Improving compliance at the grassroots level - Health Care ...

Volume Thirteen
Number Four
April 2011
Published Monthly
Meet
Tony West, Assistant
Attorney General, Civil
Division, United States
Department of Justice
page 14
Feature Focus:
Compliance mentoring at
its best
page 26
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
Earn CEU Credit
www.hcca-info.org/quiz—see page 54
Unclaimed property
compliance and
health care
page 31
1
April 2011

7 Steps to Investigate
Alleged Employee
Misconduct
– Now including: Writing Comprehensive
Investigative Reports!
2011
Seminar Series
Join us for our highly interactive,
step-by-step seminar to learn practical
skills for how to investigate and document
allegations of compliance violations, fraud,
harassment, discrimination, theft and
other employee misconduct.
For details, visit:
www.globalcompliance.com/seminar
Course Overview
You are assigned to conduct an internal investigation. The facts are
unclear and you are not sure who is telling the truth — yet you must
reach a conclusion. In this hands-on seminar, you will learn practical skills
for investigating alleged misconduct and ways to balance the rights of
the complainant and the accused while protecting the interests of your
organization. Plus, you will learn how to minimize administrative burden
while writing effective investigative reports.
In this two-day workshop, you will learn:
• How to strategically investigate “he said/she said” allegations where
there are no eyewitnesses
• How to interview witnesses using a specific method that enables
you to gather all relevant information
• How the laws have changed regarding investigations
(e.g.— is it lawful to use social media in your investigation?)
• Techniques and questioning strategies you can use to determine
whether a witness is lying
• The rules for searching an employee’s workspace, computer or
personal belongings
• The appropriate standard of proof for imposing discipline
• What to include and not include in the report
• How to properly document credibility determinations and compile exhibits
• Privilege and confidentiality designations and who should see the report
• What documents to retain in the investigative file
Continuing Education Credit
Applications have been filed with the Society of Corporate Compliance
and Ethics (SCCE) for the in-person sessions*, the 7 Steps Webinar has
been approved for 6.9 units and the Report Writing Webinar has been
approved for 3.3 continuing education units toward Certified Compliance
and Ethics Professional (CCEP) credit. Multiple state bar associations
have approved our Investigation and Report Writing Seminar for
Continuing Legal Education (CLE) credit.
2011 Dates and Locations
May 4–5 ............................. New York
May 11–12 .................. Washington, DC
June 1–2 .............................. Chicago
June 9–10 .............................. Atlanta
June 15–16 ...................... Hartford, CT
September 21–22 .................. Houston
October 5–6 ......................... Chicago
October 12–13 ......................... Dallas
October 19–20 ..................... New York
November 2–3 ................. Los Angeles
Webinars
For the webinars, the Investigations and
Reporting Writing classes will be offered
separately.
May 18–19:
May 25:
October 26–27:
November 1:
December 7–8:
December 14:
7 Steps to Investigate
Alleged Employee
Misconduct
Writing Comprehensive
Investigative Reports
7 Steps to Investigate
Alleged Employee
Misconduct
Writing Comprehensive
Investigative Reports
7 Steps to Investigate
Alleged Employee
Misconduct
Writing Comprehensive
Investigative Reports
April 2011
*Our website will be updated when approval is received
View a detailed course outline,
watch a video clip of the seminar, or register at
www.globalcompliance.com/seminar
Phone: 800-443-9037 • E-mail: seminars@globalcompliance.com
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
2

Publisher:
Health Care Compliance Association, 888-580-8373
Executive Editor:
Roy Snell, CEO, roy.snell@hcca-info.org
Contributing Editor:
Gabriel Imperato, Esq., CHC
Editor:
Margaret R. Dragon, 781-593-4924, margaret.dragon@hcca-info.org
Copy Editor:
Patricia Mees, CHC, CCEP, 888-580-8373, patricia.mees@hcca-info.org
Layout and Production Manager:
Gary DeVaan, 888-580-8373, gary.devaan@hcca-info.org
HCCA Officers:
Jennifer O’Brien, JD, CHC
HCCA President
Medicare Compliance Officer
UnitedHealth Group
Frank Sheeder, JD, CCEP
HCCA 1st Vice President
Partner
Jones Day
Shawn Y. DeGroot, CHC-F, CHRC, CCEP
HCCA 2nd Vice President
Vice President Of Corporate Responsibility
Regional Health
John C. Falcetano, CHC-F, CIA, CCEP-F, CHRC
HCCA Treasurer
Chief Audit/Compliance Officer
University Health Systems
of Eastern Carolina
Catherine M. Boerner, JD, CHC
HCCA Secretary
President
Boerner Consulting, LLC
Daniel Roach, Esq.
Non-Officer Board Member
to the Executive Committee
Vice President Compliance and Audit
Catholic Healthcare West
Julene Brown, RN, MSN, BSN, CHC, CPC
HCCA Immediate Past President
Regional Compliance Director
Essentia Health, West Region
CEO/Executive Director:
Roy Snell, CHC, CCEP-F
Health Care Compliance Association
Counsel:
Keith Halleland, Esq.
Halleland Habicht PA
Board of Directors:
Urton Anderson, PhD, CCEP
Chair, Department of Accounting and
Clark W. Thompson Jr. Professor in
Accounting Education
McCombs School of Business
University of Texas
Marti Arvin, JD, CPC, CCEP-F, CHC-F, CHRC
Chief Compliance Officer
UCLA Health Sciences
Angelique P. Dorsey, JD, CHRC
Research Compliance Director
MedStar Health
Brian Flood, JD, CHC, CIG, AHFI, CFS
National Managing Director
KPMG LLP
Margaret Hambleton, MBA, CPHRM, CHC
Senior Vice President
Ministry Integrity, Chief Compliance Officer
St. Joseph Health System
Dave Heller
VP and Chief Ethics and Compliance Officer
Edison International
Rory Jaffe, MD, MBA
Executive Director, California Hospital Patient
Safety Organization (CHPSO)
Matthew F. Tormey, JD, CHC
Vice President
Compliance, Internal Audit, and Security
Health Management Associates
Debbie Troklus, CHC-F, CCEP-F, CHRC
Assistant Vice President
for Health Affairs/Compliance
University of Louisville
Sheryl Vacca, CHC-F, CCEP, CHRC
Senior Vice President/Chief Compliance
and Audit Officer
University of California
Sara Kay Wheeler, JD
Partner–Attorney
King & Spalding
Compliance Today (CT) (ISSN 1523-8466) is published by the Health Care
Compliance Association (HCCA), 6500 Barrie Road, Suite 250, Minneapolis, MN
55435. Periodicals postage-paid at Minneapolis, MN 55435. Postmaster: Send
address changes to Compliance Today, 6500 Barrie Road, Suite 250, Minneapolis,
MN 55435. Copyright 2011 Health Care Compliance Association. All rights
reserved. Printed in the USA. Except where specifically encouraged, no part of this
publication may be reproduced, in any form or by any means without prior written
consent of the HCCA. For Advertising rates, call Margaret Dragon at 781-593-
4924. Send press releases to M. Dragon, 41 Valley Road, Nahant, MA 01908.
Opinions expressed are not those of this publication or the HCCA. Mention of
products and services does not constitute endorsement. Neither the HCCA nor
CT is engaged in rendering legal or other professional services. If such assistance is
needed, readers should consult professional counsel or other professional advisors for
specific legal or ethical questions.
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
INSIDE
4 Managing hospital-acquired conditions at a pediatric
hospital By Catharine Fischer
Even if you are not yet required to flag certain conditions, having
a system to deal with billing them is a good idea.
9 Exhale By Shawn DeGroot
Tips for self-preservation and well-being in stressful times.
10 Health IT law increases enforcement mechanisms under
HIPAA By Maria D. Buckley and Maya L. Sethi
Case law shows that fines and penalties are increasing for health
care providers, business associates, and individuals.
13 Newly Certified CHCs, CHRCs and CHPCs
14 Meet Tony West, Assistant Attorney General, Civil
Division, US Department of Justice
An interview by Frank Sheeder
18 Letter from the CEO By Roy Snell
Speed Networking
19 Social Networking By John Falcetano
Networking with peers
21 Hospital anesthesia stipends and compliance: Can due
diligence be supported?
By Devona Slater and Lynette Peterson
Operational efficiencies and accurate documentation of time and
services are key to negotiating fair stipends.
26 Feature Focus: Mary, Al, and me: Compliance mentoring
at its best By Frank Sheeder
Being mentored and being a mentor are rewarding experiences.
29 CEU: Equal visitation rights for all hospital patients: CMS
finalizes rules By Janice A. Anderson and Kimela R. West
Patients must be informed of their right to choose who can and
cannot visit, even if they are not traditional “family” members.
31 CEU: Unclaimed property compliance and health care
By Diann L. Smith, Marlys A. Bergstrom, and Jessica Kerner
Health care accounts are an easy target for unclaimed property
auditors who are looking for ways to meet budget shortfalls.
35 The discharge planning process and patient choice:
Educating staff By Frank Riccardi, Nicole Rene, and Cathy Niland
Giving patients unbiased information will help them make
informed choices about their post-acute care.
42 CEU: Protecting health information during a remote
review by a business entity By Cora M. Butler
Training, organizational policies, and electronic security are
essential tools for maintaining the confidentiality of patient records.
46 Improving compliance at the grassroots level: Strategies
for auditing By Cheryl Bowling
Seven suggestions for using auditing and monitoring to improve
coding accuracy.
51 Compliance 101: Starting out as a compliance officer
By Nicola Heslip
A look at the definitions of compliance may help you define your
role as a compliance professional.
52 People on the move
53 New HCCA Members
3
April 2011

Managing hospital-
acquired conditions
at a pediatric hospital
Editor’s note: Catharine Fischer is the Compliance
Manager with The Children’s Hospital
in Aurora, Colorado. She may be contacted by
e-mail at fischer.catharine@tchden.org.
Imagine you take your car to a mechanic
to have the battery replaced. You leave
the car overnight at the repair shop, after
being provided assurances that it would be
fixed shortly. The following day, you return
to pick up your vehicle and the mechanic
tells you that while replacing the battery, he
accidentally snipped some wires. As a result,
he had to replace all the damaged wiring. You
review your bill and are surprised to find that
the mechanic charged you for the supplies
and labor required to replace the wires that
had been accidentally cut. You challenge the
quality of the services provided and being
charged for the mistake, and after discussion,
the superfluous charges are removed.
By Catharine Fischer, MSHA, CHC
Although this is a crude comparison to health
care, it depicts the logic behind the federal
government’s creation and enforcement of the
hospital-acquired conditions (HAC) regulations.
The government does not believe that
it should be paying for treatment associated
with what is defined as avoidable errors or
subpar care. The intention of the regulations
is to try to set a higher bar for quality care
and provide monetary consequences for not
meeting the defined standard. To facilitate the
enforcement of this regulation, the government
related the HACs to Medicare Severity
Diagnosis Related Group (MS-DRG) payments.
HACs are specifically identified by the
International Classification of Diseases, Ninth
Revision, Clinical Modification (ICD-9-CM)
corresponding complication or comorbidity
(CC) or major complication or comorbidity
(MCC) codes with assigned indicators that
communicate that the condition was not
present when the patient was admitted to the
hospital. The coding Present on Admission
(POA) indicator requirement allows government
payers to easily mine the HAC data and
adjust reimbursement or MS-DRG payments
accordingly. This regulatory change influences
not only the way hospitals code, but the
impact can be seen in the private payer sector
as well as in national hospital operations.
The HAC regulations originate in the
Deficit Reduction Act (DRA) of 2005 1
which initiated the reduction of reimbursement
or “quality adjustments” for certain
conditions determined to be acquired during
the inpatient hospital stay for discharges
occurring on or after October 1, 2008. The
scope of the federal regulations broadened in
August 2008 when The Centers for Medicare
and Medicaid Services (CMS) published
the Inpatient Prospective Payment System
(IPPS) Fiscal Year (FY) 2009 Final Rule. 2
CMS named the program “Hospital-Acquired
Conditions and Present on Admission
Indicator Reporting.” Creation of the HAC
regulation is one of the first steps CMS has
taken in an attempt to regulate the quality
of care provided by hospitals. Prior to these
Figure 1: Chart for HAC process
Hospital Acquired Conditions (HAC) Process
HAC
identified by
coding.
What is the
POA Indicator?
POA=
Y or W
HIM verifies that the
documentation/coding
(with POA) is correct.
Is it correct?
Yes
POA =
N or U
Goes to Do Not
Bill (DNB) billing
queue
No
Corrected to
POA= N or U
Risk Management
reviews the chart,
summarizes the
case and sends it
on to HIM.
Is the coding
correct? (HIM
verification)
Yes
n Patient
summary e-
mailed to HAC
Committee.
n Internal Audit
pulls the patient
bill.
HAC Committee:
n Reviews the
patient bill.
n Identifies which
charges are
related to the
HAC.
Is it clear that
length of stay was
not increased due
to the HAC?
Yes
Does the payer
require the HAC
charges to be
removed?
Yes
Contact PFS
to remove
HAC charges
from bill.
The
account is
released
from the
billing
queue.
Bill Payor
Key:
POA = Present on Admission Indicator
n Y Indicates that the condition was present on
admission.
n W Affirms that the provider has determined
based on data and clinical judgment that it is not
possible to document when the onset of the
condition occurred.
n N Indicates that the condition was not present
on admission.
n U Indicates that the documentation is insufficient
to determine if the condition was present at the
time of admission.
No
HIM corrects the coding
Yes
Is it still a
HAC?
No
The attending
physician is
consulted to
determine what
room and board
charges are
associated with
the HAC.
No
n The review of
the account is
tracked.
n No adjustment to
charges is
made.
No
April 2011
4
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

egulations, a formal process in reducing the Determining appropriate HACs for pediatric So why are we doing this? The private payers
payment for conditions determined to be patients warrants further research before have now jumped on board with this regulatory
hospital acquired simply did not exist. regulations are enforced in this setting.
change. Some private payers are including
language with more stringent expectations
To proactively determine the possible impact Further, the State of Colorado has provided than the state or the federal government and
of these regulations on our facility in future guidance 4 citing that, “Reimbursement for have started including language in their contracts
years, The Children’s Hospital (TCH) in Inpatient Hospital claims that (a) include
that requires TCH to identify HACs
Aurora, Colorado worked throughout 2009 serious reportable events identified by the and remove associated charges prior to
and 2010 to develop a process to:
Department in the Provider Bulletin with billing. Other payers are requiring that we code
n identify hospital-acquired conditions after (b) discharge dates on or after October 1, 2009, all HACs with POA indicators appropriately, so
they have been coded, and
may be adjusted by the Department.” that they can conduct retrospective reviews. In
n review the charges prior to releasing the claim.
response to the private payer’s new requirements
The Colorado Department of Health Care and because it is the right thing to do, TCH
We firmly believe in integrating “doing the Policy and Financing (HCPF) provided more has developed the following process to manage
right thing” into all aspects of the care we detailed guidance in their Colorado Medical HACs and identify the corresponding charges.
provide. If one of CMS’s defined HACs Assistance Program Inpatient/Outpatient Billing
occurs for one of our patients, the right
Manual (version date 4/2010) stating: Each of the twelve hospital-acquired
thing to do is to identify what charges are
conditions identified by CMS has a set of
associated with the HAC and remove these Reimbursement for Inpatient Hospital ICD-9-CM codes associated with each of the
charges from the patient’s bill. In our pursuit claims that (a) include serious reportable conditions. With our electronic medical record
to define a process to manage HACs, we
events identified by the Department in (Epic), we have been able to created a “do-notbill”
found that this is much easier said than done. the Provider Bulletin with (b) discharge
(DNB) billing queue that flags and holds
Since the initiation of our efforts, the course dates on or after October 1, 2009, may any account with a HAC ICD-9-CM code
has evolved into an approach that seems to be adjusted by the Department. Effective
with a POA indicator of an N (representing
be working well and allows us to review each
October 1, 2009, inclusion of POA that the condition was not present at the
HAC on a case-by-case basis, using developed indicator responses became a requirement
time of admission) or a U (signifying that the
internal standardized methodologies (see
for all inpatient hospital claims. physician documentation in the chart was
figure 1, HAC process map). In order to build The Department’s policy follows that of insufficient to determine if the condition was
a thorough understanding of how and why the Medicare program for hospitals paid present on admission to hospital). This queue
we came up with this process, it is important through prospective payment.
is managed by Risk Management and the
to explain the federal and state regulatory
charges on the account will not be billed until
environment and the concomitant pressure The way the HCPF billing manual guidance Risk Management reviews the account and
from the private insurance companies as it is worded, TCH would not be held to the releases it from the queue.
relates to pediatric inpatient facilities in the HAC requirements because TCH is not paid
management of HACs.
under the prospective payment system. This A clinical nurse in our Risk Management
would then exclude TCH from any HAC department owns the task of reviewing the
At this time, the federal CMS regulations reporting or adjustment in reimbursement. queue and engages Corporate Compliance
apply to IPPS hospitals only regarding the TCH contacted the state regarding our process
when there is a HAC account present. She
POA indicator reporting requirement and
and they praised our progress and advised also summarizes the case and sends the infor-
the HAC payment provision. Non-IPPS us to not remove charges, because the state mation to Corporate Compliance to put on
hospitals, such as children’s hospitals, are currently
will be mining the HAC data and performing the agenda to review at the bi-weekly HAC
exempt from POA reporting and the retrospective audits. We are unsure of whether Committee meeting.
HAC payment provision. 3 This exemption is we will be included in these audits and the
prudent as the current HACs identified may methodology used by the state to perform
not be pertinent for pediatric patient care. this process has yet to be disclosed.
Continued on page 7
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
5
April 2011

ARE YOU
PREPARED
FOR THE
RAC AUDITOR?
Take control with a strong defense
The RAC Auditors will soon be calling on your hospital. The RAC appeals
process is very complex and missed deadlines can result in the automatic
recoupment of your legitimate revenues. To minimize your risk of financial
losses, you need to be prepared with practical, reliable processes and
controls to ensure that critical appeals deadlines are met, with complete,
substantiated information.
April 2011
www.compliance360.com
6
Compliance 360 is the leader in compliance and risk management solutions
for healthcare. More than 300 hospitals nationwide rely on us every day to
ensure compliance with legal and industry regulations. Using our unique
software solutions, they are always “audit ready” with both proactive
defenses and the audit management tools needed to ensure successful
audit response and appeals. We are proud to help these healthcare
organizations prevent and contain compliance sanctions and we stand
ready to help you as well.
To learn more about the Compliance 360 Claims Auditor for managing
RAC audits, visit www.compliance360.com/RAC or call us at 678-992-0262
NEEDS A LO
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

