JR - Health Care Compliance Association
JR - Health Care Compliance Association
JR - Health Care Compliance Association
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
Volume Four/Number Eight<br />
August 2002<br />
A publication for<br />
health care compliance<br />
professionals<br />
meet<br />
James Roosevelt<br />
REGISTER TODAY!<br />
FOR THE HCCA/AHLA Fraud and <strong>Compliance</strong> Forum, WASHINGTON, DC–SEP 29-OCT 1, 2002 For<br />
info see p.26 or go to conference central on the HCCA Website: http://www.hcca-info.org<br />
INSIDE<br />
2<br />
3<br />
5<br />
6<br />
10<br />
11<br />
13<br />
16<br />
18<br />
19<br />
22<br />
25<br />
Leadership letter<br />
On the calendar<br />
Focus on ethics &<br />
compliance<br />
Leveraging HIPAA<br />
Web resources<br />
Physician practice and<br />
billing issues<br />
Meet James Roosevelt<br />
Back to basics<br />
FYI<br />
CEO’s letter<br />
Academic/research<br />
SIG<br />
People on the go
The Good<br />
Ol’ Boys<br />
and Girls<br />
AL JOSEPHS<br />
2nd Vice President<br />
The search for the future leaders of the<br />
HCCA is never ending. It is the time of<br />
year that we seek formal nominations for<br />
the HCCA leadership roles, as members of<br />
the Board of Directors, Regional Officers,<br />
and Regional State Liaisons. The membership elects individuals<br />
to the Board of Directors positions from a slate of nominations<br />
received from HCCA members. The Board of<br />
Directors then elects the Board Officers. Each Board Officer’s<br />
position serves a one year-term. There is no automatic progression<br />
to the next officer position until the position of Vice<br />
President, which will automatically become the President of<br />
HCCA the following year. The Board of Directors has the<br />
responsibility to appoint the Regional Presidents and the<br />
Regional Presidents then make recommendations to the<br />
Board of Directors for the Regional Vice-Presidents, Regional<br />
Secretary/Treasurers, and State Liaisons.<br />
This model is like many other volunteer-driven associations.<br />
Will this process produce leaders? No it only recognizes leadership<br />
potential, but individual effort is required. It seems<br />
complex at times and often you hear concern about “good ol’<br />
boy/girl networks”. It is complex and there are good ol’<br />
boy/girl networks. It is complex because no one person or<br />
limited group of individuals can ever hope to accomplish the<br />
many tasks necessary to operate a successful membership<br />
organization. Nor can leaders be developed without the good<br />
ol’ boys/girls that spend countless hours doing the hands-on,<br />
detail work required to make an organization run. The indi-<br />
vidual efforts of the good ol’<br />
boys and girls often go<br />
unseen. Sure, these efforts<br />
can have personal benefits,<br />
but the motivation is derived<br />
from a personal commitment<br />
to the profession, not any<br />
potential personal gain.<br />
As a friend often asks me, “So what’s your point?” Plain and<br />
simply, if you want to become a leader in HCCA (or anywhere<br />
else for that matter) just “do something to benefit others<br />
and do it often”, and before you know it, you will become<br />
one of the “good ol’ boys/girls” that are elected to positions of<br />
leadership. ■<br />
Instant Survey Results<br />
From June 7-13, 2002 the <strong>Health</strong> <strong>Care</strong> <strong>Compliance</strong><br />
<strong>Association</strong> conducted it’s first Instant Survey–the<br />
subject: <strong>Compliance</strong> Budget–HCCA had 787<br />
responses. The results were first reported in the June 14<br />
issue of This Week in Corporate <strong>Compliance</strong>. Here<br />
are the results.<br />
Your compliance budget in the last 12 months has:<br />
Been<br />
decreased<br />
Been<br />
increased<br />
Remained<br />
the same<br />
90<br />
COMPLIANCE BUDGET<br />
11.4%<br />
306<br />
38.9%<br />
391<br />
0 100 200 300 400<br />
49.7%<br />
August 2002<br />
2<br />
HCCA’S<br />
HCCA exists to champion ethical<br />
practice and compliance standards in<br />
MISSION the health care community and to provide<br />
the necessary resources for compliance professionals and others who<br />
share these principles.<br />
fforum
DON’T<br />
MISS OUT!<br />
ON<br />
THE CALENDAR<br />
Use HCCA’s Information Sources<br />
HCCA’s Fax-on-demand services<br />
Membership information and upcoming events are two<br />
items available when you call HCCA’s Fax-on-demand<br />
service. Here’s how:<br />
1. Dial 888/840-4359, press 2 after the system answers.<br />
2. Enter the three-digit code of the document you wish to<br />
receive and press #. Once all of the document codes have<br />
