10% by internal,
and another 13% from both. Analysts agree
that data security breaches are on the rise, are
By Leslie C. Bender, CIPP
costly to businesses who regularly handle consumers’
information, and are of grave concern
to consumers (i.e., voters).
Many companies doing business nationally
have chosen to use California’s law as their
baseline for compliance while they patiently
await passage of a law establishing a national
standard. Congress is expected to pass a
national data security breach law in 2006.
Consumers expect to know when and how
their sensitive non-public information may
have been improperly used, accessed, or even
misplaced. The cost of understanding and
complying with what analysts call a “smorgasbord
of state laws poses a growing problem,
because the [state laws] often specify different
triggers for notifications and set varying
requirements on what needs to be disclosed,
to whom, and when.”
Under national privacy laws, such as the
Gramm Leach Bliley Financial Modernization
Act of 1999 (GLBA) or the Health Insurance
Portability and Accountability Act of 1996
and the regulations promulgated under it
(collectively known as HIPAA), companies
may have an obligation to mitigate known
harmful effects flowing from data security
breaches – but, no express mandate that they
give notice of security breaches to consumers.
Collection agencies and debt buyers are directly
regulated under the GLBA and, if they
handle the resolution of medical receivables,
they are indirectly regulated as “business
associates” under HIPAA. Nonetheless, to
Top 10 List
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
We have developed 10 steps for protecting the
sensitive consumer data that is entrusted to
your care.
First, determine which of the states where
you do business have enacted data security
laws. Evaluate the applicable state laws and
develop an information grid that will help
you quickly go through the requirements of
each state’s laws. Know what circumstances
will trigger your requirement to notify consumers
of a breach. Determine in advance
how you will decide when to notify your
clients and solicit their input before notifying
consumers. Understand what alternatives are
available for giving notice (e.g., study sample
forms posted on the Internet or on the Federal
Trade Commission’s website).
Second, using the grid of applicable laws,
conduct a risk assessment or, if appropriate,
engage the services of a knowledgeable outside
professional to conduct a risk assessment
for you. Use the findings of the risk assessment
to identify gaps or risks in your data
security, and design a workable compliance
program to fill the gaps.
Third, understand how sensitive consumer
information comes to your collection agency,
how it enters your information systems or
other computerized records, how it is accessed,
and under what circumstances it is
disclosed--either to the consumer directly or
to some other third parties.
Continued on page 42
November 2006
41

Data Breach Notification Laws ...continued from page 41
Fourth, adopt “least reasonable use principles.”
In other words, play out scenarios
and create general guidelines on how much information
is generally appropriate to disclose
and under what circumstances. Ask yourself,
what is the least information that will meet
reasonable and “authorized” requests for disclosure.
Engage members of your workforce in
brainstorming sessions. Educate members of
your workforce about situations in which it is
best to obtain a consumer’s written permission
or authorization before making a questionable
release or disclosure (e.g., to an aggressive
mortgage refinancing company demanding
sensitive financial information in time for an
upcoming settlement). Don’t underestimate
your employees’ desire to be helpful and that
they may err by improperly disclosing sensitive
information out of a misguided intent
to be helpful. Provide one or more forms for
documenting a consumer’s permission, and
offer tips or a sample script for explaining
to consumers why their permission is being
sought. Prepare a matrix or simple guidelines
that members of your workforce can
understand and follow, thus allowing them
to make good decisions on their own and to
seek advice only when requests for release or
disclosure do not match those guidelines.
Fifth, understand when data is no longer
needed and develop a plan for encrypting it,
returning it, or destroying it. Know what uses
of historic data are reasonable and appropriate,
and eliminate data from your systems
that has outlived its usefulness. Encryption
may seem an ideal solution for protecting
data at rest, but it may prove to be an
expensive and unwieldy solution when you
balance protecting the confidentiality of the
information against ensuring its availability
for legitimate uses and disclosures. Avoid
contracting to encrypt all data – or at least
the data you currently need to use. Evaluate
alternatives for securely exchanging electronic
data with clients and others. Data at rest
(or data transferred electronically without
being zipped up, downloaded into password
protected files, or encrypted) may prove to be
your most vulnerable information, because it
is no longer regularly monitored and remains
ripe for harvesting or getting misplaced. Back
up your critical information systems and ensure
you can restore both data and software, if
your hardware fails or becomes damaged.