Managing hospital-acquired conditions at a pediatric hospital ...continued from page 5
Table 1: Guiding Principles
Guiding Principle #1
Guiding Principle #2
Guiding Principle #3
Guiding Principle #4
Guiding Principle #5
Guiding Principle #6
Guiding Principle #7
Guiding Principle #8
Verify the coding to ensure that it truly fits the definition (by CMS definition and coding standards) of an HAC.
Identify the payer and understand how the hospital is reimbursed for the services provided (e.g., DRG, fee-for-service).
Identify very clearly related services/drugs/supplies that are related to the HAC and remove those from the bill.
This will differ on a case-by-case basis.
When reviewing the HAC case, if two procedures are done at the same time and one of them is associated with
a HAC, only remove the charges associated with the HAC (e.g., insertion of new central line). All charges that
apply to the necessary procedure (non-HAC related) should remain on the bill, even if some of the charges may
be associated with the HAC as well. (e.g., anesthesia)
The attending physician will need to contribute in determining whether the HAC extended the length of stay
for the patient in cases where it is not clear.
If tests are performed due to symptoms from a HAC (e.g., fever) that otherwise wouldn’t have been performed if the
patient not had these symptoms, the charges associated with those tests should be designated as associated with the HAC.
When there is a secondary complication that occurs with the HAC, all charges should be removed that are
related to the HAC as well as related to the complication.
When a HAC case does not require charges to be removed, but situations surface that still require attention, the
information should be provided to Risk Management and Legal to address the situation from the risk management
perspective.
The HAC Committee is made up of
representatives from:
n Corporate Compliance
n Risk Management
n Internal Audit
n Health Information Management (HIM)
n Patient Financial Services (PFS)
n Epidemiology/Infection Prevention and
Control
n Quality, and
n Medical Staff
At each meeting, the HAC committee reviews
all patient accounts in the queue and identifies
all labs, drugs, procedures, and supplies associated
with the HAC, which are tracked on a
case-by-case basis. When reviewing whether or
not the HAC impacted the patient’s length of
stay (i.e., room and board fee), the committee
discusses whether it is easily distinguishable.
If it is unclear whether the HAC extended
the patient’s length of stay, then the attending
physician for that patient is consulted and
assists in identifying which room charges, if
any, should be removed from the bill.
The HAC/DNB queue has been set up since
September 2009 and TCH has been
performing a secondary review of all HACs
to verify the accuracy of the coding since that
time. For certain private payers we are contractually
committed to identify and remove all
HAC-associated charges starting August 2010.
We plan to move forward with implementing
this process for an increased number of payers,
starting in the first quarter of 2011. Eventually
the goal is to use the same process and adjust
charges associated with a HAC for all payers.
As our committee reviews each HAC, we
established guiding principles that guide our
process and provide consistency in applying
our methodology. Table 1 includes the guiding
principles that exist up to this point for our
practice. All of the cases we reviewed so far
have only touched three of the twelve categories
of HACs. As we continue our process and
review a larger breadth of cases, we anticipate
that our guiding principles will need to be
revised and updated.
Moving forward, we are working on distinguishing
the procedure for addressing the professional
charges for a HAC. We are also working on
developing an initiative to review the data that
has been collected with this process, noting
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
trends that can be turned into an education plan
for key players in order to prevent (as much as
possible) these situations from occurring.
HACs are a hot topic in health care compliance
and although pediatric hospitals are
currently excluded from the federal regulations,
the time is coming when they may
not be. Additionally, more regulations are
being implemented that tie quality initiatives
to payment. For instance, according to
the FY 2011 IPPS final rule, 5 hospitals that
participate in CMS’s Reporting Hospital
Quality Data for Annual Payment Update
(RHQDAPU) are to begin reporting
hospital-associated infection (HAI) data to
the Centers for Disease Control’s National
Health Safety Network (NHSN) as of
January 1, 2011. Hospitals receive a financial
incentive to participate in the RHQDAPU
program. Therefore, the integration of quality
initiatives in the regulatory environment is
becoming more prevalent and will more than
likely remain a hot topic for years to come. n
1 Public Law 109-171, 120 Stat. 4, enacted February 8, 2006
2 73 FR 48434
3 FY 2009 IPPS Final Rule, 73 FR 48434
4 10 CCR 2505-10 8.300 Medical Assistance - Section 8.300.5.A.7
5 75 FR 50042
7
April 2011

Exhale
By Shawn DeGroot , CHC-F, CCEP, CHRC
Shawn DeGroot
Editor’s note: This
new column will
appear monthly
and will offer tips
on managing the
stress compliance
professionals experience
each day.
sacred trusts: Our promise to taxpayers that
we will spend every dollar wisely and our
promise to seniors and all Americans that we
will protect Medicare for this generation and
generations to come.” The reality is fraud and
abuse exist, scams continue to be created, and
hackers thrive on accessing private information.
Finding the right approach to eliminate
personal trainer or simply commit to
daily walks.
o Yoga can be therapeutic on many levels.
Your schedule may prevent you from
joining a class; however, there are DVDs
available that target areas of your body
and/or issues such as stress. Regardless
of gender, shape, or size, yoga increases
the fraud without categorizing all providers
flexibility and is incredibly refreshing,
Shawn DeGroot is HCCA Second Vice President
as fraudulent is the dichotomy we face. The both physically and mentally.
and serves as Vice President of Corporate moral fiber of most health care providers is o We are in the health care business, yet
Responsibility at Regional Health in Rapid City, good. The intentions of most providers are
similar to the shoemaker without shoes,
South Dakota.
based on quality services for their patients.
often our schedules and/or meetings
Consequently, when rules are created to
create a situation of eating “on the fly” or
What keeps you up at night? Send me an e-mail prevent and stop the evil of a few, we all pay a prohibit us from making healthy choices.
at sdegroot1@regionalhealth.com and share price. The question is, at what cost?
If that is occurring in your work life,
your approach to handling the press, maintaining
stock your desk with a few protein bars
balance in your life as a compliance officer or a I am not sure anyone has the answer to such a or packages of almonds to decrease your
member of the compliance team, or preparing to complex issue. With the increased workload appetite until the next meal.
self-disclose an issue. As a unique group of profound
and decreased resources in a somewhat toxic 4. Schedule a monthly massage. Massage
professionals, we can weather this perfect environment, we can also anticipate that the releases unhealthy toxins, reduces muscle
storm, provide support, and Exhale together. stress and demands of the compliance officer tension, and stimulates circulation. If you
and his/her team will increase. An abundance are too busy, find therapists that will come
The next few years may be brutal of resources exist on dealing with stress and on-site or create a new revenue stream
in the compliance field, given the self-awareness, and as compliance officers, we for the physical therapy department of a
fact that with or without Health need to take responsibility for our physical and hospital. Solicit support from Human
Care Reform, efforts for increased government
mental self-preservation and well-being. So Resources to support and/or sponsor
enforcement are underway. Senator here are a few tips I’d like to share with you: on-site chair massages for employees as
Grassley’s letter 1 dated December 17, 2010, 1. Accept the fact that you will never know a component of a wellness program that
criticizing arms of the government for lack it all. Develop that understanding with can prevent neck, arm, and wrist and
of criminal convictions, adds “fuel to the your leadership, compliance team, and finger strain. Sell the concept in conjunction
fire” for a tumultuous regulatory environment.
board of directors.
with improved employee morale.
Yet, we must be cognizant that health 2. Compliance is everyone’s responsibil-
5. Celebrate life and your accomplishments.
care costs consume a significant percentage ity, not just yours. Too many compliance
Take time to focus on the milestones you
of our gross national product; hence, health
officers become highly self-critical and your team reach, whether large or small.
care operations are under immense scrutiny. when an issue is discovered that involves 6. Laugh at yourself. Recently one of my staff
Public demands for state-of-the-art medicine self-disclosure to the government, when attempted to explain “split-shared billing” to
and technology as well as costly medical
overpayments are made, when an issue has a group of management and physicians. The
efforts at the end-of-life need are also financial
occurred repetitively over several years, or “split” word rhymes with a more unbecom-
and ethical issues to be considered.
the articles in the newspaper are negative. ing word and the burst of laughter by one,
We are our worst critics.
created a roomful of laughter.
Secretary Sebelius provided a press release 2 3. Dedicate time for exercise, yoga, and 7. Commit to taking care of you. No one
on January 24, 2011 regarding fraud and
eating healthier.
else will.
the Affordable Care Act that says, “As we o The physical and metaphysical rewards
implement these rules, we are mindful of two of physical exercise are endless. Hire a
Continued on page 13
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
9
April 2011

April 2011
10
Health IT law
increases enforcement
mechanisms under
Editor’s note: Maria D. Buckley is Of Counsel
and a member of the Health Care and Life
Sciences practice group at the Boston law firm
of Nutter McClennen & Fish LLP. She was
formerly senior counsel of Blue Cross Blue Shield
of Massachusetts, Inc. Ms. Buckley may be contacted
by e-mail at mbuckley@nutter.com or
by telephone in Boston at 617/439-2709.
Maya L. Sethi is an associate in the Litigation
Department and a member of the firm’s Government
Investigations and White Collar Defense
group. Ms. Sethi may be contacted by e-mail at
msethi@nutter.com or by telephone in Boston
at 617/439-2847.
The Health Information Technology
for Economic and Clinical Health
Act (HITECH), enacted as part of
the American Recovery and Reinvestment
Act of 2009 (ARRA) was intended to
spur the adoption of health information
technology by hospitals and physicians.
HITECH also has strengthened the civil and
criminal enforcement of the Health Insurance
Portability and Accountability Act (HIPAA)
in several ways. Entities, employers, and
individuals, who may not have been targeted
in the past, face increased exposure when
protecting confidential and private health
information, as several recent cases illustrate.
HIPAA enforcement
HIPAA now has some teeth behind it. On
July 6, 2010, the Connecticut Attorney
HIPAA
By Maria D. Buckley and Maya L. Sethi
General’s Office announced a settlement
with Health Net and its affiliates—the first
settlement of its kind for a state attorney
general’s office. Health Net, a Californiabased
insurer operating in Connecticut, was
accused of failing to protect private medical
and financial information belonging to nearly
half a million enrollees. The Connecticut
Attorney General sued Health Net in May
2009, after the company lost a computer
disk drive that contained protected health
information (PHI) belonging to more than
500,000 Connecticut citizens and 1.5 million
consumers nationwide. The missing drive
contained patient names, addresses, Social
Security numbers and confidential health
and financial information. The state attorney
general’s office was particularly concerned
by Health Net’s six month delay in notifying
consumers and law enforcement authorities,
even after an internal investigation concluded
that the disk drive was likely stolen. 1
As part of the settlement, Health Net and
its affiliates agreed to pay $250,000 in fines
to the state, and perhaps more importantly,
agreed to implement an extensive corrective
action plan, which included several detailed
measures such as:
n providing two years of credit monitoring
to affected individuals,
n providing $1 million of identity theft
insurance and reimbursement for the costs
of security freezes,
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
n agreeing to improve management and
oversight systems, and
n providing increased training and awareness
for its employees.
The settlement is a landmark one, because the
Connecticut Attorney General’s office is the first
state attorney general’s office to take advantage
of certain provisions passed in the HITECH
Act, which authorized such a cause of action.
The HIPAA statute never created a private
right of action. As a result, patients whose
protected information is unlawfully accessed
cannot file suit in court based upon alleged
HIPAA violations. The HITECH amendments,
which became effective February
2009, heightened HIPAA enforcement
provisions by, among other things, authorizing
state attorneys general to file suit on
behalf of their state residents. Although
the Connecticut Attorney General’s office is
the first in the nation to have settled a case
under these provisions, it is likely that other
states will soon follow suit. Certainly, by
deputizing state attorney generals to prosecute
HIPAA violations, enforcement actions will
increasingly be brought, and courts’ varying
interpretation of HIPAA will likely create a
more nuanced body of law.
It is not companies alone that are receiving
increased enforcement attention as result
of HIPAA and the HITECH amendments.
Individuals are increasingly being targeted as
well. For example, on September 15, 2010,
Paul Pepala, a former surgical instrument
technician employed by University of
Pittsburgh Medical Center, was indicted by
federal grand jury for one count of “knowing
disclosure of another person’s identifiable
health information with intent to sell, transfer,
or use the same for personal gain” under the
HIPAA statute and thirteen counts under
42 U.S.C. § 408(a)(8) (the Social Security

Act) for disclosing to unidentified individuals agencies are charged with enforcing the on the level of intent and neglect involved
the names, birthdates, and Social Security privacy provisions of HIPAA: the United (i.e., whether the violation was made without
numbers of various patients. Those individuals
States Department of Health and Human knowledge, due to reasonable cause, or due to
then used the patients’ Social Security Services (HHS), through the Office of Civil willful neglect).
numbers to file false tax returns. Pepala faces Rights (OCR), which is charged with the
up to ten years imprisonment and a fine of civil enforcement of HIPAA, and the U.S. Importantly, as of February 17, 2011, there will
no more than $250,000 for his sole HIPAA Department of Justice (DOJ), the federal be mandatory monetary penalties imposed
violation, or in the alternative, supervised agency charged with criminal prosecution of for HIPAA violations due to “willful neglect.”
release of no more than three years and an HIPAA violations.
Other penalty tiers are also clearly laid out
alternative fine based on the amount of gross
by the HITECH Act; for example, a lesser
pecuniary gain to any person. 2
Until recently, it was unclear whether the violation made without knowledge will be
DOJ was authorized to bring HIPAA fined at a mere $100 per violation, not to
Furthermore, in late April of 2010, Huping prosecutions against individuals like Pepala exceed $25,000. On the other end of the
Zhou, a former licensed cardiothoracic and Zhou (i.e., employees of a “covered spectrum, for those violations due to “willful
surgeon in China working at the UCLA entity”). HIPAA covered entities are health neglect,” penalties start at $10,000 and go
School of Medicine as a researcher, was care providers, health plans, and health care up to $250,000. The HITECH provisions
sentenced to four months in federal prison claims processors or clearinghouses.
also consider whether a violation is corrected
and a fine of $2,000 after pleading guilty to
within 30 days of knowledge of the violation.
four misdemeanor counts involving the unauthorized
This seems to have changed under the For those “willful neglect” violations that are
viewing of employee and patient HITECH Act. The HITECH provisions not corrected within this time period, the
medical records. Among a handful of criminal include several important changes to the penalty escalates to $50,000 per violation, not
prosecutions targeting individuals for HIPAA HIPAA privacy and security regulations, which to exceed $1.5 million.
violations, this was the first prosecution to extend the reach of its criminal enforcement.
result in incarceration solely related to a The criminal provisions of the HIPAA statute Further, HITECH provides that any penalties
violation of HIPAA. 3
clarify that a person who obtains or discloses collected will be used to support the enforcement
protected health information from a “covered
activities of the OCR. This provision,
Notably, the court imposed a stricter sentence entity” without authorization commits a although minor in the entire HITECH
on Zhou than was requested by the government,
violation of the criminal provisions of HIPAA. statutory scheme, may have a unique longment
which asked for 90 days of imprison-
If the DOJ declines to prosecute a case, the term impact. The OCR has traditionally
and a fine of $500, perhaps because HITECH Act allows OCR to pursue civil approached HIPAA violations by seeking to
he had received formal training on HIPAA penalties for the same violation. Furthermore, bring employers into compliance, rather than
violations, unlawfully accessed patient’s those entities that in the past were considered imposing heavy monetary penalties. By linking
records after hours, and only after receiving a “business associates” are now on the hook for
penalty payments with the OCR budget,
notice of termination. Zhou was not charged HIPAA violations, whereas previously they enforcement activities by OCR are likely to
with improperly using or attempting to sell might have only been liable under contract become more targeted and proactive.
the information he accessed, which would agreements with their respective service
have exposed him to even greater criminal providers. As a result of these amendments, Conclusion
penalties under the HIPAA criminal enforcement
employees and businesses not originally thought Given the government’s broadened enforce-
provisions.
to be covered by HIPAA are now at risk for ment mechanisms, health care providers
prosecution. This raises a host of compliance and those entities that meet the definition
Development of HIPAA enforcement issues for businesses and individuals who have of “business associates” need to review their
provisions
access to protected health information. privacy and information security programs to
Although HIPAA was enacted in 1996, civil
ensure privacy and security of personal health
and criminal enforcement of the statute is a In addition, the HITECH Act increased information. Size doesn’t seem to matter as
relatively recent development. Two federal civil penalties for violations of HIPAA based
Continued on page 13
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
11
April 2011

HCCA’s 2011
r egionA l
ConferenC es
HCCA’s regional one‐day
conferences provide high‐quality,
convenient, inexpensive education
and networking opportunities.
Don’t miss the opportunity to
attend one in your area!
Upper north central
may 6, 2011
Columbus, oH
Upper northeast
may 20, 2011
new York, nY
pacific northwest
June 10, 2011
seattle, WA
west coast
June 17, 2011
newport Beach, CA
new england
september 9, 2011
Boston, mA
Upper Midwest
september 16, 2011
minneapolis, mn
Midwest
september 23, 2011
Kansas City, Ks
north central
october 3, 2011
indianapolis, in
east central
october 14, 2011
Pittsburgh, PA
hawaii
october 21, 2011
Honolulu, Hi
MoUntain
october 28, 2011
Denver, Co
Mid central
november 4, 2011
louisville, KY
desert soUthwest
november 18, 2011
scottsdale, AZ
soUth central
December 2, 2011
nashville, tn
April 2011
leArn more AnD register At
www.hcca-info.org
12
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
Health Care Compliance Association
6500 Barrie Road, Suite 250
Minneapolis, MN 55435
888-580-8373 (p) | 952-988-0146 (f)
www.hcca-info.org

Health IT law increases enforcement mechanisms
under HIPAA ...continued from page 11
the federal government has targeted not only large academic
centers, such as UCLA and University of Pittsburgh, but
also small physician practices and clinics.
It is essential that HIPAA covered entities implement an
effective privacy and information security compliance program
that takes into account the evolving rules and guidance under
HIPAA and HITECH, as well as the small-but-growing body
of case law and history of government enforcement actions.
An effective compliance program must include training, risk
assessment, and a strong message that the employer will not
tolerate privacy and security violations. Also, to the extent that
HIPAA covered entities work with business associates (e.g.,
billing companies, consultants), covered entities should perform
some level of due diligence on their business associates to
ensure that they maintain a culture of HIPAA compliance. n
1 Office of the Attorney General, State of Connecticut, Attorney General Announces Health
Net Settlement Involving Massive Security Breach Compromising Private Medical and
Financial Info, Press release, July 6, 2010. Available at http://www.ct.gov/ag/cwp/view.
asp?A=2341&Q=462754.
2 HCPro: HIPAA Weekly Advisor: Violation carries fine of $4.7 million, up to 80 years in
prison. September 27, 2010. Available at: http://www.hcpro.com/HIM-256876-866/Violation-carries-fine-of-47-million-up-to-80-years-in-prison.html
3 Chris Dimick: Californian Sentenced to Prison for HIPAA Violation. April 29, 2010.
Available at http://journal.ahima.org/2010/04/29/californian-sentenced-to-prison-for-hipaaviolation/
Exhale ...continued from page 9
Ironically I thought of these concepts and many more at
3:00 a.m. in preparation for a press release regarding a
settlement with the government. It occurred to me that
I am not alone. I have read about countless organizations
with superb compliance officers who share similar
experiences. I also wondered how many other compliance
officers were up that night. n
1 A PDF of this letter is available at http://grassley.senate.gov/about/upload/12-17-10-Letter.pdf
2 Health and Human Services press release: Health care fraud prevention and enforcement efforts
recover record $4 billion; new Affordable Care Act tools will help fight fraud. January 24,
2011. Available at http://www.hhs.gov/news/press/2011pres/01/20110124a.html
The CCB offers certifications in
Healthcare Compliance (CHC),
Healthcare Research Compliance
(CHRC), and the Certified
in Healthcare Compliance
Fellowship (CHC-F).
Certification benefits:
n Enhances the credibility of the
compliance practitioner
n Establishes professional standards and
status for compliance professionals in
Healthcare and Healthcare Research
n Heightens the credibility of
compliance practitioners and the
compliance programs staffed by these
certified professionals
n Ensures that each certified
practitioner has the knowledge base
necessary to perform the compliance
function
n Facilitates communication with
other industry professionals, such as
physicians, government officials and
attorneys
n Demonstrates the hard work and
dedication necessary to succeed in the
compliance field
For more information about
certification, please call 888/580-8373,
email ccb@hcca-info.org, or visit our
website at www.hcca-info.org.
CCB
The Compliance
Professional’s
Certification
The Compliance Certification Board (CCB)
compliance certification examinations are
available in all 50 states. Join your peers and
demonstrate your compliance knowledge by
becoming certified today.
Congratulations!! The following
individuals have recently successfully
completed the CHC certification exam,
earning their certification:
Carol D. Flynn
Cyndy L. Harrison
David W. O’Toole
Michael P. Pasternack
Joseph L. Rivet
Erika S. Soucy
Congratulations!! The following
individuals have recently successfully
completed the CHRC certification
exam, earning their certification:
Dani G. Joyner
Congratulations!! The following
individuals have recently successfully
completed the CHPC certification
exam, earning their certification:
Gregory V. Kerr
Beth B. Page
Jeanne Marie Strickland
Call for Authors - Seeking Managed Care and Health Plan Articles
Below are a few topics to consider:
n Differences in compliance from hospital to plans
n Star ratings and their effect on revenue
n New health plan audit approach by CMS – for Medicare
n How plans are dealing with the uncertainty of
Healthcare Reform
n Fraud and Abuse from the plan side
If you are interested in contributing a Managed Care or Health Plan related article, please contact:
Ann U. Greenberg, CHP, CCEP, Telephone: 505/321-2807, E-mail: Ann.Greenberg15@gmail.com
If you have any questions about this Call for Authors, don’t hesitate to contact Margaret Dragon, Editor, Compliance Today via e-mail at
margaret.dragon@hcca-info.org or call toll free 888/580-8373 or direct: 781/593-4924.
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
13
April 2011