been entered press #.<br />
3. When prompted, enter the number of the fax machine<br />
to which you wish the material faxed followed by # key.<br />
NB: If you enter number 1 when the system answers and<br />
enter your fax number when prompted, you will receive a<br />
menu of the current documents available.<br />
It’s on the HCCA Website–Payor/Managed <strong>Care</strong> Special<br />
Interest Group information<br />
HCCA members working in health care payor or managed<br />
care organizations now have a new compliance information<br />
source–the Payor/Managed <strong>Care</strong> SIG Webpages located on<br />
the HCCA Website, http://www.hcca-info.org<br />
You will find information including:<br />
■ The Payor/Managed <strong>Care</strong> SIG Charter<br />
■ Contact information for the SIG Chair and Steering<br />
Committee Members<br />
■ Information on HCCA conferences related to<br />
Payor/Managed <strong>Care</strong> issues<br />
■ A list of Payor/Managed <strong>Care</strong>-related articles published<br />
in <strong>Compliance</strong> Today<br />
Don’t miss out on this new and valuable resource! ■<br />
ERRATA<br />
On page 7 of the July issue of <strong>Compliance</strong> Today,<br />
the last few words of the article, Proposed EMTALA<br />
revisions: Are the rules any clearer?, were not printed.<br />
It should have ended as follows:<br />
“Hospitals should evaluate how the new rules will<br />
apply to its operations, and be prepared to implement<br />
these changes later this year.” ■<br />
AUDIO<br />
CONFERENCES:<br />
Best of <strong>Compliance</strong> Institute 2002<br />
■ July 17 - Part I - Updates on<br />
the False Claims Act, 12<br />
Noon-1:30 PM EST<br />
■ July 23 - Part II - Advanced<br />
Investigations, Privileges and<br />
Disclosure, 1-2:30 PM EST<br />
■ July 30 - PArt III - Sampling<br />
Techniques for Auditing and<br />
Monitoring, 1-2:30 PM EST<br />
<strong>Compliance</strong> Lessons Learned<br />
from Enron - Four Part Series<br />
■ September 4, 10, 17, and 24,<br />
1-2:30 PM EST<br />
Mark your calendars for the following<br />
HCCA sponsored events:<br />
■ NOV 11-15, HCCA’s Academy<br />
2002 CONFERENCES:<br />
of <strong>Health</strong> <strong>Care</strong> <strong>Compliance</strong>,<br />
SAN DIEGO, CA:<br />
Union League<br />
■ DEC 9-11, HCCA AHLA HIPAA<br />
Forum West<br />
2003 CONFERENCES:<br />
DALLAS/FORT WORTH, TX:<br />
SAN FRANCISCO, CA:<br />
■ FEB 21 - Region VI<br />
■ NOV 7-8, Region IX<br />
<strong>Compliance</strong> Meeting<br />
<strong>Compliance</strong> Conference<br />
NEW ORLEANS, LA:<br />
WASHINGTON, DC:<br />
■ APR 27-30, HCCA’s<br />
■ SEPT 29-OCT 1, HCCA/AHLA<br />
<strong>Compliance</strong> Institute 2003<br />
HCCA<br />
RESOURCES<br />
For more information about events or resources, check out the<br />
HCCA Website, http://www.hcca-info.org or call 888/580-8373.<br />
Be sure to ask about your member discount.<br />
AWARDARD<br />
WINNING<br />
■ Individual & Small Group<br />
Physician Practice <strong>Compliance</strong>:<br />
What every physician should<br />
know, HCCA’s audio training<br />
program designed specifically<br />
for physicians.<br />
■ HCCA’s <strong>Compliance</strong>,<br />
Conscience, and Conduct ,<br />
a video-based compliance<br />
training program<br />
AWARDARD<br />
WINNING<br />
Fraud and <strong>Compliance</strong> Forum<br />
ATLANTA, GA:<br />
■ NOV 4, HCCA Region IV<br />
<strong>Compliance</strong> Conference<br />
ST. PAUL/MINNEAPOLIS, MN:<br />
■ SEP 12, HCCA Region V<br />
<strong>Compliance</strong> Conference<br />
KANSAS CITY, MO:<br />
■ AUG 2, HCCA Region VII<br />
<strong>Compliance</strong> Conference<br />
ATLANTIC CITY, NJ:<br />
■ OCT 21-22, HCCA Region II &<br />
III <strong>Compliance</strong> Conference<br />
PHILADELPHIA, PA:<br />
■ Privacy Matters – HCCA’s<br />
video-based HIPAA Training<br />
Program<br />
■ HCCA’s book, <strong>Compliance</strong> 101<br />
■ The <strong>Health</strong> <strong>Care</strong> <strong>Compliance</strong><br />
Professional’s Manual, to order,<br />
call 800/638-8437 ■<br />
3<br />
August 2002
Sites and scenes from...<br />
The<br />
HIPAA<br />
Forum<br />
2002<br />
GAPMS Drafting Committee (below)<br />
The<br />
GAPMS<br />
Committee<br />
Meetings<br />
GAPMS Steering Committee (above & below)<br />
August 2002<br />
4<br />
On June 12 & 13 members of the Drafting and Steering<br />
Committees of the HCCA’s public and private sector<br />
initiative to develop Generally Accepted Performance<br />
Measurement Standards gathered in Boston, MA for a<br />
two-day working session. Through these standards the health care industry will measure their compliance<br />
