Kimberly Johnson, RHIA, CPC, CHC - Health Care Compliance ...

Volume Twelve
Number Seven
July 2010
Published Monthly
Meet
Kimberly Johnson,
RHIA, CPC, CHC
Professional Practice
Compliance Officer,
Corporate Compliance Office,
University of Kentucky
HealthCare
PAGE 14
Feature Focus:
Sparking an epidemic of
compliance
PAGE 20
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
Earn CEU Credit
www.hcca-info.org/quiz—see page 35
The ten compliance
commandments
for medical device
manufacturers
PAGE 42
1
July 2010

Global Compliance:
Good for BusinessSM
Hotline
Solutions
Training &
Education
Expert Advice
Expert solutions and insight to
protect your organization’s integrity –
helping you avoid costly and
potentially devastating ethics
and compliance issues.
Performance &
Benchmarking
Learn more about our
complete ethics and
compliance solutions.
Contact us today at
800-876-6023 or contactus@
globalcompliance.com.
July 2010
2
www.globalcompliance.com
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

INSIDE
Publisher:
Health Care Compliance Association, 888-580-8373
Executive Editor:
Roy Snell, CEO, roy.snell@hcca-info.org
Contributing Editor:
Gabriel Imperato, Esq., CHC
Editor:
Margaret R. Dragon, 781-593-4924, margaret.dragon@hcca-info.org
Copy Editor and Proofreader:
Patricia Mees, CHC, CCEP, 888-580-8373, patricia.mees@hcca-info.org
Layout and Production Manager:
Gary DeVaan, 888-580-8373, gary.devaan@hcca-info.org
HCCA Officers:
Jennifer O’Brien, JD, CHC
HCCA President
Medicare Compliance Officer
UnitedHealth Group
Frank Sheeder, JD, CCEP
HCCA 1st Vice President
Partner
Jones Day
Shawn Y. DeGroot, CHC-F, CHRC, CCEP
HCCA 2nd Vice President
Vice President Of Corporate Responsibility
Regional Health
John C. Falcetano, CHC-F, CIA, CCEP-F, CHRC
HCCA Treasurer
Chief Audit/Compliance Officer
University Health Systems
of Eastern Carolina
Catherine M. Boerner, JD, CHC
HCCA Secretary
President
Boerner Consulting, LLC
Daniel Roach, Esq.
Non-Officer Board Member
to the Executive Committee
Vice President Compliance and Audit
Catholic Healthcare West
Julene Brown, RN, MSN, BSN, CHC, CPC
HCCA Immediate Past President
Director of Corporate Compliance
Innovis Health
CEO/Executive Director:
Roy Snell, CHC, CCEP-F
Health Care Compliance Association
Counsel:
Keith Halleland, Esq.
Halleland Habicht PA
Board of Directors:
Urton Anderson, PhD, CCEP
Chair, Department of Accounting and
Clark W. Thompson Jr. Professor in
Accounting Education
McCombs School of Business
University of Texas
Marti Arvin, JD, CPC, CCEP-F, CHC-F, CHRC
Chief Compliance Officer
UCLA Health Sciences
Angelique P. Dorsey, JD, CHRC
Research Compliance Director
MedStar Health
Brian Flood, JD, CHC, CIG, AHFI, CFS
National Managing Director
KPMG LLP
Margaret Hambleton, MBA, CPHRM, CHC
Senior Vice President
Ministry Integrity, Chief Compliance Officer
St. Joseph Health System
Dave Heller
Director, Ethics
Boeing Government and International Operations
Rory Jaffe, MD, MBA
Executive Director, California Hospital Patient
Safety Organization (CHPSO)
Matthew F. Tormey, JD, CHC
Vice President
Compliance, Internal Audit, and Security
Health Management Associates
Debbie Troklus, CHC-F, CCEP-F, CHRC
Assistant Vice President
for Health Affairs/Compliance
University of Louisville
Sheryl Vacca, CHC-F, CCEP, CHRC
Senior Vice President/Chief Compliance
and Audit Officer
University of California
Sara Kay Wheeler, JD
Partner–Attorney
King & Spalding
Compliance Today (CT) (ISSN 1523-8466) is published by the Health Care
Compliance Association (HCCA), 6500 Barrie Road, Suite 250, Minneapolis, MN
55435. Periodicals postage-paid at Minneapolis, MN 55435. Postmaster: Send
address changes to Compliance Today, 6500 Barrie Road, Suite 250, Minneapolis,
MN 55435. Copyright 2010 Health Care Compliance Association. All rights
reserved. Printed in the USA. Except where specifically encouraged, no part of this
publication may be reproduced, in any form or by any means without prior written
consent of the HCCA. For Advertising rates, call Margaret Dragon at 781-593-
4924. Send press releases to M. Dragon, 41 Valley Road, Nahant, MA 01908.
Opinions expressed are not those of this publication or the HCCA. Mention of
products and services does not constitute endorsement. Neither the HCCA nor
CT is engaged in rendering legal or other professional services. If such assistance is
needed, readers should consult professional counsel or other professional advisors for
specific legal or ethical questions.
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
4 Developments in the Physician Supervision Rule:
Cracks in the façade
By Edwin Rauzi and Kent “Bernie” Thurber
New guidance from CMS contradicts its earlier stand on
physician supervision of therapy in critical access hospitals.
6 CEU: Opportunity knocks for hospital boards to impact
clinical quality By Janice A. Anderson and C. Jason Hannagan
Study reveals that the hospital board members’ role in overseeing
quality-of-care issues has a direct impact on quality overall.
12 CEU: Waived laboratory tests: Meeting regulatory
requirements and implementing best practices
By Melissa Scott
Point-of-care testing has many benefits, but requires proper
planning and oversight.
14 Meet Kimberly Johnson, Professional Practice
Compliance Officer, UK HealthCare
An interview by Julene Brown
18 Letter from the CEO By Roy Snell
My favorite photo
19 Social Networking By John Falcetano
20 Sparking an epidemic of compliance By Stephen Kelly
Using small, incremental changes may be what’s needed to
improve compliance in your organization.
26 State attorney general oversight of financial practices
of nonprofit corporations
By Gary W. Herschman and Anjana D. Patel
A case from New Jersey illustrates the need for strong
management of the assets of a nonprofit corporation.
29 Health care compliance: Not ready for prime time
By Raj Chaudhary
A majority of covered entities and business associates admit they
are not in compliance with HIPAA privacy and security provisions.
32 The Six Sigma compliance screening process: An
engineer’s perspective By Brady Ballman
Keys to finding a more efficient way to perform compliance
screening of employees, physicians, and vendors.
36 Privacy and security risk assessment based on GRC
principles By Andy Reeder
Using the six phases of risk assessment to break down silos
between areas of common interest.
38 CEU: Managing employee turnover in a shrinking
workforce By Joyce Freville
As the Baby Boomer generation ages, labor shortages of
qualified nurses will have an impact on quality of care.
42 The ten compliance commandments for medical
device manufacturers By Jennifer E. Williams
Ten rules to help you steer clear of regulatory infractions that
can lead to major monetary fines and mandatory oversight.
48 A snapshot of training at the HCCA Compliance Academy
By Sheryl Vacca
Creativity and fun are key to learning and retention.
49 Newly Certified CHCs and CHRCs
50 New HCCA Members
3
July 2010

July 2010
4
Developments in the
Physician Supervision
Rule: Cracks in the
façade
By Edwin Rauzi, JD and Kent “Bernie” Thurber, JD
Editor’s note: Ed Rauzi and Bernie Thurber
are partners in the Seattle and Portland Offices,
respectively, of Davis Wright Tremaine, LLP.
They work for clients in the health care delivery
system full-time, all the time. Ed may be reached
by telephone at 206/757-8127 and Bernie’s
number is 503/778-5202.
Two recent developments with respect
to the rules governing physician
supervision in hospital outpatient
departments are noteworthy. They are:
n In an untitled, one-paragraph press release,
CMS announced on March 15th that it
would not enforce the physician supervision
rules against critical access hospitals
(CAHs) in 2010.
n On April 23rd, on its website CMS posted
a document entitled “Common Questions
about Supervision Requirements for
Medicare Payment of Hospital Outpatient
Services,” which includes seven questions
and answers. 1 The answers strike a much
more realistic and conciliatory tone than
the recent Preamble discussions.
The key question is whether these cracks in
the façade will lead to a breakthrough, or
CMS will patch up and paint over them.
As “clarified” by CMS in 2008 and 2009, the
Physician Supervision Rule requires a physician
to be available to step in and take over
or change a therapy in progress in a hospital
outpatient department. The physician should
be “credentialed” to perform the therapy, and
cannot be involved in anything that cannot
be interrupted. If the hospital department is
on the main campus, then the physician may
“supervise” from anywhere on the hospital’s
campus. In an off-campus provider-based
department, the physician must be in that
department in order to supervise.
Medicare does not pay the physician for supervising
the therapy. If the requisite degree of
supervision is not provided, then the hospital
should not submit a claim to Medicare. 2
CAHs are unique in that Medicare allows them
to deliver many services through physician
extenders, such as physician assistants (PAs)
or nurse practitioners (NPs). The reason for
the relaxed rule is the shortage of physicians in
many rural areas. As individual CAHs rightfully
pointed out to CMS, requiring physicians to
supervise outpatient procedures contradicts the
Congressionally-approved CAH delivery model.
Based on second-hand reports, this message
was delivered forcefully and with emotion by
CAHs and their advocates during an Open Door
conference call held on March 9, 2010. (The
Hospital & Hospital Quality Open Door Forum
is a conference call held regularly by CMS. 3 )
Politically, CMS may have had no choice
but to exempt CAHs from its draconian
clarification of the Physician Supervision
Rule. CAHs are near and dear to the hearts of
many members of Congress who have rural
constituencies. As a matter of policy, however,
the decision casts doubt about the rationale
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
CMS offered for the rule, which is that “quality”
demands physician supervision.
As readers of Compliance Today are aware,
CMS argued in 2008 and 2009 that direct
physician supervision is necessary in order
for quality care to be delivered in hospital
outpatient departments. 4 There is no empirical
evidence, however, that supervision at a level
less than “direct” results in substandard care.
If such evidence existed, then CMS would be
authorizing CAHs to deliver substandard care.
If you take CMS’ comments at face value—
that quality is the driving force behind the
decision—then CMS could justify exempting
CAHs under two circumstances:
n First, supervision by physician extenders in
CAHs is inherently better than physician
supervision in urban medical centers; or
n Second, Medicare beneficiaries seeking services
from CAHs should not expect quality care.
Neither of those propositions is correct; they
are proposed for the sake of argument because
CMS rejects the best answer: that direct physician
supervision is not necessary for hospital
outpatient departments to provide quality care.
CMS answers “common” questions
As this article was going to press, another bit
of guidance emerged in the form of seven
questions and answers on CMS’s website. 1
On the surface, it suggests that CMS may be
beginning an ordered retreat from some of
the harsh aspects of their clarified policy.
Compare the statement from the November 20,
2009 Federal Register notice Preamble to the
Changes to the Physician Supervision Rule (below)
with the statement from the more recent advice:
Preamble:
This interpretation of the previously codified
language is consistent with our longstand-

ing application of direct supervision across
settings in terms of the physical presence of
the physician and what it means to ‘‘furnish
assistance and direction throughout the
performance of the procedure.’’ We do not
believe that allowing a supervisor to be
responsible for emergencies only would satisfy
the standard to ‘‘furnish assistance and
direction throughout the performance of the
procedure’’ as the language has historically
been interpreted for physicians’ offices and
PBDs [provider-based departments]. We
disagree with commenters who stated that
the historical intent of direct supervision has
been for a supervising physician to provide
guidance and direction without expecting
that professional to be able to perform the
service or procedure and that performance
of the procedure applies only to personal supervision.
It would be unreasonable to think
that a physician or nonphysician practitioner
could competently assist and direct a procedure
for which they do not have sufficient
knowledge and skills to perform or redirect
the procedure or service. (emphasis added)
Common question #5:
Can an emergency department
physician or non-physician practitioner
directly supervise therapeutic
outpatient services while in the
emergency department? In most cases,
the emergency physician or non-physician
practitioner can directly supervise outpatient
services so long as the emergency
physician in the emergency department
of the campus is immediately available,
meaning that, if needed, he or she
could reasonably be interrupted to furnish
assistance and direction in the delivery of
therapeutic services provided elsewhere in
the hospital. We have stated that the supervisor
must be a person who is “clinically
appropriate” to supervise the therapeutic
service or procedure. We believe that most
emergency physicians can appropriately
supervise many services within the scope
of their knowledge, skills, licensure, and
hospital granted privileges including observation
services. With regard to whether
an emergency physician or a non-physician
practitioner could be interrupted, such that
the emergency physician could be immediately
available, each hospital will need to
assess the level of activity in their emergency
department and determine whether at least
one emergency physician or non-physician
practitioner could be interrupted to furnish
assistance and direction in the treatment of
outpatients. (emphasis added)
To our eyes, CMS’s more recent discussion is
much closer to an attainable goal than the prior
pronouncements. There is still something of a
fiction in the assumption that an emergency
room physician will not, from time to time, be
engaged in activities that cannot be interrupted,
but the concession is a welcome development
in a process that had been going in the wrong
direction for at least two years. The good news
is that hospitals now have something to “hang
their hats on” if they choose to do less than
radically restructure the delivery of outpatient
services. The bad news is that the guidance is
now contradictory, and there is still plenty of
potential for mischief if the Preamble statements
fall into the hands of a whistleblower’s attorney.
Conclusion
Hospital outpatient departments have been
delivering high quality care without a direct
level of supervision for years. The best
examples are the chemotherapy departments
of rural hospitals where oncologists are on-site
only one or two days a week. Because of CMS’
misguided attempt to promote quality, cancer
patients may be forced to travel long distances
to receive chemotherapy. The hardships those
patients will face is a compelling argument
against applying the new rule to rural hospitals.
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
Granted, there may be hospital outpatient
procedures for which direct supervision is
appropriate. But, requiring direct supervision
for all outpatient procedures—as a “one size
fits all” rule—cannot be squared with CMS’s
recent decision. If CMS is firmly committed to
the concept of requiring some level of supervision,
then they need to study the therapies and
regulate them with a much narrower focus.
CMS announced that it “plans to revisit the
issue of supervision for therapeutic services
provided to hospital outpatients in CAHs
through the annual rulemaking cycle for
calendar year (CY) 2011.” An interesting
question is whether that rulemaking will be
limited to CAHs, or whether other hospitals
will be allowed to present equally compelling
reasons why CMS should not apply the
Physician Supervision Rule to them. Given
the recent guidance, perhaps there is a way to
broaden the moratorium on enforcement.
It is impossible to know the outcome of the
rule-making process in advance. From a
policy perspective, however, CMS has painted
itself into a corner from which escape will
not be easy. One diplomatic retreat might
be for CMS to suspend application of the
rule generally while it reviews whether some
therapeutic procedures might be appropriate
for “general” physician supervision. Given the
demands created by health reform legislation,
that review might take some time to complete.
At this point, a return to the earlier rule—that
physician supervision of outpatient services on
a hospital’s main campus is “presumed”—is
probably best outcome for all concerned. n
1 The document is available at http://www.cms.gov/HospitalOutpatientPPS/Downloads/Common_Questions_about_Supervision_in_the_
Outpatient_Setting.pdf
2 74 Fed. Reg. at 60575 et seq.
3 See http://www.cms.gov/OpenDoorForums/18_ODF_Hospitals.
asp#TopOfPage
4 Rauzi, Thurber: CMS formalizes new guidance on physician supervision in
hospital outpatient departments. Compliance Today, April 2009, pp 11-13
Rauzi, Thurber: Physician supervision of hospital outpatient departments:
CMS gets it wrong. Compliance Today, February 2010, pp 4-7
5
July 2010

July 2010
6
Opportunity knocks
for hospital boards
to impact clinical
quality
By Janice A. Anderson, Esq. and C. Jason Hannagan, Esq.
Editor’s note: Janice A. Anderson, Shareholder hospitals with respect to quality. 1 The results
in the Chicago offices of Polsinelli Shughart of the study could be instrumental in how
PC, has over 25 years experience focusing on the federal government determines to best
health regulatory and compliance issues and influence quality in hospitals.
over 30 years experience working in the health
care industry. She may be contacted by e-mail The authors of the study, Harvard Professors
at janderson@polsinelli.com or by telephone at Ashish Jha and Arnold Epstein, surveyed nonprofit
312/873-3623.
hospital board chairs regarding whether hospital
boards are engaged in overseeing clinical quality
C. Jason Hannagan is a former Associate with and, if so, whether the boards’ involvement leads
Polsinelli’s Kansas City office. He may be contacted to improved quality. In addition to highlighting
by e-mail at jhannagan@dstsystems.com.
that quality of care is not currently a top priority
for many hospitals, the survey exposed a direct
The hospital board’s role in ensuring
quality of care is increasingly a top priority and the performance of the hospital
correlation between those boards where quality is
important as reimbursement changes on nationally-reported quality metrics (i.e., those
based on quality become more prevalent. hospitals with boards identifying quality as a
Notwithstanding, the exact role hospital board top priority were much more likely to be high
members need to assume to enhance hospital performing on quality metrics).
quality of care is not well defined. This article
discusses (1) the results of a recent study published
by Health Affairs journal on hospital care hospitals that reported quality data to the
The survey was focused on nonprofit acute
boards’ influence in impacting quality of care; Hospital Quality Alliance (HQA) in 2007. For
(2) recent trends in the health care industry in each hospital, the authors calculated an overall
focusing boards on improving quality of care; quality score based on the hospital’s performance
on 19 evidence-based practices reported
and (3) recommendations on how hospital
boards can better impact quality of care in nationally in three clinical conditions (i.e.,
their organizations.
acute myocardial infarction, congestive heart
failure, and pneumonia). The authors randomly
chose 1,000 hospitals from this group,
Study on hospital board’s impact on quality
of care
over-sampling those ranked in the top 10%
Although there have been several studies linking
hospital board practices with the quality (“low-performing”) of HQA performance.
(“high-performing”) and the bottom 10%
of care provided to patients, Health Affairs
journal published the first national survey of The survey focused on five categories:
board chairs related to performance of their n board training and expertise in quality;
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
n quality as a priority for board oversight
and evaluation of the chief executive officer’s
(CEO’s) performance;
n the board as an influential entity in the
quality of care delivered by the hospital;
n the board’s awareness of current quality
performance; and
n specific board functions related to quality,
such as setting priorities for quality,
devoting time to quality during meetings,
and examining quality “dashboards” (i.e.,
report cards containing the hospital’s quality
performance data).
Board training and quality of care
Although nearly three-quarters of the board
chairs surveyed reported having moderate
or substantial expertise in quality of care
represented on their boards, only 32% of the
respondents reported receiving any formal
training in clinical quality, and such training
was far more common in high-performing than
low-performing hospitals (49% versus 21%).
Among hospital boards receiving training on
clinical quality, the board members spent a
median of four hours total on quality issues.
Board oversight priorities and CEO
evaluations
More than half of board chairs chose clinical
quality as one of the two top priorities for
board oversight, but board chairs of high
performing hospitals chose quality as a top
priority more often than those of lowperforming
hospitals. Just 44% of all surveyed
board chairs chose clinical quality as one of
the top two priorities for evaluating CEO
performance. Financial performance, rather
than clinical quality, was the primary factor
selected by the respondents for determining a
CEO’s performance (high-performing, 70%
versus low-performing, 75%).
Perceived influences on quality of care
Only 20% of respondents reported that the

chairperson of the board, the board itself, or
one of the board’s committees were one of the
two most influential forces driving quality of
care in their hospital. Board chairs from highperforming
hospitals were nearly four times as
likely as those from low-performing hospitals
to report that the board was influential in
impacting quality of care in their hospitals
(38% versus 11%). In contrast, 69% of board
chairs reported that the CEO was one of the
top two influences on quality.
performance was on the agenda at every board
meeting in only 63% of US hospitals, whereas
financial performance was on every agenda
in 93% of hospitals. Furthermore, less than
half of the hospitals spent at least 20% of the
board’s time discussing quality of care.
Board priority setting
Most respondents reported that their boards
had established, endorsed, or approved goals
in four areas of quality: hospital-acquired
infections (82%), medication errors (83%),
focus extensive attention on the role hospital
governance plays in the quality of health care
in hospitals. It all started in 1999 when the
Institute of Medicine (IOM) reported that as
many as 98,000 people die each year because
of preventable medical harm, making medical
error the fourth leading cause of death in the
United States. The IOM report, titled “To Err
is Human: Building a Safer Health System,”
estimated the total annual cost of errors to be
between $17 billion and $29 billion. The report
was a call to action for hospital leadership to
Familiarity and perception of current
performance
More than two-thirds of the board chairs
surveyed reported being somewhat or very
familiar with the Joint Commission core
measures or with HQA measures. As expected,
chairs from high-performing hospitals were
significantly more likely than those from lowperforming
hospitals to report such familiarity
(80% versus 64%). When questioned about
their hospital’s current level of performance,
66% of the respondents rated their institution’s
performance on the Joint Commission core
measures or HQA measures as either better
or much better than that of the typical US
hospital. Surprisingly, only 1% of board chairs
reported that their institution’s performance
was worse or much worse than the typical hospital.
Among the low-performing hospitals,
no respondent reported that their performance
was worse or much worse than that of the
typical US hospital, and 58% reported their
performance to be better or much better, thus
indicating that board chairs of low-performing
hospitals mistakenly believe the quality at their
institutions to be much better than it is.
the HQA/Joint Commission core measures
(72%), and patient satisfaction (91%). In
these areas, high-performing hospitals were
more likely than low-performing hospitals to
have established goals to improve care.
The survey demonstrated that programmatic
emphasis on quality was not a consistent
priority for the boards at most US nonprofit
hospitals. Also, the survey highlighted the sizable
difference between how a high-performing
hospital prioritized quality for board oversight
compared to that of a low-performing hospital.
Specifically, there was a 37% gap between
high-performing and low-performing hospitals
for prioritizing quality for board oversight.
Most importantly, the authors of the survey
revealed that US hospitals have significant
variation in whether quality is a governance
priority, as evidenced by quality being a
consistent agenda item for board meetings.
Although the report did not clearly establish
a causal link between board practices and
quality of care, it is noteworthy that the
survey did reveal that low-performing
hospitals reported spending less time on
take steps to improve patient safety and quality. 2
After the 1999 IOM report, a plethora of
government and private activities began, all
focused on improving quality of care in the
health care industry. In 2004, the National
Quality Forum (NQF) members convened to
discuss strategies for improving the quality of
care in hospitals. As a result, the NQF released
guidance to hospital governing boards on how
to promote quality of care. 3 The guidance,
titled, “A Call to Responsibility,” included
a list of 23 recommendations for hospital
governing boards to consider and implement
in order to better improve quality of care in
hospitals. The NQF recommendations focused
on pragmatic steps the board should take to
achieve better focus on quality of care. For
instance, the NQF recommended that boards:
n prominently place patient safety and quality
issues (e.g., reviewing errors and their
impact on hospital resources) on board
meeting agendas;
n engage more frequently in patient safety
and quality improvement projects by
establishing governance practices that
support a system of performance measurement
Performance reporting, agendas, and board
function
The results of the survey underscored that
hospital boards generally are more concerned
with financial performance than with
issues of quality performance than those of
high-performing hospitals.
Recent trend
Long before the above study, the health care
and quality improvement; and
n ensure that a system of performance
measurement and quality improvement is
in place and that credible results enable the
evaluation of the organization’s effectiveness.
quality performance. For instance, quality industry, government, and the public began to
Continued on page 9
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
7
July 2010