Sixth, prevent data security breaches by
creating access controls that limit access to
data to those with a business reason to use
the information. Further, establish guidelines
for who is permitted to release or disclose
information, for permissions that must be
obtained, and for protections to ensure
that the proper information is released only
under appropriate circumstances. Passwords,
electronic monitoring of high risk accounts
(e.g., accounts of celebrities, co-workers, family
members), and sanctions are inexpensive
tools to help detect risks of data breaches.
Simple confidentiality pledge documents are
meaningful reminders of the responsibility to
properly use and disclose information; have
them signed by each of your employees when
they receive passwords that allow them access
to your information systems.
Seventh, establish an accessible hotline or
other notice mechanism that makes your employees
(or contractors or clients) your eyes
and ears and gives them the ability to quickly
report to you any known or suspected misuses
of consumer data. Record, investigate, and
resolve all complaints related to known
or suspected misuses of consumer data,
and track and trend all incidents. Take all
complaints seriously, avoid retaliating against
whistleblowers, and reinforce workforce
understanding with meaningful updates.
Keep your workforce advised of the consequences
of data security issues (e.g., arrests
and prosecution of identity thieves, rewards
for innovators who identify weaknesses in the
links in your data security program and those
who propose workable solutions). Update
or revise information security compliance
guidelines to continuously improve your data
security program.
Eighth, put a person or group of persons
in charge of your data security who are
knowledgeable about information security as
well as your operations, and give them an appropriate
level of authority to be responsible
for administering your data security program.
Provide them with regular access to continuing
professional education programs so they
remain current and advise you on new technologies,
training, or awareness programs to
keep your agency up to date on risks and how
to manage them. Know who your clients’ “go
to” people are for data security and link your
own security official with theirs.
Ninth, know and document what data
security requirements your clients have.
Ensure your own data security is appropriately
matched to your clients’ expectations. Let
your clients know that you have made a meaningful
investment in assuming responsibility
for safeguarding consumer data and that you
strive to be trustworthy business partners.
Tenth, be practical and keep it simple and
straightforward. A data security solution for
one collection agency may not be sized to fit
your agency. For example, the most robust
data security policies and procedures may
meet the letter of the law, but if they are
written in technical language or legalese, they
may be so cumbersome that your workforce is
unable to gain a working knowledge of them.
Simple, to-the-point policies and procedures
that apply directly to situations members of
your workforce may actually face are much
more likely to be read and followed. n
November 2006
42
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

Your HCCA Staff
The Association for Health Care Compliance Professionals
888-580-8373 | 952-988-0141 | fax 952-988-0146
Sarah Anondson
Graphic Artist
sarah.anondson@hcca-info.org
Jennifer Bauer
Office Manager
jennifer.bauer@hcca-info.org
Lizza Catalano
Conference Planner
lizza.bisek@hcca-info.org
Lisa Colbert
Certification Coordinator
lisa.colbert@hcca-info.org
Gary DeVaan
Graphic Services Manager
gary.devaan@hcca-info.org
Margaret Dragon
Director of Communications
margaret.dragon@hcca-info.org