feature
article
Meet Tony West
Assistant Attorney General, Civil Division,
United States Department of Justice
April 2011
14
Editor’s note: This interview was conducted by
HCCA First Vice President Frank Sheeder in
December 2010. Frank Sheeder is a Partner in
the Dallas offices of Jones Day and may be contacted
by e-mail at fesheeder@JonesDay.com.
Mr. West may be contacted at the US Department
of Justice in Washington DC by telephone
at 202/514-2000.
FS: On behalf of HCCA, thanks for
speaking with me about health care fraud
enforcement initiatives. Please tell us a little
bit about yourself, your experience, and the
path that led you to become the Assistant
Attorney General for the DOJ’s Civil
Division.
TW: Thanks for the opportunity. Well,
mine has been a career that’s seesawed
between public and private law practice.
Before I was confirmed in April 2009, I was
a litigation partner at Morrison & Foerster
in San Francisco. Prior to that, I was a senior
policy attorney in the California Attorney
General’s office, and before that I was a
federal prosecutor for five years. I actually
started my DOJ career almost two decades
ago when, about a year out of law school, I
joined the Clinton Administration’s Justice
Department as a special assistant to the
Deputy Attorney General.
It’s my humble opinion
that my current job is
probably the best job
in the entire Justice
Department, which
I believe is the best
place to work if you’re
a lawyer, so I consider
it a great privilege and
honor to serve in this
role.
FS: Why do you say
your job is the “best job in the DOJ?” What
makes it so?
TW: That’s easy. Three reasons: First, I
have the pleasure of working with probably
more of my colleague Assistant Attorneys
General than anyone else, since the Civil
Division’s work is so broad and diverse.
Almost every week brings me into close collaboration
with the heads of the Criminal,
NSD (National Security Division), Antitrust,
Environment, and others, not to mention all
of our client agency general counsels.
Second, I can usually figure what my day
is going to be like by reading the New York
Times. It’s a good bet that something in
those pages will cross my desk at some point
during the day.
Last, and best of all, I get to work with
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
some of the most talented and dedicated
public servants I’ve ever known. I’ve always
been very proud of the fact that I spent five
years as a Justice Department career attorney
when I was an Assistant U.S. Attorney in the
Northern District of California. I’ve always
known Justice Department personnel to be
a committed, talented group, and it’s a real
privilege to work with them in this current job.
FS: You have a very impressive background.
Are there certain influences that helped to
shape your successful career?
TW: I credit my parents and the example
they set for that. Growing up, they placed a
huge emphasis on education and service. My
mother, for instance, is a teacher, and both
of my sisters became teachers. My dad was

heavily involved in public and community
service, serving in a variety of locally elected
and appointed posts apart from his day job
in management at IBM. And they, of course,
were carrying on the tradition of service
that they had learned. My maternal grandmother
was also a teacher and my maternal
grandfather was one of a long line of church
pastors in my family. So, even though I
was the first lawyer in my family, there’s no
question that the public service motive that
led me to pursue law was one that had deep
roots in my background. That, coupled with
great teachers and guides along the way who
took an interest in helping me—people like
Attorney General Janet Reno—all of it serves
as a constant reminder of how truly fortunate
I’ve been.
FS: Is there an aspect of your current role
that was especially surprising to you? What
are the greatest rewards and challenges?
TW: I think what was most surprising to
me when I first started was the large amount
of time the head of the Civil Division spends
on national security issues. Since my first tour
at the Department over 15 years ago, there has
been a considerable change in the focus of the
Justice Department’s work, and appropriately
so. September 11th changed everything. And
as the federal government’s law firm, the Civil
Division, of course, deals with many of the
issues that reflect that change.
Notwithstanding that reality, I think most
outside observers would assume that the Civil
Division’s national security work is episodic,
arising in only a handful of cases. But the
reality is, those issues are quite pervasive
and constant. Along with National Security
Division and the Criminal Division, Civil is
a leader in the Department’s counterterrorism
efforts. For example, approximately 140
habeas corpus cases brought by detainees held
at Guantanamo Bay are being litigated by our
division. Some of those cases pose difficult
questions of first impression regarding the
indefinite detention of individuals held pursuant
to the laws of war. We’ve also defended
Executive Branch authority as it relates to
our counterterrorism efforts, and our Office
of Immigration Litigation works closely with
DHS (Department of Homeland Security) to
defend removal orders involving terrorist and
other national security-risk aliens.
FS: The Civil Division is responsible for
cases involving national security, the financial
crisis, challenges to the health care reform
law, health care fraud on the government,
defense, stimulus funds, and even the recent
oil spill. How do you manage to stay focused
on so many important fronts?
TW: I have a great team of deputies and
counselors who help me stay on top of
what’s most important. I am a big believer in
finding the best people you can, hiring them,
and empowering them to do what they do
best; and that’s what we’ve done in the Civil
Division front office.
FS: What are the Civil Division’s main
initiatives aimed at recapturing taxpayers’
dollars lost to health care fraud?
TW: In the Civil Division, we’re pretty
zealous guardians of the “public fisc.” We
don’t like it when taxpayer money is lost to
fraud, waste, or abuse. So we’ve been pretty
vigilant when it comes to fighting fraud in all
areas—public contracting, grant programs,
the housing and mortgage industries, and
others—and we’ve been appropriately aggressive
in using the False Claims Act as our
primary enforcement tool.
Nowhere is this more evident than in
our fight against health care fraud. I deeply
believe that Medicare and Medicaid fraud
undermines the quality of our health care,
the integrity of our public health care programs,
and the safety of patients. And early
in my tenure, I met with private insurers
who reminded me that health care fraud isn’t
just a public sector problem; it affects the
private sector, as well. So curbing such fraud
has been a top priority for the President, the
Attorney General, and for me.
And, our focused efforts have yielded success.
Since January 2009, the Civil Division,
working with US Attorneys’ Offices around
the country, has opened more health care
fraud matters, secured larger fines and judgments,
negotiated higher settlements, and
recovered over $8 billion for the taxpayers in
health care fraud cases. That’s the largest twoyear
health care fraud recovery in the history
of the Department of Justice.
FS: What do you see on the horizon? Can
you foresee some trends that will develop in
the health care enforcement arena?
TW: I think we can expect to see continued
vigilance when it comes to ensuring our
public health care programs are untainted
by fraud. We’ve received some important
enforcement tools in the last two years that
have enhanced our efforts against health care
fraud, and I anticipate we will continue to use
those tools to great effect. That means holding
both corporations and individuals accountable
when it comes to interactions with
Medicare and Medicaid, marketing medical
products, and securing FDA approvals.
FS: As you know, HCCA’s members are
compliance professionals. How will these
trends impact compliance programs and the
roles of compliance professionals?
TW: I think your members play a central
role in promoting the good health and wellbeing
of the American people. You are often
the ones that companies and providers turn
to in order to negotiate a complicated legal
and regulatory landscape. Many rely on you
for guidance when it comes to maximizing
both compliance and innovation. And I
Continued on page 17
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
15
April 2011

NOW AVAILABLE:
The HCCA HIPAA Training Handbook
Order Now
The Health Insurance Portability and Accountability Act (HIPAA) has had
lasting impact on U.S. health care providers since its passage in 1996. Now
HIPAA, along with HITECH, affect health care professionals on a daily
basis. This newly revised handbook is intended for anyone who needs a basic
understanding of the privacy and security regulations governed by HIPAA and
HITECH. Suitable for staff training courses, it covers:
• Who must comply with HIPAA and HITECH
• When and by whom is the use or disclosure of protected health
information (PHI) permitted?
• What rights does an individual have regarding his or her PHI?
• What are the basic safeguards required to protect the security of e-PHI?
• What happens when a breach occurs?
• And much more
This handbook can prepare all health care professionals to help protect the
privacy and security of their patients’ health information.
HCCA MEMBER DISCOUNTS
# of handbooks cost per book
1–9 ...........................$25
10–24 .......................$23
25–49 .......................$20
50–74 .......................$18
75–99 .......................$16
100+ .........................$15
THE HCCA HIPAA TRAINING HANDBOOK
Qty
Cost
________ HCCA Members ($25 or see chart at left) $ __________
________ Non-Members ($30 per handbook) $ __________
________ Join HCCA!
$ __________
Non-members, add $200 to join HCCA, and pay
member prices for your order (regular dues $295/year)
Total: $
Bulk discounts available for HCCA members only. See chart at left to
figure cost. All purchases receive free FedEx Ground shipping within
continental U.S.
PLEASE TYPE OR PRINT
HCCA Member ID
First Name M.I. Last Name
Title
Organization
Street Address
City State Zip
Telephone
Fax
Make check payable to HCCA and mail to:
HCCA, 6500 Barrie Road, Suite 250
Minneapolis, MN 55435
Or fax order to: 952-988-0146
My organization is tax exempt
Check enclosed
Invoice me | Purchase Order #
I authorize HCCA to charge my credit card (choose below):
AmericanExpress Diners Club MasterCard Visa
Credit Card Account Number
Credit Card Expiration Date
Cardholder’s Name
Cardholder’s Signature
Federal Tax ID: 23-2882664
Prices subject to change without notice. HCCA is required to charge sales
tax on purchases from Minnesota and Pennsylvania. Please calculate this
in the cost of your order. The required sales tax in Pennsylvania is 7% and
Minnesota is 6.5%.
6500 Barrie Road, Suite 250
Minneapolis, MN 55435
Phone 888-580-8373 | Fax 952-988-0146
www.hcca-info.org | helpteam@hcca-info.org
E-mail

Meet Tony West, Assistant Attorney General, Civil Division, United States Department of Justice ...continued from page 15
know that, as difficult as that can be sometimes,
it’s a role you take seriously.
The work your organization and your members
perform recognizes that fair competition and
ethical compliance efforts are the foundation of
a vibrant and successful health care services and
products market. So I view you as partners in our
efforts to curb health care fraud.
FS: You mentioned some important
enforcement tools that you have received in
the past two years. I assume you are referring
to the Fraud Enforcement and Recovery Act
of 2009 (FERA) and the Patient Protection
and Affordable Care Act (PPACA), which
amended the False Claims Act (FCA) to give
the government and whistleblowers new and
strengthened abilities to make and sustain
cases under the FCA. How have those tools
helped, and do you foresee that recoveries
under the FCA will continue to grow beyond
the current record levels?
TW: Among other important changes,
FERA authorized delegation of the Attorney
General’s authority to issue civil investigative
demands (CIDs), which has substantially
increased the use of this critical investigative
tool in health care and other fraud matters.
PPACA added some significant changes to
the False Claims Act. First, it amended the
public disclosure bar to eliminate the jurisdictional
nature of the bar and narrow the
circumstances in which it could apply to bar a
relator. Second, it made clear that a violation
of PPACA can be the predicate for a violation
of the False Claims Act. Third, it defined an
overpayment in the context of a federal health
care program, to assist us in bringing claims
under FERA’s new False Claims Act provision
based on the retention of an overpayment.
FS: Can you please give your perspective
on the roles whistleblowers play in connection
with the government’s current enforcement
initiatives?
TW: Since 1986, when the False Claims
Act was significantly amended to strengthen
the qui tam (or whistleblower) provisions,
approximately 64% of our cases have come
to us from whistleblowers who filed actions
under the False Claims Act.
The False Claims Act provides that when the
United States intervenes in a qui tam case, the
relators are entitled to receive between 15% and
25% of the amount ultimately recovered by
the government as a result of their allegations.
When the United States declines to intervene
and the relators proceed on their own, they are
entitled to receive between 25% and 30% of the
recovery. The Department has prepared relator
share guidelines that set forth the standards
we use in making these determinations. We
recognize that many relators shoulder a heavy
burden when they report fraud and assist the
government in its investigation, often facing
retribution from the industries in which they
work and from their colleagues.
FS: What message or advice would you
like to give to health care compliance professionals
who are committed to keeping their
organizations compliant with all applicable
standards?
TW: We recognize that most health care
providers, companies, and individuals who
do business with the government are dealing
fairly. We know they’re playing by the rules
and are careful with the taxpayer dollars they
receive. Yet, it’s also the case that there are
others out there who are cutting corners,
taking advantage, and putting profits over
patient safety—and they are the ones who will
continue to attract our enforcement attention.
FS: We appreciate your candor, and thank
you for speaking with me about these
interesting matters.
TW: Thank you. n
False Claims
Act Training
Doesn’t Have
to Be Hard
A Supplement to Your
Deficit Reduction Act
Compliance Training
Program offers a clear,
concise review of the
False Claims Act and
its impact on federal
health care programs.
Bulk pricing
available for
HCCA members.
To order, visit
www.hcca-info.org,
or call 888-580-8373.
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
17
April 2011

If you have any questions that you would like
Roy to answer in future columns, please e-mail
them to: roy.snell@hcca-info.org.
ROY sNELL
Speed Networking
The two greatest benefits of any professional association like HCCA
are networking and education. Associations have many ideas about
education, such as audio conferences, e-learning, conferences, articles,
blogs, roundtables, etc. As for networking, we now have social media,
but it’s really a tad impersonal. I would suggest that social networking
is better at education than networking. The real breakthrough on
improving professional networking was the invention of the conference
reception....back in 400 BC. Since then, the food and attire have
changed – the business casual toga had yet to be invented – but the
principle is the same: provide a forum for people to meet, get to know
each other, and help each other long after the meeting is over.
Recently someone got the bright idea that we could use the basic principles
of speed dating for professional networking. Speed networking
is like speed dating. People sit across from each other at cafeteria tables
and talk for about 15 minutes. Then you switch and talk to another
person. Eventually you meet 4-5 people. Much like speed dating, you
state your preferences as to whom you would like to meet. Computers
match people from similar types of organizations. This is very helpful
for people in segments of health care, such as DME, Pharma, longterm
care etc., who have specific networking needs. They have a harder
time networking randomly at conferences.
We are setting up a speed networking session on Sunday, April 10th at
the annual HCCA Compliance Institute in Orlando. People may stay
connected all week or meet for dinner, lunch, etc. Some will stay connected
for years to come. Many people who are new to our profession
will benefit greatly. We are looking forward to experimenting with this.
In the future, we might even try to pair up those who wish to mentor
with those who wish to be mentored. One of the problems with
traditional mentorship programs is that people are slapped together
with little effort to match interests. Even those who have attempted to
match interests cannot possibly match personalities. If you meet five
mentors, one is likely to click. With speed networking, you can stay
in touch with as many as you like.
We will get feedback and improve the process. We will think of other
ideas to use this tool to bring people of similar needs and interests
together. We are very excited to try to improve the networking side
of what we do for our members. Given that this is the first significant
professional networking idea to come along in 2,400 years, I am
optimistic it will improve our ability to provide you with what you are
looking for from HCCA. n
Speed networking is very helpful for people who specialize in certain
regulations or specific elements of a compliance program. Those
interested in HIPAA meet with their peers; those involved heavily in
investigations meet their peers. It’s also helpful for people who don’t
feel comfortable walking up to a total stranger during a reception or
between conference sessions. With speed networking, everyone is
there to meet people and eager to talk.
HCCA has stepped up our environmental
responsibility by printing Compliance Today
on recycled paper. The interior pages are now
printed on paper manufactured with 100% postconsumer
waste. The cover stock is made up of
10% post-consumer waste and is locally produced
in Minnesota near our printing facility. In addition, the energy
used to produce the paper is 100% renewable energy. This is
not to mention that the ink used in our magazine is 100% soy
based water soluble inks. Certifications for the paper include
The Forest Stewardship Council (FSC), Sustainable Forestry
Initiative (SFI), and Green-e.org.
April 2011
18
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

Social Networking
John Falcetano
Editor’s note: John Falcetano, CHC-F,
CCEP-F, CHRC, CHPC, CIA is Chief
Audit/Compliance Officer for University
Health Systems of Eastern Carolina and
Treasurer of the HCCA Board of Directors.
John may be contacted by e-mail at
jfalcetano@uhseast.com.
Welcome to the Social Networking column. This column provides our
members and others with information on topics being discussed on the
Health Care Compliance Association’s (HCCA’s) Social Network site. The
social networking site is where users can find answers to their questions and
network with other compliance professionals online. They can subscribe to
discussion groups and join in on discussions, or even start a new discussion
on compliance topics.
Each of the discussion groups have a library that contain a variety of documents
on specific compliance topics that can be searched and downloaded,
as well as add documents that may benefit other users. One recent topic
discussed the Internal Audit department’s effectiveness and efficiency, as well
as building and maintaining the internal auditor’s credibility.
HCCAs Social Network website also helps you find colleagues and professionals
that you may have met at prior compliance conferences and allows
you to reconnect. It’s is a great way to network with your peers and help
discuss your compliance program activities with others.
I encourage everyone to become involved with the Social Network, it is a
great way to participate in the discussion, review the comments, or just talk
with your peers. You can access the Social Network site by going to the
following link: www.hcca-info.org/sn n
Web 2.0 is about the
new, faster, everyone
connected Internet.
HCCA is embracing this approach and offers you
a number of ways to build out your network,
connect with compliance professionals, and
leverage this new technology. Take advantage of
these online resources; keep abreast of the latest
in compliance news; and stay ahead of the curve.
Dozens of discussion groups and
more than 6,800 participants
http://community.hcca-info.org
Profiles of over 4,500 compliance
and ethics professionals
http://www.hcca-info.org/LinkedIn
Follow HCCA_News to keep up with the
latest compliance news and events
http://twitter.com/HCCA_News
Need a quick and cost-effective
way to earn CEU credits?
Want the latest news on breaking
issues and best practices?
All of this from the convenience
of your own office?
Try one of HCCA’s
upcoming Web
Conferences, and
earn 1.2 CEU credits.
It doesn’t get any easier.
learn more about
upcoming web
conferences and
register at
www.hcca-info.org/
webconferences
Connect with compliance and ethics
professionals on Facebook
http://www.hcca-info.org/Facebook
Each resource is 100% dedicated to
compliance and ethics management.
So sign up for whichever one works
best for you, or for all four if you’re
already living the Web 2.0 life.
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
19
April 2011
TryWebConf_quarterpage_CTad.indd 1
7/8/2010 9:15:55 AM
HCCASocialNetworking_halfpage_301nK_CTad.indd 1
12/28/2010 10:03:44 AM

April 2011
20
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

Hospital anesthesia
stipends and
compliance: Can
due diligence be
supported?
By Devona Slater, CHC, CMCP and Lynette Peterson, SCP-AN
Editor’s note: Devona Slater is the President Knowing that the anesthesia group is
and Senior Compliance Auditor with Auditing accurately documenting services and billing
for Compliance and Education, Inc. (ACE) correctly is one component of compliance.
in Leawood, Kansas. She may be contacted by Another area to analyze and to understand is
phone at 913/648-8572 or by e-mail at the group’s financial performance. A comprehensive
compliance review of the anesthesia
devonas@aceauditors.com.
group should address both operational and
Lynette Peterson is a Compliance Auditor with financial performance, because these are both
Auditing for Compliance and Education, Inc. important pieces. It is important for the
(ACE) in Leawood, Kansas. She may be contacted hospital to have this information in preparation
for stipend agreement negotiations.
by e-mail at lynettep@aceauditors.com.
More than 70% of hospitals pay Hospitals can do a detailed compliance review
stipends to anesthesia groups. One prior to renewing or entering into a stipend
has to stop and question: Is the agreement. An anesthesia provider can use
hospital getting what they are paying for? As this review as a strong tool prior to negotiating
a stipend. This discussion will focus on
stipends have grown over the years, the complexities
of the agreements have also grown. the benefits to the hospital.
Many agreements now include measurements
and a portion of the stipend is at-risk, based Documentation
on performance, meaning that compensation is The detailed compliance review will identify
tied directly to results based on predetermined potential areas where the hospital may incur
measurement expectations. Although some risk, based on how anesthesia services are
measures have been successful at improving being documented. It can also identify issues
operational efficiencies, others have not been with good faith efforts to bill and collect
so successful. Before measures are developed, appropriate fees for services. To ensure the
the hospital must first know how the practice is hospital obtains the negotiating information
currently performing. How well does the practice
currently capture patient information? How needs to include all key components specific
needed, the anesthesia compliance review
efficient is the current billing process? What to anesthesia services and be performed by
is the revenue collection percentage from each experts specializing in anesthesia coding,
type of carrier and by service provided? billing, and reimbursement.
Continued on page 22
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
The first step in the anesthesia compliance
review should be the detailed examination
of service documentation. Anesthesia is one
of the few services that bill based on time,
making the documentation of anesthesia time
a risk area that should be reviewed. Specific
government rules cover what must be documented
to bill for anesthesia services. The
Centers for Medicare and Medicaid Services
(CMS) guideline 1 outlines the criteria for
billing services. The American Society of
Anesthesiologists (ASA) is another recognized
source for clinical and practice management
standards and guidelines. 2
The billing requirements vary and the hospital
must ensure that the anesthesia practice is
appropriately billing based on the services
documented. For example, Medicare requires
specific documentation to bill for anesthesiaspecific
services such as medical direction,
time, ancillary services, etc. Teaching
institutions have additional medical direction
requirements. The hospital must understand
all of these anomalies to ensure that the
anesthesia practice is performing properly to
help reduce their risk.
A detailed compliance review, conducted for
the hospital, should analyze the anesthesia
practice prior to negotiating a stipend or the
measurements that will be used to monitor
performance. To appropriately evaluate the
anesthesia time, the anesthesia record must
be evaluated in conjunction with other
supporting documentation in the patient’s
medical record. The accuracy of anesthesia
time is critical for determining time units and
to accurately capture overlapping cases that
can significantly impact the reimbursement
rate for anesthesia services. Medicare also has
medical necessity requirements for certain
anesthesia procedures, such as monitored
anesthesia care and procedure codes that
21
April 2011