ARE YOU
PREPARED
FOR THE
RAC AUDITOR?
Take control with a strong defense
The RAC Auditors will soon be calling on your hospital. The RAC appeals
process is very complex and missed deadlines can result in the automatic
recoupment of your legitimate revenues. To minimize your risk of financial
losses, you need to be prepared with practical, reliable processes and
controls to ensure that critical appeals deadlines are met, with complete,
substantiated information.
July 2010
www.compliance360.com
8
Compliance 360 is the leader in compliance and risk management solutions
for healthcare. More than 300 hospitals nationwide rely on us every day to
ensure compliance with legal and industry regulations. Using our unique
software solutions, they are always “audit ready” with both proactive
defenses and the audit management tools needed to ensure successful
audit response and appeals. We are proud to help these healthcare
organizations prevent and contain compliance sanctions and we stand
ready to help you as well.
To learn more about the Compliance 360 Claims Auditor for managing
RAC audits, please visit us at booth 102 at the HCCA Compliance Institute
Conference, visit www.compliance360.com/RAC or call us at 678-992-0262
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
NEEDS A LOT OF WO

Opportunity knocks for hospital boards to impact clinical quality ...continued from page 7
Two years later, in 2006, The Joint Commission
Journal on Quality and Patient Safety published
a report titled “Getting the Board on Board:
Engaging Hospital Boards in Quality and
Patient Safety.” The report focused on the
role of hospital governance in quality. Unlike
the Health Affairs article, which surveyed the
chairs of nearly 1,000 hospitals, the Joint
Commission’s report was based on interviews
with CEOs and board chairs from only 30
hospitals. The report revealed a significant
disconnect between the CEO’s perception of
the board’s level of expertise on quality-of-care
issues and the board chair’s self-perception.
The report also revealed a small link between
board engagement in quality and hospital performance.
The Joint Commission article suggested
implementing several steps to improve
a hospital’s overall performance with respect to
quality of care including:
n increasing education on quality-of-care issues,
n improving the framing of an agenda for
quality,
n more quality planning and incentives for
leadership and governance for quality
improvement, and
n greater focus on the patients.
oversight obligations for ensuring quality of
care are part of the board’s responsibilities
under its fiduciary duties of care and obedience.
The guidance explains that the fiduciary
duty of care obligates boards to become
involved in quality of care to discharge both
its decision-making and oversight functions.
For example, it is the governing board’s
responsibility to actively monitor the hospital’s
quality of care, which requires staying upto-date
with the emergence of new quality of
care issues, managing specific quality-of-care
measurement and reporting obligations, and
monitoring the organizational quality-of-care
initiatives implemented by the medical staff.
According to the guidance, the fiduciary
duty of obedience to corporate purpose and
mission also mandates governance to actively
address quality of care, which is inherent in
the purpose and mission of most non-profit
health care organizations. Thus, to properly
discharge the boards’ duty of obedience,
boards should monitor the maintenance of
standards of professional care within the
organization. The guidance concludes that,
due to the ever-increasing attention being
paid to quality of care by the policy makers
and agencies in federal and state government,
that dashboards can be an important strategic
tool to ensure that the board’s quality agenda
is advanced. The final recommendations from
roundtable participants also included establishing
a business case for quality, educating the
board on quality issues, establishing a culture
of quality and accountability that permeates
the hospital, and making quality transparent.
Recommendations
The Health Affairs study’s results will likely
attract the attention of the applicable state
and federal agencies on the potential role the
board plays in influencing quality of care.
Specifically, the study exposed that nearly
half of the hospital board chairs surveyed
do not see quality as a top priority and the
vast majority of the boards lacked sufficient
expertise and education on quality of care
issues. Only a few board chairs surveyed had
work experience in the health care industry,
and less than one-third of chairs surveyed had
formal training programs that include clinical
quality. These results create an opportunity
for improving quality of care by creating
better awareness and training for hospital
boards on quality-of-care issues.
In September 2007, the Office of Inspector
General (OIG) for the Department of Health
and Human Services (HHS), in partnership
with the American Health Lawyers Association
(AHLA), released a resource guide on
quality of care for health care boards, titled
“Corporate Responsibility and Health Care
Quality: A Resource for Health Care Boards
of Directors.” 4 The resource guide focused
on quality of care as a core fiduciary duty of
governing boards of health care organizations
and as a top priority of the OIG.
boards will be held accountable for quality-ofcare
failures in the hospitals that they govern.
On November 10, 2008, the Health Care
Compliance Association (HCCA) teamed
up with OIG to hold a government-industry
roundtable called “Driving for Quality
in Acute Care: A Board of Directors
Dashboard.” 5 The roundtable focused on
how a hospital’s board of directors can use
performance scorecards or dashboards as a tool
to promote quality of care in the institution.
Although the one-day roundtable addressed a
In light of the recent studies and guidance,
hospital governing boards are encouraged to
engage in quality-of-care initiatives that are
consistent with the following principles:
n Being informed
n Improving board oversight, and
n Improving infrastructure
A more informed board
A board should take several steps to ensure
it is actively educating itself on key qualityof-care
issues. First, a board must recognize
quality of care is a core fiduciary obligation.
OIG and AHLA intended for the guide
to assist boards in promoting improved
quality of care in hospitals. In the guidance,
plethora of quality-of-care issues confronting
hospital governing boards, its notable conclusions
included that governance must lead the
As noted above, quality of care falls under a
board’s duty of care and obedience responsibilities.
Secondly, the board should routinely
OIG and AHLA explained how the board’s way for quality improvement in hospitals and
Continued on page 11
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
9
July 2010

MediRegs ® CCH ®
The
ComplyTrack Suite
Total Solutions for Enterprise
Compliance and Risk Management
Regulatory
Risk Assessment
and
Remediation
Electronic
Survey Tools
& Audit
Templates
Incident
Activity
Management
The
ComplyTrack
Suite
Policy,
Procedure &
Document
Management
RAC and
Claims-Based
Audit
Management
Contract &
Relationship
Management
MediRegs.com
Aspen Publishers
MediRegs ®
Compliance Today ad CTrack.indd 1
5/17/2010 10:01:54 AM

Opportunity knocks for hospital boards to impact clinical quality ...continued from page 9
receive and understand reports on quality of
care in the hospital (e.g., errors, outcomes).
If the board is properly educating itself, it will
be able to properly assess the hospital’s top
quality and compliance risks.
Improving board oversight
The board’s oversight function can be
improved if the board, administration, and
the medical staff develop a quality agenda
that is aligned with that of CMS, the Joint
Commission, and other organizations. The
Joint Commission has worked with CMS
to publicly report quality measures to allow
patients the opportunity to better distinguish
between providers. CMS and the Joint Commission
also have adopted standards used to
grade a hospital’s performance in a number
of areas, including quality-of-care issues. The
closer the board-driven quality agenda is
aligned with these standards, the less likely
its hospital will face the consequences for
not effectively ensuring its patients are being
treated with the necessary quality of care.
Another tool to improve board oversight
is the use of a quality dashboard. Dashboards
have emerged as an essential tool
for hospital boards dedicated to advancing
quality improvement within their hospitals.
Dashboard reports use graphics to concisely
present critical data in summary form.
Dashboards expose problem areas in a board’s
management of quality-of-care factors,
which allows the board to focus on solutions
to improve quality of care and advance the
board’s agenda related to quality.
The board should also assess whether the hospital
management is addressing quality issues appropriately
and is keeping the board informed on a
regular basis. If not, it is possible that the hospital
has profited by allowing its medical staff to render
poor quality to the hospital’s patients—a fact
that raises the ire of federal regulators, courts, and
the public. Through appropriately structured
oversight mechanisms, the board can avoid learning
of serious quality problems through a costly
and public enforcement action.
Improving infrastructure
Improving the infrastructure is a key
component to the board fulfilling its role in
ensuring quality of care in the hospital. The
board’s infrastructure can be improved by
recruiting board members who have expertise
on quality-of-care issues. A board composed
of members with expertise in quality, patient
safety, and clinical areas will increase the
likelihood that the board will recognize and
understand quality-of-care concerns it may
not have understood otherwise.
A board can also improve the hospital’s
infrastructure if the hospital’s executive team
routinely conducts assessments of the hospital’s
quality of care and communicates those
results, along with other quality of care issues,
to the board. Studies have disclosed that
hospitals often fall short in areas of clinical
quality when discussions between the board
and management on these issues fail to occur
on a regular basis. 6 Consistent and open
dialogue between the board and the executive
team members may also impact hospital-wide
buy-in for quality initiatives that is necessary
to improve quality of care.
Hospital boards should also set up a structure
to monitor management’s performance with
respect to national benchmarks and work to
eliminate any shortfalls in a timely manner.
Under this principle, the board should establish
compensation methodologies whereby the
hospital’s executive team’s compensation is
based, in part, on how the hospital measures up
to the national benchmarks for quality of care.
Conclusion
The Health Affairs study identified significant
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
opportunity to improve the role hospital boards
play in impacting clinical quality, and suggests
that better board oversight is linked to higher
quality of care. As a result, hospital boards
should focus now on their role in driving clinical
quality within the hospitals they govern and
implement the necessary steps to make sure that
quality is a top governance priority. n
1 Ashish Jha and Arnold Epstein: Hospital Governance and the Quality of
Care. Health Affairs, January/February 2010; 29(1):182-187
2 Available at http://www.iom.edu/~/media/Files/Report%20Files/1999/
To-Err-is-Human/To%20Err%20is%20Human%201999%20%20
report%20brief.ashx
3 National Quality Forum: Hospital Governing Boards and Quality of
Care: A Call to Responsibility. Washington DC, 2004
4 Available at http://oig.hhs.gov/fraud/docs/complianceguidance/CorporateResponsibilityFinal%209-4-07.pdf
5 The report from this roundtable can be found at http://www.hcca-info.
org/staticcontent/07OIGRoundtableReport.pdf
6 Stephen Hines and Maulik Joshi: Getting the Board on Board: Engaging
Hospital Boards in Quality and Patient Safety. Journal of Quality and
Patient Safety, Volume 32 Number 4 (April 2006)
Attention
Fellow Compliance
Professional:
In this difficult economic environment,
it is more important than ever that we
do what we can to help students who
are enrolled in university and law school
programs that focus on compliance
(most of which have been certified by
the Compliance Certification Board)
find summer jobs, internships, and/or
entry-level positions in the compliance
and ethics profession. Whether you
are a lawyer in a law firm, an ethics or
compliance consultant, or an ethics &
compliance officer, we encourage you
to work hard to create opportunities for
those trying to break into our profession.
To help this effort along, HCCA
has created a spot on the HCCA job
websites www.hcca-info.org/intern where
you could list opportunities for interns
and students without charge. Please take
advantage of this opportunity to post
your positions to this site. In addition,
we encourage all of you to do what you
can to create opportunities wherever
you can.
11
July 2010

Waived laboratory
tests: Meeting
regulatory
requirements and
implementing best
practices
By Melissa Scott, BS, CHC, CPC
certification. To comply with CLIA regulations
for waived testing sites an entity must:
n Enroll in the CLIA program by completing
form CMS-116, 2 obtain a certificate,
and pay the applicable fees to maintain
active status;
n Follow the manufacturer’s instructions for
the waived test(s) performed;
n Notify the applicable state agency 3 of any
changes in lab ownership, name, address,
or director within 30 days;
n Notify the applicable state agency if adding
tests that are more complex; and
n Permit inspections when requested by a
CMS agent.
July 2010
12
Editor’s note: Melissa Scott is a senior consultant
with Sinaiko Healthcare Consulting, Inc.,
one of the nation’s leading independent health
care management consulting firms. She works
with health care organizations nationwide on
a diverse range of compliance issues. For more
information, please e-mail mscott@sinaiko.com
or go to www.sinaiko.com.
Congress passed the Clinical
Laboratory Improvement
Amendments (CLIA) 1 in 1988,
which granted the responsibility for regulating
all human laboratory testing (with the
exception of research) to the Centers for
Medicare & Medicaid Services (CMS). The
goal of CLIA is to ensure standards for quality,
consistency, and accuracy for every clinical
laboratory test performed.
The most significant outcome of the CLIA
program is the requirement that all entities
that accept materials from the human body
for laboratory examination for the purpose
of diagnosis, prevention, treatment, or
the assessment of health must be properly
certified. Certification requirements under
CLIA vary, based on the complexity level of
the tests performed. Laboratory tests can be
classified as waived; moderate complexity,
which includes provider-performed microscopy
(PPM) procedures; or high complexity.
This article addresses the specific regulatory
requirements, compliance issues, and best
practices with respect to waived tests, which
pose particular and interesting challenges.
Waived laboratory tests are most commonly
used for point-of-care testing. To be deemed
waived, the test must be cleared by the Food
and Drug Administration (FDA) for home
use; employ simple and accurate methodology
that renders the potential for erroneous results
negligible; or yield minimal risk of danger to
the patient if performed incorrectly. Although
CLIA is the regulatory body that oversees
waived testing, ultimately it is the FDA that
grants approval to the test manufacturer’s
application for test system waiver. A complete
list of waived tests is available at http://www.
cms.hhs.gov/CLIA/downloads/waivetbl.pdf.
Many fail to realize that just because a test has
been granted waived status, it does not mean it
is waived from regulatory requirements. Even
if a provider never bills the patient or insurance
for the analysis, regardless of volume,
performance of waived testing requires CLIA
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
To ensure quality and reliability, the Centers
for Disease Control (CDC) published “Good
Laboratory Practices for Waived Testing
Sites” 4 in the Morbidity and Mortality Weekly
Reports (MMWR). If an entity is considering
starting a waived testing program, this
reference may serve as the “how to” guide
that addresses pre-analytical, analytical,
and post-analytical considerations. Existing
waived testing laboratories should also evaluate
and implement the practices outlined by
the CDC to enhance their efforts to mitigate
potential regulatory exposure. Areas of focus
should include management responsibility,
regulatory and safety requirements, testing
space and facilities, benefits and costs, staffing,
and documents and records.
A laboratory director should be designated
to provide management oversight for each
waived testing location. Ideally, this designee
would complete the CMS-116 CLIA application.
The laboratory director should have
the appropriate background and education
to make sound decisions related to testing,
quality, and regulatory compliance.
In addition to the CLIA obligations outlined,
waived testing sites must also consider the

many implications related to state and local
regulations, safety, and the Health Insurance
Portability and Accountability Act of 1996
(HIPAA). 5 As a general rule, in the event that
state or local requirements are found to be
more stringent than federal, the more stringent
will always supersede. Some laboratories may
be granted CLIA-exempt status, meaning the
laboratory has been licensed or approved by a
state 6 in which CMS has determined that the
state has enacted laws relating to laboratory
requirements that are equal to or more stringent
than CLIA requirements, and the state licensure
program has been approved by CMS.
A major variable by state is the licensure
requirements for laboratory technicians and
phlebotomists. Standards for workplace
safety are mandated by the Occupational
Safety and Health Administration (OSHA) 7
and are job-specific, based upon potential
hazards encountered. OSHA requirements
may include a written exposure-control plan,
job-specific safety training and equipment, or
provision of hepatitis B vaccinations. There
are also very specific prohibitions under
OSHA which are commonly overlooked
(e.g., no application of makeup, eating, or
drinking in locations where specimens are
collected or tested).
With respect to the Health Insurance
Portability and Accountability Act (HIPAA),
waived testing sites are mandated (as all
providers are) to establish policies and
procedures to protect patient privacy and
confidentiality. Whether on paper, electronic,
or communicated orally, protected health
information includes all patient identification
and other personally identifiable information
and test results.
The designated laboratory area should provide
adequate space to safely conduct testing and
maintain privacy. The accuracy of test kits
can potentially be hindered by environmental
factors – such as humidity, temperature, and
lighting – which also must be considered
when setting up and maintaining laboratory
space. The manufacturer’s product insert for
each individual test will outline those conditions
which are not conducive to testing.
Prior to adding a new test, it is advised that
an entity complete a cost/benefit analysis.
It is not uncommon for the direct cost of
a waived test kit to exceed the reimbursement.
Indirect costs associated with test
performance should also be considered, such
as staff training, quality controls, calibrators,
and equipment maintenance. There are times
where a clinician may feel that the benefit of
having that immediate test result outweighs
the loss that is taken. These decisions should
be made on a case-by-case basis, and it is best
to have awareness up front of which tests will
be revenue generators.
It might come as a surprise to learn that
the CDC identified staff competency and
turnover as two of the biggest impacts on
the quality and reliability of test results.
The importance of training and periodic
competency assessments should not be
overlooked. Written policies and procedures
should be developed, based on manufacturer’s
test inserts, to guide staff training and
job performance. CLIA mandates that all
manufacturer’s instructions are to be followed
when performing a waived test; adhering only
to those found in a quick reference guide does
not suffice. Additional procedures should be
in place related to identification of a properly
completed test order, patient identification
verification, specimen collection, and specimen
processing and handling.
Documentation and record keeping are often
vulnerable areas for waived testing sites. It is
permissible to record test results in a laboratory
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
log book; however, it is important to note that
an auditor will most likely look for test results
in the medical record. Many audits uncover
that the clinician’s interpretation of the test
result is documented, but the actual test result
itself is not. If the laboratory is not able to
provide sufficient documentation of the test
result, the test charges are disallowed, which
results in an overpayment liability.
Quantitative results should be documented
with their unit of measurement. Qualitative
results should be in narrative form (positive,
negative, etc.) and not symbols (+/-).
Reference ranges should be indicated, and
results that are abnormal should be flagged.
Procedures should indicate what values are
considered critical in nature and the clinician
notification protocols. In the event that an
invalid result is obtained or recorded in error,
it should not be erased from the chart and/
or log. Additional documentation should be
added to explain the anomaly and the corrective
action taken.
It is clear that a compliant waived testing program
is not as simple as the name may imply,
nor is waived testing free from regulatory
oversight. There are many requirements and
operational challenges that must be considered
and addressed to minimize risks associated
with even the most basic of laboratory testing
platforms. However, with proper planning and
oversight, a waived testing program can offer
invaluable benefits to the patient and clinician,
as well as added revenues. n
1 Clinical Laboratory Improvement Amendments, 42 CFR Part 493.
Available at: http://wwwn.cdc.gov/clia/regs/toc.aspx
2 CMS-116 Form and Instructions. Available at http://www.cms.hhs.gov/
cmsforms/downloads/cms116.pdf
3 CLIA State Agency Contacts. Available at http://www.cms.hhs.gov/
CLIA/downloads/CLIA.SA.pdf
4 CDC Good Laboratory Practices for Waived Testing Sites. Available at
http://www.cdc.gov/mmwr/PDF/rr/rr5413.pdf
5 U.S. Department of Health & Human Services Health Information
Privacy. Available at: http://www.hhs.gov/ocr/privacy/
6 List of Exempt States Under the Clinical Laboratory Improvement
Amendments (CLIA). Available at: http://www1.cms.gov/CLIA/downloads/Exempt.States.List.pdf
7 The Occupational Safety and Health Administration. Available at:
http://www.osha.gov/
13
July 2010