Darin Dvorak
Director of Conferences
darin.dvorak@hcca-info.org
Wilma Eisenman
Member Relations
wilma.eisenman@hcca-info.org
Nancy G. Gordon
Managing Editor
nancy.gordon@hcca-info.org
Karrie Hakenson
Project Specialist
karrie.hakenson@hcca-info.org
Patti Hoskin
Database Associate
patti.eide@hcca-info.org
Jennifer Hultberg
Conference Planner
jennifer.hultberg@hcca-info.org
April Kiel
Database Administrator
Member Relations
april.kiel@hcca-info.org
Caroline Lee Bivona
Accountant
caroline.leebivona@hcca-info.org
Patricia Mees
Communications Editor
patricia.mees@hcca-info.org
Beckie Smith
Conference Planner
beckie.smith@hcca-info.org
Roy Snell
Chief Executive Officer
roy.snell@hcca-info.org
Charlie Thiem
Chief Financial Officer
charlie.thiem@hcca-info.org
Nancy Vang
Administrative Assistant
nancy.vang@hcca-info.org
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
November 2006
43

WEBLINKS
Health Care Fraud and Abuse Control
(HCFAC) Program annual report for FY 2005. To get to the full
document:
http://oig.hhs.gov/publications/docs/hcfac/hcfacreport2005.pdf
MFCU (Medicaid Fraud Control Units) Contact Directory
http://oig.hhs.gov/publications/mfcu.html#1
Work Plan for Fiscal Year 2007
http://oig.hhs.gov/publications/docs/workplan/2007/Work Plan
2007.pdf
Recent OIG Advisory Opinions
Use this link - http://oig.hhs.gov/w-new.html - for:
Advisory Opinion 06-15 PDF (concerning an arrangement under
which a managed care company will disburse pay-for-performance
financial incentives on behalf of a State’s Medicaid program)
Advisory Opinion 06-14 PDF (concerning a pharmaceutical manufacturer’s
proposal to establish a patient assistance program to provide
the company’s drugs to financially-needy Medicare Part D enrollees
outside of the Part D benefit
Advisory Opinion 06-13 PDF (concerning a nonprofit, tax-exempt,
charitable organization’s proposal to provide financially needy persons
who have [diseases redacted] with grants to defray the costs of premiums
and cost-sharing obligations under Medicare Part B, Medicare
Part D, Medicare Supplementary Health Insurance, and Medicare
Advantage)
Advisory Opinion 06-12 PDF (concerning a municipality’s exclusive
contract arrangement for non-emergency inter-facility ambulance
transport services)
Advisory Opinion 06-11 PDF (concerning a municipality’s exclusive
contract arrangement for non-emergency inter-facility ambulance
transport services)
Publisher:
Health Care Compliance Association, 888-580-8373
Executive Editor:
Roy Snell, CEO, HCCA, roy.snell@hcca-info.org
Contributing Editor:
Dan Roach, President, HCCA, 888-580-8373
Manager, Articles and Advertisments:
Margaret R. Dragon, HCCA, 781-593-4924, margaret.dragon@hcca-info.org
Copy Editor/Proofreader:
Patricia Mees, HCCA, 888-580-8373, patricia.mees@hcca-info.org
Style Editor:
Sarah Anondson, HCCA, 888-580-8373, sarah.anondson@hcca-info.org
Layout:
Gary Devaan, HCCA, 888-580-8373, gary.devaan@hcca-info.org
HCCA Officers:
Daniel Roach, Esq.
HCCA President
VP & Corporate Compliance Officer
Catholic Healthcare West
Steven Ortquist, CHC
HCCA 1st Vice President
Senior Vice President, Ethics and
Compliance/Chief Compliance Officer
Tenet Healthcare Corporation
Rory Jaffe, MD, MBA, CHC
HCCA 2nd Vice President
Executive Director–Medical Services
University of California
Julene Brown, RN, BSN, CHC, CPC
HCCA Treasurer
MeritCare Health System
Jennifer O’Brien
HCCA Secretary
VP Corporate Compliance
Allina Hospitals & Clinics
Odell Guyton
HCCA Immediate Past President
Senior Corporate Attorney,
Director of Compliance,
U.S. Legal–Finance & Operations
Microsoft Corporation
Frank Sheeder
Non-Officer Board Member of
Executive Committee
Partner
Jones Day
CEO/Executive Director:
Roy Snell, CHC
Health Care Compliance Association
Counsel:
Keith Halleland, Esq.