Hospital anesthesia stipends and compliance: Can due diligence be supported? ...continued from page 21
April 2011
22
bundle anesthesia services. A thorough review
of accurately documented and billed anesthesia
services can identify missed revenue
opportunities and areas where documentation
should be improved to minimize risk for
the hospital.
The hospital must also understand how
the practice stays abreast of new requirements
and how these are implemented and
integrated into daily operations. For instance,
last January the Interpretative Guidelines 3
set forth new requirements regarding the
anesthesiologist’s pre- and post-operative
visits with the patient. The time frames and
elements of the pre- and post-anesthesia
evaluations have been expanded and clarified.
The ASA also provides standards of care for
pre- and post-operative anesthesia evaluations
that should be utilized in conjunction with
the Interpretative Guidelines. The compliance
review should evaluate the practice and their
interpretation and implemtation of these
new requirements. Although these requirements
do not impact the billing of anesthesia
services, these items should be assessed to
determine if the anesthesia group may be
placing the hospital’s Medicare participation
status in jeopardy.
Coding and quality
In addition to the examination of the
anesthesia service documentation, a compliance
review should also evaluate conformance
to regulations in regard to anesthesia service.
A quality compliance review includes many
elements in order to assess actual compliance
with regulations in regards to an anesthesia
service. The coding of these services is one of
the first steps in the revenue cycle, and
reimbursement for these services is one of the
primary reasons stipends are paid. The
compliance review should include an analysis
of the medical coding service. Of course,
medical coding plays a large role to ensure
proper and maximum reimbursement. One
of the most common issues with coding is
assigning the highest level of specificity to the
service. This is something that all anesthesia
groups have to work at improving, due to the
assignment of alternate ASA units for many
procedures. It is not unusual to find 5% to
10% under-coding in anesthesia services,
due to not capturing the highest base unit
code for reimbursement. Both the ASA and
National Correct Coding Initiative (NCCI) 4
provide guidance for the services that should
be included in anesthesia care. It is important
for the hospital to understand how the
anesthesia practice performs in this area, prior
to negotiating a stipend or a business process
measurement.
Another reimbursement opportunity to
consider during the stipend negotiations
is the Physician Quality Reporting System
(PQR). In 2011, reporting PQR can bring
a 1% bonus reimbursement to the group
on all eligible Medicare dollars, if reported
correctly. For anesthesia, measures began with
documentation of antibiotics (#30) prior to
surgical incision time and maximal sterile
barrier technique (MSBT) (#76) for Swan
Ganz catheter and central line placements.
Effective in 2010, another measure regarding
the recording of temperature (#193) was
added. Coders and billing personnel must
understand the options to accurately report
these measures. Many times the elements
are missing, or billing personnel do not
understand what must be reported in order
to qualify for the bonus. The recently passed
health care reform legislation outlines a
reduction for PQR bonuses and eventually
implements a penalty for inaccurate reporting
of these measures. 5 PQR reporting and the
transition from a bonus to a penalty should
be considered in the anesthesia revenue model
as prerequisites for stipend payments. The
hospital must understand how the anesthesia
practice ensures compliance with these
requirements.
The hospital would be wise to review the
managed care rates obtained by the group
and the actual collection activity performed
by the group. Many stipends are designed to
“fill the gap” between what is collected and
what is needed to provide anesthesia services.
It is important for the hospital to check
that the anesthesia group is getting market
rates in their managed care contracts, as well
as collecting at least 90% of the allowable
charges. The hospital needs to know, from
a financial standpoint, that they are not
paying more than they should in terms of
the stipend. The ASA Managed Care Survey 6
gives hospitals an instrument to measure how
aggressive the group has been with managed
care contracting. One interesting fact from
the survey shows a minimum increase of
7% in contracted rates over the last survey
performed. This should be good news for
hospitals, because they may be able to reduce
the stipends paid to anesthesia groups.
Conclusion
All hospitals that pay stipends to anesthesia
providers should have a comprehensive compliance
review performed on the anesthesia
group. This review should be completed
to ensure that the hospital has performed
the due diligence required from a fiduciary
standpoint before issuing stipend payments.
Today’s environment demands that payments
made for services meet government documentation
requirements, as well as protect the
hospital from future audits. Expert anesthesia
compliance auditors should be used to assess
Anesthesia departments for risk. Any issues
identified during the compliance review may
be pertinent to negotiations, payments of the
stipend agreement, or development of future
measurements for performance. Hospitals
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

may need to work with providers to improve documentation,
contracting rates, and net collection ratios to make future stipend
payments acceptable for all parties involved. n
1 Centers for Medicare and Medicaid Services: Anesthesiologists Center, 2010. Available at http://www.cms.
gov/center/anesth.asp
2 American Society of Anesthesiologists: Standards Guidelines and Statements, 2010. Available at http://www.
asahq.org/For-Healthcare-Professionals/Standards-Guidelines-and-Statements.aspx
3 Centers for Medicare and Medicaid Services: 2011 State Operations Manual, Appendix A - Survey Protocol,
Regulations and Interpretive Guidelines for Hospitals. See section §482.52 Conditions of Participation: Anesthesia
Services. Available at www.cms.gov/manuals/Downloads/som107ap_a_hospitals.pdf
4 More information on NCCI is available at www.cms.gov/NationalCorrectCodInitEd/NCCIEP/list.asp
5 Centers for Medicare and Medicaid Services: Physician Quality Reporting Initiative, 2011 Physician Quality
Reporting Measures Specifications Manual. Available at http://www.cms.hhs.gov/PQRI
6 Jason R. Byrd and Loveleen Singh: ASA Survey Results for Commercial Fees Paid for Anesthesia Services –
2010. ASA Newsletter, October 2010. Available at http://viewer.zmags.com/publication/a1fcbfae#/a1fcbfae/46
Effective Internal
Investigations
for Compliance
Professionals
A Two-Day Workshop
November 10–11, 2011
San Francisco, CA
To learn more and register, visit
www.internalinvestigations.org
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
23
April 2011

April 2011
24
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
25
April 2011

focus
feature
Mary, Al, and me:
Compliance mentoring at its best
By Frank Sheeder
April 2011
26
Editor’s note: Compliance Today is adding a new article feature on mentorship
Mary
to its line-up. Webster’s Dictionary defines a mentor as “a wise and Mary was the Chief Compliance Officer at CHRISTUS Health for
trusted counselor or teacher.” Compliance Today will publish articles many years. She developed and refined the compliance program to
written by compliance professionals about their experience and the benefits become one of the best I have seen. More importantly, she set a powerful
they derived from being professionally mentored. If you have had a mentor
and consistent tone for compliance across the entire CHRISTUS
and would like to contribute an article for this new feature in
system. She successfully used her leadership skills to help her associates
Compliance Today, please contact Margaret Dragon by e-mail at margaret.dragon@hcca-info.org
understand that compliance is everyone’s job and that the commit-
or by telephone at 781/593-4924.
ment to compliance must exist across the organization and from top to
bottom. Mary’s “people skills” are amazing. She has the ability to size
The first offering was written by Frank Sheeder HCCA Fist Vice President up people and situations quickly, understand competing agendas, and
and a Partner in Jones Day’s Health Care Law practice in Dallas. He may mediate sustainable resolutions to difficult challenges. She is also the
be reached at fesheeder@jonesday.com.
most consistent, disciplined, and compassionate person I have known.
She communicates effectively all the time. You always know where
Being a compliance professional can be tough and lonely. Misperceptions
Mary stands, and where you stand with her. She treats people equally,
of the true nature of the role by stakeholders (and sometimes by regardless of their role or stature. She is wise beyond measure.
compliance people themselves) can lead, for example, to an unfortunate
punitive culture, an “us versus them” mentality, and labeling of I first met Mary when I was representing a CHRISTUS hospital in a
the Compliance department as the “Revenue Prevention department” matter that was rather challenging. It had all of the elements that could
or the “deal killers.” Compliance professionals can feel like they are on lead to an unfortunate and potentially messy outcome. It was my first
an island, and that not enough people in their organization share their engagement for CHRISTUS, and I had just ventured out to start my
commitment and values. With the current onslaught of government own law firm. We were having some challenges, and Mary came in to
enforcement in health care, these factors will only become more help resolve them. I can remember her first words to me as if it were
exacerbated. Mentoring can help to ease the stress that compliance yesterday, spoken in her endearing Irish accent: “And who are you?”
professionals are facing.
Her command of the room began then, and it never waned. She masterfully
got everyone to work together and to develop a perspective that
I have been fortunate to have several strong mentors in my life, both went beyond their unique roles and interests. That was the first of many
personally and professionally. Two of them, Mary Lynch and Al occasions when I saw Mary do that very thing flawlessly. It was also the
Josephs, stand out for their mentoring in the compliance profession. beginning of a wonderful enduring friendship, during which Mary has
Both of them unselfishly share their experience and insight with offered unwavering support, counsel, and encouragement.
others in a positive and constructive way. If you don’t have a mentor,
I hope this article will encourage you to seek one out. If you are in Al
a position to be a mentor, please consider being one. The need is Al has also been a compliance officer for many years, and is the former
greater than ever.
President of HCCA. He is now a Senior Director in Tenet’s Compliance
department. He has offered a steady hand in challenging times.
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

Al is one of the most likeable guys you will ever meet. He is charming, mayor can take a stance, but will do so in a manner that respects the
warm, and engaging. He loves interacting with people, and he in turn individuals who are involved in an issue.
is well-loved. But, beneath the affable and disarming demeanor is a
smart and wise man. He can take what appears to be an intractable They willingly took on the role of mentor
situation and come to a workable outcome with seeming ease. He Both Mary and Al must have seen that I needed lots of help as I developed
calms people down along the way and inspires them to work together. my legal career around compliance. (I believe that need is a lifelong one for
He chooses his words carefully and is often a voice of reason. As a compliance professionals.) They offered insight and guidance in a nonjudgmental,
willing, and non-punitive way. They are not overbearing or
result, people listen to what he has to say. Al also has a keen sense of
humor, and is famous for his one-liners, which are often delivered with controlling. They wanted me to succeed in the way that worked best for me.
an intentionally exaggerated Texas drawl.
They understand how to “do” compliance and mentoring
I first met Al at a monthly meeting of compliance professionals in Dallas. There are several attributes and approaches that make Mary and Al
I was attempting to network and to participate in what I understood to excellent at compliance and mentoring:
be lively and insightful discussions about compliance. Al spotted me as n They are humble. Neither Mary nor Al would seek praise or recognition
for their compliance or mentoring efforts. They will prob-
the new guy in the room and immediately introduced himself. He then
proceeded to introduce virtually everyone else in the room to his new ably fuss at me for focusing this article on them, but their lessons
friend. We committed to have lunch soon and to get to know each other are too valuable not to share.
better. A couple of days later, Al called my office one afternoon while I n They exhibit “servant leadership.”
was out of town with a client. He left a message indicating that he needed n They possess high moral standards from which they do not waver.
me to do a speech. When I didn’t call back right away, he managed to call n More importantly, they live out those standards every day. When
me on my cell phone and explained that he needed me to do a speech you are a compliance professional, everyone watches you closely.
the next morning. It turned out that one of the faculty members for the If you have even seemingly minor compliance lapses, you cannot
HCCA Compliance Academy had cancelled at the last minute, and Al expect others to follow your compliance lead.
was tasked with finding a pinch-hitter. I likewise will never forget what n They are impeccable with their word. If they say something, you
he told me: “If you mess up, I will kill you.” I responded with a nervous can take it to the bank. Period.
laugh, suspecting that he probably meant it. It turns out that I must have n They maintain confidences.
done OK. Since that time, I have become increasingly active in HCCA, n They are excellent listeners.
to the point where I have the honor of being the incoming president. I n They are thoughtful.
frequently reach out to Al as a sounding board.
n They challenge lazy, convenient, or conventional approaches.
n They are flexible, based on the circumstances, but yet unwavering
What I learned from my mentors
when it comes to values and integrity.
Some lessons just can’t be put into words, but here’s a glimpse of what n They introduce people who could benefit from knowing each other,
a good mentor can do.
and help to foster relationships.
n They are champions of all people, including the powerless and folks
What they taught me
who are in bad circumstances.
Mary and Al are extraordinary people who have helped me to become n They are unconditionally loyal.
the compliance counsel that I am today. I’m hopeful that I can share n They work tirelessly.
some of the lessons that they have taught me in a way that allows you
to put them into action.
Maximizing the mentoring experience
Both the mentee and the mentor stand to gain from the experience.
They care about people
Mary and Al put others first, and try to see things from others’ Being a mentee
perspectives. Most successful compliance professionals whom I know In order to maximize the benefits of a mentoring relationship, a mentee
do the same. Al’s influence helped me to develop the theme that a must also have some salient characteristics:
compliance professional should be more of a mayor than a sheriff. A
Continued on page 49
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
27
April 2011

O N L I N E W I T H R E S I D E N C I E S I N A L E X A N D R I A , VA
Graduate Certificate in
Healthcare Corporate
Compliance
CCB
Accredited
Acquire the compliance officer knowledge in demand today.
Unique Format. Seven-month, 12 credit program, with two short
residencies and online distance learning between residencies.
Master the key concepts of high-priority healthcare laws
including federal fraud and abuse law, governance and
corporate responsibility, HIPAA, federal tax law, and more.
Enjoy unparalleled access. Learn from a world-class faculty
teamed with senior regulators, legislators, patient advocates
and legal experts.
Information Sessions
Wednesday, April 13
3:00 pm ET
Online
Tuesday, May 17
1:00 pm ET
Online
Rsvp Today!
1.800.JoinGWU
nearyou.gwu.edu/hcc
You will receive an email
with login instructions
after you RSVP.
Stackable Credentials. Apply this certificate toward a
Master’s of Public Health degree.
Program offered by the College of Professional Studies and
School of Public Health & Health Services, in partnership
with the law firm of Feldesman Tucker Leifer Fidell LLP.
www.gwu.edu/gradapply
36158
THE GEORGE WASHINGTON UNIVERSITY IS AN EQUAL OPPORTUNITY/
AFFIRMATIVE ACTION INSTITUTION CERTIFIED TO OPERATE IN VA BY SCHEV.

Equal visitation
rights for all hospital
patients: CMS
finalizes rules
The final rule revises the Medicare Conditions
of Participation for hospitals and CAHs.
Specifically, Medicare and Medicaid hospitals
will be required to have written policies
and procedures detailing visitation rights,
including the specific circumstances under
which a hospital can restrict a patient’s access
to visitors, based on reasonable clinical needs.
By Janice A. Anderson, Esq. and Kimela R. West, Esq.
The rule requires hospitals to inform incoming
patients of their right to choose their
Editor’s note: Janice A. Anderson, Shareholder in
the Chicago offices of Polsinelli Shughart PC, has
over 25 years’ experience focusing on health regulatory
and compliance issues and over 30 years’
experience working in the health care industry.
She may be contacted by e-mail at janderson@
polsinelli.com or by telephone at 312/873-3623.
that the new Rule “makes it easier for hospitals
to deliver on some of the fundamental
tenets of patient care—care that recognizes
and respects the patient as an individual with
unique needs, who should be treated with
dignity and granted the power of informed
choice.” 1
visitors, regardless of whether the visitor is a
family member, a spouse, a domestic partner
(including a same-sex domestic partner), or
friend, as well as their right to withdraw such
consent to visitation at any time. The Rule
also addresses the right for a “support person”
to be identified for incapacitated persons.
The support person can make the visitation
Kimela R. West is an Associate in the Kansas
City offices of Polsinelli Shughart PC. She
focuses her practice on health care regulatory and
compliance issues as they relate to transactions
and operations of health systems, hospitals, and
physicians. She may be contacted by e-mail
at kwest@polsinelli.com or by telephone at
816/360-4330.
The new Rule implements an April 15, 2010
Presidential Memorandum, in which President
Obama tasked CMS with developing
proposed requirements for hospitals, including
Critical Access Hospitals (CAHs), that would
address the right of patients to choose who
may and may not visit during a hospitalization.
The Memorandum emphasized the
problem that restricted or limited visitation
decisions given to patients under the Rule.
The Rule instructs all Medicare and Medicaid
participating hospitals to not “restrict, limit,
or otherwise deny visitation privileges on the
basis of race, color, national origin, sex, sexual
orientation, gender identity, or disability.” In
addition, the Rule requires hospitals to ensure
that all visitors designated by the patient
(or support person, where appropriate)
On November 17, 2010, the Centers may cause for patients. Specifically, when a enjoy visitation privileges that are no more
for Medicare and Medicaid Services patient cannot have a visitor because there is restrictive than those that immediate family
(CMS) released the final rule on not a legal relationship between the patient members would enjoy.
hospital visitation that allows patients to
designate their own visitors during a hospital
stay (the Rule). The Rule, which will apply to
any hospital that participates in Medicare or
Medicaid, went into effect January 18, 2011.
The Rule will trump previous practices in
many American hospitals that restricted
visitors for some patients to spouses and
immediate family – even in emergency rooms
and intensive care units. The Rule requires
hospitals to notify a patient or “support person”
(as defined in the Rule) of his/her visitation
rights, and requires all hospitals to establish
non-discriminatory visitation policies. CMS
and visitor, physicians and hospital staff
miss an opportunity to gain valuable patient
information regarding the patient’s medical
history and condition from those who may
know the patient best. In the Memorandum,
President Obama pointed out the plight of
individuals who are denied the comfort of a
loved one, family member, or a close friend
after they are admitted to the hospital. The
Memorandum indicated that these individuals
are often denied the most basic of human
needs, simply because the loved ones who
provide them comfort and support do not fit
into a traditional concept of “family.”
The Rule creates a new concept of a “support
person” who is not a legal representative per se,
but is the one who can make decisions regarding
visitors for incapacitated patients. In the
final rule, the term “support person” was
substituted for the term “representative” used
in the proposed rule published on June 28,
2010. CMS changed the term in response to
many commentators who expressed confusion
concerning the use of the term “representative.”
Commentators were unclear about
whether the patient’s representative for visitation
purposes needed to be the patient’s legal
administrator Donald Berwick, MD, explained
Continued on page 30
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
29
April 2011