feature
article
Meet Kimberly Johnson, RHIA, CPC, CHC
Professional Practice Compliance Officer, Corporate
Compliance Office, University of Kentucky HealthCare
July 2010
14
Editor’s note: This interview with Kimberly
Johnson was conducted in April by Julene
Brown, Immediate Past President of HCCA and
Director of Corporate Compliance for Innovis
Health. Julene may be contacted by e-mail at
jbrown@innovishealth.com. Kimberly may be
contacted by e-mail at KimJ@kmsf.org.
JB: When I hear people talk about the
University of Kentucky, I think basketball,
so it will be great to hear about the UK
HealthCare compliance program and what
you do. First though, please share some information
on your background with us.
KJ: I obtained my degree in Health
Information Management [HIM] from
Eastern Kentucky University. My career
began in quality assurance at Kentucky
Clinic, which is the primary UK HealthCare
outpatient practice. We obtained Joint
Commission accreditation. I was responsible
for helping clinical departments develop
quality plans and assisting them with
monitoring quality indicators. This was my
first real experience with chart reviews. I
moved from that position into the first HIM
Director position for the outpatient practice.
In 1997, Kentucky Medical Services
Foundation (KMSF), which is the billing
agent for the UK Physician Group Practice,
recruited me to join their compliance team as
a Compliance Analyst, due to my experience
in conducting chart reviews and due to the
coding education that I received as part of
my HIM training.
After mastering coding audits and the
CMS Teaching Physician rules, I decided
to take my experience on the road as a consultant.
I joined PricewaterhouseCoopers
as a Physician Coding Consultant. While
there, I had the opportunity to participate
in several Physicians At Teaching Hospitals
[PATH] audits.
I eventually returned to UK and KMSF
and continued to work my way up the ladder
to my current position as Professional Practice
Compliance Officer.
JB: Can you tell us about the organization
you work for?
KJ: I am employed by Kentucky Medical
Services Foundation, which is a non-profit
501(c)3 corporation that supports the
University of Kentucky by providing billing
and collection services on behalf of the
physicians who practice within the UK
HealthCare enterprise, and administration of
all clinical practice income. KMSF provides
a broad range of services for the faculty
and community physicians within UK
HealthCare, including accounts receivable
management, contracting, contract monitoring,
financial counseling, insurance billing
and follow-up, patient billing and collections,
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
insurance training for all registration staff
within UK HealthCare, financial reporting
and analysis, clinical budget management,
compliance, customer service, coding oversight,
physician fringe benefit management,
and practice plan administration. KMSF also
assists in the development of UK HealthCare
strategic initiative planning and budgeting.
Additionally, KMSF conducts comprehensive
due diligence associated with prospective
community-based practices and an ongoing
broad range of support for established practices.
KMSF does not employ the physicians.
UK HealthCare is a component of the
University of Kentucky. It was established
in 1957 and consists of the medical, nursing,

health sciences, public health, dental, and
pharmacy colleges and related patient care
activities in Lexington, Kentucky and in several
off-site locations. UK HealthCare facilities
include UK Chandler Hospital, Kentucky
Children’s Hospital, UK HealthCare Good
Samaritan Hospital, UK HealthCare East,
Kentucky Clinic, Polk-Dalton Clinic, and
Kentucky Clinic South as well as a network
of community hospital clinical affiliations
and stand-alone clinics throughout Kentucky.
It encompasses 80 specialized clinics, 143
outreach programs, and a team of 6,000
physicians, nurses, pharmacists, and health
care workers—all dedicated to patient health.
JB: Would you review the structure of your
compliance program at UK?
KJ: The Office of Corporate Compliance
has the responsibility of overseeing compliance
monitoring for the UK College of
Medicine, UK College of Pharmacy, UK
College of Nursing, UK Chandler Hospital,
UK HealthCare Good Samaritan Hospital,
the UK Physician Group Practice, and
Kentucky Medical Services Foundation. Our
department is comprised of a chief compliance
officer, research compliance manager,
coding compliance educator, senior compliance
analyst, RAC analyst, three coding compliance
analysts, an administrative assistant,
and my position. We are adding a special
investigator position who will focus on high
risk areas.
Our program is based upon the U.S.
Sentencing Commission’s guidelines (the
seven elements for an effective compliance
program).
JB: You are the Professional Practice
Compliance Officer. Can you explain what
your job entails?
JK: My title was chosen to encompass
compliance officer responsibilities related not
only to the physician group practice, but also
to the many other health care providers we
employ, such as nurse practitioners and physician
assistants. The majority of my time has
been, and continues to be, spent on billing
compliance matters. However, my role has
recently expanded to include all compliance
activities that impact the professional practice,
such as HIPAA, the Stark Law, contracts,
electronic medical records, etc.
JB: In working with professional practice
compliance, do you have any tips for getting
compliance with the rules and regulations
across to providers of care?
KJ: It really isn’t as difficult as some may
think. They are busy, so always get to the
point quickly, and be clear, concise, and
consistent. Be flexible about scheduling
meetings with them, as patient care is their
first priority. I often hear, “Just tell me what
I need to do and I will do it.” Always show
them how the rule or regulation will directly
affect them. If you can provide scenarios or
explanations that relate to them clinically,
that is best. Make them part of the solution;
get their buy-in.
JB: What does your education program
involve with the providers? How do you keep
it fresh and enticing?
KJ: We include a mix of customized
one-on-one educational sessions and
computer-based learning. Each new billing
provider receives a mandatory coding and
documentation class prior to billing. The
key to keeping their interest is making it real
through the use of clinical scenarios that are
tailored to their unique specialty. We also
use benchmarks to let them know how they
compare to their peers.
JB: Do you measure the effectiveness of
your professional practice program? And if
so, how?
KJ: We have two key approaches. The
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
first is through our annual compliance
report process. These reports are presented
to the Compliance Committee and senior
leadership by each clinical department and
each college on an annual basis. We use an
electronic survey tool that is populated with
indicators (questions) based upon key risks
to that particular department and the organizations.
Based upon answers, a scorecard
is completed.
The second approach is our auditing
and monitoring program for coding and
documentation compliance. Every new
provider receives coding and documentation
compliance education as soon as he/she is
granted clinical privileges. Then we conduct
a review of their services within 30-60 days
of billing to identify any potential aberrances.
Based upon results, we may repeat this
process. Otherwise the provider is placed
into our regular audit schedule. We sample
a minimum of 10 claims for every billing
provider each audit cycle and provide oneon-one
education and feedback. Currently,
we are auditing approximately 800 providers.
Coding and documentation audit results are
included in each department’s annual report
to the Compliance Committee for review and
further action.
JB: Where do you see Compliance headed
in the future?
KJ: Compliance needs to be at the head
of the table in every organization. The
Compliance department is too often seen
as a reactive department, as opposed to
proactive. As we have heard in many forums
recently, there will be a greater focus on
quality and pay-for-performance in the
future. I believe that is exactly where efforts
should be focused.
JB: Kimberly, are you certified in health
care compliance (CHC)?
Continued on page 17
15
July 2010

MediTract helps healthcare organizations manage intricacies of
the HITECH Act so they can focus on their primary objective –
providing the highest levels of patient care.
MediTract’s Contract Management Solution
increases profits and productivity
while helping healthcare organizations
manage business associate agreements,
track and monitor compliance regulations
associated with physician contracts and
reduce the risk of disclosure of information
to unauthorized parties.
Comprehensive management of BAAs
Enhance Compliance
Centralized, secure database
MediTract® is the leading technology-based contract management service provider in healthcare serving
more than 1,600 healthcare organizations in over 5,900 locations across the United States.
Changing the Way Healthcare Does Business
July 2010
16
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
www.meditract.com
(877) 492-8490

Meet Kimberly Johnson ...continued from page 15
KJ: Yes, I became certified in health
care compliance in 2007. The continuing
education required by certification keeps me
informed. The credential has provided me
with an additional level of credibility as a
compliance officer.
JB: Have you attended any of the HCCA
conferences or academies? If so, what benefits
has this brought to your career in compliance?
KJ: This is great timing, as I just returned
from the Compliance Institute in Dallas.
HCCA provided me with the opportunity
to meet others who have similar jobs with the
same concerns and challenges I experience.
Through the HCCA conferences, I have had
the opportunity to hear from the best leaders
in the industry and my colleagues. At this
year’s conference, I attended a session on how
to be an effective compliance officer. We tend
to focus so much on how we as compliance
officers can help our programs be effective. I
was grateful to see a session that would help
me be more effective! I would like to see
more sessions like this at the conferences.
JB: What have been your biggest challenges
in your job?
KJ: There are two: communication and
staying apprised of changes. In a large organization
full of busy clinicians and administrators,
getting the word out to a large audience is
tough, especially when it involves complex
regulatory guidance and continual changes.
JB: What do you think is the most important
component of a compliance program?
KJ: You must have buy-in at the top. If
the tone at the top is that compliance is a
necessary evil, as opposed to compliance is
important to the success of the organization,
you are going to have problems. Compliance
should be a part of the solution, rather than
the department that is consulted when a
problem arises.
JB: Please tell us why Compliance is important
to you.
KJ: First, as a tax payer and a patient, I
want to receive the best quality of care for
the money. Second, I want to ensure that our
elderly and the lower-income population have
access to affordable health care. Finally, I want
our organization and providers to continue
to thrive and remain the premier provider of
health care services in the State of Kentucky.
JB: What advice would you give to a new
compliance officer?
KJ: It is important to build bridges and
maintain an atmosphere of openness. Avoid
scare tactics when discussing risks, as this
typically creates silos. Always remember
that compliance is everyone’s responsibility,
not just the Compliance department. Never
take things personally. You won’t be loved by
everyone, but remember that as a compliance
professional, it is your duty to “do the
right thing.” Network not just inside but also
outside your organization. I have developed
numerous working relationships with peer
institutions such as Vanderbilt University,
University of Louisville, University of Florida,
etc. You’ve heard of peer pressure? Use it!
JB: Leisure time – we always need to think
about that! Do you have any hobbies you are
involved in?
KJ: I enjoy riding horses and playing an
occasional game of golf—two great hobbies
to have when you live in Kentucky! And, of
course, when the Wildcats are playing, I’m
right there cheering them on!
JB: It has been a pleasure interviewing you.
Thank you and keep up the great work in the
health care compliance profession. n
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
2010
ComplianCe
aCademies
September 27–30
New York, NY
October 25–28
San Francisco, CA
November 15–18
Orlando, FL
December 13–16
San Diego, CA
2010
privaCy
aCademy
October 4–7
San Diego, CA
2010
researCh
aCademy
August 9–12
Chicago, IL
LeArN mOre At
www.hcca-info.org
17
July 2010

My favorite photo
We have taken thousands of pictures over the years. This is my favorite
by far. It captures the what the purpose of our organization is about
like no other picture we have ever taken. We facilitate the gathering of
compliance professionals from many organizations. We facilitate the
bringing together of people with similar responsibilities. We provide
them networking and educational opportunities.
The people in this
picture are all interested
in each other.
They are all clearly
happy and relaxed.
They are sharing an
important moment.
They are spending
time together
between sessions at
one of our meetings
and networking,
sharing stories, or
solving problems.
They may be doing nothing more than enjoying each other’s company.
But, what is most important is that they are spending time with peers
who know what their life is like and what challenges they face. They
are letting each other know they are not alone in what can sometimes
be a very difficult job. They are compliance professionals.
It requires a staff that is welcoming and
knowledgeable. It requires a Board and
speakers who take the time to network
with the attendees/members. We have few
people who fly in and fly out because they
are too busy to bother with the attendees/
members. We don’t have any business
meetings, and we free our main volunteers
ROY sNELL
and Board to network with the attendees. Many organizations have
lead volunteers that run from one committee meeting to another
during the whole conference. Their focus is to add to their resume and
make it clear to people how important they are.
Our members take their job seriously. They are up en masse on
Sunday morning to attend preconference classes, rather than treating
their trip like a junket or boondoggle. There is something special
about people who
take their job and
education seriously.
There is something
special about people
who work hard. Our
members/attendees,
by nature, are well
educated, ethical, and
friendly.
Many people, particularly
speakers, attend
several meetings a
year. They regularly comment that our culture/environment is more
upbeat, friendly, and inviting. I attend many meetings conducted by
other organizations. The absence of a positive networking culture is
deafening. After attending one of our meetings, some describe other
meetings as stuffy, dead, or uninviting.
For those who know what they are doing, providing education is not
that hard. Luckily, we have many people who can teach and many
who can select teachers and content. What we do, that is much more
difficult, is provide quality networking. It is very subtle. It requires
building a culture of trust. It requires an appreciation for everyone, not
just the elite. It requires a relaxed atmosphere. More boring, but just as
important, it requires attention to details like receptions, long breaks,
and extended lunches.
It is no accident that we are where we are. We work hard for what we
have. We worry about everyone, rather than a select few. Our members/
attendees are well-educated, principled people who are a joy to network
with. Our Board is forward thinking and interested in everyone’s
experience. Our staff are friendly, happy, and know what they are doing.
Everyone works hard on seemingly unimportant details to ensure our
meetings, networking environment, and culture stay strong. n
July 2010
18
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

Social Networking
John Falcetano
Editor’s note: John Falcetano, CHC-F,
CCEP, CHRC, CIA is Chief Audit/
Compliance Officer for University Health
Systems of Eastern Carolina and Treasurer
of the HCCA Board of Directors. John may
be contacted at jfalcetano@suddenlink.net.
Social networking gives compliance
professionals the opportunity to further their professions by sharing
their knowledge, fostering their skills, learning from others, and developing
strategies to help them succeed in the 21 st century. There are
many social networking e-groups on our site, and the HCCA/SCCE
Social Networking site has something for everyone. Below are some of
the discussion groups available:
n Auditing and Monitoring n Nonprofit Network
Compliance
n Privacy Officer’s Roundtable
n Chief Compliance/Ethics Officer n Privately Held Corporations
n Communication Training and n Product Review Forum
Curriculum
n Quantitative Compliance
n Competition Law and Anti-trust n Red Flags Rule
n Compliance Risk Management n Retail Forum
n Educators Forum: Teaching n Utilities and Energy Network
Compliance
n Healthcare Billing and
n European Compliance and Ethics Reimbursement
n FCPA: Foreign Corrupt Practices n HIPAA
Act
n Hospital Network
n Financial Institutions Network n Long-term Care Network
n Global Compliance and Ethics n Managed Care & Medicare
n Government: City, County, State Participation
n Government Contractor/Vendor n Medical Device Group
n Insurance Network
n Physicians Compliance
n Investment Management Forum Professionals
n Legal Holds and Record n Quality of Care Forum
Management
n Research Compliance Network
Go to the following link to connect to our social network site: http://
www.hcca-info.org/sn. Don’t forget you can also find us on Twitter,
Facebook, and Linked-in as well.
Sign onto HCCA’s Social Network site to see how other members
are responding. To read the information posted on blogs, participate
in the discussion, review the comments, or just talk with your
peers, you can access the Social Network site by going to the link:
www.hcca-info.org/sn n
Web 2.0 is about the
new, faster, everyone
connected Internet.
HCCA is embracing this approach and offers you
a number of ways to build out your network,
connect with compliance professionals, and
leverage this new technology. Take advantage of
these online resources; keep abreast of the latest
in compliance news; and stay ahead of the curve.
Dozens of discussion groups and
more than 5,000 participants
http://community.hcca-info.org
Profiles of over 2,600 compliance
and ethics professionals
http://www.hcca-info.org/LinkedIn
Over 12,000 people already follow us on
Twitter to get breaking compliance news
http://twitter.com/HCCA_News
Connect with compliance and ethics
professionals on Facebook
http://www.hcca-info.org/Facebook
http://www.hcca-info.org/Facebook_page
Each resource is 100% dedicated to
compliance and ethics management.
So sign up for whichever one works
best for you, or for all four if you’re
already living the Web 2.0 life.
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
19
July 2010

focus
feature
Sparking an epidemic of compliance
By Stephen Kelly, JD, LLM, CHC, CHRC
July 2010
20
Editor’s note: Stephen Kelly is the Chief Compliance & Privacy Officer for
the Carle Foundation Hospital and Health System, located in Urbana,
Illinois. He may be contacted by telephone at 217/383-3927 or by e-mail
at mcshane66@gmail.com.
It’s axiomatic that an organization cannot have a culture of compliance
without executive leadership and the board members
setting the right “tone at the top.” The conventional wisdom
is that if the leaders of the organization talk the talk and walk the
walk, somehow a compliance ethos will permeate all layers of the
organization. Undoubtedly, having leaders who pay more than lip
service to compliance and ethics is a huge step in the right direction.
Without their support, the compliance program doesn’t get the staff
and resources it needs, it doesn’t get included in significant decisions
affecting the structure and operation of the organization, and it
doesn’t get the muscle to mete out discipline or to make significant
overpayment refunds to payers and the government. After reading
Malcolm Gladwell’s, The Tipping Point, 1 however, I began to question
the assumptions that once an organization’s leadership has bought in
to the compliance program, the rest of the organization will surely
follow, or that creating a “tone at the top” is the only way to create a
culture of compliance.
If you have not read it, The Tipping Point, is a compelling study of
how the rules governing viral epidemics can also be used to explain
dramatic changes in social behaviors, cultural trends, and the broad
acceptance of new ideas. According to Gladwell, there is a tendency to
think that, in order to affect major change, one has to put out major
effort in order to have the desired impact. For example, I once thought
developing a culture of compliance in my organization could be
accomplished through a series of over-the-top gestures, such as getting
in a dunk tank during Compliance & Ethics Week, or by showing
up on the clinical floors in the middle of the night to demonstrate
the organization’s commitment to compliance. To the contrary, the
key message of The Tipping Point is that dramatic changes in societal
or organizational behavior are not necessarily achieved through such
grandiose efforts. Instead, they are normally achieved through a series
of much smaller adjustments: adjustments to the message being
communicated, to the type of people to whom the message is delivered
and, finally, to the environment in which the message is delivered. By
making such small-scale adjustments, one can accelerate the contagiousness
of an idea, trend, or behavior to the tipping point, which is
the point where it becomes a cultural or social epidemic. This article
examines Gladwell’s thesis and ponders whether the ideas presented
in The Tipping Point can be applied to the chief aim of compliance
programs (i.e., to prevent fraud, waste, and abuse and to develop a
culture of compliance throughout an organization). In other words,
can one create an “epidemic” of compliance?
The three rules of epidemics
In his study of social epidemics, Gladwell identified three unifying
principles that all of them have in common. By altering a message
to exploit these rules, Gladwell suggests that we have the power to
control what ideas transform into epidemics both in society and in our
organizations.
Rule number one: The Law of the Few
Gladwell’s first rule of epidemics is The Law of the Few, which holds
that the spread of a social epidemic heavily depends on a very small
number of people who become the primary agents of change. These
are people who are blessed with certain social gifts and who most
effectively carry the message, new trend, or idea (i.e., the contagion) to
the broader population we are trying to reach. Gladwell refers to these
people as Connectors, Mavens, and Salesmen.
A Connector is the type of person who seems to know everyone and
is a natural at networking. If you go to lunch with a Connector, he
or she will probably run into somebody they know. Not only do
Connectors know a lot of people, they know a lot of different types
of people. For example, in high school, a Connector was the kid who
could easily circulate amongst the jocks, the nerds, and the artsy crowd
with little difficulty. In our context, Connectors are important because
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