Halleland Lewis Nilan Sipkins & Johnson
Board of Directors:
Urton Anderson
Associate Dean for Undergraduate Programs
at McCombs School of Business
University of Texas
Cynthia Boyd, MD, FACP, MBA
Chief Compliance Officer
Rush University Medical Center
Anne Doyle
Director of Public Policy, Government Affairs
and Compliance
Tufts Health Plan
Gabriel Imperato
Managing Partner
Broad and Cassel
Al W. Josephs, CHC
Senior Director Policies and Training
Tenet Healthcare Corporation
Joseph Murphy
Partner, Compliance Systems Legal Group
Chairman, Integrity Interactive Corp
F. Lisa Murtha, Esq., CHC
Managing Director
Huron Consulting Group
Mark Ruppert, CPA, CIA, CISA, CHFP
Director, Internal Audit
Cedars-Sinai Health System
Debbie Troklus, CHC
Assistant Vice President for Health Affairs/
Compliance
University of Louisville, School of Medicine
Sheryl Vacca, CHC
Director, National Health Care
Regulatory Practice, Deloitte & Touche
Cheryl Wagonhurst
Partner, Foley & Lardner LLP
Greg Warner, CHC
Director for Compliance
Mayo Clinic
Advisory Opinion 06-10 PDF (concerning a nonprofit, tax-exempt,
Compliance Today (CT) (ISSN 1523-8466) is published by the Health Care Compliance
Association (HCCA), 6500 Barrie Road, Suite 250, Minneapolis, MN 55435. Subscription rate is $357 a
charitable organization’s practice of providing certain therapy management
services and assistance with Medicare cost-sharing obligations to
year for nonmembers. Periodicals postage-paid at Minneapolis, MN 55435. Postmaster: Send address changes
to Compliance Today, 6500 Barrie Road, Suite 250, Minneapolis, MN 55435. Copyright 2006
the Health Care Compliance Association. All rights reserved. Printed in the USA. Except where specifically
encouraged, no part of this publication may be reproduced, in any form or by any means without prior written
financially needy Medicare beneficiaries undergoing medical treatment
consent of the HCCA. For subscription information and advertising rates, call Margaret Dragon at 781-593-
for certain diseases)
4924. Send press releases to M. Dragon, PO Box 197, Nahant, MA 01908. Opinions expressed are not those of
this publication or the HCCA. Mention of products and services does not constitute endorsement. Neither the
HCCA nor CT is engaged in rendering legal or other professional services. If such assistance is needed, readers
should consult professional counsel or other professional advisors for specific legal or ethical questions.
November 2006
44 Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

The Health Care Compliance Association
welcomes the following new members and
organizations. Please update any contact
information using the Member Center on
the Web site, or e-mail Karrie Hakenson
(karrie.hakenson@hcca-info.org) with
changes or corrections.
Missouri
■ Kathy M. Boschert, BJC HealthCare
■ Mitchell Dobson, Hanger P & O
■ Lawrence Fogel, BKD, LLP
■ Lorinda S. Johnson, St John's Health Sys.
■ Debbie LaVelle, Mallinckrodt Inc.
■ Staci McGivern, Hanger P & O
■ Kathleen Merlo, Saint Louis University
■ Penny Nunley, Hannibal Regional Hosp.
■ Milissa A. Smith, St. Johns Health System
■ Donna Walter, Northwest Medical Center
■ Joseph Watt, CPA, BKD, LLP
■ Teresa R. Wetzel, Express Scripts
■ Pam R. Winslow, Des Peres Hospital
■ Barbara Zubeck, Truman Medical Centers
Mississippi
■ Cathy Bridge, King's Daughters Medical
Center
■ Andy Caldwell, George County Hospital
■ Stellanda M. Davis, Dr. Arenia C. Mallory
Community Health Center
■ Kim Monson, Singing River Hospital Sys.
Montana
■ Cheryl Dorsman, RN, St. Patrick Hospital
■ Marilyn Sparks, Central Montana Medical
Center
Nebraska
■ Kris Maples, Mosaic
■ Jennifer L. Martinez, RHIA, CCS, CPC,
UNMC Physicians
■ Angela R. Peters, Alegent Health
■ Reta L. Studnicka, Alegent Health
■ Dorothy A. Zimmerman, RN, MSHCA,
Beatrice Com. Hosp. & Hlth. Ctr.
Nevada
■ Tamara Bradshaw, Saint Mary's
■ Lane D. Edenburn, HealthDataInsights,
Inc.
■ Leean Hernandez, West Valley Imaging
■ Roberta Houchen, MHA, NV Cancer
Institute
■ Melinda C. Lyons, Washoe Medical Ctr.
New Hampshire
■ Sean O'Neil, Core Physician Services
■ Kenneth Spence, CFE, Association of
Hlthcare Internal Auditors
■ Katherine St. Jean, RN,BS, CMAS, Elliot
Hospital
■ Melinda H. Tobin, Long Term Care
Partners, LLC
New Jersey
■ Mary Beth Barone, McKesson Provider
Technologies
■ Nancy Bisco, RN, MPA, Catholic Health
& Human Svcs
■ Emalie Burks, Johnson & Johnson
■ Jeffrey P. Davis, JD, LLM, Columbia Univ
Medical Ctr.
■ Cecelia Demarest, Univ Physician
Associates
■ Maureen K. Dempsey, Medco Hlth Solutions,
Inc.