program’s performance and quantify their organizations return on the investment made in developing and maintaining<br />
compliance programs. Hospital compliance programs are the first segment of the health care industry to be explored. ■
FOCUS<br />
ON<br />
ETHICS &<br />
COMPLIANCE<br />
<strong>Compliance</strong>,<br />
ethics, and<br />
stewardship:<br />
Or, why we do what we do<br />
By Jeffrey Oak, PhD<br />
Editor’s note: Jeffrey Oak, PhD, is on the<br />
HCCA Board of Directors and is the <strong>Compliance</strong><br />
and Business Integrity Officer for<br />
the Veterans <strong>Health</strong> Administration, an<br />
integrated system of over 160 hospitals, 130<br />
nursing homes, and 800 clinics, served by<br />
180,000 employees. He may be reached at<br />
202/273-5662. This article inaugurates a<br />
new column in <strong>Compliance</strong> Today. Over<br />
the next year, Dr. Oak will periodically<br />
contribute articles related to Ethics and<br />
<strong>Compliance</strong> to the HCCA magazine. If<br />
you have items you would like addressed,<br />
please email jeff.oak@hq.med.va.gov<br />
“He’s a part of history now.” This is how<br />
Mr. Gregory Commons, a former Marine<br />
and now a seventh grade history teacher at<br />
Carl Sandburg Middle School in northern<br />
Virginia, talked about his son, Matthew,<br />
the day after Matthew’s funeral at Arlington<br />
National Cemetery. Matthew was an<br />
Army Ranger, one of the eight Americans<br />
who were killed last March in Afghanistan.<br />
He was laid to rest on March 11, 2002,<br />
exactly six months to the day after<br />
September 11, 2001, the fateful day that<br />
changed a generation of Americans.<br />
My son sat in the second row of Mr.<br />
Commons’ third period class on<br />
American history at Carl Sandburg<br />
Middle School. And this is the story<br />
Nathaniel told over dinner at home some<br />
months back. Mr. Commons’ 21-year-old<br />
son gave his life in defense of our freedom,<br />
gave his life attempting to rescue a<br />
comrade who had fallen. And now the<br />
history teacher’s son is himself a part of<br />
our nation’s history. In February of last<br />
year the seventh graders at Carl Sandburg<br />
were learning about history through textbooks.<br />
By April, they were learning<br />
through the tears and sorrow of the plain<br />
speaking, no-nonsense, “turn your homework<br />
in on time or you’ll be docked a full<br />
grade” ex-Marine turned history teacher.<br />
It is not only the ones who die, like<br />
Matthew Commons, that become part of<br />
history. It is also the ones who live, the<br />
ones my organization cares for in our<br />
hospitals, the ones who willingly participate<br />
in research to advance our storehouse<br />
of medical knowledge, the ones<br />
who get fitted for prosthetics, go for therapy,<br />
and come to our clinics; all of these<br />
men and women are part of our nation’s<br />
history. And they are the ones we are<br />
privileged to serve within the Veterans<br />
<strong>Health</strong> Administration (VHA): those<br />
who are part of history.<br />
What does all this have to do with compliance?<br />
The answer: stewardship and<br />
service. Perhaps like yours, my health system<br />
strives mightily for excellence in<br />
everything we do. In fact, our vision statement<br />
is as simple as it is bold: we want to<br />
be the best health system in the world.<br />
And what does it mean to be the best?<br />
For my organization it means providing:<br />
■ high quality care<br />
■ at the best cost<br />
■ with access for the most patients<br />
■ while earning public trust<br />
This is what good stewardship in our<br />
health care system means. And this is<br />
what good stewardship requires.<br />
In his book Stewardship: Choosing Service<br />
JEFFREY OAK, PHD<br />
Over Self-Interest, management guru Peter<br />
Block defines stewardship as a set of principles<br />
which transforms the governance<br />
of an organization. Stewardship creates a<br />
sense of ownership and responsibility, it<br />
creates accountability and a sense of partnership.<br />
Stewardship is driven by internal<br />
standards, not just external requirements.<br />
It is focused on service, not self-interest.<br />
In short, stewardship is self-governance.<br />
In order to be both effective and sustainable,<br />
compliance efforts must be closely<br />
linked with organizational stewardship,<br />
with mission, and with service. When<br />
compliance becomes an exercise in<br />
“gotcha,” it has lost its credibility. When<br />
compliance becomes little more than<br />
legal maneuvering, it has lost its way.<br />
And when compliance becomes a game<br />
of hide and seek, it has lost its soul.<br />