they can carry your compliance message rapidly to a lot of different
people in all strata of your organization.
and Salespeople—individuals whose people skills are able to positively
influence the culture of compliance.
We rely on Connectors to connect us with a number and variety
of different people, but we rely on Mavens to connect us with new
information. Unlike Connectors, Mavens don’t necessarily know a lot
of people, but they seem to know a lot. Mavens are encyclopedias of
knowledge and want to share their knowledge with you, not because
they are know-it-alls, but because they are genuinely interested in
helping you solve your problems. If you are talking with a Maven,
regardless of the subject, a Maven has read an article about it and
will probably forward you a link to the website where they read it. A
Maven in your organization might be the person who seems to know
the rules better than you do and who always knows what’s going on in
the organization or the industry before you do.
Another question to consider is: Who do you send to educational
seminars? The obvious answer is that the compliance officer and, when
funds allow, the compliance staff members should go to conferences
and other educational opportunities. Thinking outside the box,
maybe it would be a good idea from time to time to send a Connector,
Maven, or Salesman from outside your department to one of the
HCCA conferences. By doing so, you are helping to create another
compliance disciple who can share your message and reach different
people in your organization. For instance, one year you may consider
sending an information Maven from your Revenue Cycle team to the
annual Compliance Institute and meet your staff’s educational needs
through trade journals and audio conferences.
In creating a cultural epidemic, Mavens discover the information to You may want to examine your own behavior. Who do you typically
be spread, Connectors get the information in the hands of a lot of network with? A lot of people, including myself, have a tendency to
people, but you still need a third kind of person, a Salesman, who network with other people like themselves in related departments
can persuade people to change their behavior on the basis of this new like Quality and Risk Management. In addition to developing these
information. Of course, compliance officers are expected to be the contacts, work to expand your professional circle by developing
perfect blend of all three—a Connector, a Maven, and a Salesman. relationships with people that you don’t typically get to interact
But what can you do if, like a mere mortal, you do not possess the with. Maybe you are on a lot of your organization’s business-oriented
perfect mix of these personality traits and you do not have the full committees, such as the Revenue Cycle Committee. If so, try getting
buy-in of your senior leaders? In attempting to spark an epidemic of invited to a clinical committee that you’re not normally involved
compliance in your organization, perhaps you should seek out people with, such as a Joint Commission Patient Care Managers meeting, as
at all levels of your organization, not just the executives, who are a means of networking and sharing information with clinicians. Or,
natural Connectors, Mavens, and Salesmen, and try to involve them in as a means of risk assessment, try identifying the information Mavens
your program.
in key departments, the people with their ears to the ground, and
conduct focus groups with them as part of your annual risk assessment
But how? For one, consider your hiring practices. Say you are a process. Information Mavens will probably know the rules that impact
Connector, but do not consider yourself to be a natural information their department, as well as its key compliance weaknesses. Make sure
Maven, then you should look to hire or network with people who are. you share your “intelligence” with them too. They will file it away and,
If you are an information Maven, then make an effort to lure talented when you are not looking, they will help you spread your message to
people who have been around your organization for a long time and others.
served in many different capacities, because these people probably
have numerous contacts throughout the organization. Certainly, you Even by networking or hiring Connectors and Mavens, it is still largely
always want to hire the best candidate, but give some consideration up to you as the compliance officer to persuade people to change their
to bringing people into your program that have spent years networking
in your organization. If you can’t hire from within, then maybe if you do not consider yourself a born Salesperson? The good news
behavior in your role as the Chief Compliance Salesperson. But, what
intellectual brawn and detail orientation are not the only traits we is that The Tipping Point offers a number of subtle changes you can
should interview for. In my own practice, I have focused on hiring make in your communication style that have been demonstrated to
people with different professional backgrounds, such as clinical or make people more persuasive. It’s commonly understood that most of
coding experience. Clearly, these are important, but all things being communication is non-verbal and, in fact, The Tipping Point discusses
equal, perhaps I should be on the lookout for Connectors, Mavens,
Continued on page 22
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
21
July 2010

Sparking an epidemic of compliance ...continued from page 21
July 2010
22
a number of studies that illustrate how the persuasiveness of a message but unwittingly, we made it more interactive and the staff seemed to
often depends not just on the logic of a position, but on the physical be more engaged.
cues emitted by the messenger. For example, research has proven
that facial expressions, such as smiling when speaking or nodding Another interesting aspect of the survey was how we more effectively
can appreciably increase the chances whether a message is received engaged the board just by presenting the results of the survey in a
positively. Similarly, we tend to imitate each other’s emotions as a way different format. Ordinarily, we verbally report to the board, in addition
of expressing empathy and support. So, by controlling one’s outward
to presenting a written executive summary of core compliance
behavior, one can influence another’s moods and thoughts. By controlling
activities and metrics. But, we typically have not been very good at
one’s physical demeanor and making sure to present a positive visually presenting the information. In this case, however, we used an
and lively disposition, a compliance officer can actually influence the online survey tool, 2 which allowed us to present the results in pie chart
power of the message.
format. It was fascinating to witness how easily the board engaged
when we presented information to them in pictures, rather than using
In sum, if you find that you haven’t quite achieved the perfect culture words to convey the same information.
of compliance, consider new people in your organizational network,
the so-called Connectors, Mavens, and Salesmen, people who through From these examples, a major takeaway for our program was that by
their own social skills will be naturally inclined to take your message of making information more interactive, we were able to easily and effectively
“doing the right thing” and make it their own. In this way, try enlisting
educate our staff regarding several key aspects of our program.
a new army of employees into your mission of creating a culture of Then, through the use of pictures, we were able to engage the board in
compliance.
a discussion of ways to improve the program in a way that we had not
experienced before, without ever having to change the actual content
Rule number two: The Stickiness Factor
of what we were trying to communicate.
Gladwell’s first rule of epidemics, The Law of the Few, deals with
people. Gladwell’s second rule of epidemics is the Stickiness Factor, Another dilemma compliance professionals face, and an easy trap
which addresses the quality of the message itself. The Stickiness Factor to fall into, is that we frequently rely on fear tactics (e.g., fear of
states that in a world of competing ideas and messages, stickiness is substantial fines and penalties, fear of reputational harm) to motivate
what makes a message memorable, and ideas have to be memorable employees and management to do the right thing. The problem with
in order to cause us to change our behavior. Interestingly, while the such tactics is that most people in health care already feel like they are
content of the message is important, surprisingly, how the message doing the best that they can for their patients and the communities
is presented turns out to be critical. So, to make your compliance they serve. It is hard for them to see their organization as a bad actor
message more memorable, focus on how you are saying it, instead of capable of committing fraud. So, a message laden with fear typically
concentrating on what you are saying.
does not resonate and people tend to resist a negative message anyway,
so think of ways to spin your compliance message into a positive for
For example, compliance programs tend to struggle with getting your organization and its patients. When you are speaking with your
people to use the compliance hotline. Compliance professionals spend CFO, for instance, show him or her how doing things the right way
a lot of time marketing the hotline by sending out e-mails and posters, can improve the bottom line. In addition to improving charge capture
and by employing any number of other similar devices. Recently, opportunities, our program has uncovered a number of instances
my organization conducted a Compliance Awareness Survey. Those where payments were due from a variety of business partners. Taking
who participated were entered into a raffle to win a prize. One of the credit for these wins can be a marvelous way to earn converts to your
questions was a multiple choice question that asked people if they program. When you are speaking to your clinicians, demonstrate to
knew the hotline number. You would be amazed at how many people them how being compliant can actually improve the quality of care
called the hotline just to find out if they answered the survey question provided to the patient, for example, by improving documentation
correctly, even though they were aware that they were being entered in the medical record or by saving patients money on their co-pay or
into the raffle regardless of how they answered the questions. Since coinsurance. If you have trouble figuring out how best to tweak your
then, we have seen a modest increase in the number of calls to the message, consult with your Marketing or Education departments to
hotline. In this way, we didn’t change the content of the information, craft a presentation style that will make your message “stickier” and
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

more likely to engage your organization’s various constituencies.
The third rule: The power of context
Gladwell’s third and final rule of epidemics asserts that epidemics are
sensitive to the conditions and circumstances of the times and places
in which they occur. Just as people, through their physical behavior,
can affect their state of mind, so can our environment. Thus, changing
our environment brings the opportunity to impact how people think
and behave and how well a message is received. To illustrate this, the
book focuses on a concept called the Broken Window Theory, which
holds that crime is the result of disorder. The theory suggests that if a
window is broken and left unrepaired, people will conclude that no
one cares and no one is in charge, which makes the home or business
more susceptible to property crimes. As the environment gets more
and more disorderly, there will be more crime. This theory was put to
the test in New York City during the 1990s. There, authorities first
focused on eliminating quality-of-life crimes (e.g., subway turnstile
jumping, public drunkenness, graffiti on the subways) as a means of
reducing overall crime in the city. Lo and behold, once these qualityof-life
crimes were severely reduced, suddenly and without warning,
murder and other felonies also steeply declined. Although the results
were counterintuitive, experts attribute this sharp decline, in part, to
law enforcement’s effort to create the perception of order and stability
in the city.
In our field, because of a lack of time and resources, we have a
tendency to be primarily concerned about the biggest risks to the organization.
After all, in a world of limited compliance resources, we tend
to only focus on the largest risks and, as a result, we may not be able to
effectively address smaller compliance issues that people report or that
are identified during a risk assessment. Nor are we able to cross every
“t” or dot every “i” by properly following up on every minor issue or
letting a reporter know that their issue has been addressed. However,
the New York City example demonstrates that appearances do count
for something and, probably, more than we realize. The success of New
York City in reducing violent crime and felonies, in part by emphasizing
relatively minor quality-of-life crimes that create the perception of
disorder, causes me to wonder whether there is a similar application
of the Broken Window Theory in our hospitals and other provider
settings. In our effort to mitigate the bigger compliance risks, could it
be that we lose sight of the smaller issues that our staff might be more
aware of and concerned with? Do we unintentionally demonstrate to
them that their concerns are not important, even though we are trying
our best to remedy the biggest risks to our organization (risks that a
staff person may not be able to see or appreciate)? Although they may
not rank high on our risk spectrum, perhaps we cannot ever lose sight
of the compliance concerns that are most important to our staff that, if
unremedied, create the perception of disorder and cause them to lose
faith in the process.
Conclusion
In truth, the changes that I have suggested seem like such small
changes as to be inconsequential and, frankly, I hesitated to submit
this article. But then it occurred to me that this is precisely the thrust
of The Tipping Point—that as human beings we are conditioned to
believe that we have to make major changes to have a major impact.
We assume that to have an outstanding culture of compliance, our
efforts to achieve it have to be over-the-top. But, that is not necessarily
the case. So, if you feel like your organization already has a culture of
compliance, congratulations! Keep doing what you are doing. But,
if you feel like you are not quite there yet, why not experiment with
how you conduct your business? If you feel like you can’t get through
to senior management, try an end run. Try reaching out to new and
different types of people who might not have previously received
your message, put a new spin on your compliance message to make it
“stickier,” and make sure you devote meaningful time and attention to
the compliance details that your staff level employees are most likely to
see, even though the problems may not pose the most significant risk.
In making subtle changes to your program, you may be surprised that,
as Gladwell predicts, you’ve created an epidemic of compliance in your
organization. What do you have to lose? n
1 Gladwell, Malcom: The Tipping Point: How Little Things Can Make a Big Difference. Little, Brown and
Company, 2000.
2 Survey Monkey is a free online survey and questionnaire tool, available at http://www.surveymonkey.com
How to Conduct
Effective Internal
Investigations
November 11–12, 2010
Orlando, Florida
A TWO-DAY WORKSHOP
To learn more and register, visit
www.internalinvestigations.org
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
23
July 2010

July 2010
24
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
25
July 2010

July 2010
26
State attorney general
oversight of financial
practices of nonprofit
corporations
By Gary W. Herschman and Anjana D. Patel
Editor’s note: Gary W. Herschman is Chair of oversee the disposition of assets by nonprofit
the Health and Hospital Law practice group at corporations serving charitable purposes. The
Sills Cummis & Gross, PC in Newark, New article also discusses a recent enforcement
Jersey. He can be reached at 973/643-5783 or action brought by the New Jersey attorney
by e-mail at gherschman@sillscummis.com. general regarding the financial management
practices of a nonprofit corporation, as well
Anjana D. Patel is Vice Chair of the firm’s as the terms of the settlement of that case and
Health and Hospital Law practice group and lessons learned as a result.
can be contacted at 973/634-5097 or by e-mail
at apatel@sillscummis.com.
State attorneys general common law authority
Among their other duties, state attorneys
The recent adverse economic conditions general may, in many states, have a common
have impacted nonprofit organizations law duty to oversee the activities of charitable
just like everyone else. Nonprofits are corporations. For example, many state courts
being forced to deal with deteriorating financial
conditions resulting from the confluence responsibilities include protecting, supervis-
have recognized that their attorney general’s
of depreciating portfolio assets and diminished ing, and enforcing charitable trusts for the
donor contributions. As a result, transactions common interest of the general public. In
are becoming more prevalent in which nonprofit
organizations that provide health care charitable corporation seeks to dispose of its
these states, it is often determined that if a
services are either divesting certain assets in assets, the attorney general may be responsible
order to generate cash flow or, in some cases, for oversight of the transaction.
being forced to sell their entire operations.
This type of public policy argument has been
Nonprofits that are considering these types adopted by courts and legislatures throughout
of transactions need to be aware that under the country, noting that unlike a for-profit
many state laws, these transactions could corporation, a nonprofit corporation does
trigger reporting and other obligations to not have shareholders to monitor whether its
the state attorney general, and sometimes activities are aligned with its charter or are
can entail a lengthy and detailed regulatory being conducted in furtherance of the best
approval process.
interests of its community. In sum, attorney
general oversight is a necessity afforded by
This article provides a general overview of the extension of common law charitable trust
the typical attorney general’s authority under principles, and is often mandated by statute
common law (and in some cases by statute) to to protect the public interest.
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
Another doctrine often invoked when a
charitable organization seeks to sell a substantial
portion of its assets is the doctrine of cy
pres. Cy pres states that when a charitable trust
can no longer carry out its intended purpose,
the funds must be applied to a similar purpose.
Under several states’ common law, only the
court has authority to make this determination,
however, attorneys general, as overseers
of charitable trusts and charitable corporations,
are responsible to review abandonment
of charitable purpose. Often, a change in
purpose occurs due to the disposition of a large
amount of assets, which renders the nonprofit
corporation effectively powerless to continue
its original mission. Under a cy pres analysis,
the attorney general is responsible to ensure
that the assets are sold for reasonable value and
used for similar charitable purposes.
It is also important to note that in addition to
common law authority, many states’ attorneys
general have been given more direct authority
over these types of transactions by legislation.
Certain states have, for example, enacted
legislation applicable to the transfer of control
of nonprofit hospitals and/or other nonprofit
corporations, giving the state attorney general
broad powers to oversee this process.
Recent developments: Stevens Institute of
Technology
On September 17, 2009, New Jersey’s attorney
general filed a 16-count lawsuit against Stevens
Institute of Technology, a New Jersey nonprofit
corporation, as well as the school’s president
and chairman of the board. 1 The complaint
alleged that the defendants, in violation of the
New Jersey Nonprofit Corporation Act, the
Uniform Management of Institutional Funds
Act, and their fiduciary duties:
n engaged in negligent spending and borrowing
practices,
n failed to properly maintain records and
accounts,

n financially mismanaged and improperly The attorney general’s complaint also cited broad powers over the corporation’s
administered the university’s endowment additional situations in which the defendants financial matters.
and investments,
allegedly breached their fiduciary duties by n Restructuring other committees, such
n failed to report complete and accurate mismanaging the university’s endowment as Human Resources, Compensation,
information to the full board, and funds, including:
Nominating and Governance, and
n excessively compensated the university’s n On numerous occasions, the university Investment committees to increase transparency
president.
made excessive expenditures and borrowed
and accountability.
excessive funds without board approval, n Posting certain financial and investmentrelated
The suit sought removal of certain board and failed to inform the full board when
information, as well as certain
members and the president, an overhaul of third-party consultants/auditors warned corporate governance documents, on the
the university’s internal controls and accounting
the school that its financial management corporation’s website.
practices, repayment by the president of policies and activities were improper. n Adopting a gift acceptance policy contain-
“unreasonable” compensation he received, n The university violated restrictions placed on ing guidelines for the acceptance of gifts,
and damages from the defendants equal
certain assets by donors when it improperly and a donors’ “bill of rights.”
to the losses sustained by the university’s used such assets as collateral for loans, and n Working with outside consultants on,
endowment resulting from their alleged
also when it misappropriated trust assets. among other things, corporate governance
mismanagement.
n The university failed to properly segregate, and conflicts of interest policies.
monitor, and account for gifts that had n Appointing a special counsel, a former
The lawsuit was the outcome of a three-year been donated with restrictions on their use. New Jersey Supreme Court Justice, to
investigation of the university’s financial
monitor compliance for two years.
management practices that initially began in The lawsuit was settled on January 15, 2010.
response to suspicions raised by university Among other things, the settlement requires Conclusion
trustees and alumni. In response to the suit, major corporate governance changes, including: The Stevens case is important because it is yet
the university contended that the attorney n The president’s resignation, effective another indication that state attorneys general
general overstepped her authority in trying July 1, 2010, and his repayment of the are becoming more vigilant in their enforcement
to substitute her judgment for that of its loans granted to him by the institution.
and oversight of the financial manage-
board.
n A prohibition on future loans from the corporation
ment and corporate governance practices of
to its officers, and the corporation nonprofit organizations.
In her complaint, the attorney general cited acting as a guarantor for loans to any officer;
numerous facts to support her allegation that n Setting term limits for trustees, including The case provides a valuable lesson for boards
the university excessively compensated its the chairman and the vice-chairman, and of nonprofit hospitals and health systems by
president, including:
barring the chairman, the vice-chairman, identifying the types of activities and practices
n Over a nine year period, the president’s and any member of the executive committee
(or lack thereof) that are likely to become
compensation grew by more than
from serving on any other committee; the subject of scrutiny if a state attorney
$700,000 (to over $1 million).
n Reducing the powers of the Executive general were to review and/or investigate the
n The president was one of the highest paid Committee to an advisory committee and corporate governance and related nonprofit
college presidents in the United States, yet vesting the full board of trustees with the compliance issues of their organization. To
the school’s operating budget was approximately
exclusive power over certain financial, op-
that end, all nonprofits should consider
90% less than other universities erational, and compliance issues, including implementing the following practices:
that paid comparable salaries.
the power to approve the compensation n Evaluate internal financial management
n In addition, the president received over of the president and the five highest paid and accounting practices with respect
$1 million in allegedly illegal loans at below employees;
to the administration of charitable gifts.
market rates from the university, which were n Restructuring the responsibilities of the Be mindful of the importance of strong
subsequently forgiven by the school.
Audit Committee so that it will have oversight over restricted gifts and other
Continued on page 31
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
27
July 2010

REGISTER BY
SEPTEMBER 8
AND SAVE
regiSter
befOre
AuguSt 31
And SAve
September 26–28, 2010
Renaissance Harborplace Hotel
Baltimore, MD
The Fraud and Compliance Forum is jointly sponsored by
the Health Care Compliance Association (HCCA) and the
American Health Lawyers Association (AHLA). It will include
an explicit designation of a session as “compliance focused”
or “legal focused.” The Planning Committee has included
enough sessions in each designation that an individual could
attend all “compliance” sessions or all “legal” sessions for
the entire program. Yet an attendee also has the option
of selecting a diversity of sessions and networking with an
expanded group of individuals. The Fraud and Compliance
Forum has the benefit of combining the quality of HCCA
and AHLA sessions with the expanded networking power
of a combined program.
Learn more and register
at www.hcca-info.org
Physician
Practice
Compliance
Conference
OCtOber 17–19, 2010
Doubletree Hotel Philadelphia
Philadelphia, PA
Why yOu ShOuld Attend
Physicians, compliance officers, coders, and
managers will learn to manage an effective
compliance program. Designed with networking in
mind, the conference provides many opportunities
for choosing breakout sessions covering
topics of interest for all. Participants will learn
about compliance program development and
management as it relates to physician practices;
current government initiatives in the field of
health care compliance specific to physicians and
their group practices; correct documentation,
billing and coding practices for physicians; and
best practices utilized in physician practices.
learn more and register
www.hcca-info.org
July 2010
28
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