■ Jigar H. Desai, Quality & Compliance
Specialist, LLC
■ David Haier, Univ Physician Associates
■ Michael Hopson, Univ Physician Associates
■ Forrest Kinzli, Hackettstown Regional
Med Ctr.
■ Susan S. Kuper, Atlantic Health System
■ Cheryl London, RHIT, CCS, Palisades
Medical Ctr.
■ Stephanie Macholtz
■ Marc Mayer, Englewood Hosp & Medical
Ctr.
■ Darryl S. Neier, CFE, MS-ECM, Sobel &
Co, LLC
■ Ronald Pearce, DP Software
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
■ Kerry G. Rothschild, Celgene Corporation
■ Rowena Spigarelli, Saint Barnabas Health
Care System
New Mexico
■ Mary Harding, Gerald Champion Regional
Medical Center
■ Sandra O. Saunders, Presbyterian Healthcare
Services
New York
■ Gerald F. Anello, Elderplan Inc
■ Robert Belfort, Manatt, Phelps & Phillips,
LLP
■ Denise Berdebes, Mt Sinai Medical Center
■ Kristy Biswas, Allied Urological Services,
LLC
■ Donna Freedman Borgstrom
■ Audrey Brahamsha, Royal Health Care
■ Deborah Brown, Greater NY Hosp.
Association
■ John N. Camperlengo, Gentiva
Health Care
■ Bernadette Catanzaro, Esq., RPA, St
Francis Hospital
■ Barbara Fogarty, Putnam Hospital Center
■ Derek George, CNR Health
Care Network
■ Adam Gordon, Developmental Disabilities
Institute
■ Christine Helzner, Healthfirst, Inc.
■ Matthew Johnston, Fulton County Chapter
NYSARC, Inc. D/b/a Lexington Center
■ Laraine Kelly
■ Robert Kertulis, Crouse Hospital
■ Grace R. Langan, RN, Lutheran Medical
Center
■ Theresa Lillis, St Vincents Catholic
Medical Center
■ Robert J. Locke, Thompson Health
■ Joseph M. Lurin, MBA, Group Health
Incorporated
■ David B. Mandel, Allied Urological Svcs,
LLC
■ John A. Mangona, Saratoga Hospital
November 2006
45

■ Michael J. Manza, LCSW, Vassar Brothers
Medical Center
■ Caridad Martinez, Aptium Oncology
■ Kerry McDonald, Liberty Health Advantage
■ Leah L. Neely, Claxton Hepburn
Medical Ctr.
■ Margo Nemet, Gentiva Health Services
■ Mary Nicholson, Visitng Nurse Service
■ Jacci O'Brien, Elderplan, Inc.
■ Mitchelle Pierre, Reed Smith, LLP
■ Lorilyn Marie C. Rosales-Menzel, Esq,
Liberty Health Advantage, Inc.
■ Arlene Santiago, RN, MS, SPHR,
North Shore - LIJ Health System
■ Ellen Silverstein, Northern Dutchess
Hospital
■ Linda Smith, North Bronx Healthcare
Network
■ Sherryann Sookraj, BS, Aptium
Oncology, Inc.
■ Florence E. Stassi, Syracuse Hematology/
Oncology
■ Sarah D. Strum, Catholic Health Care
System
■ Joanne M. Todd, Claxton-Hepburn Med
Center
■ Jon Wilkenfeld, Potomac River Partners
■ Karl Williams, Mckesson
■ Keith Wolf, St. Barnabas Hospital
■ Taryn M. Zingaro, CPA, Elderplan, Inc.
■ Pamela Zoumadakis, HCCS
North Carolina
■ Irving A. Bassett, Strategic Management
Systems, Inc.
■ Robert Casey, The Assurance Group, Inc.
■ Lillian F. Chinault, NP, MHA, Duke Univ.
Health System
■ Jennifer C. Davis, Mission Hospitals
■ Denice Denzin
■ Myra Fields, Mission Hospitals Laboratory
■ Mary Ellen Haynes, Sterling Healthcare
■ Francine L. Hill, MBA, Mission Hospitals
■ Joan A. Kavuru, East Carolina Univ. Brody
School of Med.