<strong>Compliance</strong> is–or should be–an act of<br />
corporate stewardship, an exercise in<br />
building systems of self-governance, a<br />
function ultimately driven by the organization’s<br />
mission. <strong>Compliance</strong> is about<br />
adhering to the standards (ethical and<br />
otherwise) which govern the way we do<br />
business, which govern the context in<br />
which we render service. Linking compliance,<br />
ethics, and stewardship highlights<br />
why we do what we do. ■<br />
5<br />
August 2002
August 2002<br />
6<br />
By Craig Harriger, J.D., MBA and Paul Singleton, CISSP<br />
Editor’s note: Wm. Craig Harriger, J.D., practices, and DME providers. The system’s<br />
insurance company carries PPO,<br />
MBA (HOM) CHC, CHE, is Corporate<br />
<strong>Compliance</strong> Officer at Washoe <strong>Health</strong> HMO, and Indemnity and Medicare+<br />
System. He may be reached at 775/982- Choice products.<br />
5249. Paul Singleton, CISSP, is the<br />
Information Security Manager at Washoe Expanded initiative<br />
<strong>Health</strong> System.<br />
Like many organizations, Washoe<br />
employed the Charter System to form<br />
I<br />
nformation is one of the most a HIPAA Implementation Committee<br />
valuable assets of health care chaired by the Corporate <strong>Compliance</strong><br />
organizations. The Federal Officer. As with many organizations,<br />
Government has recognized the importance<br />
of this information. As a consetially<br />
envisioned a “fast and cheap”<br />
some of the committee members iniquence,<br />
HIPAA initiatives must be approach. Others decided to preempt<br />
implemented. As HIPAA deadlines that approach with a proposed Charter<br />
approach, some organizations begrudgingly<br />
are attempting to just meet the<br />
amendment.<br />
deadlines with a minimum investment. The committee not only adopted the<br />
Others however, are taking advantage of amended Charter, but also embraced<br />
the opportunity to enhance information<br />
management across the enterprise. ing into the Charter the goal of “seize<br />
the spirit of the changes by incorporat-<br />
These organizations see this mandatory the opportunity to streamline business<br />
initiative as an opportunity to significantly<br />
enhance their value while meet-<br />
and achieve a competitive advantage<br />
processes, eliminate manual processes,<br />
ing the governmental mandates.<br />
while meeting federally mandated legislation”.<br />
In essence the group acknowledged<br />
that since HIPAA mandates the<br />
One organization that has chosen to<br />
seize this opportunity is Washoe <strong>Health</strong> consumption of certain resources and<br />
System (Washoe). Washoe is a Reno, time commitments, value-added thinking<br />
should be employed to improve the<br />
Nevada-based vertically integrated<br />
health care system serving Northern organization wherever possible.<br />
Nevada and Northern California.<br />
Washoe’s services include a 529-bed Information management mapping<br />
Medical Center, a surgery center, an inpatient<br />
rehabilitation facility (IRF), the Information Security Manager<br />
As a part of this value-added approach,<br />
extended care facilities and skilled nursing<br />
units (SNFs), in addition to a home information management scheme.<br />
identified the absence of a holistic<br />
health agency, multi-specialty physician Although there were numerous authen-<br />
CRAIG HARRIGER, J.D., MBA<br />
tication requirements in place, there<br />
were no links between the roles and<br />
departments in the management of<br />
information access. The committee<br />
reviewed the deficit and found a multitude<br />
of benefits were available that<br />
would form a competitive advantage<br />
from the process of information management<br />
mapping.<br />
The expanded initiative sought to<br />
devise a system that would meet<br />
HIPAA’s readily apparent basic requirements.<br />
For example, the new process<br />
needed to increase the ability to audit<br />
access to patients’ protected health<br />
information (PHI) both accurately and<br />
efficiently. Second, the prescribed sublevels<br />
of PHI, such as psychotherapy<br />
notes, required additional levels of<br />
scrutiny. Third, Washoe needed a tool<br />
that expedited the manner in which<br />
only the appropriate information is<br />
provided to users. Finally, the system<br />
needed to identify the appropriate<br />
method of destruction for differing<br />
classifications of information.<br />
The group identified several additional<br />
potential benefits of information management<br />
mapping. These value-added<br />
aspects include a quick and accurate<br />
gap analysis prior to a breach in the