Health care
compliance: Not
ready for prime time
By Raj Chaudhary, PE, CGEIT
Editor’s note: Raj Chaudhary is a Principal The official responsible for security and privacy
with Crowe Horwath LLP in the Oak Brook, (usually a chief security officer, chief risk officer
Illinois office. He can be reached by telephone at or IT manager) at each of 77 U.S. health care
630/586-5127 or by e-mail at raj.chaudhary@ organizations completed the survey. Most of
crowehorwath.com.
the executives were also contacted personally to
verify and expand on their answers. Forty-two
The U.S. health care industry is risking
heavy fines, federal enforcement ties,” that is, public and private hospitals, doc-
of the respondents were from “covered enti-
action, and potentially serious civil tors, and insurance companies. The remaining
and monetary penalties, because it is not 35 were from data processors, pharmacies,
protecting the security and privacy of patient public health care vendors, and others classified
electronic health records as required by law. under the law as “business associates.” Business
The industry also risks an erosion of public associates, which provide services on behalf of
confidence as the public becomes more aware a covered entity, are responsible for properly
of the lack of industry action to prevent identity
theft; unauthorized disclosure of health (PHI) to which they have access. The survey
managing any protected health information
information; stolen, lost, corrupted and respondents were primarily from larger organizations,
those that could be expected to have
hacked data; and other serious breaches of
security and privacy. As a result, patients and more financial and human resources working
their doctors may be less willing to put their on compliance. More than a third (37%)
health records in any electronic database. of the respondents’ organizations had up to
1,000 full-time employees, 35% had 1,001 to
In a recent survey 1 of a broad spectrum of 10,000, and another 28% reported more than
health care organizations, “Benchmark Study 10,000 full-time employees.
of Healthcare Covered Entities and Business
Associates,” 94% of the respondents admitted
they were not in compliance with the was published in November 2009, just a few
The study “Are You Ready for HITECH?”
privacy and security provisions of the Health months before a February 2010 deadline for
Insurance Portability and Accountability Act compliance with new and expanded security
of 1996 (HIPAA) and its recently enacted and privacy standards. The full survey report
complement and expansion, the Health can be downloaded at www.crowerhorwath.
Information Technology for Economic and com/benchmark.
Clinical Health Act of 2009 (HITECH).
The study found a disturbing lack of Expanded law, higher penalties
compliance with the federal laws as well as These new and expanded federal laws require
inadequate planning, training, and preparing extensive electronic, physical and administrative
programs, thorough staff training for compliance.
and
management to heighten security and protect
patient privacy. They require periodic auditing
and independent testing to help ensure that
federal standards are met and that the privacy
and security measures in place work as designed.
HITECH has expanded and tightened the
provisions of HIPAA so that they now apply
to business associates as well as covered
entities. Contracts between covered entities
and their business associates must now specify
how PHI is handled and used. Under the
more recent legislation, moreover, all covered
entities and business associates now must
notify each individual affected when there is a
security breach. When more than 500 records
are breached, reporting to the media and to
the U.S. Department of Health and Human
Services within 60 days is mandatory.
Penalties have increased sharply under
HITECH, from $100 per violation (with a
cap of $25,000 for multiple violations) to
$1,000 per violation with a maximum of penalty
of $100,000 for a violation resulting from
“reasonable cause and no willful neglect.”
In cases of neglect, the fine is now $10,000
per violation (maximum of $250,000) if the
violation is cured in 30 days and $50,000
(maximum of $1.5 million per calendar year)
if no timely corrective action is taken.
The industry has been working under HIPAA
privacy and security standards for at least four
to six years. The three-part law was passed in
1996, but the privacy sections became effective
in 2003 and the security sections took
effect in 2005. It has had a year to comply
with the HITECH law that became effective
Feb. 18, 2009.
Surprisingly low compliance rates
At the time of the survey, slightly more than
1% of the respondents said their organization
changes in IT procedures and information
Continued on page 30
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
29
July 2010

Health compliance: Not ready for prime time ...continued from page 29
July 2010
30
had “achieved compliance already.” Close
to 5% said their organization’s compliance
program was “almost complete for near-term
effective dates.” That left fully 94% unable
to say their organization would meet the
compliance deadline.
Nearly 60% of the respondents admitted
that they were not even fully aware of what
they needed to do to comply. This
included some 27% of respondents
who said they were “barely aware of
compliance actions needed.”
There was some difference in
readiness and awareness between
those at the covered entities,
which have had at least four to six
years of experience with HIPAA
privacy and security regulations,
and respondents from the business associates,
which have had less than a year to digest and
comply with the new HITECH standards.
The business associates also tend to be
smaller firms with fewer financial and human
resources to use for compliance programs.
For example, nearly 30% of those at covered
entities said they had “actions under way” to
comply, while just 11% of the respondents
from business associates gave that response.
But the somewhat higher compliance rates
claimed by officials at the covered entities
were hardly reassuring, given their assumed
familiarity with the 14-year-old HIPAA
program. On one hand, more than 98% said
they had a HIPAA Privacy Rule compliance
program already in place, and 86% said their
HIPAA Security Rule compliance program
was in place. On the other hand, the survey
revealed disturbingly low rates of updating
and the required independent adequacy and
quality testing for these programs. Some 80%
said their programs had not been tested independently
annually, or even every two years.
Ten percent said they had never tested their
privacy program, and nearly 20% admitted
they had never independently audited their
security system. Another 22% said only the
in-house person responsible for the program
had evaluated their privacy system. About one
third (32%) said only the person responsible
for the security system had tested that system.
Significant percentages
of respondents “seem to
be uncertain about what
they need to do in order
to achieve substantial
compliance.”
As for updating, just 23% said they had
modernized their privacy program and 32%
said they had upgraded their security system
since HIPAA went into effect in 1996. This
left about 77% and 68%, respectively, with
privacy and security systems that did not
meet the standards for updating.
Known deficiencies and lack of
management support
It is little wonder then that 54% of the
respondents said they already knew of
deficiencies in their privacy programs, and
58% said they knew their security system had
specific deficiencies. One significant cause of
this problem, the privacy and security officers
said, was the lack of support from management.
Almost half (45%) said they did not
have “management buy-in” for compliance
with HITECH, and 53% said they did not
“have sufficient resources” to comply fully.
The study showed, for instance, that “despite
the importance of compliance in the health
care industries,” notably small proportions of
the organizations’ compliance budgets – an
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
average of no more than 12.5% – were earmarked
for information privacy and security.
Again, the respondents’ experience with
implementing the older and more familiar
HIPAA program offers little confidence that
their HITECH compliance will be very
impressive. They were asked about ten different
crucial privacy and security requirements.
The highest compliance rate was just
58%, and that was for one of the most
basic requirements: procedures in
place for fielding privacy and security
complaints. Nearly half said they do
not perform comprehensive, risk-based
assessments of their handling of PHI.
Nearly the same percentage of respondents
conceded that their organizations
have inadequate programs for storing
and protecting electronic records. About
half (47%) said their training is inadequate
and does not meet federal standards, and
44% said their incident response, business
recovery, and disaster recovery programs were
inadequate. Some 21% of the respondents
said that even after 14 years, their organizations
do not have an effective privacy policy
that clearly describes the appropriate use and
sharing of PHI.
The picture that emerges from the survey
is discouraging and disappointing. It does
not show an aggressive, consistent, or
well-executed approach to data management
and protection and other key areas of
privacy and security. It seems clear that most
organizations are not ready for HITECH –
apparently because they are still struggling
with compliance issues within their existing
HIPAA programs.
The result: Data breaches
The result for patient privacy and security
is poor. Fully 91% of respondents admitted

State attorney general oversight of financial practices of
nonprofit corporations ...continued from page 27
they had experienced data breaches in the two
years previous to the survey. More than half
(55%) said that fewer than 10 patient records
had been breached, but another 20% said
their organization had experienced breaches
containing between 10 and 500 patient
records, and 15% reported breaches of 500
to more than 10,000 records. Bear in mind
that these figures are all self-reported and
are probably best guesses for the most part,
because accurate reporting systems required
by the new law are not yet in place.
The estimated cost of these violations of security
and privacy systems, although they varied
by the size of the organization involved, were
significant. According to the respondents,
average costs ranged from $130,000 for
organizations with fewer than 100 employees,
to $4.1 million for those with more than
25,000 employees.
Not surprisingly, a healthy percentage of the
respondents said they could not close these
compliance gaps and resolve crucial privacy
and security issues without expert and experienced
outside help. Nearly half, for example,
said they would need outside help, such as a
consultant or auditor to design and conduct
a comprehensive risk analysis. Almost half
(45%) said they would need external support
to set up and perform effective staff training
programs to make sure their privacy and
security programs are implemented and work
correctly. Between 36% and 42% said they
would be looking for outside assistance to help
ensure the compliance of marketing activities,
improve complaint procedures, upgrade physical
safeguards for electronic data protection,
and manage their privacy programs.
Even though most respondents acknowledged
that their organizations’ HIPAA compliance
programs are deficient, the survey found that
implementing necessary controls or securing
third-party assistance to help ensure compliance
may be limited by budgetary constraints.
This survey reveals the significant gaps in
compliance with the federal security and
privacy laws and reinforces the dire need for
effective programs in the health care industry.
The impact on patients can be enormous. The
protection of patient information is a first
line of defense against identity theft, which
increased by 22% in 2008 and affected nearly
10 million Americans by most estimates.
Beyond that, the lack of proper controls of
PHI can affect a patient’s reputation, family,
and the ability to get and hold a job.
The study concludes that “both covered
entities and business associates face serious
challenges in achieving substantial compliance
with privacy rule and security rule
requirements.” It emphasizes that leaders
in both privacy and security “need to do a
better job in making senior management
aware of their organization’s current program
deficiencies.” Just as troubling, it shows that
significant percentages of respondents “seem
to be uncertain about what they need to do in
order to achieve substantial compliance.”
“It is disappointing, though not surprising,
to learn that a majority of companies do
not believe they are prepared for the latest
in health care information security regulations,”
said Dr. Larry Ponemon, Chairman
and founder of the Ponemon Institute. “Our
research consistently finds that a lack of
budgetary and moral support from the executive
suite is a common barrier to proper data
security and management programs, even
with the specter of regulatory enforcement
looming.” n
1 The study was conducted by Ponemon Institute LLC, which researches
and audits privacy management practices for business and government,
and co-sponsored by Crowe Horwath LLP.
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
donations and endowments, including
conducting periodic audits.
n Consider adopting a donor bill of rights
and a gift acceptance policy.
n To the extent necessary, modify or add
policies and procedures to: (1) confirm,
on a periodic basis, that executive compensation
packages are appropriate; and
(2) ensure there are clear and restrictive
guidelines regarding loans to officers.
n Consider engaging independent outside
consultants to assist in the review, development,
and ongoing implementation of
various financial management, accounting,
and corporate governance practices.
n Review the powers of the entire board
and of specific committees. The fact that
a small group of individuals (whether of
the board or of an executive committee
or the like) are making all the decisions is
likely to be of concern to a state attorney
general.
n Clearly delineate board committees and
their respective powers, including adopting
specific charters or mission statements for
each committee.
n Consider imposing term limits on board
trustees.
n Ensure transparency by making certain of
the organization’s financial and governance
practices publicly available. n
The authors would like to thank Matthew
McKennan, a law clerk with the firm, for
his assistance with this article. The views and
opinions expressed in this article are those of the
authors and do not necessarily reflect those of
Sills Cummis & Gross PC.
1 For more on the State of New Jersey v. The Stephens Institute of Technology,
see http://hoboken411.com/archives/27611
31
July 2010

July 2010
32
The Six Sigma
compliance screening
process: An engineer’s
Editor’s note: Brady Ballman is a Senior Project
Manager for John Sterling Associates LLC, a
national compliance screening firm located in
Cincinnati, OH. In his previous 15-year career
as an engineer, he was involved in streamlining
industrial processes and was awarded several
patents for his unique ideas. He may be contacted
at 800/909-5763 or by e-mail at
BPB@sterlingresults.com.
Engineers have a deeply-felt belief
that nearly any problem can be
solved through methodical analysis.
Breaking down a problem into its fundamental
components is, therefore, the first step in
its solution. Then a process can be developed
to yield the optimum outcome in the most
efficient and effective manner.
But how does this apply to compliance
screening in your hospital? Well, many of the
engineering concepts applied in manufacturing
automobiles and televisions can also be useful
in compliance screening your employees,
physicians, and vendors. This article will
systematically analyze your screening tasks
and perils and will lay out a comprehensive
process to make your compliance screening
program robust and complete.
The problem
A typical hospital receives large amounts
of federal dollars for services it renders to
patients covered by Medicare, Medicaid, Tri-
Care, and other federally purposed health care
perspective
By Brady Ballman, MBA
programs. This benefit, however, comes with
many strings attached. Much of your hospital’s
compliance program flows from the need
to maintain this funding stream by adhering
to a wide range of federal requirements.
Compliance screening is one of those requirements.
In the first instance, the Office of the
Inspector General (OIG) expects the hospital
to check that a prospective new employee
or newly accredited staff physician has not
already been found to be excluded from federal
health care programs. The OIG Compliance
Program Guidance for Hospitals 1 clearly
states you need to “…prohibit the employment
of individuals who have been recently
convicted of a criminal offense related to
health care or who are listed as debarred,
excluded or otherwise ineligible for participation
in Federal health care programs.”
This is done by examining two federal compilations,
the OIG’s List of Excluded Individuals/Entities
(LEIE) and the General Services
Administration’s (GSA) Excluded Party List
System (EPLS). The former is concerned only
with health care exclusions, while the latter
also adds exclusions for reasons unrelated to
health care.
But why should exclusions for reasons
unrelated to health care concern the hospital?
It is because even non-health care fraud can
disqualify a person from working in a hospital.
The Federal Acquisition Streamlining
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
Act of 1994 states that parties barred or
suspended from any federal program cannot
participate in any other federally funded
program.
OIG, in its OIG Exclusion Authorities,
claims a permissive authority to exclude,
based on a prior conviction for “...Fraud,
theft, embezzlement, breach of fiduciary
responsibility, or other financial misconduct
with respect to any act or omission in a
program, other than a health care program,
operated in whole or in part by any Federal,
State, or local government agency.” This
means that a given listing on the GSA EPLS
can be sufficient to exclude a person for nonhealth
care fraud convictions.
New vendors, likewise, need to be checked
against the two compilations before buying
goods or services from them. OIG’s position
is that providers cannot request reimbursement
for any goods or services provided by an
excluded business entity.
Periodic re-screening of your current employees,
physicians, and vendors is another express
requirement to stay in OIG’s good graces. In
the OIG Supplemental Compliance Guidance
for Hospitals, 2 OIG states “...employees,
contractors and medical staff [should be]
checked routinely (e.g., at least annually).”
In January 2009, another requirement was
put in place by CMS when it issued a letter
to state Medicaid directors advising that
“States should require providers to search the
HHS-OIG website monthly to capture exclusions
and reinstatements that have occurred
since the last search.” Furthermore, there is
evidence that OIG now may be more likely
to invoke the “knew or should have known”
criterion when an exclusion is not promptly
self-reported by a provider. The indication is
that a civil monetary penalty (CMP) is more

likely if the provider failed to perform monthly
rechecks. So, what was once an annual
rechecking requirement now seems to have
morphed into de facto monthly rechecking.
Another part of the compliance screening
problem is the imprecision of exact matching
of first name and last name pairs when searching
federal lists. As an example, your employee
“Dick Smith” will not show a match to the five
persons currently excluded as “Richard Smith”
yet, he actually could be one of them. In more
technical terms, this method of comparing
names can result in “false negatives.” If his
exclusion were found in the future, a repayment
and possible CMP could be significant.
There are hundreds of shortened or alternative
spellings of common first names which can
result in a false negative.
Dick could be Richard.
Bill could be William.
Becky could be Rebecca.
(And each could be excluded)
Any input error can also result in a false
negative. If you accidentally screen “Richard
Smiht” but meant “Richard Smith”, you will
miss a match and a possible exclusion. The
expression “garbage in-garbage out” certainly
applies to compliance screening.
Grant once was Lee.
Brown once was Green.
Likewise, if you are screening “Roberta
Grant-Lee” or “Roberta Grant Lee” an exclusion
may be missed without checking both
her name variants, Grant and Lee. Changing
surnames is probably the most common
method used by an excluded person to
circumvent detection as a hospital new-hire.
Six Sigma solution
Six Sigma teaches engineers to improve the
quality of process outputs by identifying and
removing the causes of defects (errors) and variability
in manufacturing and business processes.
This is achieved by isolating the components
of a problem, brainstorming and developing
possible fixes, evaluating each potential solution,
and then melding them into the best overall
solution. Here are six recommended steps to
create a thorough screening process.
Step 1. Get good data— “Garbage in,
garbage out”
Whether you are screening persons or
businesses for the first time or rescreening
them every month, data quality is very
important for good results. This information
has to be accurate and free of typos. Also,
it’s a good idea to make sure there are no
duplicate entries to further add to your work.
Invest the time to ensure quality data, or the
remaining steps will become meaningless
while costing you time and possibly money.
Step 2. Expand the data— “Use a shotgun
instead of a rifle”
The best practice is to check a name and all
its possible alternatives to be screened against
the databases.
Watch for shortened first names. For the
most accurate results, Ed Johnson can be
crosswalked as “Edwin Johnson”, “Edmund
Johnson”, “Edmond Johnson”, “Edward
Johnson”, “Edison Johnson”, “Edgar Johnson”
and any other possible variant (see figure 1).
Watch for hyphenated and compounded surnames
as well. Bonnie Bell could marry and
chose to be called Bonnie Bell, Bonnie Brown,
Bonnie Bell-Brown or Bonnie Bell Brown.
An employee with a middle name that could
Continued on page 34
Watch out for extra spaces in names or
misplaced commas, because the federal
database search engines are set up for exact
character matching, and a typo can give you a
false negative result. You could be mistakenly
giving an excluded party the “all clear.”
A related problem is last name changes from
marriage or divorce. If an excluded Betty
Brown remarries and now is Betty Green, a
simple search of her current name will not Figure 1
find her exclusion.
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
33
July 2010

The Six Sigma compliance screening process: An engineer’s perspective ...continued from page 33
be a former last name, such as Susan Smith
Jones, needs to be checked under both names,
Susan Smith and Susan Jones. This is necessary
because she may have been excluded
under a maiden name or resumed a prior
name after a divorce.
Your employment application form should
require the applicant to divulge any other
surname they have ever used. These other
surnames should be checked at time of hire
and then with every subsequent rescreening.
It is possible to perform a correlation analysis
that can identify a person excluded under a
former surname who omitted that on their
application form. However, the level of
expertise required for this analysis is normally
only done by professionals.
the federal data you used so you can prove later
that the failure to match was not your fault.
Step 4. Collect potential matches for
further scrutiny— “Pull in the nets”
A potential match occurs when one of your
names has the same components as one (or
more) of the federal or state data. If you are
only checking a few names, your probability
of getting a potential match is fairly low. But,
if you have thousands of names to check, you
will get numerous potential matches.
Now it’s time to determine if any of those
potential matches you’ve generated are
genuinely positive exclusions. This is where
you earn your stars as a compliance screener.
Let’s say your employee Barbara Smith is
a potential match to the Barbara J. Smith
excluded by OIG. More information to
compare your employee with the excluded
person is a necessity at this point.
Information such as the employee’s date of
birth, middle name, Social Security number,
July 2010
34
Step 3. Match your data against the
databases—“Looking for trouble”
Once your data has been prepared and
expanded, it needs to be checked against the Figure 2
federal databases; namely the OIG database
online at http://exclusions.oig.hhs.gov/ and
the GSA database at https://www.epls.gov/
epls/search.do, plus any required state lists.
Each website allows names to be entered oneby-one
to find matches with excluded people
and companies.
A rule of thumb is that approximately
5%–10% of your data will match at this stage
(i.e., for every 1,000 employees checked,
normally there are 50 to 100 potential
matches to resolve). If you have significantly
less, you may not be checking as thoroughly
as you should (see figure 2).
current address, taxonomy, licenses, prior
residences, hire date, etc. can be extremely
beneficial to determine whether your
employee indeed is or is not the excluded
party. Taxonomy refers to the employee’s
professional classification. This can be
referenced for medical providers by reviewing
The more cumbersome type of checking is
the periodic rescreening of all employees,
physicians, and vendors. For this “global”
A robust, thorough screening
process will generally find
their NPI data at websites such as https://
nppes.cms.hhs.gov. Essentially, for reviewing
potential matches, one can rule out a John
rechecking, a more efficient approach is to
Smith tentative match if your employee is a
about 5%–10% of your data
download the respective databases (per each
chiropractor and is matched to a John Smith
site’s instructions). With the downloaded to be potential matches! who is an excluded dentist. Their taxonomy
files, you can then make comparisons to your
data and identify potential matches.
Most of these potential matches are false positives.
Simply put, there are many people and
differs (a chiropractor is not a dentist). 3
This determination can take a fair amount
of time to do, but it is absolutely critical in
A note of caution—federal databases often
retroactively add back-dated exclusion
records. This can make it appear that you
missed a valid match when it turns up in a
future rescreening. Protect yourself by retaining
businesses that share common names, but only
a few of them are actually excluded parties.
Step 5. Resolve potential matches—
“Apples-to-apples or apples-to-oranges?”
making an informed judgment. Be certain
to keep copies of all your work in case
you need to show how you arrived at your
conclusions.
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