■ Tracy Killette, BA, Duke Health Raleigh
Hospital
■ Yates Lackey, North Carolina Baptist
Hospital
■ Gary D. Lankton, VA Medical Center
■ Jean P. Lee, 3HC
■ Kay Murray, BSN, RN, Mission Hospitals
■ Kelly W. Patterson, RHIA, CPC,
Novant Health
■ Mark Payne, Blue Cross and Blue Shield of
North Carolina
■ Christopher Royal, GlaxoSmithKline
■ Sherry R. Rumbough, MT, MPA,
Carolinas Pathology Group, PA
■ Thomas Whalen, Franklin Regional
Medical Center
North Dakota
■ Wanda E. Hodnefield, Fargo VAMC
Ohio
■ Alonzo Blackwell, UHHS Bedford
Medical Ctr.
■ Dawn Blaylock, EMH Regional
Healthcare System
■ Paul J. Blubaugh, Mid-Ohio Heart Clinic
Inc.
■ Brooke Brady, Northeastern Ohio Universities
College of Medicine (NEOUCOM)
■ Megan R. Brickner, MSA, Kettering
Adventist Healthcare
■ Barbara Cluster, McCullough-Hyde Memorial
Hospital
■ Frances Coleman, Anthem BCBS
■ Martin J. Fallon, Esq, Emergency
Medicine Physicians
■ Karen Flanagan, University Urologists of
Cleveland, Inc.
■ Michael Frank, EMP Management
Group, LTD.
■ Beth Hickman, Mercy Health Partners
■ Suzanne Inglis, RN, BA, Midohio Cardiology
and Vascular Consultants
■ Melody Knapp, RN, BSN, MBA, Southern
OH Medical Ctr.
■ Meredith A. Krisher, The Ohio State
University
■ Sharalyn Milliken
■ Lori Oberholzer, OSU Physicians, Inc.
■ Maureen Pallas, Kaiser Permanente
■ Amanda J. Peterson, Envision
Pharmaceutical Svcs.
■ Carolyn Petty, Medical Mutual Of Ohio
■ Arlene Piersall, CCP, Kettering Med.
Center Network
■ Edward Ries, Anthem BCBS
■ Richard Schuster, PhD, JD, Mercy Health
Partners
■ Linda C. Shelton, Catholic Healthcare
Partners
■ Carl Shiltz, CMPM, Inc.
■ Todd Shuttleworth, Adena Health System
■ June Simmons, AtriCure, Inc.
■ Donald A. Sinko, Cleveland Clinic Health
System
■ Michael Stagar, MBA,CPA, CGS
■ Cheryl Wahl, JD, Univ Hospitals Hlty.
System
■ Leigh A. Wolfrey, Summa Health System
■ Steven Worster, Cardinal Health
Oklahoma
■ Sue Brown, Jane Phillips Medical Ctr.
■ Gayle Burden, Jane Phillips Medical
Center
■ Blanca Butcher, OU Medical Center
■ LaDonn J. Harbour, Perry Memorial
Hospital
■ Vi Le, GlobalHealth Inc.
■ Lee McCarty, Janes Phillips Medical Ctr.
■ Elizabeth Tejada, Saint Francis Heart
Hospital
■ Scott A. Washam, OU Medical Center
November 2006
46
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

FloraSure Financial
Liability
of
Research
Analysis
To get the right answers,
you must ask the right questions.
FloraSure is a web-based tool designed to walk you through the key rules
and regulations related to reimbursement and clinical trials. This program
provides a systematic approach to conducting a financial liability analysis
and assigning responsibility for coverage of items and services in a
clinical trial – preferably before entering into an agreement with the
sponsor and more importantly, prior to submitting claims to third party
payors. Throughout the program, links to rules, regulations, and other
helpful information are provided that are pertinent to the question at hand.
Another key feature of FloraSure is the parallel function for creating a billing
template while conducting the financial liability analysis. This billing
template serves many important functions, such as providing valuable
information during contract negotiations and serving as a guide for the
Billing Office as claims are prepared for submission.
Le t u s h elp you
take t he steps
to Compliance
Info@florasure.com Kahu Health LLC 625 N. Michigan Ave. Suite 2575 Chicago, IL 60611 (312) 893-7024
www.florasure.com
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
November 2006
47

HCCA’s Compliance Institute
NEW HOTEL AND DATES
Register Online Today and Save! HCCA will hold its
11th Annual Compliance Institute in Chicago, IL, at the
Sheraton Chicago Hotel and Towers, April 22–25, 2007.
Go to www.compliance-institute.org to register.