system. Other advantages include easier<br />
approach to categorizing information<br />
dentiality, integrity, and availability.<br />
access to specific information, increased<br />
and regulating access based on need.<br />
efficiency in how information is distributed<br />
throughout the system as well as<br />
near real-time trending analysis of<br />
information use and needs.<br />
The similarity between this methodology<br />
and the HIPAA requirements and<br />
consequences is striking.<br />
Understanding determining factors<br />
All information is not of equal importance<br />
to an organization. In order to<br />
remain cost-effective, they need to<br />
Recently, some health care organiza-<br />
establish any information not consid-<br />
tions have begun to realize that effective<br />
ered worthy of protection. For exam-<br />
information classification is a competi-<br />
ple, many organizations do not want to<br />
PAUL SINGLETON, CISSP<br />
tive advantage and a cornerstone of an<br />
operative compliance plan. Creating an<br />
information classification system<br />
involves a three-step process that provides<br />
the organizations with a powerful<br />
set of tools that can assist in management<br />
processes across an organization.<br />
Initially, it is important to obtain senior<br />
management agreement that informa-<br />
invest the time and resources necessary<br />
to protect the contents of its internal<br />
phone book. This information generally<br />
can be acquired by calling an internal<br />
operator.<br />
The basic information classification<br />
analysis of this example is that the<br />
information is available to anyone in<br />
the hospital without restriction, and<br />
tion is a precious corporate asset, one<br />
thus, not confidential. Likewise, there<br />
Fundamental elements<br />
The information mapping system can<br />
be as basic or complex as an organization<br />
desires. The fundamental elements<br />
however, are information classification<br />
and access management. Once these<br />
elements are in place, the opportunity<br />
for cross-organizational integration is<br />
available.<br />
that needs to be managed as diligently<br />
as all other capital. Involvement of the<br />
board of directors and senior management<br />
accord is also important to ensure<br />
that the HIPAA compliance initiative<br />
conforms to the elements of an effective<br />
compliance program under the standards<br />
provided by the Federal<br />
Sentencing Guidelines. This should be<br />
viewed as an operational initiative.<br />
is no concern over the information<br />
being modified to anyone’s detriment<br />
(integrity), and without the phone<br />
book, the organization could continue<br />
to function with no lasting harm (availability).<br />
Obviously, information that<br />
does meet any of the above criteria<br />
would be considered public and need<br />
not be restricted.<br />
Information classification systems are<br />
often viewed as clandestine strategy<br />
employed by governmental agencies or<br />
similar organizations that have intense<br />
research and development initiatives.<br />
While this is true, these systems are also<br />
used as a means of maintaining a competitive<br />
advantage over business rivals;<br />
an advantage that could be lost in the<br />
event proprietary secrets are compro-<br />
Consider engaging other management<br />
personnel in the process. Using the<br />
Chief Information Officer (CIO) as the<br />
sole sponsor, risks having the initiative<br />
viewed as an Y2K boondoggle.<br />
A first step is to determine the classification<br />
of information. This is the most<br />
important and yet simplistic phase.<br />
This identification process requires an<br />
Not all information however, falls<br />
exclusively into one of the three determining<br />
factors, and some may actually<br />
meet the test of all three. It is generally<br />
the information that meets all three criteria<br />
that is identified as critical to the<br />
organization’s functional well-being.<br />
Decision analysis information and feasibility<br />
information are two examples<br />
of valuable, highly restricted informa-<br />
mised.<br />
assessment of the type of information<br />
tion (confidentiality and integrity) that<br />
the organization creates and maintains<br />
would have a lower level of criticality<br />
The banking, insurance, defense, and<br />
technology industries have long recognized<br />
the need for a systematized<br />
as well as the various levels of proposed<br />
personnel access. This process is a function<br />
of three determining factors: confi-<br />
than patient information (confidentiality,<br />
integrity and availability).<br />