Equal visitation rights for all hospital patients: CMS finalizes rules ...continued from page 29
April 2011
30
representative for decision-making purposes.
CMS clarified that the individual responsible
for exercising the patient’s visitation rights
does not need to be the same individual who
is legally responsible for making medical
decisions on the patient’s behalf, though it
is possible for both roles to be filled by the
same individual. Further, the designation of
a support person for purposes of exercising
the patient’s visitation rights generally does
not need to be in writing; however, when
the patient is incapacitated and there is a
clear dispute between two or more people
over whether a particular person should be
the support person, hospitals and CAHs can
require written documentation to establish
support person status. In the absence of a
verbal support person designation, hospitals
should look to their established policies and
procedures for the purpose of exercising a
patient’s visitation rights.
CMS strongly encourages individuals to
establish written advance directives that
document the selection of a designated legal
representative and the support person for
purposes of making visitation decisions,
along with the patient’s choices about specific
medical conditions and treatments. Such
documentation will help ensure that the
patient’s wishes are honored.
Under the final rule, a hospital must meet
the following requirements:
n Inform each patient (or support person,
where appropriate) of his/her visitation rights,
including any clinical restriction or limitation
on such rights, at the same time the patient is
informed of his/her other rights.
n Inform each patient (or support person,
where appropriate) of the right, subject
to his/her consent, to receive the visitors
whom he/she designates, including,
but not limited to, a spouse, a domestic
partner (including a same-sex domestic
partner), another family member, or a
friend, and the patient’s right to withdraw
or deny such consent at any time.
n Not restrict, limit, or otherwise deny
visitation privileges on the basis of race,
color, national origin, religion, sex, gender
identity, sexual orientation, or disability.
n Require proof of a relationship between a
patient and a visitor only when the patient
is incapacitated and there is a clear dispute
between two or more people over whether
a particular person is the support person.
The following forms of proof are suggested:
an advance directive naming the
individual support person, approved visitor,
or designated decision maker; shared
residence; shared ownership of a property
or business; financial interdependence;
marital/relationship status; existence of a
legal relationship recognized in any jurisdiction;
and acknowledgment of a committed
relationship (i.e., an affidavit). This
list of proof and documentation is not
intended to be exhaustive of all potential
sources of information regarding proof of
a relationship to allow patient visitation or
support person preferences.
n Develop restrictions on visitation
privileges only if clinically appropriate.
Examples of clinically appropriate reasons
upon which hospitals and CAHs might
impose restrictions or limitations on visitors
include: when the patient is undergoing
care interventions; when there may be
infection control issues; or when visitation
may interfere with the care of other
patients. There are other, similarly obvious
areas where restriction or limitation of
visitation may also be appropriate: existing
court orders restricting contact of which
the hospital or CAH is aware; disruptive,
threatening, or violent behavior of any
kind; the patient’s need for rest or privacy;
limitations on the number of visitations
for clinical reasons during a specific period
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
of time; minimum age requirements for
child visitors; and inpatient substance
abuse treatment programs that have clinical
necessary protocols limiting visitation.
n Ensure that all visitors enjoy full and equal
visitation privileges consistent with patient
preferences.
CMS finalized the Rule based on thousands of
comments from patient advocates, the hospital
community, and other stakeholders. Because
of the new Rule, hospitals should develop
visitation policies and procedures if they do
not have them, or review and revise existing
policies and procedures if they do. In doing so,
hospitals need to evaluate and identify explicitly
those clinically appropriate reasons to allow the
hospital to restrict visitation under the Rule.
Hospitals also should review and, if necessary,
revise admission and advanced directive
procedures to address the new requirements
of the Rule. It is also advised that hospitals
educate their staff on the hospitals’ new policies
and procedures regarding the Rule, because a
failure to adopt and implement visitor policies
in accordance with the Rule could provide new
bases for hospital liability. n
1 CMS News Release, Medicare Finalizes Rules to Require Equal Visitation
Rights for All Hospital Patients. November 17, 2010. Available at
http://www.hhs.gov/news/press/2010pres/11/20101117a.html.
2 The White House, Office of the Press Secretary, Presidential Memorandum-
Hospital Visitation. April 15, 2010. Available at http://www.
whitehouse.gov/the-press-office/presidential-memorandum-hospitalvisitation.
Contact Us!
www.hcca-info.org
info@hcca-info.org
Fax: 952/988-0146
6500 Barrie Road, Suite 250
Minneapolis, MN 55435
Phone: 888/580-8373
To learn how to place an advertisment
in Compliance Today, contact Margaret
Dragon: e-mail: margaret.dragon@hccainfo.org
phone: 781/593-4924

Unclaimed property
compliance and
health care
By Diann L. Smith, Esq.; Marlys A. Bergstrom, Esq.; and Jessica Kerner, Esq.
impossible to recreate an insurance providers’
payment history. Unclaimed property audits
live in the world of old documentation,
and health care has to keep pace with this
electronic age. Unfortunately when the two
worlds collide, health care pays the cost.
Editor’s note: Diann L. Smith is Counsel in
the Washington DC offices of Sutherland Asbill
& Brennan LLP. She is a member of the Tax
Practice Group, concentrating on state and local
tax matters. She may be contacted by e-mail at
diann.smith@sutherland.com or by telephone
at 202/383-0884.
Marlys A. Bergstrom is an Attorney in the
Unclaimed Property Practice in the Atlanta
offices of Sutherland Asbill & Brennan LLP. She
may be contacted by e-mail at marlys.bergstrom@
sutherland.com or by telephone at 404/853-8177.
Jessica Kerner is an Associate at Sutherland Asbill
& Brennan LLP in New York. She is member
of the Tax Practice Group and focuses on state
and local tax matters. She may be contacted by
e-mail at jessica.kerner@sutherland.com or by
telephone at 212/389-5009.
It is no secret that states are facing huge
budget deficits. With unemployment
numbers teetering in the double digits,
and foreclosures continuing to skyrocket, the
notion of raising taxes is about as popular
as…well, you choose the analogy.
Faced with unsustainable structural deficits,
states do have an effective money raising
weapon in their arsenal that brings much
needed funds into the states’ coffers,
without the politically unfavorable stigma
associated with raising taxes. This antiquated
yet efficient weapon is the unclaimed
property law. All 50 states and the District
of Columbia have these laws. Unclaimed
property laws require that organizations that
hold unclaimed intangible property that has
not been paid to or otherwise claimed by
the rightful owner by a certain date must be
paid over to the state. What is the result of
recent enforcement of these laws? Billions of
dollars have been turned over to the states.
For example, the California State Controller
reported that the state is currently holding
over $6 billion in unclaimed property funds.
What organizations make good audit targets?
In other words, where are the states likely to
get the most bang for their buck? As you will
soon learn, unclaimed property is not a tax,
but if it were a tax, it would be a tax on the
disorganized. Unclaimed property auditors
thrive on lots of old missing records, periods
of time where the financial records simply no
longer exist, and organizations with frequent
changes to their financial systems. Auditors
also have discovered that organizations that
deal with a significant amount of “small”
balances generally end up owing big dollars.
Most organizations have a pretty good
grasp on unclaimed property reporting
as far as accounts payable and payroll are
concerned. These same organizations are
woefully unaware of the unclaimed property
generated by credit balances. This explains
the unclaimed property profile of the health
care industry. Unfortunately, it is common
knowledge among state unclaimed property
auditors. Health care audits generally
yield significant monetary results for
states. Records are not available, small credit
balances are written off, and frequent changes
to billing and financial systems make it nearly
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
What is unclaimed property?
Generally, unclaimed property is property
that the owner has not taken some action to
indicate an ownership interest or awareness
of the property during a certain period of
time specified by law. When this failure to
act or “abandonment” occurs, it becomes the
obligation of the party holding the property
to report and pay over the property to the
state. The rationale behind the requirement
to turnover the property to the state is that
the state can best preserve and protect the
interest of the rightful owner. The state
becomes the custodian of the unclaimed
property and steps into the shoes of the
owner. The unclaimed property laws in most
states primarily pertain to intangible property,
such as uncashed payroll and vendor checks,
unredeemed gift cards, uncashed dividend
checks, and two types of property that are of
particular interest to the health care industry:
account receivables and credit balances.
Application of the unclaimed property laws
The priority rules for determining which state
is entitled to “hold” unclaimed property when
the owner can not be located were established
in 1965 by the United States Supreme Court.
Essentially two rules determine which state
has the right to property deemed abandoned.
The “primary rule” requires that property
must be turned over by the holder to the
state of the owner’s last known address. If the
holder does not have a record of an address
for the owner or if the state of the owner’s
last known address does not provide for
Continued on page 33
31
April 2011

Is your Employee and Vendor Screening Solution
Meeting All Your Needs?
SM
● Easy to Use
● Automated Solution
● Verify Caregivers’ License Information
● Economical Solution/Competitive Pricing
● Search Federal and State Databases
● Produces Concise Results
● Unlimited Screening with 24/7 Access
● Backed by a Company with Compliance Experts
Stop by our Booth #104 at the National HCCA Compliance Institute
to see a demonstration.
Call BESLER Consulting - 877.4BESLER
April 2011
32
VerifiedSM
— Put the Power of Our Expertise in Your Hands
www.besler.com/bverified.htm
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
sm
Scan qr code
to learn more

Unclaimed property compliance and health care ...continued from page 31
remittance of the property to the state, the severely understaffed. As a result, unclaimed by overpayments by insurance companies,
“secondary rule” is applied, and the right to property audits are most often conducted duplicate payments, and the constant changing
the property goes to the state in which the by third-parties who contract with the state. and upgrading of billing systems.
holder is incorporated. However, the primary These third-party auditors are usually paid
rule always provides a superior right to the a contingent fee of 10% to 12% of the Scenarios
state of the owner’s address, and if another final liability. Only a handful of third-party Below are a few examples of common
state submits proof it is the state of the unclaimed property auditing companies exist, situations that generate credit balances in the
owner’s last known address, the state in which and most states have contracts with one or health care industry which potentially create
the holder is incorporated must remit the more of these firms. As a result, most audits property subject to remittance under a state
property to the state with the superior right. are multi-state audits, typically conducted by unclaimed property laws and definitely fall
a third-party auditor for 10 to 23 different within the assessment sights of an auditor
Enforcement of the unclaimed property laws states at one time.
paid on a contingent fee basis.
The unclaimed property laws have been a
part of states’ laws for decades, but the states’ Another important distinction between 1. A patient comes into a medical center
application and enforcement of the laws unclaimed property and tax collections is the and pays a $25 co-payment for a wellness
via audits is a more recent phenomenon. lack of an administrative remedy to dispute an exam. The provider bills the patient’s
Although unclaimed property laws are unclaimed property liability. If a company disagrees
insurance company and the wellness exam
enforced through audits, don’t be fooled.
with an unclaimed property assessment, is fully covered under the patient’s insur-
These audits are not like the tax audits with generally the only remedy is in civil court. ance policy without a co-payment by the
which most companies are familiar. Enforcement
Delaware is the only state that provides for an patient. The $25 collected from the pa-
of unclaimed property laws is quite administrative remedy, and this remedy is only tient by the medical center is a duplicate
different from enforcement of the tax statutes, of very recent vintage. However, the administrative
payment and is property that should be
because unclaimed property is not a tax.
remedy provided is largely weighted in returned to the patient or if, the patient
Unclaimed property is a property right, and Delaware’s favor, because the audit manager cannot be found, is unclaimed property
property rights are something that is held in in charge of the liability being challenged subject to remittance to the state.
deep reverence in the United States. The most decides the outcome of the initial appeal. 2. Based upon old contract rates with an
significant difference between enforcement of
insurance provider, the hospital billing
the unclaimed property laws and the tax laws Unclaimed property and health care
system is set up to record a receivable
is that there is no concept of a statute of limitations
providers
for $600 for procedure X. The insurance
with respect to unclaimed property. Why should companies in the health care busi-
company pays the hospital $700, because
During an unclaimed property audit, the state ness be so concerned with unclaimed property? under the new contract, the rate for
auditor is permitted to look back to the date The reason is simple: Health care has always procedure X is $700. From a review of the
in which the corporation was incorporated or been a viable target and lucrative unclaimed books, it appears that the hospital received
when the state enacted its unclaimed property property audit target. All institutions across the an overpayment of $100; however, the
statute. Generally, unclaimed property audits health care industry make good state targets, hospital was paid the correct amount and
will look back approximately 10 to 20 years. including hospitals, medical centers, and dialysis an error with the billing system created the
centers. The industry is a good target because it appearance of an incorrect overpayment.
There are a number of other aspects of generates significant credit balances; frequently
unclaimed property audits that make them involves at least three parties to the payment These types of transactions can and do
different from tax audits. The first is the process (the provider, the patient, and an insurance
happen often, and can result in hundreds
affiliation of the personnel conducting the
company); and has complicated billing, of thousands of dollars in credit balances
audit. Unclaimed property is generally payment, and accounting rules that vary greatly on a single organization’s books. As the
administered from a division of a state’s even within a single entity. Credit balances, the transactions continue to multiply and the
Department of Revenue or Treasurer’s Office, target of unclaimed property audits of members
credit balances become larger, it becomes
but most unclaimed property divisions are
of the health care industry, are generated
Continued on page 34
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
33
April 2011

Unclaimed property compliance and health care ...continued from page 33
April 2011
34
increasingly difficult to unwind the
individual transactions. To an unclaimed
property auditor, the matter is simple:
There is an amount the hospital should
have collected, a larger amount that was
collected, and the excess is therefore
unclaimed property subject to remittance
to a state. The burden of unwinding these
complex transactions and proving the
amount that should have been collected is
on the health care provider.
3. An insurance company accidentally makes
an overpayment to a health care provider,
often as part of a lump sum payment
involving multiple claims. The health care
provider tries to return the money, but
the insurance company refuses to accept
it. This often happens if an insurance
company does not know where to “post”
the returned payment. Nevertheless, often
the insurance company will not disclaim
an interest in the property. The health
care provider is forced to hold money for
someone who refuses to take back the
money, but will not give up a claim to the
money. As a result, health care companies
will often place such funds into a suspense
account until a determination is made
as to how to adequately dispose of the
funds. Unclaimed property auditors target
suspense accounts, particularly those
accounts that contain credit balances in
excess of 120 days.
3. Assuming the organization has filed an
unclaimed property report, did it ever
report credit balances?
4. Do outstanding credit balances remain on
an aging report longer than 120 days?
If the answer was “no” to any of these questions,
there is a strong likelihood that the
organization has an unclaimed property issue.
The remedy
Unfortunately, no quick fix exists when it
comes to unclaimed property, but there are
opportunities to mitigate unclaimed property
exposure. The first step is to ensure that the
organization is in compliance with unclaimed
property laws. If the organization is not in
compliance, it needs to get into compliance,
which may require significant effort and
commitment.
The states are generally forgiving when holders
of unremitted unclaimed property come forward
voluntarily. When an organization comes
forward voluntarily, most states will generally
waive penalties and interest, but will require
a look-back period of approximately 10 years
in the determination of the actual property
liability. Before an organization voluntarily
comes forward and begins filing, serious
consideration should be given to the idea of
performing an internal exam or self audit.
Given the potentially large liability and other
important considerations, an initial conversation
management, and the necessary resources must
be provided in order to remain in compliance.
Opportunities exist to minimize an organization’s
potential unclaimed property exposure,
particularly with respect to credit balances.
First, several states have statutory limitations
periods that apply to certain overpayments,
unidentified remittances, uncashed refund
checks, and credit balances held by health
care providers. These maybe applied to
transactions between health care providers
and various insurance companies.
Second, some states have enacted business-tobusiness
exemptions that specifically exclude
certain property types from the states’
unclaimed property laws. To the extent that
a business-to-business exemption provision
applies to the items at issue for health care
providers, the property will not be considered
unclaimed property and therefore will not
have to be remitted to the state. Generally,
in order for a health care provider to take
advantage of these exemptions, the health
care provider:
n must be engaged in current and continuous
business relationships with all the
insurance companies for which it has an
overpayment reflected on its books, and
n must have a business relationship at the
time the property is “deemed abandoned”
under the relevant state unclaimed
property law.
The unclaimed property quiz
Health care organizations should not
wait until an auditor arrives to determine
potential unclaimed property liability. Such
companies should initially answer these few
simple questions:
1. Before reading this article, did anyone in
the organization know what “unclaimed
property” is?
2. Has the organization ever filed an
with counsel is a good starting point.
Once over the past liability hurdle, the next
challenge is to stay in compliance. The key
to continuing compliance is implementing
processes and procedures that not only adhere
to the unclaimed property laws, but also
are customized to the specific organization.
Another key to success is management support.
Unclaimed property compliance must
Therefore it is recommended that the health
care provider be engaged in a transaction
with the insurance company within the 12
months immediately preceding the end of the
abandonment period. Before taking advantage
of these business-to-business exemptions,
it is advisable that the company consult with
both in-house counsel and outside counsel.
States have begun to closely scrutinize the
unclaimed property report?
be seen as a priority from the top levels of
Continued on page 39
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

The discharge
planning process
and patient choice:
Educating staff
By Frank Riccardi, JD, CHC, CFE, CICA, CPHRM;
Nicole Rene; and Cathy Niland, RN, CHC, CHCQM
Editor’s note: Frank Riccardi is Executive
Director of Organizational Integrity & Internal
Audit with Adventist HealthCare located in
Rockville, Maryland. He may be contacted by
telephone at 301/315-3371 or by e-mail at
friccard@adventisthealthcare.com.
Nicole Rene is an Internal Auditor with Adventist
HealthCare in Rockville, Maryland. She may be
contacted by telephone at 301/315-3684 or by
e-mail at nrene@adventisthealthcare.com.
Cathy Niland is an Organizational Integrity
Manager with Trinity Health in Farmington
Hills, Michigan. She may be contacted by
telephone at 248/324-8356 or by e-mail at
nilandc@trinity-health.org.
Navigating the highly regulated
waters of discharge planning can be
frustrating to nurses and other caregivers
who work in case management, particularly
since patient choice has long been a
focus area of the U.S. Department of Health
& Human Services Office of the Inspector
General (OIG). 1
Denying patient choice—whether by intent
or ignorance—can lead to compliance
violations, decreased patient satisfaction, and
conflicts with other health care providers.
For example, a common complaint made
by home health agencies (HHA) and skilled
nursing facilities (SNF) is that some hospitals
steer patients to HHAs or SNFs that are
owned by the hospital. Another concern,
primarily expressed by discharge planners, is
that some physicians require that patients be
sent to the physician’s “preferred” provider.
To ensure the right of patient choice, hospitals
should educate case managers on the applicable
regulations, including how to document a
compliant discharge planning process.
The frequently asked questions (FAQ) listed
below are designed to help the compliance
professional develop an educational tool that
will remove some of the confusion surrounding
discharge planning and patient choice.
Discharge planning and patient choice
Question: Do patients have a right to choose
what home health agency (HHA) or skilled
nursing facility (SNF) they will be transferred
to upon discharge from a hospital?
Answer: Yes, patients (and their family
members) have the right to make important
decisions about post-hospital care. This
includes the right to choose which Medicareparticipating
HHA or SNF they would like
to go to. The discharge planning process and
the right of patient choice is regulated by the
Medicare Conditions of Participation (CoP). 2
Question: In a nutshell, how does the discharge
planning process ensure patient choice?
Answer: As part of the discharge planning
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
process, the patient (and family members)
must be counseled to prepare them for posthospital
care, and the items listed below must
be part of the discharge plan:
n The patient must be given a list of HHAs or
SNFs that participate in Medicare and serve
in the geographical area where the patient
resides (or where the patient requests);
n The hospital must document in the
medical record that the list was presented
to the patient;
n The hospital must inform patients of
their freedom to choose among Medicare
participating HHAs or SNFs, and cannot
specify or limit the qualified providers that
are available; and
n The hospital must disclose any financial
interest in an HHA or SNF.
Respecting patient choice
Question: What does the discharge planner
need to do to ensure patient choice?
Answer: Once it has been determined that
the patient needs post-acute services, the
discharge planner must provide the patient
with a list of appropriate HHAs or SNFs.
Question: Does every HHA or SNF need to
be included on this list?
Answer: No. The list must contain only those
HHAs or SNFs that participate in Medicare
and are in the geographical area where the
patient resides (or where the patient requests).
Also, an HHA is not automatically included
on the list; rather, the HHA must request to
be placed on the list. However, SNFs do not
need to request placement on the list.
Question: Does the CoP say what the
patient choice list is supposed to look like?
For example, can the hospital place a preferred
provider at the top of the list? Or does
the list have to be in alphabetical order?
Answer: The CoP does not mandate how
Continued on page 37
35
April 2011