Should you find an excluded party, following
these steps is recommended:
1. Double check to make absolutely sure
that you have an excluded party.
2. Review your findings with your compliance
officer and legal counsel. The likely
result will be to immediately terminate
the excluded party’s relationship with your
hospital.
3. Notify OIG and disclose all pertinent
information.
4. Plan on repaying affected federal funds.
You might also be penalized, possibly including
CMPs of up to $10,000 for each
wrongful submission.
Step 6. Repeat the process—“Repeat,
repeat, repeat”
Yes, that means you need to redo the whole
global process periodically. This frequency
once was defined as “at least annually” but
now may become a monthly requirement.
Part of the answer is to make your procedures
more efficient. One example is mining your
data from previous screenings. In most hospitals,
the departure rate of employees (e.g.,
quits, terminations, etc) is perhaps 20% each
year. Of course, this means that a high percentage
of the persons with potential matches
this time also had the same potential matches
in the previous screening. By accessing your
historical records from previous screenings,
you save yourself from needlessly reevaluating
the potential matches that reappear
each time. Just be sure to confirm that your
person or entity and the potential matching
record are completely identical in all data
fields before dismissing it as a repeat. Also,
keep in mind that records can be retroactively
inserted and exclusions can take longer than a
year to appear on the listed sites.
In a broad sense, finding more efficient
ways to tackle a recurring process is what we
gearheads call “engineering the costs out.”
This means making your product easier,
cheaper, faster, and better with the resources
at your disposal. By using a Six Sigma
approach, a better compliance screening
process can be designed to help you and your
hospital save time and money. n
1 Available at http://oig.hhs.gov/authorities/docs/cpghosp.pdf
2 Available at http://ftp.resource.org/gpo.gov/register/2005/2005_4876.
pdf
3 Available at http://www.cms.hhs.gov/SMDL/downloads/SMD011609.
pdf
4 To see the matches for John Smith, see https://nppes.cms.hhs.gov/
NPPES/DisplayProviderDetails.do?searchNpi=&city=&firstName=john
&orgName=&searchType=ind&state=&npi=1497758122&orgDba=&l
astName=smith&zip=
Be Sure to Get
Your CHC CEUs
Articles related to the quiz in this issue
of Compliance Today:
n Opportunity knocks for hospital
boards to impact clinical quality —
By Janice A. Anderson and
C. Jason Hannagan, page 6
n Waived laboratory tests: Meeting
regulatory requirements and
implementing best practices —
By Melissa Scott, page 12
n Managing employee turnover in a
shrinking workforce —
By Joyce Freville, page 38
To obtain one CEU per quiz, go to www.
hcca-info.org/quiz and select a quiz.
Fill in your contact information, read
the articles, and take the quiz online. Or,
print and fax the completed form to Liz
Hergert at 952/988-0146, or mail it to
Liz’s attention at HCCA, 6500 Barrie
Road, Suite 250, Minneapolis, MN
55435. Questions? Please call Liz Hergert
at 888/580-8373.
Compliance Today readers taking the
CEU quiz have one year from the
published date of the CEU article to
submit their completed quiz.
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
35
July 2010

Privacy and security
risk assessment based
on GRC principles
Editor’s note: Andy Reeder is Director,
HIPAA Privacy and Security at Rush
University Medical Center in Chicago.
Andrew may be contacted by e-mail at
andrew_reeder@rush.edu or by telephone
at 312/942-2995
Every health care organization is
faced with conducting a privacy
and security risk assessment at some
point in time. This may be to address regulatory
requirements found in HIPAA, or
may simply be a proactive business need to
identify gaps against best practices. With the
advent of the Health Information Technology
for Economic and Clinical Health Act
(HITECH) and the various amendments
to Health Insurance Portability and
Accountability Act of 1996 (HIPAA) privacy
and security requirements, now is a good
time for health care organizations to consider
dusting off older privacy and security assessments
and re-considering how well they are
complying with HIPAA. This can be done
more effectively by applying the principles of
Governance, Risk, and Compliance (GRC)
to guide new risk assessment efforts.
Year X RISK ASSESSMENT
RISK ASSESSMENT
By Andy Reeder, CISSP, CISA, CISM
Deficiencies
Reviewed
Deficiencies
Reviewed
Gap
Assessment
Year Y RISK ASSESSMENT
RISK ASSESSMENT
Methodology
A traditional approach toward the assessment
of privacy and security risk is to compare
an institution’s “current state” and industry
best practices in order to produce a gap
analysis. This method produces useful results,
but often doesn’t consider compliance or
governance issues that would add to a risk
view that includes regulatory concerns and
organizational effectiveness. By expanding the
gap analysis criteria to include considerations
of GRC, the institution can gain a better
understanding of overall risk.
GRC best practices have been part of a wave
over the past several years to break down silos
that have traditionally existed between areas
of common interest, such as corporate compliance,
risk management, internal audit, and
legal affairs. There has been universal recognition
that many of these corporate functions
often work on similar interests and have a
focus on similar federal and state regulations.
The GRC filter adds a new dynamic to the
privacy and security risk assessment:
Deficiencies
Reviewed
Deficiencies
Reviewed
Year Z RISK ASSESSMENT
RISK ASSESSMENT
Deficiencies
Reviewed
Governance “G” – Is there senior management
support for privacy and security efforts?
Does the organization respond to regulatory
concerns? The response effectiveness can
often be shown by looking at what assessments
have previously been done, which
deficiencies were reported, and which were
acted on over time (see figure 1). If many of
the reported deficiencies have not been acted
on, then the governance of the institution’s
privacy and security efforts may not be as
effective as it could be.
Risk “R” – What are the operational risks to
privacy and security? Where is PHI processed
and stored, and how is it transmitted electronically?
How is this information secured?
Oftentimes, vulnerabilities associated with
the use of PHI are assessed and compared to
threats that exist – both internal and external.
The summary of PHI information assets,
vulnerabilities, and threats (see figure 2) will
provide a depiction of operational risk.
RISK
V U LN E R A B ILIT IE S
D
ESTRUCTION
S T O R A G E
INFO
ASSET
(PHI)
R E T E N T IO N
T R A N S M IS S IO N
T H R E A T S
Figure 2
Compliance “C” – What are the federal
and state regulatory concerns for privacy and
security? HIPAA is the most obvious, but
other regulations must be considered. The
compliance assessment determines what your
organization has actually done to comply
with requirements and where it may have
fallen short (see figure 3).
U SE
July 2010
36
Figure 1
Gap
Assessment
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

Privacy
Regulation
Requirements
Security
Regulation
Requirements
Figure 3
Planning
X
X
XXXX
Implementation
XXXX
Implementation
Planning for a GRC-focused risk assessment
is not much different from more traditional
assessment methods. A scope, project plan,
schedule, resource assignments, and budget
need to exist. The number and type of
resources assigned obviously influences the
schedule and time line for completing the
project and often determines how best to
gather and assess information. If resources
are limited, then you must be innovative in
how information is gathered and in what
tools are used. Automated survey tools help
immensely in gathering information from a
wide array of individuals in a short amount
of time. A multi-phased approach should be
used to manage the assessment in distinct but
interlocking phases (see figure 4):
o Developing the assessment model and
approach
o Preparing the project plan
o Developing the deliverable model
o Determining guiding principles
n Phase II – Assessment Kick-off: The
kick-off brings together the resources
to be used and sees the formation the
project team. Presentations are made to
key project stakeholders (e.g., Compliance
Committee) about the project during the
kick-off.
n Phase III – Information Gathering:
Information about the institution’s current
state is collected from various sources:
o Past assessments/audits
o Interviews with management and staff
o Document review
o Best practice collections
o Consultation with subject matter experts
o Observations
o Systems audits
n Phase IV – Risk Analysis: The aggregate
privacy and security data that was collected
about the current state is analyzed.
From this, a consideration of risk is made
to determine and prioritize risks as high,
medium, or low.
n Phase V – Roadmap/Budgeting: After
the risk analysis, mitigation steps are
n Phase VI – Reporting: A final report of
the risk assessment results must be produced
and presented to stakeholders.
Analysis
The GRC assessment approach is different
from other, more traditional methods of
assessing privacy and security, in that it
achieves a more integrated view of risk—one
that considers privacy and security from
several functional viewpoints rather than
being more technically focused. The GRC
approach goes beyond just performing a
technical gap analysis against best practices.
It also considers what may cause the gaps:
What is management’s view of operations? Is
there something missing from the regulatory
compliance program?
A risk assessment has many benefits but, of
course, none of these will be realized without
finishing the effort with a complete risk
analysis and mitigation plan. The data gathered
must be critically evaluated to identify
prioritized organizational risks. Given limited
resources, your institution will want to
concentrate on those considered most critical.
The risk mitigation plan must consider what
steps need to be taken that make sense from a
cost-benefit perspective.
Planning
Figure 4
Assessment
Kick-Off
Information
Gathering
n Phase I - Planning: The steps needed
to lay out the schedule and to identify
objectives and tasks for the risk assessment
include:
o Determining scope/objectives
o Identifying the sponsor and resources
to be used
Risk
Analysis
Roadmap
Budgeting
Reporting
determined that will lower risk. There
will likely be a number of recommendations,
so, these will be brought together
into a roadmap of future efforts. These
efforts need to be reflected in the annual
Compliance Plan for Privacy and Security
and, at an appropriate time, the projects
recommended for implementation need to
be considered for budgeting.
In the end, the privacy and security risk
mitigation plan should be blended into the
overall multi-year compliance plan to achieve
continuous improvement in privacy and
security efforts. This shows any outside auditor
that the institution has taken the proactive
steps toward achieving regulatory compliance.
The GRC approach to the privacy and
security risk assessment contributes toward
the overall compliance program goals of not
only identifying and responding to risk issues,
but also of preventing them as well.n
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
37
July 2010

July 2010
38
Managing employee
turnover in a
shrinking workforce
Editor’s Note: Joyce Freville is the Vice President
and Chief Compliance Officer for Trilogy Health
Services, LLC in Louisville, Kentucky. Joyce may
be contacted by telephone at (502) 213-1725 or
by e-email at jfreville@trilogyhs.com.
The present long-term care landscape is
full of opportunities to both succeed
and to fail. One of the best methods
to increase the chances of success, both in
quality and financial terms, is to monitor and
manage employee retention. Over the next
half century, the number of individuals who
use long-term care facilities (e.g., nursing
facilities, alternative residential care, or home
care services) will increase, while the number
of qualified staff will decrease.
Let’s look at the landscape we presently face.
Although the future demand for long-term
care (LTC) cannot be precisely predicted, in
2002, the U.S. Government Accountability
Office estimated that spending on LTC will
increase two-and-a-half to four times over the
next 40 to 50 years, reaching $379 million
per year. Furthermore, according to the US
Bureau of Census, the number of Americans
over age 65 will increase by approximately
36.4 million by the year 2030. That equates to
approximately 71.4 million people age 65 and
older, an increase of 104.2%, and they will be
approximately 20% of the US population. 1
The Baby Boomer generation is the fastest
growing segment of the population in the
United States, and encompasses individuals
born between 1946 and 1964. During
this period, the U.S. saw an explosion in
By Joyce Freville, PhD, CHC
birthrates never seen before and not seen
since. The increased longevity of the Baby
Boomer generation will cause a substantial
increase in the size of the elderly population
in the coming decades, and will increase the
demand for long-term care services.
In fact, about 44% of the current population
over 65 will use a nursing home at some
point. By 2050, the nursing home population
is expected to increase to 5.4 million, about
260% greater than in 2000, and the number
of those using home health care to 2.3 million,
about 156% greater than in 2000. 2 Furthermore,
with the increase in Americans over
age 65, there will be a greater need for clinical
workers; however, a nation-wide shortage of
nurses is predicted. The combination of the
personnel shortage, increase in senior citizens,
and the current turnover trend poses a significant
problem to the US health care system.
As Baby Boomers retire, more health care
workers will leave the workforce. Because
Baby Boomers make up such a large part
of the current nursing workforce, this will
create a severe shortage. Furthermore, because
Baby Boomers will make up 20% of the US
population, they will require more health care
as a part of the aging process. 1 Essentially,
the providers will become the recipients of
health care services. With advancement in
medical technology, people are living longer.
With seniors occupying such a large segment
of the population, it is predicted that there
will be a major financial strain on the health
care industry as a whole when they retire; not
only because they will require health care, but
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
also because they will no longer contribute as
much to the tax base that funds the Medicare
and Medicaid Programs.
Health care cost
The U.S. spent $2.3 trillion on health care in
2008, or $7,681 per person. This amounted
to 16.2% of the nation’s gross domestic product
(GDP). Health care is predicted to rise
to 25% of GDP in 2025 and 49% in 2082. 3
More than a fifth of health care spending
is on Medicare. Moreover, this represents
about 16.2% of the federal budget and 3.5%
of the GDP. Medicare is funded through a
combination of payroll taxes (41%), general
tax revenues (39%), premiums paid by the
elderly (12%), and other sources, such as
interest earned on a trust fund established for
the program. 4 Conversely, Medicaid makes
up approximately 2.6% of the GDP and
represents about one fourth of state expenditures
and approximately 50% of incremental
spending. Over the past five years, Medicaid
enrollment has increased by 40% and will
continue to grow as Baby Boomers age. 4
Long-term care
Based on a study by the Department of Health
and Human Services in 2005, it is estimated
that by 2050, the total number of individuals
who will need LTC services will increase to
approximately 27 million. The aging of the
Baby Boomer generation is the most significant
factor contributing to the demand. The number
of elderly people is expected to more than
double over the next 50 years, increasing from
approximately 8 million to 19 million. The
trends in the size of demand for LTC will follow
trends of the aging Baby Boomer generation.
When Baby Boomers start to reach age 75 in
2021, the use of institutional and home care will
increase significantly. The demand will increase
even more sharply around 2040, when the
majority of Baby Boomers are in their eighties.

Although the demand for skilled nursing facilities
will increase, based on the estimated size of
the US population over age 65, trends suggest
that the majority of the increased growth in
LTC will be in assisted living/residential care
and in-home and community-based services. 5
Shortage of health care workers
Because of the increased demand for health
care services, coupled with the on-going
nursing shortage, the supply of registered
nurses (RN), licensed practical nurses (LPN)
and certified nurse aides (CNA) needs to be
increased. Earlier studies show a slow but
steady decrease in the total number of skilled
beds, but it is predicted that there will still be
a significant gap in the supply and demand for
health care workers. 6,7 This prediction is based
on the influx of the aging population and
their increased life expectancy after retirement.
Currently, qualified health care workers are
in short supply. A study by the American
Healthcare Association in 2008 shows a gap
of approximately 109,000 workers. This gap is
likely to increase, partly because of the need to
replace the retiring Baby Boomers. 7
In the 2007 study conducted by the
American Health Care Association (AHCA),
nursing vacancy and employee turnover rates
at nursing homes were examined to assess
their ability to recruit new staff. AHCA sent
the survey to 15,558 eligible nursing facilities
in the U.S., and management from 25%
of the facilities completed and returned the
survey questionnaire. The survey instrument
collected information about six nursing staff
positions, specifically the:
n number of established and vacant positions
as of June 30, 2007,
n number of employees who left the facility
during the six-month period from January 1
through June 30, 2007, and
n relative difficulty the nursing home experienced
in recruiting key nursing staff.
Data were collected in the following six
nursing staff categories: Director of Nurses
(DON), RNs with administrative responsibilities
(Administrative RNs), staff RNs, LPNs,
CNAs, and non-certified nursing aides. Data
for the five main nursing staff categories were
reported, but data on non-certified aides were
insufficient for meaningful analysis and were,
therefore, not included in this report.
The study found that in 2007, nearly 109,900
full-time equivalent health care professionals
were needed to fill vacant nursing positions at
nursing homes across the United States. It was
estimated that close to 60,300 vacancies were
for CNA positions, 19,400 were for staff RN
positions, and 24,200 were for LPN positions.
Overall, nursing position vacancies increased
14.7% from 2002 to 2007, from about 95,800
vacancies in 2002 to about 109,900 in 2007. 6, 7
This gap will widen as more Baby Boomers
leave the workforce. Not only is the shortage
of workers a challenge, employee retention
in LTC is a major issue, especially in the days
ahead, due to Baby Boomers retiring and the
current economic recession.
Staffing and turnover
Given the preceding evidence indicating a
drastic shift in LTC market demographics
and staffing requirements, maintaining low
employee turnover rates appears essential to
meeting future demand for quality nursing
home care. High employee turnover rates effect
quality of care and have financial consequences
for the federal and state governments that
collectively pay for most of the care provided
in nursing homes. When employee turnover
increases, the workload for the staff that remains
in place also increases. This in turn causes stress
levels to climb, overtime pay becomes routine,
and consequently, more nurses and nurse aides
leave because they are over-burdened and may
not be able to meet the needs of their residents.
Continued on page 40
Author Debbie
Troklus has revised
and updated
Compliance 101
to reflect recent
developments in
compliance.
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
Compliance
101
Second Edition
This essential guide to
health care compliance
will help you build a
compliance program
The second edition includes:
• Up-to-date compliance
information
• A brand-new chapter dedicated
to HIPAA regulations
• An expanded glossary with
additional new terms and
definitions
• Expanded appendixes,
including a selection of
additional new and userfriendly
sample documents
If you’re planning to
become Certified in
Healthcare Compliance,
Compliance 101 is an
invaluable study aid for the
CHC examination.
To order, visit the
HCCA Web site
at www.hcca-info.org.
39
July 2010

HCCA’s 2010
RegionAl
ConfeRenCes
HCCA’s regional one‐day conferences
provide high‐quality, convenient,
inexpensive education and networking
opportunities. don’t miss the
opportunity to attend one in 2010!
new englAnd
September 13, 2010 | Boston, MA
UppeR Midwest
September 16, 2010 | Minneapolis, MN
Managing employee turnover in a shrinking workforce
...continued from page 39
Furthermore, high rates of employee turnover can lead to chronic low
staffing levels that can result in declines in the quality and continuity of
care for residents, more adverse events for patients (e.g., medical errors),
higher patient mortality rates, and the need to close beds or defer
patients to other facilities. 8 Moreover, the cost related to high turnover
can affect the financial performance of organizations.
Cost of turnover
Staff turnover within the LTC industry continues to increase at a significant
rate. 6,7 National averages show the overall turnover rate ranges from
38% to 50% for LPNs, RNs, and administrators, and 66% for CNAs. 7
Turnover increases costs associated with recruitment and training as well
as affecting quality of care and customer satisfaction. For example, a
turnover rate of 45% among 2.6 million LTC workers costs about $4.1
billion per year. Furthermore, it can lead to inadequate staffing levels
which results in decreased continuity of care. 9,10,11
July 2010
40
Midwest
September 24, 2010 | Overland Park, KS
noRtH CentRAl
October 1, 2010 | Indianapolis, IN
eAst CentRAl
October 8, 2010 | Pittsburgh, PA
HAwAii
October 15, 2010 | Honolulu, HI
MoUntAin
October 22, 2010 | Denver, CO
Mid CentRAl
November 5, 2010 | Louisville, KY
soUtH CentRAl
November 12, 2010 | Nashville, TN
deseRt soUtHwest
November 19, 2010 | Scottsdale, AZ
leARn MoRe
And RegisteR
www.HCCA‐info.oRg
In addition to influencing the financial health of providers and quality
of care that LTC residents receive, turnover affects the efficiency of
resource allocation within the Medicare and Medicaid programs.
Inadequate staffing levels are the primary reason for poor quality of care
in nursing homes. 9
Although many turnover costs are borne by providers, others are borne
directly or indirectly by direct care workers themselves, by consumers
and their families, and by the public sector. The exact costs are difficult
to measure, but the evidence suggests that the price paid by government
payers for turnover in LTC is approximately $2.5 billion. 10
How employee turnover impacts quality
In a qualitative study conducted by Mascio, 12 data from 251 caregivers
(i.e., RN, LPN, and nurse aides) were used to examine job satisfaction
scores of these caregivers and what characteristics of these caregivers are
associated with job satisfaction. The data were collected from two nursing
homes over a two-and-a-half year period with five periods of data
collection at six-month intervals. The Job Description Index was used to
collect job satisfaction data. Mascio concluded that there is a consistent
association between job satisfaction and the quality of resident care, even
affecting the mortality rate of the elder person. Furthermore, employees
who experience a higher job satisfaction proved to be better caregivers.
In this study, the residents felt well-cared for when employees had higher
job satisfaction. Based on these results, nursing home management
should take measures to improve employee satisfaction that will improve
the quality of care and help create a warm and loving environment for
residents. 12
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