Continued on page 8<br />
7<br />
August 2002
LEVERAGING HIPAA...continued from page 7<br />
August 2002<br />
8<br />
The owner of the classification project<br />
should understand the determining factors<br />
and apply them to the business<br />
process of the organization to develop<br />
the appropriate classifications. The end<br />
result should be information classified<br />
into five or six simple categories (in<br />
addition to subcategories) that allow<br />
users to quickly understand the type of<br />
information with which they are working.<br />
Identifying the classifications<br />
For example, there are five classifications<br />
that would serve most health care<br />
organizations well. These classifications<br />
are:<br />
■ Research:( Access granted only on<br />
an individual basis and not rolebased)<br />
This classification targets activities<br />
by researchers conducted within an<br />
organization. These include open as<br />
well as blinded studies. Access is<br />
provided after a matching of individuals<br />
to specific information and is<br />
never role-based. An example of the<br />
difference in treatment of this<br />
classification is that in some cases<br />
Independent Review Board members<br />
could have full access to certain<br />
information, while physicians,<br />
therapists, program administrators<br />
on certain studies would be more<br />
restricted.<br />
■ PHI Restricted: This classification is<br />
for sensitive information that must<br />
be carefully controlled. An example<br />
is psychotherapy notes (HIPAA). In<br />
order to determine additional data<br />
that fit into this category, it will be<br />
necessary to consider the extent to<br />
which more stringent state laws<br />
relating to specific categories of<br />
health information, such as HIV test<br />
results, mental health records, and<br />
genetic information are not preempted<br />
by HIPAA.<br />
■ PHI: This is the classification for<br />
most other patient-related information<br />
that does not fall within the<br />
“PHI Restricted” category. Examples<br />
might include regular physician visits,<br />
inpatient stays, personal history,<br />
etc. If the organization has developed<br />
methods for de-identifying<br />
PHI, processes must be developed to<br />
permit broader access to the PHI<br />
after, and only after, de-identification<br />
has been completed.<br />
■ Internal Use: All organizations have<br />
information to which they must<br />
restrict access but is not PHI. This<br />
information may consist of financial<br />
information, real-estate market feasibility<br />
studies for clinic expansions or<br />
decision analysis documents. A subclassification<br />
of “Internal Use” could<br />
include an “Audit” or “Confidential<br />
Financial” category that is further<br />
restricted to employees in certain<br />
departments. Other information<br />
may constitute trade secrets of the<br />
organization under state law, such as<br />
proprietary protocols, business<br />
methods, and customer lists. In<br />
order to afford this information with<br />
legal protection as trade secrets, it is<br />
generally advisable to label the data<br />
as confidential and treat it as such.<br />
■ Public: Some mistakenly believe<br />
that if the information does not fall<br />
into one of the above classifications,<br />
there are no restrictions. This is a<br />
dangerous assumption. First, often<br />
newly produced information has not<br />
yet been classified and identified.<br />
Therefore, the best practice is to<br />
identify all information, even that<br />
which is to be released to the public.<br />
Similarly, each organization should<br />
incorporate a policy in which<br />
unidentified information automatically<br />
defaults (at a minimum) to<br />
“Internal Use” classification until<br />
otherwise classified.<br />
The above categories are proposed as<br />
general guidelines without regard to<br />
organizational particularities. Once the<br />
classification development work is<br />
completed however, the owners of the<br />
specific information (i.e. business office<br />
or health information management)<br />
should begin to group their departmental<br />
information into the appropriate<br />
classifications that have been identified.<br />
Business unit participation<br />
At first glance this may appear overwhelming.<br />
The process is quite manageable<br />
however, given the appropriate<br />
set of tools employed in a reasonable<br />
order. One of the first steps should be<br />
to include the business unit managers<br />
and supervisors in the process.<br />
Although one department will be<br />
responsible for safeguarding and controlling<br />