April 2011
36
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

The discharge planning process and patient choice: Educating staff ...continued from page 35
the list should be organized. Therefore, a
preferred provider could be at the top of the
list, or highlighted in bold. Also, providers do
not need to be listed in alphabetical order.
Question: The patient would like to go to
an HHA that is owned by the hospital. Must
this be disclosed to the patient?
Answer: Yes. The discharge plan must identify
any HHA (or SNF) in which a hospital
has a financial interest.
Question: Are there circumstances where the
discharge planner does not have to honor the
patient’s choice of post-acute provider?
Answer: Sometimes it is not feasible to honor
the patient’s choice of post-acute provider,
such as when the preferred SNF does not
have available beds, or the preferred HHA
does not service the patient’s geographical
area. In such cases, the hospital’s efforts to
provide patient choice should be documented
in the discharge plan.
Question: Do the CoP requirements for discharge
planning and patient choice only apply
to HHAs and SNFs, or do they apply to other
post-acute providers such as durable medical
equipment (DME) and hospice providers?
Answer: The discharge planning/patient
choice regulations apply to all post-acute care
services, including DME and hospice. 3
Question: How does the case manager
document patient choice?
Answer: The CoP does not tell hospitals how
to document patient choice. Instead, it is up
to the hospital to determine the best way to
document patient choice. One option is for
discharge planning staff to post a note into
the medical record. Alternatively, discharge
planning staff may give the patient a “Patient
Choice” form to sign. This is typically done
by using software (such as eDischarge or
AllScripts) to generate a patient choice letter
that is then uploaded into the medical record.
Question: What should the discharge planner
say to patients?
Answer: According to the CoP, the hospital
must inform patients of their freedom to
choose among Medicare participating HHAs
or SNFs, and cannot specify or limit the qualified
providers that are available. This means
that discharge planners must tell patients about
their right to choose their own post-acute care
provider, and not “steer” the patient toward
or away from a particular provider. Discharge
planners can, however, provide factual information
about a post-acute care provider so that
the patient can make an informed choice.
Typically, a discharge planner will provide a
list of post-acute care providers to the patient
and say, “You have the right to choose which
nursing home you would like to use. Here is
a list of nursing homes that provide services
near your home.”
If the patient makes a choice, then the discharge
planner takes care of the logistics,
and the patient is discharged to the chosen
SNF. However, if the patient cannot make
a choice, then it is okay for the discharge
planner to provide information, so that the
patient can make an informed choice. For
example, the discharge planner could review
the list with the patient and say:
n “Acme Nursing Home has an occupational
therapy program. Would you like information
about Acme Nursing Home to help
you choose?”
n “Our hospital has a preferred provider
relationship with ABC Nursing Home.
Would you like information about ABC
Nursing Home to help you choose?”
n “Our hospital owns Quality Nursing Home.
Would you like information about Quality
Discharge planners and post-acute care
providers
Question: Every so often, a representative from
an HHA or a SNF will stop by with pens, food,
or other gifts for the discharge planners and
case management staff. Is this okay?
Answer: If your organization has a “zero
tolerance” policy with respect to accepting
such gifts, the answer is no. To avoid
the appearance of conflicts of interest, it’s
important to develop a clear policy on gifts
and entertainment, and communicate that
policy to your staff.
Examples
Question: A discharge planner sends a
patient to Acme Nursing Home because the
SNF is the physician’s preferred provider,
and the physician only refers patients to that
SNF. Is this okay?
Answer: No. The physician’s preference
cannot override the patient’s choice.
According to the CoP, the hospital cannot
“…specify or otherwise limit the qualified
providers that are available to the patient.” 4
In circumstances where a physician tells a
discharge planner to discharge patients only
to a specific SNF or HHA, the discharge
planner should instead comply with the CoP,
and educate the physician about the patient’s
right of choice.
Question: Does the answer to the question
above mean that a physician or hospital cannot
have a preferred provider?
Answer: No. Physicians and hospitals can
have preferred providers; however, a physician
or hospital’s preference cannot override the
patient’s right of choice. For example, there
is nothing wrong with a physician writing an
order for a specific acute-care provider. However,
the patient must still be given a choice,
and the discharge planner would document
that choice in the medical record.
Nursing Home to help you choose?”
Continued on page 39
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
37
April 2011

The Health Care Compliance
Professional’s Manual
SUBSCRIPTION SERVICE INCLUDED WITH
PERIODIC UPDATES
• Hard-copy subscribers receive
quarterly updates
• Internet subscribers receive updates
as soon as they are issued
The Health Care Compliance Professional’s
Manual gives you all the tools you need to plan
and execute a customized compliance program
that meets federal standards. Available via print
or the Internet, the Manual walks you through
the entire process, start to finish, showing you
how to draft compliance policies, build a strong
compliance infrastructure in your organization,
document your efforts, apply self-assessment
techniques, create an effective education
program, pinpoint areas of risk, conduct
internal probes and much more.
The Health Care Compliance Professional’s Manual shows you how to:
• Confidently use OIG publications and
Federal Sentencing Guidelines to help you
plan and execute a customized compliance
strategy that meets strict federal standards
• Perform risk assessments within your
program to help you uncover possible
areas of risk
• Draft your own compliance policies that
will form the basis for your organization’s
program
• Develop and reinforce a solid
infrastructure, including guidelines for
hiring the right personnel
• Design an effective education program that
instills the importance of compliance
• Conduct your own internal probes to
surface and cure questionable activities,
thus mitigating possible penalties
• Keep continually up-to-date with the latest
regulatory changes, including practical
coverage of federal and state laws
USED BY HCCA AS THE
BASIC TEXT FOR ITS
COMPLIANCE ACADEMY
April 2011
www.hcca-info.org 38
| 888-580-8373
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

The discharge planning process and patient choice: Educating staff
...continued from page 37
Unclaimed property compliance and health
care ...continued from page 34
Question: QualityCare Hospital is a 280-bed
acute-care facility that owns Quality Nursing
Home. Is it permissible for Quality Nursing
Home to be the hospital’s preferred provider
of skilled nursing services?
Answer: Hospital-owned HHAs or SNFs
may be preferred providers; however,
discharge planners must still include other
post-acute care providers on the patient list of
choices, and must also disclose to the patient
any financial interest in the HHA or SNF.
A compliant discharge planning process would
look as follows. The discharge planner meets
with the physician and the patient to discuss
discharge plans, and it is agreed that the patient
will go to a SNF upon discharge. The discharge
planner gives the patient a list of SNFs in the
patient’s geographic area, and informs the
patient that Quality Nursing Home is affiliated
with QualityCare Hospital. The patient’s
family visits three of the SNFs on the list, and
thereafter makes a choice. The discharge planner
takes care of the logistics, and the patient is
discharged to the chosen SNF. (The patient
probably isn’t able to visit the SNFs herself, so it
makes sense for her family to do it.)
Conclusion
A thorough understanding of the right of
patient choice not only assures compliance with
the CoP, but also results in increased patient
satisfaction and a safe transition of care. FAQs
are a simple and effective way to educate nurses,
social workers, and other discharge planning
staff on the patient’s right of choice. n
1. Compliance Program Guidance for Hospitals, 63 FR 8987 (February
23, 1998).
2. Medicare Conditions of Participation, 42 C.F.R Section 482.43.
3. Medicare Program: Changes to the Hospital Inpatient Prospective Payment
System and Fiscal Year 2005 Rates, Federal Register, August 11,
2004, page 49228.
4. 42 CFR Section 482.43(c) (7).
application of the business-to-business
exemptions, and each state law varies in the
application of the exemption. Furthermore,
some states may have impermissibly narrowed
the statutory exemption through regulatory
pronouncements.
Finally, remember that unclaimed property
is easy money for states. The current state
budget deficits will not be cured overnight.
Almost everyday there is new state legislation
permitting the “borrowing” of funds from
state earmarked unclaimed property accounts
for use in the general fund account. Raising
taxes is politically unfavorable, but increased
unclaimed property compliance often flies
under the radar. Therefore, the states turn
to those industries with large amounts of
unidentifiable funds, such as health care. As a
result, health care companies must prepare for
the inevitable. n
Compliance Today Editorial Board
The following individuals make up the Compliance Today Editorial Advisory Board:
Gabriel Imperato, Esq, CHC
CT Contributing Editor
Managing Partner
Broad and Cassel
Ofer Amit, MSEM, CHRC
Research Compliance
Administrator
Baptist Health South Florida
Janice A. Anderson,
JD, BSN
Shareholder
Polsinelli Shughart, PC
Christine Bachrach, CHC
Chief Compliance Officer
University of Maryland
Dorothy DeAngelis
Managing Director
FTI Consulting
David Hoffman, JD
President
David Hoffman & Associates
Gary W. Herschman,
Chair, Health and Hospital Law
Practice Group
Sills Cummis & Gross P.C.
Eric Klavetter, JD, MS, MA
Privacy and Compliance Officer
Mayo Clinic
F. Lisa Murtha, JD, CHC,
CHRC
Partner, Sonnenschein Nath &
Rosenthal, LLP
Robert H. Ossoff, DMD,
MD, CHC, Assistant Vice
Chancellor for Compliance and
Corporate Integrity
Vanderbilt Medical Center
Jacki Pemrick
Privacy Officer
Mayo Clinic
Deborah Randall, JD
Partner
Arent Fox LLP
Emily Rayman
General Counsel and Chief
Compliance Officer
Community Memorial Health
System
Rita A. Scichilone, MSHA,
RHIA, CCS, CCS-P
Director of Practice Leadership
American Health Information
Management Association
James G. Sheehan, JD
New York State
Medicaid Inspector General
Lisa Silveria, RN BSN
Home Care Compliance
Catholic Healthcare West
Jeffrey Sinaiko,
President
Sinaiko Healthcare Consulting, Inc.
Debbie Troklus,
CHC-F, CCEP, CHRC
Assistant Vice President for Health
Affairs/Compliance, University of
Louisville School of Medicine
Cheryl Wagonhurst, JD, CCEP
Partner
Law Office of Cheryl Wagonhurst
Linda Wolverton, CHC,
CPHQ, CPMSM, CPCS,
CHCQM, LHRM, RHIT
Vice President Compliance
Team Health, Inc.
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
39
April 2011

TRANSPARENCY
IS POWER
Monitor, discover, act and rest assured
State and federal authorities have drastically increased health care fraud and abuse enforcement actions in the last few years,
collecting billions of dollars in CMPs. The stakes are high and mitigating your organization’s legal, financial and reputational risks is
increasingly important.
Again a proud sponsor of HCCA’s Compliance Institute, Verisys® provides health care compliance professionals
with the tools they need to reduce threats from high-risk people, professionals and business
entities. As the leading provider of sanctions, exclusions and disciplinary actions in our flagship data
source FACIS®, Verisys offers a full complement of primary sources to monitor licensure, DEA, criminal,
sex offender, abuse registries and more.
Our ProviderSentinel® continuous monitoring programs integrate selected primary sources and verification services into a
comprehensive solution that identifies adverse activity affecting your organization’s ability to continue relationships. Simply put,
Verisys provides you the clearest and most complete picture of the people, professionals and companies you deal with,
thereby protecting your organization from undisclosed risks.
verisys.com | 888.VERISYS
Verisys products allow our clients to:
n Reduce non-compliance penalties
n Minimize legal risk
n Prevent health care waste, abuse and fraud
n Preserve institutional reputation and public image
n mprove the quality of health care delivery in the U.S.
Verisys Corporation
1001 N. Fairfax Street, Suite 640
Alexandria, VA 22314
10653 River Front Parkway, Suite 140
South Jordan, UT 84095-3531
© 2011 Verisys Corporation. All rights reserved.
Verisys is a fully accredited credentials verification organization by URAC.
Verisys is a NCQA certified CVO for the verification of Medical Board
Sanctions, Medicare/Medicaid Sanctions and Ongoing Monitoring of Sanctions.

Corporate Compliance & Ethics Week May 1–7, 2011
Official poster for Corporate
Compliance & Ethics Week:
20" x 28" glossy color poster
$6.25 (min. order 10)
Four colorful glossy posters, 20" x 28", each showcasing a different ethics message
(4-pack includes one of each poster). Perforated strip along bottom allows easy
removal of Corporate Compliance & Ethics Week logo once week is over.
$30.00 per 4-pack
Highlighter, 5.3", blue ink, with
carabiner top
$1.75 (min. order 10)
Mini metal flashlight, 2.4", with carabiner
$3.50 (min. order 10)
Order at
www.hcca-info.org/complianceweek
Order before Friday,
April 15 to ensure delivery by
Compliance Week!
Questions, call our order fulfillment center at 877/646-
9226
Retractable computer screen cleaner and
keyboard duster, 2.5" closed
$3.00 (min. order 10)
5-color post-it flag carrier, 3.25" x 2.2"
$1.50 (min. order 10)
Translucent travel tumbler, 15 oz,
with screw-on lid (BPA-free)
$4.50 (min. order 5)
Jelly smacker stress ball, 2.25" diameter
$4.99 (min. order 5)
Travel clock/timer with memo-clip top,
3.25" x 2.2"
$3.95 (min. order 10)
Retractable ballpoint pen, black ink
$1.35 (min. order 20)

April 2011
42
Protecting health
information during
a remote review by a
business entity
Editor’s note: Cora M. Butler is the Director of
Commercial Operations for Primaris in Columbia,
Missouri. She oversees business operations,
including customized medical record reviews,
Medicare Risk Adjustment coding, and Core
Measure Abstraction. She further collaborated
in the development of The Missouri Health
Information Technology Assistance Center. Cora
was the Compliance Officer for Missouri’s largest
writer of workers’ compensation insurance,
where she developed a corporate governance
program focused on issues such as e-commerce,
IT governance, data privacy and security, and
internal controls. She may be contacted by
e-mail at cbutler@primaris.org.
A
hot topic in the health care industry
is how to protect confidential
health information while providing
remote access to the professionals who need
to review that information. Security rules
outlined by the Health Insurance Portability
and Accountability Act (HIPAA) require
medical organizations to protect the confidentiality
and integrity of patient information,
including electronic Patient Health
Information (ePHI). Organizations compelled
to do so may be covered entities, such
as health plans or providers, or their business
associates.
The Health Information Technology
for Economic and Clinical Health Act
(HITECH) requires medical organizations to
add data-breach rules to their existing HIPAA
By Cora M. Butler, JD, RN, CHC
practices. 1 This law promotes the conversion
of health records to electronic form
while ensuring that confidential information
remains confidential.
The topic has become so important because
remote access is now regularly given to
both business associates and researchers.
The medical research industry is currently
addressing how to store data so people cannot
read identifying information in a patient file. 2
This process may be relevant to business associates,
because new technologies may emerge
that benefit them and medical researchers.
But, any effective strategy for keeping remote
access secure will concentrate on protecting
business entities on two levels: organizational
policies and electronic security.
Before the age of portable computing, it was
much easier to protect ePHI. Now, people
can remotely access main health care systems
by using home computers and laptops, and then
store information on a variety of devices—hard
drives, laptops, CDS/DVDs, USB flash drives,
smart phones, PDAs, remote-access backup
media, and wireless access points, and any
other device with information storage
capability. Home-based insurance billers need
to access hospital records that contain sensitive
information. Medicare Advantage hires
abstract review specialists who work on home
computers. Physicians and other medical
personnel increasingly access patient records
remotely as well.
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
The question becomes one of security. How
do you prevent confidential patient health
information from being stolen or lost?
The answer lies in a two-tier structure of
controls. The first tier limits access to essential
personnel and provides recourse when
confidential data is lost or stolen. It is devoted
to developing and implementing policies,
training employees, and reporting incidents.
The second tier concerns securing electronic
records through a risk management framework
that protects data at the original source
and remotely. Clearly, there is no simple
solution to protecting PHI, but there are
many ways to secure data and quickly identify
system breaches. Computer security controls
must work in tandem with the administrative
controls to create the ideal system. Satisfying
business needs and HIPAA and HITECH
requirements go hand in hand.
Administrative controls for remote privacy
and security – The who
Securing a system with remote access to
confidential medical records must begin with
administrative controls. Such controls are
often found lacking, because management
relies on IT divisions to establish them. That
is a mistake. IT departments often:
n have no control over what happens to data
after transmission,
n do not train employees, and
n do not have the right to terminate anyone
who fails to follow policies.
Much of the current literature about protecting
patient information touts data encryption
and passwords, but completely ignores the
point of how those passwords are assigned in
the first place. “Administrative versus technical”
issues get right to the heart of remote
security system challenges. In other words,
administrative controls answer the question of

who should have a password in the first place.
Privacy (the who of remote access) is related
to security (the what of remote access). They
are separate-but-equal concepts. Administration
must decide who gets access and rely on
established controls to make sure people use
the system appropriately. 3
The administrative controls not only define
who is given access to what information, but
also should convey practical information
to remote users. Proper training of staff in
several areas is critical. The training should
cover the handling of portable storage media,
personal responsibility for the safety of the
data, consequences for unsafe handling of
(discussed in the following section). Administrative
procedures should also address
recovery procedures in the event of a security
breach to minimize damage.
Electronic security controls – The what
This is where security of ePHI gets more complicated.
Technology continually advances,
Administrative policies should include:
n completing a risk analysis and identifying
risks related to permitted remote devices;
n establishing a procedure for reporting
incidents;
n documenting policies and procedures
including minimizing consequences of
incidences;
n determining if there is a business case for
permitting remote access using laptops
(only absolutely necessary access should
be given);
n deciding what users are to be given access
based on job need (need-to-know);
n establishing a tiered security access system
based on job need (not all users will need
the same access);
n identifying source of equipment that will be
permitted to be used for remote access; and
n training staff on all policies and procedures
related to general and remote system access
and use of data. 4,5
confidential information, and using security
controls.
Because people take portable media for
granted today, there must be clear written
policies on the handling of the media itself,
including:
n Never leave a laptop unattended.
n Do not transfer ePHI to small storage
devices that are easily misplaced.
n Always store and protect portable media
devices a way that prevents loss, theft, or
unauthorized use of data.
n Never copy data onto a second portable
media device.
n Never transfer central data to unprotected
portable media or desktop computers that
do not have adequate virus protection.
Incident reporting policies should be clearly
defined and communicated. When personal
computing devices are lost or an unauthorized
user gains access to the portable media,
and that is good news for those organizations
using remotely accessed files. More advanced
security tools are introduced all the time.
Obviously, you cannot prevent an employee
from accidentally leaving a laptop in an airport.
You can, however, implement automatic
encryption that prevents a laptop thief from
reading the files stored on it. Encryption of
portable media devices is just one way to
better protect ePHI files.
Layering encryption controls onto portable
media and laptops is proving to be one of the
best approaches for protecting confidential
data. 6 The encryption control should meet
the FIPS 140-2 standard (i.e, the Federal
Information Processing Standard Publication
140-2) that defines a US government
computer security accreditation program
for cryptographic modules. It is important
to note that the success of the encryption
process relies on adequate employee training.
Ultimately, administrative controls should
identify a specific need for access to the
information and provide only that access—
nothing more. All too often, companies create
one level of access that unnecessarily exposes
the information to additional risk.
staff members must understand their
reporting responsibilities. Quick response
to possible breaches can often prevent the
actual loss of data.
Sometimes people do not report problems
out of fear it will jeopardize their position;
Encryption remains one of the main technical
security features providing the highest level
of data protection. Data should be encrypted
during all transfers between devices. Other
technical security measures for remote access
users include:
n Give remote users access only to a
Though some of the listed steps may seem
obvious, many organizations fail to develop
them. When administrative controls do not
exist, there is general confusion when a laptop
is stolen or an attempted security breach
occurs. Meanwhile, the confidential PHI is
that is one of the risks of remote computing.
Employee training should reassure those
who make honest mistakes that reporting
errors will not automatically mean loss of a
job. What will cost someone their job is not
reporting a breach that is later uncovered
controlled download site.
n Create multi-level password access.
n Use SSL as the minimum encryption
solution for Internet-based access.
n Install and maintain current virus software
on laptops and home computers.
not contained.
through electronic security control measures
Continued on page 45
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
43
April 2011

CTfpAD:Layout 1 2/3/11 3:59 PM Page 1
Let's you and I talk about effective
Healthcare Corporate & HIPAA compliance training
for your staff, contractors, and physicians
Healthcare facilities that are serious about
training and educating their staff choose
eHealthcareIT and PricewaterhouseCoopers.
We don’t need to tell you, healthcare compliance is a very
serious business. In fact, one of the greatest risks to consider in
2011 is the increase in targeted healthcare fraud enforcement
efforts by the government’s Health Care Fraud Prevention
and Enforcement Action Team (HEAT).
Expertise
PricewaterhouseCoopers’ Health Industries Practice and
eHealthcareIT is comprised of highly qualified healthcare
professionals specializing in regulatory compliance. Included
within this group of professionals are physicians, registered
nurses, certified coding specialists, registered records
administrators, certified public accountants and attorneys.
You know as well
as we do that one
size does not fit all:
• Over 100 engaging,
department specific
HIPAA Compliance,
Clinical Research
Compliance, and
Corporate Compliance
courses.
• Customization that allow
you to embed your
policies, procedures,
welcome messages, site
specific pictures and
“contact information”.
• Department specific topics
ensures that your staff
will receive compliance
education geared specifically
to their needs and
responsibilities.
Your compliance education
should not be a matinee at
the movies. Contact
eHealthcareIT for further
information or consultation.
Engaging & Practical Learning
Reliable, engaging, IT friendly and up to date content is key
to a successful compliance education program, which is what
eHealthcareIT brings to the table.
eHealthcareIT
e L e a r n i n g & I T S o l u t i o n s
email: info@ehealthcareit.com
or call 1-800-806-0874.
www.ehealthcareit.com