A subsequent study by Kash and Naufal 13
linked the level of quality provided by skilled
nursing facilities to employee turnover. Findings
by Kash and Naufal suggest that high
quality nursing homes have higher employee
satisfaction, and have a better chance or
retaining RNs. Therefore, they have lower
turnover than facilities that have lower
standards of care. The reason for the study
was to test the association between RN job
satisfaction, intent to leave, level of quality
of care at the facility, and RN turnover rates.
A sample of 626 observations was selected
from 1,017 facilities after incorporating
data from a 2003 survey of registered nurses
in Texas nursing homes, Medicaid Cost
Reports, the Texas Quality Reporting System
(QRS), and the Area Resource File (ARF).
Results showed that quality of care was a
useful and significant predictor of an RN’s
intention to leave; it also affects actual RN
turnover rates. There was a negative relationship
between the level of job satisfaction and
empowerment, and the RN’s intent to leave
the workplace in the next 9 to 12 months.
Nonetheless, job satisfaction and empowerment
were not significant predictors of
intent to leave in the models that included
three alternative measures of quality of care
provided at the facility. Hence, facilities
providing higher quality of care have lower
recruitment and staffing costs that are related
to RN turnover. 14
Nursing home value-based purchasing
demonstration
Evidence shows that low staffing levels and
high staff turnover compromise the quality
of care of nursing home residents. Consequently,
staffing and turnover are coming
under scrutiny. In the summer of 2009,
Centers for Medicare and Medicaid Services
(CMS) began a three-year demonstration
known as the Nursing Home Value-Based
Purchasing (NHVBP) Demonstration.
The NHVBP Demonstration is part of a
CMS initiative to improve the quality and
efficiency of care furnished to Medicare
beneficiaries. Under NHVBP, CMS will
offer financial incentives to nursing homes
that meet certain conditions for providing
high quality care. The demonstration
includes freestanding and hospital-based
facilities and beneficiaries who are on a Part
A stay as well as those with Part B coverage
only. The demonstration is budget neutral
to Medicare because it is assumed that
quality of care will improve, thus reducing
potentially avoidable hospitalizations. 15
The demonstration measures performance
using nurse staffing, rates of potential avoidable
hospitalizations, outcome on selected
Minimum Data Set-based quality measures,
and results from state surveys. The staffing
measures comprise RN/DON hours per resident
day; total LPN/RN/DON nursing hours
per resident day; CNA hours per resident,
and nursing staff (RN/LPN/CNA) turnover
rate. Staffing measures will be adjusted for
case mix differences. In addition, staffing
measures will be calculated from payroll data
submitted by nursing homes.
Steps to control turnover
Understanding the cost and issues surrounding
employee turnover is the first
step to developing a comprehensive retention
plan. The Society of Human Resource
Management 16 suggests the following steps to
help control turnover:
1. Set up a retention committee that
includes members from all levels of the
organization;
2. Establish measurements and incentive
programs to ensure focus on the issue;
3. Redesign ineffective applicant testing,
interviewing, and selection processes to
prevent hiring people who are higher
turnover risks;
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
4. Look carefully at the way employees are
treated (e.g., respect, communication,
work/life balance); and
5. Evaluate opportunities for learning
and growth (e.g., training, position,
pay, benefits).
Conclusion
To meet the increased demand for skilled
nursing care, more qualified skilled nursing
facilities with lower employee turnover
are needed. In this respect, high employee
turnover rates in skilled nursing facilities have
financial consequences for federal and state
governments as well as health care providers.
Turnover increases costs associated with
recruitment and training as well as affecting
quality of care and customer satisfaction.
Furthermore, it can lead to inadequate staffing
levels which results in decreased continuity
of care. n
1. U.S. Census Bureau Population Division: Interim State Population
Projections. April 21, 2005. Available at http://www.census.gov/population/projections
/PressTab4.xls
2. Melnyk, A: Long-Term Care Insurance or Medicaid: Who Will Pay for
Baby Boomers’ Long-Term Care? American Council of Life Insurers Research
Findings 2005. Available at http://www.acli.com/NR/rdonlyres/
FEB87D8A-9E2F-45B6-B08A-CBED882A66C6/0/LTCBabyBoomers05.pdf
3. Centers for Medicare and Medicaid Services: Medicare: National
Health Expenditure Data, 2008. Available at http://www.cms.hhs.gov/
NationalHealth ExpendData/25_NHE_Fact_Sheet.asp
4. Center for Health Transformation: Making Medicaid work: A practical
guide for transforming Medicaid. 2007. Available at http://www.shps.
com /medicaid/book/SHPS_Making_Medicaid_Work.pdf
5. University of California: An aging US population and the workforce:
Factors affecting the need for geriatric care workers. 2006. Available at
http://futurehealth.ucsf.edu/geria/062404-Geria%20Final.pdf
6. American Health Care Association: Results of the 2002 AHCA Survey of
Nursing Staff Vacancy and Turnover in Nursing Homes. February 12, 2003.
7. My Daily Record: Nursing turnover impacts nursing homes.
2005. Available at http://www.dunndailyrecord.com/main.
asp?SectionID=1&SubSectionID =1&ArticleID=70686&TM=32281.77
8. American Health Care Association: Report of Findings 2007 AHCA Survey
Nursing Staff Vacancy and Turnover in Nursing Facilities. July 21, 2008.
9. Castle, NG; Degenholtz, H; and Rosen, J: Determinants of staff job
satisfaction of caregivers in two nursing homes in Pennsylvania. BMC
Health Research, 2006.
11. Seavey, D: The cost of frontline turnover in long-term care: Better jobs
better care. 2004. Available at http://www.bjbc.org/content/docs/TO-
CostReport.pdf
12. Mascio, B: Staffing health and elder care industry, High turnover diminishes
quality of life. 2007. Available at http://www.americanchronicle.
com/articles/viewArticle.asp?articleID=23082
13. Kash, B and Naufal, G: The impact of quality on intent to leave and
actual Registered Nurse turnover in nursing homes. 2008, The Gerontologist,
48, 738 at ProQuest Medical Library database. (Document
ID: 1647961231).
14. Long Term Care Community Coalition (LTCCC): Protecting current
and future nursing home residents: Government action is needed to
mandate minimum safe staffing levels. 2008. Available at http://www.
nursinghome411.org/documents/nhstaffingbrief1.pdf
15. Centers for Medicare and Medicaid Services. Demonstration Projects.
Available at www.nhvbp.com
16. Galbreath, R: Employee turnover hurts small and large company profitability.
SHRM White Paper. 2000.
41
July 2010

July 2010
42
The ten compliance
commandments
for medical device
manufacturers
By Jennifer E. Williams
Editor’s Note: Jennifer E. Williams is an attorney Obama administration has “zero tolerance” for
with the law firm of Mintz, Levin, Cohn, Ferris, health care fraud and stated that fighting and
Glovsky and Popeo, PC in Washington, DC. Ms. preventing fraud “is a personal priority of the
Williams can be contacted by telephone at 202/585- President’s and a personal priority of mine.”
3542 or by e-mail at jewilliams@mintz.com.
In his address, Attorney General Eric Holder
Health care fraud prevention, detection,
and enforcement efforts have accomplishments, which included a record
highlighted the Department of Justice’s 2009
never been stronger. Several recent number of health care fraud defendants
fraud-fighting initiatives—and the increasing charged (more than 800), more than 580
resources dedicated to them—have raised the convictions, and civil health care fraud recoveries
of $2.2 billion under the False Claims
stakes for compliance officers, who are tasked
with establishing and maintaining a culture Act. He then outlined a five-point strategy
that promotes the prevention, detection, for continuing the fight against fraud that
and resolution of unlawful or undesirable included:
conduct. In the first quarter of 2010 alone, n strengthening the Health Care Fraud
the Obama administration held a national Prevention and Enforcement Action Team
summit addressing health care fraud and proposed
that an unprecedented $1.7 billion be n supporting and expanding the Medicare
(HEAT);
allocated to the Department of Health and Fraud Strike Forces;
Human Services (HHS) for fraud-fighting n continuing to push for funding for fraud
activities in the fiscal year 2011 budget. prevention and enforcement efforts;
And, of course, Congress passed comprehensive
health care reform legislation that pursue legislative and regulatory reforms
n working with Congress to identify and
includes new and strengthened mechanisms to prevent, deter, and prosecute fraud; and
for combating fraud, waste, and abuse in the n engaging the private sector in anti-fraud
state and federal health care programs.
efforts.
The National Summit on Health Care Fraud, On February 1, President Obama unveiled
held on January 28, 2010, marked the first the fiscal year 2011 budget. The $3.83 trillion
time the public and private sectors have come budget, which dedicates an unprecedented
together to share ideas on how to eliminate $1.7 billion to HHS for fraud-fighting activities,
includes $561 million in Health Care
fraud and abuse in the nation’s health care
system. In her opening address, HHS Fraud and Abuse Control Program discretionary
funding (an increase of $250 million Secretary Kathleen Sebelius declared that the
over
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
the FY 2010 enacted level) and $52 million
in discretionary funding for the HHS Office
of Inspector General (OIG) (an increase of
$1.5 million over the FY 2010 enacted level).
This $1.7 billion is expected to generate $9.9
billion in savings from increased recoveries
and prevention efforts.
Finally, as most everyone knows by now, President
Obama signed the Patient Protection
and Affordable Care Act 1 (PPACA) on March
23, 2010, and the Health Care and Education
Affordability Reconciliation Act of 2010
(HCEARA) 2 on March 30, 2010. These two
Acts make it easier for enforcement authorities
to prove health care fraud violations by,
among other things, significantly expanding
the reach of the Medicare and Medicaid
Anti-kickback Statute (AKS) 3 and the civil
False Claims Act (FCA). 4 They also advance
the trend toward increased transparency by
imposing various disclosure obligations on
certain manufacturers, including medical
device manufacturers. Importantly, PPACA
also makes the establishment of a compliance
program a condition of enrollment under the
Medicare, Medicaid, and SCHIP programs.
Of course, these new laws and initiatives
supplement the already stepped-up enforcement
efforts seen in 2009, including, among
many others, the provision of an additional
$48 million in funding to the HHS OIG by
the American Recovery and Reinvestment
Act of 2009, and the sweeping changes to the
FCA enacted as part of the Fraud Enforcement
and Recovery Act of 2009 (FERA). FERA significantly
broadened liability under the FCA,
made liability easier to prove, and strengthened
protections for relators (a/k/a whistleblowers),
who are eligible to receive between 15-30% of
the government’s recovery. Many in the health
care industry believe that FERA’s amendments
to the FCA will lead to an increase in
whistleblower suits, known as qui tam actions,

from which the vast majority of health carerelated
FCA recoveries result. PPACA’s changes
to the Anti-kickback Statute and FCA will also
undoubtedly result in more qui tam actions
and government-initiated investigations. The
sanctions for violating the FCA are treble
damages and mandatory penalties of between
$5,500 and $11,000 per false claim filed. In
addition, the HHS Secretary and OIG may
exclude from the federal health care programs
any person or entity who submits a false claim.
Because the sanctions are so severe, many qui
tam cases settle to avoid litigation risk.
Medical device manufacturers have been a
particular focus of fraud and abuse enforcement
efforts and qui tam actions in recent
years. One especially popular whistleblower
strategy (to which medical device manufacturers
have not been immune) has been to
assert that violations of laws that prohibit
inducements and other marketing misconduct,
govern pricing and reimbursement, and
relate to quality and transparency, “caused”
the claims submitted to the government in
connection with such violations to be “false”
under the FCA. Quest Diagnostics Incorporated’s
April 2009 settlement of an FCA case
initiated by a qui tam relator followed this
pattern. The relator and the United States
alleged that Nichols Institute Diagnostics
(NID), a Quest Diagnostics subsidiary,
manufactured and sold in vitro diagnostic kits
for testing parathyroid hormone levels that
produced unreliable test results and that the
unreliable results produced using these kits
“caused” NID’s laboratory customers to file
false claims. 5 Quest Diagnostics and NID
expressly denied FCA liability, but settled the
case to put the matter behind them.
As part of that settlement—one of the largest
ever involving a medical device manufacturer—Quest
Diagnostics agreed to pay $262
million to resolve the FCA allegations and
entered into a Non-Prosecution Agreement
with the United States Attorney’s Office for
the Eastern District of New York. NID, which
Quest Diagnostics voluntarily closed in April
2006, pled guilty to a misbranding violation
arising from certain performance claims about
the kits at issue and paid a fine of $40 million.
Quest Diagnostics also entered into a novel
Corporate Integrity Agreement (CIA) that
focuses on compliance with certain identified
portions of the Food and Drug Administration’s
Quality System Regulations (QSRs).
The relator, who was the founder and owner
of a competing California laboratory, received
approximately $45 million.
The renewed vigor with which both government
agencies and individuals have begun
to prosecute fraud leaves compliance officers
with little room for error. Compliance officers
should ensure not only that their companies
have written policies and procedures
in place, but also that those policies and
procedures are understood by the companies’
employees, reflect the companies’ practices,
and are consistently enforced. Because
several recent CIAs have required the chief
compliance officer to report directly to the
chief executive officer, 6 compliance officers
should also ensure that their companies’
reporting structures are appropriate to the
companies’ size and that the companies’
policies and procedures have been reviewed
and understood by top management and the
board of directors. Finally, compliance officers
should review relevant compliance guidance,
including the OIG Compliance Program
Guidance for the Durable Medical Equipment,
Prosthetics, Orthotics and Supply
Industry, 7 and the AdvaMed Code of Ethics
on Interactions with Health Care Professionals,
and incorporate relevant provisions
from these guidance documents into their
compliance policies.
Continued on page 44
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
False Claims
Act Training
Doesn’t Have
To Be Hard
A Supplement to Your
Deficit Reduction Act
Compliance Training
Program offers a clear,
concise review of the
False Claims Act and
its impact on federal
health care programs.
Bulk pricing available for
HCCA members.
To order, visit
www.hcca-info.org,
or call 888-580-8373.
43
July 2010

The ten compliance commandments for medical device manufacturers
...continued from page 43
The Ten “Compliance Commandments” listed below will assist the compliance
officers of medical device manufacturers in their efforts to maximize
compliance and minimize the likelihood of an FCA suit or government
investigation.
1. Thou shalt incorporate all seven elements identified by the OIG as
“fundamental” into the compliance program.
Every compliance program should be appropriately tailored to the company
it is intended to govern and protect. However, no company is too small or
close-knit to justify the absence of any of the seven elements the OIG has
identified as “fundamental.” Those seven elements, which are based on the
seven steps of the Federal Sentencing Guidelines, are:
1. Developing and distributing written policies, procedures, and standards
of conduct
2. Designating a compliance officer and compliance committee
3. Conducting regular, effective training and education
4. Developing effective lines of communication between the compliance
officer and all employees
5. Enforcing standards through well-publicized disciplinary guidelines
6. Conducting internal monitoring and auditing
7. Responding promptly to detected offenses and developing corrective action
2. Thou shalt not copy the AdvaMed Code of Ethics on Interactions with
Health Care Professionals, paste it into an internal document, and identify
that document as the company’s compliance program.
As noted in Compliance Commandment 1, every compliance program should
be appropriately tailored to reflect the individual needs and circumstances
of the company to which it applies. The AdvaMed Code of Ethics is an
excellent resource and sets forth informative policies and principles, but it
is not intended to take the place of an individualized compliance program.
Compliance officers who simply adopt the AdvaMed Code of Ethics, rather
than developing an individualized compliance program, not only do their
company a disservice by failing to consider their company’s individual compliance
needs, but they also increase the risk that the compliance program will
not reflect their company’s actual practices. This risk is particularly troubling
because having a written compliance program that is not followed is viewed by
many as worse than not having a written compliance program at all.
July 2010
44
3. Thou shalt review the compliance program frequently and update it
as necessary to reflect current practices and industry developments.
Even the best, most appropriately tailored, compliance programs can become stale
in a rapidly changing industry. An acquisition or merger, a new product line or
other type of expansion, and new industry-specific laws or guidance all merit a
fresh look at the compliance program. Compliance officers should also monitor
and review OIG pronouncements, especially fraud alerts and other relevant
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

developments, such as medical device settlement
agreements and CIAs, and update policies and
procedures accordingly.
the company’s devices is accurate and
objective.
As medical technologies become increasingly
complex, physicians and other providers and
The allegedly improper payments included free
boxes of disposable biosensors used with the
device. NeuroMetrix agreed to pay a criminal
fine of $1.2 million and civil damages and
4. Thou shalt monitor thy company’s sales
representatives and ensure that they are
appropriately trained.
Sales representatives, particularly those who
work on commission, have one primary goal:
to close the sale. Most sales representatives
try to do so lawfully and honorably; however,
financial pressures or greed may cloud the
judgment of some. Others may not understand
the prohibitions established by law,
causing them to offer unlawful inducements
or to market their products for uses beyond
those approved or cleared by the FDA. To
minimize these risks, compliance programs
should ensure that sales representatives receive
frequent training. Attendance at training sessions
should be mandatory and documented
in the company’s files. Many compliance
officers find that including “quizzes” in the
training sessions results in a higher level of
trainee involvement and retention.
suppliers look to medical device manufacturers
for guidance on reimbursement. Providers
and suppliers seeking reimbursement
from the federal health care programs for a
medical device must ensure that the device
is both reasonable and necessary and billed
using the correct code. Violations of the
federal health care programs’ reasonable and
necessary requirement and the prohibition on
upcoding (i.e., using a code that one knows
or should know will result in a payment that
is greater than the payment associated with
the appropriate code applicable to the item or
service provided) are often alleged together in
FCA suits. 8 Thus, the compliance program
for any medical device manufacturer that
provides guidance with respect to coding
and reimbursement should include policies
and procedures that ensure the accuracy and
objectivity of such advice.
6. Thou shalt proceed with caution when
penalties of $2.5 million, change its business
practices to prevent future kickbacks through
marketing programs, and sign a CIA with the
OIG to settle the allegations.
To minimize the risk of claims such as those
brought against NeuroMetrix, medical device
manufacturers’ compliance programs should
include policies addressing the provision of
items of value to referral sources. Generally,
the provision of items of value should be
prohibited, with certain de minimis exceptions
such as certain educational items and
occasional, modest meals offered in conjunction
with business presentations. When
evaluating whether the provision of an item
of value to a physician or other health care
professional is appropriate, the manufacturer
should examine whether it is providing the
benefit with the intent to induce or reward
referrals. If so, the item of value should not
be provided, because it has the potential to
Allegations of off-label marketing have resulted
in some of the health care industry’s biggest
fraud settlements, including the September
2009 settlement in which Pfizer, Inc. agreed
to pay $2.3 billion to settle allegations that
it fraudulently marketed certain drugs. Sales
representatives should, therefore, be fully
informed of the uses for which the company’s
products have been approved or cleared so
that they may avoid promoting the products
for unapproved or “off-label” uses. Finally,
“red flags” such as a dramatic increase in the
number or dollar amount of sales by a particular
sales representative should be reviewed and,
if necessary, addressed in accordance with the
compliance plan’s disciplinary guidelines.
offering anything for free or providing
something of value to referrers, recommenders,
arrangers, or purchasers.
Medical device manufacturers can run afoul
of the Anti-kickback Statute and other laws
prohibiting inducements by giving something of
value to physicians or other referral sources. The
Anti-kickback Statute’s prohibitions apply to
both the person offering or paying for the item
of value and the person soliciting or receiving
it, and potentially subject them to criminal
penalties, civil monetary penalties, and exclusion
from the Medicare and Medicaid programs. For
example, in one recent case, the government
alleged that device manufacturer NeuroMetrix,
Inc. marketed its medical device through illegal
referral programs pursuant to which it paid
implicate the Anti-kickback Statute, unless
it meets the terms of an applicable safe
harbor. 9 Whenever possible, arrangements
with referrers, recommenders, arrangers, and
purchasers should be structured to fit within
a safe harbor, because safe-harbored transactions
and arrangements are not subject to
prosecution under the Anti-kickback Statute
and are unlikely to successfully be asserted as
a predicate to an FCA action. A transaction
or arrangement must satisfy each and every
element of a safe harbor to be immunized.
7. Thou shalt carefully structure and
review all payments to providers.
Payment arrangements with providers are
sometimes desirable and may even be necessary.
5. Thou shalt ensure that guidance physicians to recommend its device to their col-
This is especially true in the medical
provided on how to code and bill for leagues for use in federally-reimbursable studies.
Continued on page 47
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
45
July 2010

July 2010
46
HCCA would like to thank Our Corporate Members
Baker & Daniels LLP
Bass, Berry & Sims PLC
BlickenWolf, LLC
Broad and Cassel
Compliance 360, Inc
Compliance Concepts, Inc
Epstein Becker & Green PC
Foley & Lardner LLP
Fresenius Medical Care NA
Global Compliance Services
Hayes Management Consulting
HCA, Inc.
Health Care Compliance Strategies (HCCS)
Holland and Hart LLP
Huron Consulting Group
Indiana Health Centers Inc
KPMG LLP
Liberty Medical
Meade & Roach, LLP
MediTract, Inc
Miller, Canfield ,Paddock & Stone PLC
PricewaterhouseCoopers
Reimbursement Management Consultants, Inc
Sidley Austin LLP
Sinaiko Healthcare Consulting, Inc
TMDG LLC
TMF Health Quality Institute
T-System , Inc
VA Premier Health Plan Inc
Wolters Kluwer Law & Business
Zix Corporation
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