the access to information ultimately,<br />
business unit participation in<br />
classifying the data is essential.<br />
A key aspect to the effective implementation<br />
of the classification process is<br />
facilitating the meetings with the business<br />
units. Since there are few business<br />
unit leaders with this type of experience,<br />
the classification process owner<br />
will need to take the lead. Individual<br />
meetings with the various business<br />
group managers and supervisors keep<br />
the meeting productive. It is ill advised<br />
to have too many groups present at<br />
once. Each department perceives its sit-
uation as unique. The divide and con-<br />
tion is classified based on<br />
each job during the classification<br />
quer method allows the individual<br />
“Confidentiality”, “Integrity” and<br />
process.<br />
attention necessary for efficient and<br />
“Availability”. All data not consid-<br />
effective results.<br />
ered “Public” should have at least<br />
There are obvious benefits to imple-<br />
Creating a collection tool<br />
These meetings should focus on collecting<br />
a description of the information<br />
created and used by the business units.<br />
A successful method used in other<br />
industries includes providing a fill-inthe-blank<br />
form with clear instructions<br />
for completion. Fields that should be<br />
included are:<br />
■ Department: The group that owns<br />
the information.<br />
■ Contact information of reviewer:<br />
The contact information for the<br />
business unit individual conducting<br />
the classification process<br />
■ Date: The date that the review was<br />
conducted. This is an ongoing<br />
process that usually should be<br />
reviewed annually<br />
■ Information name/description:<br />
This is an identifier and description<br />
of the specific information maintained<br />
by the business unit. This<br />
should be at a moderately high level;<br />
not a listing of each individual document<br />
■ Storage method: Describe the<br />
method or medium in which the<br />
information is stored. For example:<br />
Paper, Hard Disk, Tape Drive, email<br />
archive, etc.<br />
■ Classification: Each line item can<br />
only fall into ONE classification.<br />
The better practice is to err on the<br />
side of caution. If there is a question<br />
the more restrictive classification<br />
level should be used. The default for<br />
information that has no determination<br />
should be Internal Use<br />
■ Determining factors: The informa-<br />
one determining factor selected<br />
Information marking<br />
After each business unit has appropriately<br />
analyzed and classified their information,<br />
the next step is information<br />
marking (IM). The goal of IM is to<br />
provide organizations with a common<br />
identification scheme that allows the<br />
employees to readily identify and<br />
appropriately handle any piece of information.<br />
Effort should be made to keep<br />
the scheme as simple as possible.<br />
For instance, PHI might be marked<br />
with one color, while more restricted<br />
information (PHI Restricted) is marked<br />
with another. Each color is identified<br />
with specific handling instructions<br />
(“faxing not allowed”). Other considerations<br />
include computer systems that<br />
are clearly identified as a PHI site as<br />
well as printers and faxes labeled as<br />
restricted where appropriate. In addition,<br />
many companies use electronic<br />
banners that present at system log-on.<br />
Managing access<br />
The final step in the information management<br />
process is managing access to<br />
the information once it has been classified.<br />
There are numerous approaches to<br />
achieve this goal depending on the size<br />
and complexity of the organization.<br />
One approach is role-based access control<br />
(RBAC). RBAC is a system of<br />
access management structured on a<br />
minimum necessary, need-to-know<br />
basis in order to fulfill a role within the<br />
organization. The business unit managers<br />
define the classification level for<br />
menting RBAC. The most notable of<br />
which is the prevention of “access<br />
creep”. Access creep occurs when<br />
employees are promoted or transferred<br />
within an organization. Often they are<br />
granted additional access with each<br />
move. Many times there is no systems<br />
for correcting corresponding prior<br />
levels.<br />
Another approach is Discretionary<br />
Access Control (DAC). DAC is primarily<br />
based on the discretion of the information<br />
owner and is not as uniform in<br />
creation and application. This approach<br />
may work appropriately for smaller<br />