Protecting health information during a remote review by a business entity ...continued from page 43
n Use e-mail encryption programs that
automatically encrypt messages containing
PHI.
n Use data-at-rest encryption so that files are
automatically protected after media is not
used for a designated period of time.
n Install firewalls on laptops.
n Establish security that protects PHI as it
flows from and to the portable media.
n Include audit mechanisms that trigger
notification for abnormal PHI use.
n Limit remote users from accessing the
main data base if browser has unpatched
security vulnerabilities.
n Establish traffic controllers that direct
network traffic to designated ports.
n Automatically log all access activity or
attempts.
n Install controls that prohibit engagement
of company outside of the U.S.
n Install enforced session termination. 7,8
A strong electronic security control is to
enable password protection at the BIOS level
on a laptop. In other words, the laptop should
not power on without the right password.
Of course, neither administrative nor
electronic controls can completely eliminate
the inherent risks in permitting remote access,
but enough controls can be put into place
that the risks are minimized. It is not just the
theft of portable devices that creates a risk
either. Other risks include the destruction of
data from the remote site, inadequate virus
protection, and system hacking.
There is also a risk that people working from
home can improperly use the information
accessed by saving data or even printing it
out, but in reality, that is also true for those
employees working at the central site. There
are electronic controls that prevent printing
or data copying. Another possible solution is
to give remote users access only to a virtual
network, so that no data actually leaves the
central site. 7
One of the drawbacks to elaborate encryption
programs is they can significantly slow down
data processing, but that is changing too, as
technology improves.
Other controls to consider
In the drive to protect ePHI, businesses are
using other strategies designed to keep the
information safe. For example, some companies
ban flash drives. Another tactic is to give
employees designated equipment that is to
be used only for accessing the central system.
The laptop can then be audited regularly
for actual usage. The auto log review is an
important step for keeping track of what
employees are doing through remote access.
Using designated equipment for remote
access also makes it easier to insure that the
latest security patches and virus protection
programs are loaded. A user should not have
full responsibility for security. Finally, security
access should preclude a remote user from
allowing a third party user from accessing the
central system.
Protection comes from a blend of security
controls
It seems like almost every day there is a
news report about sensitive or confidential
information being lost or misused. As the
U.S pushes the medical community to rely
more on the sharing of computerized records
for research purposes, medical review, and
accounting, security becomes more and more
of an issue. Remote users accessing central
systems are using portable media, which adds
a risk element that must be addressed through
a blend of administrative and electronic
controls.
The ideal security system will rely on
policies and procedures that clearly assign
responsibility to the employee after proper
training. All the encryption and passwords in
the world cannot stop the careless employee
who leaves the laptop lying on the back seat
of an unlocked car, but the administrative
policies will dictate an immediate response
of incidence reporting and the electronic
security controls will prevent unauthorized
laptop access.
In the end, the quality of the company and
its employees has a lot to do with the security
of the information. Professionals in the
health care industry realize the importance of
self-monitoring their access to ePHI and the
subsequent usage of the information. When
choosing a company to assist with review
of PHI for any reason, the first requirement
should be insuring the company has not only
implemented the most current protocols for
information protection, but also checks itself
for compliance. n
1 Sanders, Denise L. and Kern, Steven I: What the HITECH Act Means
for You: data breach rules require new procedures. Medical Economics,
March 19, 2010; vol 87, no 6, p 26
2 Meystre, Stephane M; Friedlin, FJ; South, BR; et al: Automatic De-
Identification of Textual Documents in the Electronic Health Record: a
Review of Recent Research. BMC Medical Research Methodology, August 2,
2010; issue 10, pp 70-71
3 Withrow, Scott C: How to Avoid a HIPAA Horror Story: The
HITECH Act has Expanded the Financial Risk for Hospitals that
Do Not Meet the Privacy and Security Requirements Under HIPAA.
Healthcare Financial Management, 2010; vol 64, no. 8, p 83
4 Sibson Consulting: CMS Issues HIPAA Security Rule Guidance on
Laptops and Remote Access to ePHI. Bulletin, March 2007. Available at
http://www.sibson.com/uploads/c753b60f2c00b94f6a6c31e35850b352.
pdf
5 Tridia Corporation: The Twelve Most Common Threats to HIPAA
Compliance When Providing Remote Access to Systems and Data.
March 2010. Available at http://www.tridia.com/pdfs/New_Threats_to_
HIPAA_Compliance.pdf
6 Hudock, Robert: Key Issues in Privacy and Security for 2010. Law
Blog 2.0, November 17, 2010. Available at http://law2point0.com/
wordpress/2009/11/17/key-issues-in-privacy-and-security-for-2010/
7 Hudock, Robert: Business Associate and Covered Entity HIPAA Compliance
- Auditing Questions and NIST 800-53 Security Controls. Law
Blog 2.0, November 29, 2009. Available at http://law2point0.com/
wordpress/2009/11/29/business-associate-and-covered-entity-hipaacompliance-auditing-questions-and-nist-800-53-security-controls/
8 Lane, Julia and Schur, Claudia: Balancing Access to Health Data and
Privacy: A review of the issues and approaches for the future. Health
Services Research, 2010; vol 45, no.5, p 1456
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
45
April 2011

April 2011
46
Improving
compliance at the
grassroots level:
Strategies for auditing
By Cheryl Bowling, RHIT, CCS, CHC, C-CDI
Editor’s note: Cheryl Bowling is Compliance auditing and monitoring program should be
Director for Kforce Healthcare, Inc., a professional
staffing firm providing contract and direct of continuous feedback and identification of
proactive in its approach, providing a system
hire staffing for Health Information Management areas in which improvement is needed.
departments. She may be contacted by e-mail at
cbowling@kforce.com.
A strong program will include measures
to address areas identified as problematic
Frequent, well-documented inpatient by the Office of Inspector General (OIG).
and outpatient audits are an important
part of a health care facility’s recent version of the OIG Work Plan to
Compliance managers can consult the most
compliance plan. Although many managers determine the areas and issues the OIG plans
look to auditing as a strategy to improve a to examine, using this information to shape
facility’s case mix and optimize reimbursement,
the most important objective of any minimize risks. Specific OIG focus areas
their auditing and monitoring programs to
audit is to improve coding accuracy to ensure include coding, documentation issues, present
compliance with regulatory guidelines. on admission (POA) indicators, adverse
When performed correctly, coding audits can effects, observation versus inpatient status,
enhance compliance from the ground up and Emergency Departments, critical access hospitals
(CAH), and financial reporting issues.
provide valuable education.
Regular coding audits should be incorporated Critical access hospitals are covered under
as part of a facility’s health information management
compliance plan, with each facility review as well as acute care hospitals. CAH
Medicare Part A and are eligible for OIG
customizing the compliance program to meet are generally paid at 101% of reasonable costs
its needs and address its specific risks. An effective
compliance plan should be comprehensive, and Human Services will review CAHs to be
of provided care. The Department of Health
relevant, and provide feedback and education assured they meet the criteria for CAH designation.
An additional element to Emergency
to all departments that impact compliance.
Department review for the OIG Workplan
Elements of a strong auditing and
2011 is “Payments for Diagnostic Radiology
monitoring plan
Services in Hospital Emergency Departments.”
In addition to ensuring that coded data is These will be reviewed under Medicare Part B
accurate, an effective compliance auditing paid claims and medical records for interpretation
and reports of diagnostic radiology
plan should include targeted areas for monitoring
and improvement. Such an ongoing services. A determination will be made as to
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
whether the diagnostic radiology interpretations
and reports contributed to the diagnoses
and treatment of the patient. Facilities
should also review their criteria for evaluation
and management (E&M) assignment
for Emergency Department levels. At this
time it is the responsibility of the facility to
establish criteria to assign the various levels of
E&M for Emergency Department use. Most
facilities use a “tic” sheet or grid to establish
these levels of care. For added information
regarding the areas of possible review by
the OIG, please refer to the OIG Workplan
2011. Health care facilities should be sure to
focus auditing efforts around many of these
risk areas.
Performing an audit
Before beginning a coding audit, it’s important
to understand the auditing process from
beginning to end. The most effective compliance
audits follow the entire facility revenue
cycle and include the following key steps.
1. Define the audit scope. Determine the
specific area or process the audit will
target (e.g., inpatient medical/surgical,
inpatient rehab or inpatient psychiatric,
hospice, long-term acute care, skilled
nursing facility/sub-acute unit, ambulatory
surgical center, Emergency Department,
injections and infusions, outpatient
diagnostic, outpatient therapies, E&M,
Charge Description Master, etc.) and how
large the audit should be. An audit will
likely become overwhelming if too many
charts are analyzed, but will not be representative
if too few charts are reviewed.
Sample size may best be determined if it
is statistically significant relative to the
total population of the audit. Managers
should determine whether the facility is in
need of only coding validation, or if a full
review is needed of the medical record for
coding accuracy and to verify the accuracy

of charges and codes applied by staff outside
the Health Information Management
department. Will the audit identify and
reflect individual coder accuracy ratios as
well as overall statistics? Will documentation
be reviewed too?
2. Determine the types of records to
include in the audit sample. Reviewing
records in areas such as Recovery Audit
Contractor (RAC) targets, the OIG Work
Plan, Program for Evaluating Payment
Patterns Electronic Report (PEPPER)
and Comprehensive Error Rate Testing
(CERT) reports are good ways to identify
areas in which staff may need additional
education.
3. Decide whether a retrospective, concurrent
audit, or mixed methodology
will be performed. A concurrent audit
provides the benefit of making coding or
charging revisions, additions, or deletions
prior to billing the case. A retrospective
audit may offer a more complete medical
record, but any changes that reflect
a reimbursement change will require
re-billing of the claim. Will the audit
be performed on an annual, monthly,
quarterly, or ad hoc basis?
4. Determine whether the review will be
a remote review or an on-site project.
Many times this will depend on the
resources at the facility or whether the
facility is using electronic or paper-based
records (or a hybrid). If a remote audit is
conducted, it’s important to ensure that it
is performed in compliance with HIPAA
requirements under the HITECH Act.
5. Always share audit findings with coders
and other revenue cycle team members.
It’s vital that audit findings and auditor
recommendations are shared with the
coders who are working at the grassroots
level. Many times managers receive the
results of audits and then fail to share
them with the coding staff, which can
defeat the purpose of the audit. It’s imperative
that coding staff understand which
issues were identified so they can correct
these errors and promote compliance
going forward. A question and answer
session with members of the coding
department can provide coders with
additional feedback on areas identified
for improvement.
6. Structure education sessions around
coders and other organizational revenue
cycle team members. When reviewing
audit results, focus on the coders’
strengths but help them understand the
errors that were found and how to correct
them. If an audit uncovers significant
problems with code selection, managers
should consider bringing in an outside
coding reviewer to determine the cause(s)
of incorrect coding and provide training
for staff to eliminate errors in the future.
Most coders will assign codes in a “rote”
manner. If an error is identified, the
coder should be given an explanation as
to why or where the code was changed,
including valid references for the change.
Remember an audit evaluates processes,
people, organizations, or systems for validity
and reliability. Without education,
corrective action, and follow-up, there
will be no change in the revenue cycle
data base.
7. Monitor problem areas and conduct
follow-up audits. Follow-up audits
provide a way to evaluate whether coding
staff understood the education and
training they received. Providing coders
with a resource to ask questions is also
important. If the facility uses an outside
resource to conduct external audits,
managers should be sure that auditors
provide guidance and assist staff in being
compliant.
Sharing audit findings is critical
Compliance certainly is driven from the top
of an organization, but to be effective, it
must be an ongoing effort by all who work in
the organization. Some health care facilities
make the mistake of limiting involvement
in compliance auditing procedures to senior
management. Because these managers are
not charged with staff education or training,
the result may be that they react only when
non-compliant behavior is uncovered, rather
than preventing it through staff education and
training. In other situations, Internal Auditing
departments may create well-planned auditing
and monitoring programs and perform regular
audits, but the reporting gets stalled in
committees and is never shared with staff.
To be proactive about compliance, managers
must ensure that audit findings are conveyed
to all staff members whose work directly
impacts compliance. Effective auditing programs
“close the loop” by providing feedback
and education to coders and other staff to
address issues that have been identified and
offer solutions for correcting future errors.
If coding staff are not made aware of errors
uncovered by audits, they will continue to
make the same mistakes.
When sharing data and audit findings with
coding staff, it is best to approach the topic
from an educational perspective. Most coders
are very detail-oriented individuals who strive
to provide the most accurate data. When
provided with the rationale for the correct
code assignment, coders can learn from errors
and resolve future issues.
Findings should be shared with coders on an
individual basis, using supporting data such
as “real time” medical records, documentation,
and the appropriate coding guideline,
the American Hospital Association (AHA)
Continued on page 49
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
47
April 2011

Physician
Practice/
Clinic
Compliance
Conference
Save
the
Date
SAVE
THE DATE
OCTOBER 16–18, 2011
PHILADELPHIA, PA
WHY YOU SHOULD ATTEND
Physicians, compliance officers,
coders, and managers will
learn to manage an effective
compliance program. Participants
will learn about compliance
program development and
management as it relates to
physician practices; current
government initiatives in the field
of health care compliance specific
to physicians and their group
practices; correct documentation,
billing and coding practices for
physicians; and best practices
utilized in physician practices.
September 25–27, 2011
Renaissance Harborplace Hotel
Baltimore, MD
The Fraud and Compliance Forum is jointly sponsored by
the Health Care Compliance Association (HCCA) and the
American Health Lawyers Association (AHLA). It will include
an explicit designation of a session as “compliance focused”
or “legal focused.” The Planning Committee has included
enough sessions in each designation that an individual
could attend all “compliance” sessions or all “legal” sessions
for the entire program. Yet an attendee also has
the option of selecting a diversity
of sessions and networking with SPONSORS
an expanded group of individuals.
The Fraud and Compliance Forum
has the benefit of combining the
quality of HCCA and AHLA sessions
with the expanded networking
power of a combined program.
Learn more and register at
www.hcca-info.org
LEARN MORE &
REGISTER AT
www.hcca-physician-conference.org
2011_Phys_HalfPage_2C.indd 1
3/9/2011 1:44:54 PM

Improving compliance at the grassroots level: Strategies for auditing ...continued from page 47
Coding Clinic, the American Medical Association
(AMA) CPT Assistant, official coding
guidelines, or another recognized Centers
for Medicare and Medicaid Services (CMS)
memorandum or transmittal. Feedback that
is provided in an educational, rather than
punitive, setting is more likely to result in a
positive response and behavioral change.
Ongoing education and training are
extremely important for coders, because
coding is a highly monitored and audited
field with many regulations, principles, and
payer-specific guidelines. These rules and
requirements change often, and ongoing education
is necessary for coders to stay current
with the most up-to-date regulations.
After educational sessions have been
conducted, the auditing team should monitor
and follow up on problem areas. It’s important
to be sure that coders truly understand
the principles and are able to assign codes
correctly.
In addition to coding, audits may uncover
that physician documentation also requires
improvement. A similar approach can be
used to address documentation issues at the
appropriate level with feedback and follow
up, although care must be taken to avoid
disrupting the relationship with physicians.
Consider outside coding reviews
Another effective strategy that facilities can
use to improve compliance is to enlist the
help of an outside auditor to conduct regular
coding audits. Partnering with an outside
coding reviewer can provide health care
facilities with a way to gain a fresh, objective
look at coded data. An outside reviewer looks
at the overall compliance of the coded data,
rather than simply focusing on the reimbursement
to the organization, as some internal
auditors may. Outside auditors objectively
review the documentation to identify errors
and provide feedback with the support of
appropriate references, such as CMS transmittals,
memorandums, AHA Coding Clinic,
and official coding guidelines.
Outside reviewers can also provide the
facility with an unbiased review of each of its
coders, to establish a baseline for education,
offer ongoing advice, and provide access to a
network of other professionals who work in
specific areas of coding. Request biographies
or resumes of the audit staff who will perform
your review prior to signing a contract agreement.
Some audit companies hire subcontractors
after they obtain the signed contract,
thus limiting their control over staff.
One health care facility in Philadelphia
significantly improved compliance and
reduced coding errors by employing an
outside auditor to conduct inpatient audits
on a monthly basis for six months. Audit
findings were shared with coders each month,
and education was provided to help them
understand what issues were identified so
they could correct the errors and promote
compliance going forward.
With this method, the results of the audits
improved month after month. After six
months, an enterprise-wide effort was initiated
to set expectations for coding accuracy
and provide incentives for coders whose code
assignment was accurate and compliant.
Audits are now conducted on a quarterly basis
to monitor coding accuracy. By employing
the expertise of an objective, outside coding
reviewer and effectively conveying audit findings
to coders, this auditing and monitoring
plan has been highly successful.
By implementing a proactive auditing and
monitoring plan that includes objective
coding reviews, regular follow up, and proper
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
communication of auditing findings, health
care facilities can improve compliance from
the ground up. Auditing programs that
proactively address risk areas and provide a
continuous system of feedback and education
to staff will ensure compliance with
regulatory guidelines and ultimately boost a
facility’s financial health. n
Mary, Al, and me: Compliance mentoring at
its best ...continued from page 27
n Suspension of ego that allows you to be in
a position to learn from others. “Know-italls”
need not apply.
n Respect and trust for the mentor.
n A willingness to be honest when it comes
to your shortcomings or deficiencies.
n The ability to listen.
n Openness to the mentor’s suggestions.
n The ability to put the knowledge and insight
gained from a mentor into practice.
Mentor benefits
The best mentors operate in the spirit of
altruism, there are nonetheless benefits that
arise from the relationship:
n A strong legacy.
n Satisfaction that comes from helping
another.
n Development of new perspectives.
n Honing of coaching and leadership skills.
As I mentioned at the beginning of this
article, my hope is that this small vignette will
inspire you to take on the role as a mentor to
someone who is developing as a compliance
professional. Likewise, if you do not have a
mentor, my unqualified advice is that you
should find one. I feel so strongly about that
point that I make this offer: If you need a
mentor and don’t know exactly how to go
about establishing a relationship with one,
contact me. I’ll help you get started. n
49
April 2011

HCCA BASIC COMPLIANCE ACADEMIES
2011 Basic Compliance Academies
Scottsdale, AZ | June 6–9
New York, NY | August 8–11
Chicago, IL | September 19–22
Las Vegas, NV | October 24–27
Orlando, FL | November 14–17
San Diego, CA | December 5–8
2011 Basic Research Academies
Las Vegas, NV | August 15–18
2011 Basic Privacy Academies
San Francisco, CA | October 10–13
San Diego, CA | December 5–8
JUST
ADDED
CERTIFICATION EXAM OFFERED FOLLOWING EACH ACADEMY
REGISTRATION FOR EACH ACADEMY IS LIMITED TO 75 ATTENDEES
“I just wanted to say thank you for helping to coordinate and present such an
educational and useful compliance academy. If I knew how much I was going
learn and how many ideas I would leave with to improve our compliance
program I would have attended much sooner. The academy helped to
energize and inspire me to take our compliance program and myself as a
compliance professional to the next level.”
Michael Scudillo, Chief Compliance Offi cer, Universal Institute, Inc.
April 2011
50
www.hcca-info.org • 888-580-8373
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