The ten compliance commandments for medical device manufacturers ...continued from page 45
device industry, where consulting services and
royalty arrangements play vital roles. However,
such payment arrangements may potentially
implicate the Anti-kickback Statute and other
laws that prohibit inducements. Furthermore,
some states have enacted laws that require
certain manufacturers, including medical
device manufacturers, to disclose payments
to physicians and other providers and are
investigating and prosecuting manufacturers
who fail to disclose such relationships. The
PPACA continues the trend toward increased
transparency by requiring medical device
manufacturers to report annually to the HHS
Secretary, beginning in 2013, certain information
on payments and other transfers of value
to physicians and teaching hospitals.
Given the scrutiny surrounding payment
arrangements with providers, compliance
programs should set forth the parameters for
entering into such arrangements and require
legal review of any such arrangement prior to
execution. Like the arrangements discussed
in Compliance Commandment 6, payment
arrangements with providers should be structured
to fit within a safe harbor whenever
possible. Compliance programs should also
require the periodic review of consulting
and advisory arrangements to ensure that
the company continues to have a need for
the services, the services are being provided,
and compensation for the services is set at
fair market value. Royalty arrangements with
physicians or other health care professionals
in a position to refer or prescribe devices,
while not uncommon in the industry, may be
particularly susceptible to abuse and therefore
should be carefully considered, appropriately
structured, and periodically reviewed.
8. Thou shalt require legal review of all
contracts.
The health care regulatory environment is
complex and constantly evolving. Many
arrangements that are common and even
encouraged in other industries, such as discounting,
present legal and compliance hurdles
to health care companies. Consequently,
compliance programs should require that the
company’s legal counsel review and approve
all contracts that deviate from pre-approved
templates or include pricing or other terms
that depart from the norm. Uncommon or
potentially suspect arrangements, such as consulting
payments, should always be reviewed
by legal counsel prior to execution. If possible,
such agreements should be structured to meet
an applicable safe harbor.
9. Thou shalt ensure that an appropriate
method has been implemented for capturing
and reporting adverse events and noncompliance
with QSR requirements.
The failure to report adverse events can trigger
a U.S. Department of Justice investigation
and can serve as the underlying violation in a
number of civil fraud enforcement actions. 10
Serious violations can also lead to criminal
prosecutions. Similarly, a device manufacturer’s
failure to comply with QSR requirements
can cause its products to become adulterated
and subject it to liability. 11 Violations of
these requirements could also potentially
serve as predicate violations for FCA claims.
Compliance programs should therefore
include policies and procedures designed to
capture and report adverse events and noncompliance
with QSR requirements.
10. Thou shalt take the complaints of
employees and competitors seriously.
Whistleblowers are often unhappy competitors
or current or former employees whose
complaints were dismissed or ignored by
management. Most employees want to
comply with the law, want their companies
to comply with the law, and may become
angry or resentful if they feel that their
legitimate complaints have been dismissed
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
by management. Thus, one of the best ways
a company can minimize its exposure to qui
tam suits is to listen to its employees and
address their concerns. Even if a company
believes that an employee’s concerns are
without merit, an explanation as to how the
employee’s concern was handled, and why,
may diffuse what otherwise might become a
volatile situation. Often, such explanations are
best handled verbally. Any written responses
should be reviewed by the company’s legal
counsel before they are sent to the employee.
Complaints brought to the company’s attention
by competitors, including complaints
about allegedly unlawful marketing practices
or inflated or inaccurate performance claims,
should be reviewed and evaluated by the
company’s legal counsel to determine what
response, if any, is appropriate.
Medical device manufacturers are unlikely
to avoid the escalating enforcement of laws
prohibiting fraud and abuse. However, a
strong and functional compliance program
that complies with the Ten Compliance
Commandments will reduce a company’s
potential exposure to FCA suits and government
investigations in this environment of
increased enforcement. n
The author would like to thank Hope Foster, who
is a member of Mintz Levin’s Health Section, for
her valuable contributions to this article.
1 Pub. L. No. 111-148
2 Pub. L. No. 111-152
3 42 U.S.C. § 1320a-7b
4 31 U.S.C. § 3729 et seq.
5 United States ex rel. Cantor v. Quest Diagnostics Incorporated and Nichols
Institute Diagnostics (EDNY). The author’s law firm, with others,
represented Quest Diagnostics and NID in this matter.
6 See, e.g., Pfizer Inc. 8/31/2009 Corporate Integrity Agreement, available
at http://www.oig.hhs.gov/fraud/cia/cia_list.asp#p
7 64 Fed. Reg. 36,368 (July 6, 1999).
8 See, e.g., Complaint, United States ex rel. Bates and Patrick v. Kyphon,
Inc. et al. (W.D.N.Y. 2005) (No. 05-CV-6568) (where two former
employees alleged that Kyphon’s sales campaign to induce hospitals to
admit patients for overnight hospital stays for a procedure involving
Kyphon’s device caused the submission of false claims because the
procedure could have been safely performed on an outpatient basis).
9 The safe harbors can be found at 42 C.F.R. § 1001.952.
10 21 C.F.R. § 803.3 (setting forth the FDA’s requirements for medical device
manufacturers to report adverse events connected to their devices).
11 21 U.S.C. § 360j(f)(1). The Qualty System Regulations requirements
are set forth at 21 C.F.R. Part 820.
47
July 2010

A snapshot of
training at the HCCA
Compliance Academy
By Sheryl Vacca, CCEP, CHC-F, CHRC
July 2010
48
Editor’s note: Sheryl Vacca is Senior Vice President/Chief
Compliance and Audit Officer at the
University of California in Oakland, California,
Past President of HCCA, and current
HCCA Board Member and a member of the
SCCE Advisory Board. She may be contacted
via e-mail at sheryl.vacca@ucop.edu.
HCCA Basic Academies are one of
the best ways for new and experienced
compliance professionals
to come together to network, learn new
knowledge, or reinforce current knowledge
on the elements of effective compliance
programs and related subject matter (e.g.,
HIPAA, investigations, etc.) which we all
generally apply in our compliance programs.
Debbie Troklus, President of the Health Care
Certification Board (the certification arm of
HCCA) and Dean of the HCCA Academies,
feels that one of the most important elements
of an effective compliance program is education
and training, which she also teaches at
the Academies.
In this class, the adult education principles are
discussed as well as curriculum and classroom
design for the adult learner. “The four critical
elements of learning are reinforcement, retention,
transference, and motivation,” according
to Debbie. Real-life examples of each of these
are discussed and brought to practical application
as Debbie teaches this class. Throughout
the lecture, the learner is reminded to also
consider and integrate into their education
and training plan the cultural variables,
desirable teaching characteristics, audiences,
scheduling, and challenges, particularly when
faced with training physicians. Additionally,
general training components, such as content
for a general audience, are also reviewed and
discussed interactively with the class.
Systems around tracking, certifications,
and training approaches are also part of the
education and training content. “Interactive,
face-to-face training is one of the best
approaches for learning,” says Debbie.
Evaluation of the education and training
program should
also be done to help
students identify their
pre/post knowledge,
the instructor´s effectiveness,
and whether
you have “obtained
the desired results.”
During the class, case
examples (one of the
best ways for learners
to retain information)
are used to apply the
content presented in
this class.
One of the teaching elements that Debbie
uses is to break the class into groups and ask
them to develop a poster which markets a
“theme” developed for their group’s compliance
program. Poster materials such as
pens, pencils, letters, numbers, markers, and
poster board are all part of getting the class
to participate in this exercise. It is amazing
to see the energy and fun generated, first
by challenging each other to be creative to
Sheryl Vacca
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
develop the theme, and then by applying that
theme to a colorful, creative rendition on
their 11x18 poster board. Most people believe
they don’t have any creative capabilities, but
it is amazing to watch the transformation of
these themes. Peer pressure really energizes
the group, because they know the class will
vote on the top three themes and everyone
wants to win! You can see from the pictures
below how engaged the participants were in
completing this exercise.
Debbie emphasizes that this activity is a great
way to get your organization involved in the
compliance program and to get them to “own”
the theme that will permeate your branding
and marketing of the compliance program.

Overall, the education and training class at an
HCCA Academy is fun to participate in and
has specific content to “educate” the participants
on this topic. The class also engages in
activities which students can immediately
transfer to their own environments. Themes
were developed that any one of us would bring
back home to try out! It is amazing how our
concrete, black-and-white words turn into
colorful displays of themes and branding for an
organization, and as one participant said, “You
don’t have to be an artist to make it happen!”
Bottom line....an HCCA Academy is filled
with great ideas and FUN! n
Tariq Abdullah
Victoria Abril
Niurka I. Adorno Gonzalez
Darcy L. Alatalo
Laura I. Asbury
Pamela J. Bankowski-Petz
Paula Jene Barton
Nancye Loren Beard
Regina A. Beck
Cathy Blackstone
Susan C. Blair
Stuart R. Bless
Larry L. Boyles
Eileen Kelly Breslin
Sandra C. Brown
Renee Bullard
Michelle Carpenter
Alysha M. Cartman
Sharmini Kandasamy Cassady
Pamela S. Catlett
Felicia Chao
Brian P. Chew
Kim Lynn Christensen
Connie J. Cline
Jo Ann M. Davis
Grace De Vault
Juan Deleon
Lori Dempsey
Nancy J. Digiacomo
Mary Elizabeth Donnelly
James T. Downes
Catherine Dubinsky
Leslie A. Duncan
Don Dunlop
Andrea L. Eklund
Matthew E. Elder
Rebekah Elkins
Chris Finch
Diane Ford
Heathyr A. Ford
Matt Frederiksen
William D. Gallaway
The CCB
Compliance
Professional’s
Certification
The Compliance Certification Board (CCB) compliance
certification examinations are available in all 50 states. Join
your peers and demonstrate your compliance knowledge by
becoming certified today.
Congratulations!! The following individuals have recently successfully completed
the CHC certification exam, earning their certification:
Eileen Mary Gibbons
Angelle Breaux Granier
Janet R. Grant
Faye E. Griffin
William E. Griffin
Laura T. Grover
April S. Haag
Cindy L. Hahn
Marie A. Hall
Kerri L. Hall
Jeffrey A. Hayes
Etta I. Henderson
Kathleen A. Henehan
Catherine L. Hicks
Robyn M. Hoffmann
Rhonda M. Hudson
Angela Jacobs
Aaron C. Jensen
Frank S. Jensen
Joya A. Jett
Jennifer Johnson
Latonya B. Johnson
Tryone P. Johnson
Holly H. Kazan
Paul Keoppel
James R. Kirkland
Hubert L. Koehn
Katy H. Labauve
Susan D. Lansdon
Lisa Carolyn Lauffer
Carolyn A. Launer
Karen M. Lee
Stacy D. Lentz
Dana L. Lesley
Kathleen P. Maine
Vivian Marquez
Marsha A. Martin
Michelle Mayes
Christopher L. Mcadam
Debbie C. Meade
Angela S. Miller
Iris M. Monrouzeau
Marie Moseley
Victoria A. Murray
Bonnie M. Nance
Sarah Anne Neal-Fujimoto
Rick W. Neeck
Jayshree M Negandhi
Mary A. Nester
Cynthia G. Nicholas
Jane A. Obert
Marc O’Gwynn
Charlie Oltman
Ryan James Oster
Laurie J. Pagnac
Karen Lynn Parton
Katherine E. Penchansky
James A. Perkins
Matthew C. Pezzulich
Jonathan S. Quigley
Marilyn Marie Rasmussen
Debra Jo Ronaldo
Mark P. Ruppert
Dorothy A. Sample
Eleace E. Sawyers
Kristin C. Scarcella
Kenneth H. Schell
Donna A. Schneider
Kathleen F. Schofield
Nicholas A. Sciortino
Eileen M. Scott
Claire M. Seguin
Robert D. Sevell
Lauren Shellenberger
Ria K. Story
Timothy D. Sullivan
Jason Tankel
Dawn Trout
Sheila Lyons Wallace
Susan T. Wallis
Alan L. Weldy
Steven D. Westberg
Shannon K. Wilks
Debra L. Woods
Congratulations!! The following individuals have recently successfully completed the
CHRC certification exam, earning their certification:
Pippa J. Amick
Jane K. Bernheim
Judith A. Blacklidge
Margie I. Brackeen
Jodie H. Brokowski
Theresa F. Burke
Kita D. Cathey
Stacy-Ann Nicola Christian
Sherry A. Conner
Rhonda L. Dash
Robert John Divito
Brenda R. Flam
Joanna R. Gerry
Amanda G. Holloway
Leigh O. Lamonica
Angela M. Melillo
Mikki R. O’Neal
Denise A. Quint
Barry Jay Rosen
Michael J. Rugani
Gerald E. Salamone
Cindy K. Shifflett
Sandra J. Stoflet
Ryon C. Terry
Emily Vandermolen
Adele Vogel
Elizabeth R. White
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
49
July 2010

July 2010
50
New HCCA Members
Alabama
Illinois
n Sheila Limmroth, DCH Health System
n Shelly Carling
n Paula Carney, Northwestern University
Arizona
n Amanda Fiedler, Deloitte
n Michael Downs, Little Colorado Behavioral
n Deborah Hoffmann
Health Centers
n Janice Johnson, Rush University
n Bonnie Edelblute, Mohave Mental Health Clinic
n Carmela Manarang, Rush University
n Chris L. Meyers, Cobius Healthcare Solutions
n Jessica I. Morales, Deloitte
Arkansas
n Susan Slimack, Alexian Brothers Health System
n Adam Lentz, Wal-Mart Stores Inc.
n Doug Weinberg, Cobius Healthcare Solutions
n Sandy Priebe, Baxter Regional Medical Center n Amelia Wray, Rush University
California
n Patricia Ashley, Health Information Partners
n Patricia Bilman
n Dorothy E. Blakeman, Salinas Valley Memorial
Hospital
n Melissa Borrelli
n Janice Dreyer, Fresno Heart & Surgical Hospital
n Rebecca L. Elithorp, Kaiser Permanente
n Suzanne M. Forrest, University of CA
n Joanna Gerry, Amgen
n Jan Huckins, VNA & Hospice of Southern CA
n Christiane Leichter, University of CA
n Claudia P. Lewis, University of CA
n Virgie Lluvido-Gowin, Caritas Business
n Jessie Masek
n Cheryl Nikas, UCSD Health Sciences
n Sheryl Pessah, Health Net, Inc.
n Shara Reed, CARES
n Richard Skaff, K & M Consulting Services
n Rosemary Sova
n Mary Stumpf, NuFactor
n Michelle C. Walker, Advanced Bionics
n Gay Ann Williams, Health Net Inc
Colorado
n Georgeanna Bady, VA Health Admin Center
n Kat V. Foo, State of Colorado
n Lori J. Shine, Shine Healthcare Adv Svc
n Kim Woodruff, Pinnacle III
Florida
n Lilli-Ann Cifarelli, Sheridan Healthcorp
n William Dillon, Messer, Caparello & Self, PA
n Bruce Hoffman, Universal Health Care
n Steven King, CCS Medical
n Lilia Santiago, Universal America
n Scott Zinna, Wellcare Health Plans
Georgia
n Yvette Benjamin, Kaiser Permanente
n Daniel Sturtevant, Anesthesia Healthcare
Partners
Idaho
n JoAnn Hayward, Portneuf Medical Center
Indiana
n Tammy Chadd, MDwise, Inc.
Kentucky
n Stacey Moore, Saint Joseph Health System, Inc.
Louisiana
n Keith McRee, Vantage Health Plan, Inc.
n Alisha McVay, Richland Parish Hospital
n Kathy Pratt, Parish Management Consultants
Maine
n Diane Hills, Martin’s Point Health Care
n Bernice A. Mills, University of New England
Massachusetts
n Rosland Fisher McLeod, Biogen
n Robin N. Seidman, Simione Consultants, LLC
n Randi E. Wasik, Univ MA Medical School
n Stephen Wojcik, South Shore Mental Health
Michigan
n Tamie K. Case, Barry CMH
n Pamela Dietz, Alpena Regional Medical Center
n Kathleen P. Maine, MMPC/Spectrun Health
Med Group
n Kelly L. Partin, Botsford Health Care Continuum
n April Streeter, Brian Kaser, PLC
n Fred Taccolini, Pioneer Surgical
Minnesota
n Marta E. Kramer, HealthEast Care System
Mississippi
n Dena Boggan, St Dominic Jackson-Memorial
Hospital
Montana
n Dawn Halver, Billings Area Indian Health Srvs
New Jersey
n Vishal Gandhi, Digital Medical Billing Inc
n George Latyszonek, Johnson & Johnson
n Shawn Reardon, Brajak Consulting, LLC
New York
n Carolyn Angrisani
n Louis DiGiovanni, North Shore LIJ Health System
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
n Paulina Ganem, NYC Dept of Health
n Patricia M. Gonzalez, O’Connor Hospital
n Lisa Heine, NYC Dept of Health
n Luis A Jusino, Jr., Health Quest
n Elisabeth Morgulas, AHRC NYC
n Feisal Nanji, Techumen
n Colette Pean, BMS Family Health Center
n Lauren Pete, St. Joseph’s College
n Leo Priola
n Dmitry Shapsis, NYC Dept of Health
n Daniel Splitgerber, Cornell Medical
n Sharon J. Thompson, The Center for
Developmental Disabilities
n Veronica Volpe, NYC Dept of Health
North Carolina
n Juliana Fisher
n Undi N. Hoffler, North Carolina Central Univ
n Jessica P. Phillips, The Carolina’s Center for
Medical Excellence
n Donna Rooney, Center for Legal Consulting
Ohio
n Aja M. Brooks
n Sally Jones-McNamara, Holzer Consolidated
Health System Inc
n Browne Lewis, Cleveland Marshall College of
Law
n Nike Otuyelu, Universal American
Oklahoma
n Kristie Foster, Surgical Specialists of Oklahoma
n Steve W. Walls, Hire Right
Oregon
n Suzanne Laisner, The Oregon Clinic
n Annmarie P. Rainford, FamilyCare, Inc
n Kimberly Shaw, Acumentra Health
Pennsylvania
n Elizabeth Barnett, BSN, JD, WellPoint
n Marianne Bechtle
n Michael Ginsberg, Korn/Ferry International
n Elaine S. Nace, Esq, National Medical Reviews Inc
n Stacey Smith, Chester County OB/GYN
n Pamela B. Watkins, Pocono Health System
n Cynthia Zaber, Community Care Behavioral
Health
South Carolina
n Patricia McFadyen, Tenet-Conifer
Tennessee
n Kevin Adcock, Cumberland River Hospital
n Yarcheka Burns, St. Thomas Physician Services
n David T. Lewis, Husch Blackwell Sanders
n Stephen Mills, Smith & Nephew

Clientfocused
solutions
• Revenue Recovery
• Denials Management
• Compliance Consulting
• Operations Enhancement
McBee Associates, Inc. has provided financial and operational consulting exclusively to the health care industry for
over 35 years. Our customized solutions and unparalleled reputation for results ensures institutions receives top quality
services with a commitment to compliance. With both contingency and fee-based engagements, McBee Associates’
in-house experts provide proven, technology-driven consulting that will significantly transform your institution’s
performance. That’s why our 3,500 clients choose us repeatedly over other firms. Call us today!
Performance. Profitability. Partnership.
800.767.6203 • McBeeAssociates.com
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
51
July 2010

Compliance in the
Post-Reform World
An HCCA Workshop
Baltimore, MD | November 2010
The Health Care Reform law brought many changes for health care
providers and their compliance professionals. In this intensive two-day
workshop, participants will learn about Health Care Reform from a
compliance perspective. Nationally prominent speakers and high-ranking
government officials have been invited to provide the latest and most
insightful information to attendees. They will cover topics such as:
• The Economics of Health Care Reform
• Dealing with the Future: New Service Lines and Arrangements
• New and Expanded Fraud and Abuse Provisions
• What to Expect from Payers
• The Expanded Implications of Quality
• Transparency and Data Reporting
• Mandatory Compliance Programs
• OIG Enforcement
Partipants will receive tools that they can take back to their senior
leaders and Boards to help communicate the implications of these issues
from a compliance perspective.
Compliance professionals, in-house counsel, senior leaders,
risk managers, financial officers and revenue cycle personnel
should plan to attend.
MORE DETAILS COMING SOON: VISIT
www.healthcarereformcompliance.org
July 2010
52
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org