COMPLIANCE
101
Starting out as a
compliance officer
By Nicola Heslip, RN, CPHQ, LNC, CPSO
Editor’s note: Nicola Heslip is a Certified Professional
in Healthcare Quality at PolicyMedical.
Nicola has over twenty years of experience in
the health care industry as a Registered Nurse,
Certified Legal Nurse Consultant, and Certified
Professional in Healthcare Quality, among other
roles. She authors a patient safety blog at www.
patientsafetypeople.com and may be contacted
by e-mail at nicola@policymedical.com or by
telephone at 253/217-7180.
So you just joined an organization
as the new Compliance Officer.
Congratulations, to both you and
your employer!
If this is your first time in this position, I’m
sure you’re filled with questions. Do you
know your roles and responsibilities? Do you
know how you’re supposed to “fit” into the
organizational structure? Do you know how
to get the staff to be on your side?
Unfortunately, the answer is not in the
organizational chart that they hand you in your
employee orientation packet. Sorry. Don’t you
wish it was that easy? If you’ve received any kind
of education about becoming a compliance
officer, you may have your own ideas and expectations
based on the school curriculum that
was covered. But, in most cases, the textbook
translation is not realistic either. You need to
figure out how to take the general guidelines
from your learning and mold them to fit your
new organization’s structure and expectations.
Essentially, you need to figure out…
What type of compliance officer are you?
A corporate compliance officer often addresses
the business ethics, billing fraud, Emergency
Medical Treatment and Active Labor Act
(EMTALA) regulations, code of conduct,
privacy laws, and other business relations.
A regulatory compliance officer is often
responsible for the standards and accreditation
requirements for a variety of agencies. It is
important that the type of compliance you are
responsible for is articulated clearly.
Your understanding of the position should
accurately reflect your job description, and
your employer should clearly outline expectations
for you. Ideally, there would also be some
preferred educational requirements, such as
a starter guide about “Becoming a Certified
Healthcare Compliance Professional/Officer.”
I would also highly recommend that you go
to the HCCA website, where there are tools
and resources to help you in your role, as well
as opportunities for continuing education
and certification. They also have an excellent
document titled “Evaluating and Improving a
Compliance Program - a Resource for Healthcare
Board Members, Healthcare Executives
and Compliance Officers.” 1
You’re already starting off on the
wrong foot
When I am out on the floors, I frequently
hear staff say that they do things to be
“compliant” with The Joint Commission
rules, or for the next survey. I explain to
them that we do things to prevent patient
harm and to be ready for the next patient.
But, just hearing the way that they refer to
“compliance” gives me some insight into why
some people have a tendency to shy away
from people who are in compliance roles.
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
To figure this out, let’s look at some standard
definitions for compliance. Webster’s
Dictionary defines “compliance” as:
1 a: The act or process of complying
to a desire, demand, proposal, or regimen
or to coercion; 1 b: Conformity
in fulfilling official requirements;
2: A disposition to yield to others;
3: The ability of an object to yield
elastically when a force is applied;
flexibility.
In reference to the first definition (i.e., compliance
being the act of complying to a regimen
or coercion), you can see how staff would be a
bit resistant to your approaching them about
an issue if they perceived you as the “enforcer
of conformity.” With respect to the second
definition (i.e., a disposition to yield to others),
staff may behave submissively knowing they
have to listen to you and go along with what
you say and want implemented.
And according to the third definition (i.e., the
ability of an object to yield elastically when
a force is applied; flexibility), there is nothing
more disheartening than working with
a member of the health care team who uses
their title to “bend staff into shape.” When
health care staff regards the word “compliance”
with those connotations, they are
hardly going to be “flexible.”
For those of you (like me) who are visual
learners, think about what happens when
you put enough force on something
that is rigid and resistant to change. It
will break. This is why the integration
of a compliance officer is met with such
tension. After the break, often a mess is
left behind and there will be pieces to
pick up. How do you prevent these clean
ups in the first place? You need to change
Continued on page 52
51
April 2011

Starting out as a compliance officer ...continued from page 51
April 2011
52
the perception of resistant staff. And in
order to do that, you need to understand
capacity and capability.
Changing perceptions
The Institute for Healthcare Improvement
(IHI) has an excellent series for leadership
as it relates to Quality Improvement. 2
In this series, they discuss capacity as:
n the ability to receive, hold, or absorb;
n the maximum or optimum amount of
production;
n the ability to learn or retain information;
n the power, ability, or possibility of doing
something or performing; and
n a measure of volume; the maximum
amount that can be held.
Do the team players on your roster have
the capacity to participate in the issue that
is non-compliant? Another term that IHI
describes in this series is capability:
n the power or ability to generate an outcome;
n the ability to execute a specified course of
action;
n the sum of expertise and capacity; or
n knowledge, skill, ability, or characteristic
associated with desirable performance on
a job, such as problem solving, analytical
thinking, or leadership.
Some definitions of capability include
motives, beliefs, and values. Are those team
players capable? Can they impact the issue
you are raising? Do they have the necessary
skill sets and/or experience?
If the team that you have assembled—or
were handed—has the capacity and
capability to address your compliance
issue, then you have made a big step in
engagement of key stakeholders.
Let’s go back to Webster’s definitions
again, but look at them through a
perspective that is to your advantage. In
the first definition (i.e., the act or process
of complying to a desire, demand,
proposal, or regimen or to coercion), the
key word is desire. You need to communicate
your plans and expectations in a
way that promotes a willingness to make
the change versus having to do it to be
compliant.
IHI has a great slide on Continuous Quality
Improvement (CQI). It discusses the
three elements that are necessary to drive
capacity. One of those elements is will
(a.k.a. desire): having the will to change the
current state to one that is better. The second
element consists of ideas: developing ideas
that will contribute to making processes and
outcome better. The third is element execution:
having the capacity to apply CQI theories,
tools, and techniques that enable the execution
of those ideas. Implementation of practices
involving compliance involves change and
continuous quality improvement. These
principles are key to your success.
Webster’s second definition of compliance
is a disposition to yield to others. If you
engage your audience and they have the
will, capacity, and capability, compliance
will most likely follow.
The third definition is flexibility, when
force is applied. Molding and shaping
your team comes from your leadership
style. Your values, beliefs, and efforts to
use CQI will be evident and have a ripple
effect on your team. Continue to perform
cycles of change on a small scale (i.e.,
plan, do, check, act), until you achieve
the desired behaviors you want from your
team. Building a relationship on false
expectations will not promote a collaborative
relationship. If that means analyzing
your leadership style, then so be it.
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
Become a change agent, not a
compliance agent
So, as you sit in your new desk chair in your
new office, please remember that your role
is to help the organization meet the needs of
the patients and the community that it serves.
Your new employer has many values and
belief systems and has its own culture, and
part of your job is to learn to be “compliant”
with that culture. However, you are
in a position to take the temperature of the
organization and lead those peers toward your
goals and vision. Become a change agent, not
a compliance agent, in order to help move the
culture to where it needs to be. n
1 Available at http://hcca-info.org/Content/NavigationMenu/ComplianceResources/EvaluationImprovement/default.htm
2 Institute for Healthcare Improvement: Leading Quality Improvement:
Essentials for managers. More information is available at http://www.ihi.
org/IHI/Programs/ProfessionalDevelopment/LeadingQualityImprovementEssentialsforManagers.htm?player=wmp
People
On the Move
Robert A. Wade joins Krieg DeVault’s
Health Care Practice
Robert A. Wade has joined Krieg DeVault’s
Health Care Practice as Partner. Mr. Wade
concentrates his practice in representing
health care clients, including large health
systems, hospitals, ambulatory surgical
centers, physician groups, physicians and
other medical providers.
Robert Michalski, CHC, has recently
been named AHIA Secretary-Treasurer
Robert is Chief Compliance Officer for
Baylor Health Care System, which is
a faith-based not-for-profit health care
provider system in Dallas, TX
Bayonne Medical Center appoints new
VP of Compliance, Audit/Privacy Officer
J. Eric Sandhusen, MPH, CHC, CPC
has been named Vice President of
Compliance & Audit/Privacy Officer of
Bayonne Medical Center, located in East
Bayonne, NJ.

New HCCA Members
Alabama
n James A. Hoover, Burr & Forman LLP
n Marilyn C. Thomas, UAB
Alaska
n Margaret G. Balster, Alaska VA Healthcare
System & Reg Office
n Jennifer Carson, JAMHI
n Rebecca S. Dean, Sportsmedicine Fairbanks
n Jana Ray, Denali Orthopedic Surgery
Arizona
n Jeff Buehrle, Banner Health
n Michael A. Cimino, Banner Behavioral Health
n Janice J. Crossan, Heritage Home Healthcare
n Lynette Peterson, Auditing for Compliance and
Education
n Jeniece Poole, Univ of Arizona
n Patty Rhoden, Banner Estrella Medical Center
n Melinda White, Winslow Indian Health Care
Center
Arkansas
n Keith L. DeLeeuw, Sisters of Mercy Health
System
n Susanne Hiland, Wal-Mart
n Marijo Norris, Radiology Associates, PA
n Sybil M. Richard, Wal-Mart Stores Inc.
n Hudson L. Vanderhoff, Golden Living
California
n Adriana A. Avalos, Kaiser Foundation Hospital
n John M. Carfora, Loyola Mary Mount
University
n Diana J. Christie, Kaiser Permanente
n Tracy Curnutt
n Jennifer M. Evans, Health Net Inc
n Robert Fahlman, Arcadian Health
Management
n Thomas Hsu, Allied Physicians of California (IPA)
n Scott Huhn, Omnicare
n Jerry W. Jackson, Monarch Health Plan
n Wilcil Joseph, Kaiser Permanente
n Steven Krivit
n Amy E. May, Kaiser Permanente
n Lisa Mendoza, Conejo Valley Billing Center
n Maria Sessions, Micrus Endovascular
n Sherwin E. Shakramy, Alpha Hospice Care
n Kimberly M. Skiff, Kaiser Permanente
n Thomas Tempske, California Department of
Public Health
Colorado
n Michelle Bradbury, Sorin Group
n Cindi L. Cross, Univ of Colorado Hospital
n Janell A. Raines, Kaiser Permanente
n Jori Snyder, Centura Health
n Aaron Van Artsen, University Physicians, Inc.
Connecticut
n Mary Beth Bednarz, Charlotte Hungerford Hosp
n Cathea Jackson, Yale New Haven Health System
Delaware
n Kathy M. Brown, Nemours-A I DuPont Hospital
n Brian Williamson, Nemours
Florida
n Lee Ann Atkinson, Florida Pediatric Associates
n Louis Jack Bevilacqua, Traditions Management
n Nancy Cameron, Halifax Health
n Desiray M. Co, Hospice of St. Francis
n Agnes Devonish
n Cindy A. Fortner, TriCenturion
n Karen Haines, BCBS of Florida
n Tara Hazard, Shell Point Retirement Community
n Lianna Hernandez, Jupiter Medical Center
n Jill C. Jacobson, American Hospice
n Amanda L. Jansante, WellCare Health Plans, Inc.
n Nasreen Kabani
n Howard Kasson, Insight Healthcare Consulting
n Marcy Lugo-Alvarez
n Lori A. Molina, WellCare Health Plans, Inc.
n Clark M. Parker, Coleman Consulting Group
n Gloria A. Petrey, CCS Medical
n Kevin Rodriguez, WellCare Health Plans, Inc.
n Christine Rosado, BCBS of Florida
n Peggy Siebert, 21st Century Oncology
n John Villaruel, WellCare Health Plans, Inc.
n Japa A. Volchok, Vohra Wound Physicians Mgmt
Georgia
n John M. Bennett, Medical Mgmt Associates, Inc.
n Audra Y. Cabiness, Houston Healthcare
n Lori P. Harris-Pleasure
n Gladys James, Columbus Specialty Hospital
n Dana G. Mack, CCS Medical
n Renee Webb, Harbin Clinic
Hawaii
n Amy Bauchens, Waimanalo Health Center
Illinois
n Carol Burkhart, Marsh, USA
n Tanya Ford, Near North Health Service Corp
n Kimberly Kinman, St James Hospital
n Sheri Lindsay, Northwestern University
n Corey M. Perman, Advocate Health Care
n Pamela Stuart, Blessing Physician Services
Indiana
n Brenda M. Golden, Grossnickle Eye Clinic
n Becky Merkel, Bluffton Regional Medical Cntr
n Rebecca Osowski
n Della Sennett, Clark Memorial Hospital
Kansas
n Bob Thomas, BCBS of Kansas Inc
Kentucky
n Sara K. Fly, Kentucky Medical Services
Foundation
n Jill Force, Springstone, Inc.
n Mary S. Stine, JHSMH
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
Louisiana
n Alec Alexander, Christus Health Lousiana
n Hunter Ely, Tulane University
n Jason Emfinger, Franklin Medical Center
n Tammy Heim, ACS
n Peggy Kelly, Acadiana Computer Systems
Maine
n Elizabeth A. Tardif, MaineHealth
Maryland
n Janet C. Braun, Maxim Healthcare
n Bob Bullen, Clifton Gunderson LLP
n Eileen Langan, Maxim Healthcare Srvs
n Andrew Ranck, Clifton Gunderson
n Amanda Riley, Johns Hopkins Healthcare LLC
n John Wells, Arcadian Management Services
Massachusetts
n Hope M. Violette, Newton-Wellesley Hospital
Michigan
n Joni Baker, Spectrum Health Hospitals
n Barbara Cote, Spectrum Health
n Helen Franklin, Connective Consulting
n Connie Hervey, Spectrum Health
n Carol Jorgensen, CareSource
n Janet McClain, Memorial Healthcare
Minnesota
n Tanya Anderson
n Daniel Hoemke, The Burchfield Group
n Kyle Pettersen-Scott, UnitedHealth Group
Missouri
n Mary R. Daniel, Husch Blackwell Sanders LLP
n William Devoy, Pershing Health System
n Angela Muncy, Argus Health Systems, Inc
n Lisa Oswald, Univ of Missouri Health Care
n L. Rene Pfaltzgraff, Viracor-IBT Laboratories
n Connie S. Rhoads, Christian Homes, Inc
Montana
n Gwethlyn Sabatinos, Washakie Health Consult
Nebraska
n Paul Edwards, Saint Elizabeth Regional
Medical Center
n Erin R. Mayer, Catholic Charities - Omaha
n Amber Taylor, Fillmore County Hospital
Continued on page 54
53
April 2011

New members ...continued from page 53
New Jersey
n Linda Brower, Univ of Medicine & Dentistry
of New Jersey
n Walter J. Finnigan, Community Surgical Supply
n Kevin J. Licciardi, Rutgers University
n Haley G. McEwan, Rutgers University
n Vera Murphy, Sanofi-Aventis
n Tammy Zamot, Styker Orthopaedics
New York
n Thomas Ambury, ProCare Physical Therapy
n Jessica L. Bielo, IPRO
n Desiree Davila
n Kim Dynka, Practice Resources, LLC
n Julie A. Greco, Hometown Health Centers
n Shelly A. Howe, Maxim Healthcare
n Deborah Kurtz, Community General Hospital
n Christine Liberti, FamilyCare Medical Group, PC
n Eric Musial, Medina Memorial Hospital
n Susan Rozumalski, Schofield Residence
n Donna M. Winters, Unity Health System
North Carolina
n Jackie Chapman-Pointer, BlueCross BlueShield
of North Carolina
n Kathy Chavis, LabCorp
n Annette Miller, Novant Health
n Marie C. Moseley, UHSEC
n Brian Rainey, Compliance Concepts, Inc
n Debra K. Thompson, UHS Physicians
North Dakota
n Wilbert Ressler, Trinity Health
Ohio
n Nicole Beadle, CareSource
n Mark R. Chilson, CareSource
n Tameka Copeland, CareSource
n Gina Gryzlo, Cleveland Clinic
n Cessalie V. Harris, Cleveland Clinic
n Teresa Huysman, CareSource
n Mary Eileen Lechleitner, CareSource
n Carole Meisler
n Michelle R. Moon, Neurocare Center
n Gabby M. Reissland, OSU Medical Center
n Becky A. Thompson, Fayette County Memorial
Hospital
Oklahoma
n Janis F. Darley, McBride Orthopedic Hosp
n Nicole McFarlane, Select Medical Corporation
n Teresa A. Williams, INTEGRIS Health, Inc.
Oregon
n Margaret M. Wise, Kaiser Sunnyside Med Ctr
Pennsylvania
n John Barrett, PerformRx
n Angela Dohrman, Lutheran Social Services
n Andrea Felician, Select Medical Corporation
n Valerie Greco
n Terry Shade, Lutheran Social Services of
Southcentral PA
Be Sure to Get
Your CHC CEUs
Articles related to the quiz in this issue of
Compliance Today:
n Equal visitation rights for all hospital
patients: CMS finalizes rules—By
Janice A. Anderson and Kimela R.
West, page 29
n Unclaimed property compliance
and health care—By Diann L. Smith,
Marlys A. Bergstrom, and Jessica Kerner,
page 31
n Protecting health information during
a remote view by a business entity—By
Cora M. Butler, page 42
To obtain one CEU per quiz, go to www.
hcca-info.org/quiz and select a quiz. Fill in
your contact information and take the quiz
online. Or, print and fax the completed
form to CCB at 952/988-0146, or mail it
to CCB at HCCA, 6500 Barrie Road, Suite
250, Minneapolis, MN 55435. Questions?
Please call at 888/580-8373.
Your HCCA Staff
Sarah Anondson
Graphic Artist
sarah.anondson@hcca-info.org
Lizza Catalano
Conference Planner
lizza.catalano@hcca-info.org
Gary DeVaan
IT Manager/Graphic Artist
gary.devaan@hcca-info.org
Margaret Dragon
Director of Communications
margaret.dragon@hcca-info.org
Darin Dvorak
Director of Conferences
and Exhibits
darin.dvorak@hcca-info.org
Wilma Eisenman
HR Director/Office Manager/
Compliance Officer
wilma.eisenman@hcca-info.org
Jodi Erickson Hernandez
Conference Planner
jodi.ericksonhernandez
@hcca-info.org
Nancy L. Gordon
Managing Editor
nancy.gordon@hcca-info.org
Melanie Gross
Marketing Coodinator/
Conference Planner
melanie.gross@hcca-info.org
Karrie Hakenson
Receptionist
karrie.hakenson@hcca-info.org
Elizabeth Hergert
Certification Coordinator
elizabeth.hergert@hcca-info.org
Patti Hoskin
Database Associate
patti.hoskin@hcca-info.org
April Kiel
Database and Member Services
Administrator
april.kiel@hcca-info.org
Meg Kosowski
Certification Specialist
meghan.kosowski@hcca-info.org
Katie Luitjens
Conference Planner
katie.luitjens@hcca-info.org
Amy Macias
Member Services
amy.macias@hcca-info.org
Patricia Mees
Communications Editor
patricia.mees@hcca-info.org
Eric Newman, Esq.
Social Media Manager
eric.newman@hcca-info.org
Tracey Page
Member Services
tracey.page@hcca-info.org
Jennifer Power
Conference Planner
jennifer.power@hcca-info.org
Marlene Robinson
Web Conference Planner
marlene.robinson@hcca-info.org
Beckie Smith
Conference Planner
beckie.smith@hcca-info.org
Roy Snell
Chief Executive Officer
roy.snell@hcca-info.org
Charlie Thiem
Chief Financial Officer
charlie.thiem@hcca-info.org
April 2011
54
Adam Turteltaub
VP Member Relations
adam.turteltaub@hcca-info.org
Allison Willford
Accountant
allison.willford@hcca-info.org
Julie Wolbers
Accountant
julie.wolbers@hcca-info.org
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
6500 Barrie Road, Suite 250
Minneapolis, MN 55435
Phone 888-580-8373
Fax 952-988-0146
www.hcca-info.org
info@hcca-info.org

Is your organization operating
at it’s highest power?
Let us take a look.
Call today for a Complimentary Consultation
1-866-588-3444
TRUSENT Solutions provides the depth of consulting experience and business savvy, to
maximize your top line, protect your bottom line and minimize compliance risk.
www.trusentsolutions.com
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
Trusent Solutions, LLC.
April 2011
55

Register today
and enjoy the
flexibility of two
conferences for
the price of one!
Complimentary access to
SCCE’s Higher Education
Compliance Conference
is included with your
Research Compliance
Conference registration.
The parallel schedule
gives you the freedom to
attend sessions at either
conference—two for the
price of one.
ReseaRch
Compliance
Conference
June 12–15, 2011 | austin, TX
Come to Austin, Texas, June 12–15 to learn best practices and the latest thinking on:
• Implementation of the Sunshine Act provisions to the Health Care Reform Package
• Handling the updates to the Medicare as Secondary Payer Rules and the effect on
research‐related injury
• Responding to changes to CMS Clinical aResearch Policy (replacing the Medicare
NCD for Clinical Trials)
• And much, much more
You’ll hear directly from representatives from NIH, OHRP, ORI, the FDA, the OIG, and
the DOJ, and from other industry experts who can provide practical perspectives for
how to handle your research compliance risks.
LeaRn moRe and RegisTeR aT
www.hcca-research-conference.org
April 2011
56
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org