organizations but in larger ones access<br />
creep is almost a certainty if not monitored<br />
closely.<br />
Additional benefits<br />
Additional possibilities materialize for<br />
leveraging this system into other<br />
departments, such as human resources.<br />
Employee badges might be marked in<br />
accordance with the classification<br />
scheme, providing a simple and effective<br />
method for visibly matching<br />
employees with appropriate access. For<br />
companies employing a higher level of<br />
technology, such as proximity cards,<br />
swipe badges, or tokens in their physical<br />
access or network controls, the<br />
access levels could be synchronized.<br />
This would allow for real-time low-level<br />
audit capabilities in the following scenario.<br />
An employee possesses one access card,<br />
provided by the human resources<br />
Continued on page 10<br />
9<br />
August 2002
LEVERAGING HIPAA...continued from page 9<br />
August 2002<br />
department when hired. She uses this to individual employee numbers allow<br />
card to gain access to restricted areas and companies to identify and conduct levels<br />
clock-in for work. During the course of of training appropriate to the access level<br />
her workday, the card is used in conjunction<br />
with a password, to access kiosk<br />
of employees.<br />
computers for Internet access and other Future initiatives will allow for Intranet<br />
terminals to view PHI. If medical information<br />
must be accessed from the HIM to populate the HRIS database automat-<br />
and outsourced Internet-based training<br />
department, the system that reads the ically when training is complete.<br />
bar coded information on the patient Conversely this same process provides<br />
record also reads the proximity card to timely notification when training compliance<br />
has not been met. This signifi-<br />
determine whether she has appropriate<br />
access level. This ensures information is cantly reduces resource consumption as<br />
checked out to a specific person (rather HIPAA training requirements grow.<br />
than a department), who is responsible This integration also enables the quick<br />
for the record until returned. Note that provision of specific information and<br />
every step of the way, this access is captured<br />
and logged for later archival, and if review purposes.<br />
documentation for audit or annual<br />
necessary, audit purposes.<br />
Conclusion–the real benefits<br />
Another possibility is the integration If the process appears daunting, bear in<br />
with human resources information systems<br />
(HRIS) such as ADP or similar The process should not be executed in<br />
mind that the steps are relatively simple.<br />
products that use an “open” database. one meeting or by a single department.<br />
Linking information classification codes The key to success is careful preparation<br />
WEB<br />
RESOURCES<br />
Editor’s conferences, compliance resources, and<br />
note: Website links. Don’t miss out–Be sure to<br />
Periodically read the articles BNA provides on the<br />
we publish a Members Only section of the HCCA<br />
listing of helpful Internet and email Website.<br />
resources. If you know of Websites that may<br />
be helpful to compliance professionals, please ■ HCCA’s quick survey results<br />
submit them to Margaret Dragon at<br />
http://www.hcca-info.org/html/<br />
mrdragon@ziplink.net<br />
compliance.html#Survey<br />
Be sure to visit the HCCA Website:<br />
■ HCCA’s Second HIPAA Readiness<br />
http://www.hcca-info.org to find the Survey<br />
most up to date listings of upcoming<br />
http://www.hcca-info.org/documents/<br />
10<br />
of the classifications and the participation<br />
of business unit managers and<br />
supervisors. Their input in assigning the<br />
classifications to the information is<br />
essential. Starting small however, does<br />
not waste time. This process is rather<br />
modular and can be implemented over<br />
time. Organizations should not expect<br />
to get perfect information classifications.<br />
They can however, expect to achieve a<br />
vastly improved system that provides<br />
safe, timely, and functional information<br />
management in an increasingly complex<br />
environment.<br />
Once this initial process is complete, the<br />
opportunity to link classifications to<br />
human resources’ databases, physical security<br />
devices, HIM management programs,<br />
and time keeping instruments increase the<br />
effectiveness of business processes.<br />
Obviously, increasing benefits are derived<br />
proportionately from the maximization of<br />
automation and the information that can<br />
be leveraged as a result. ■<br />
report02_final.pdf<br />
■ EMTALA changes–pages 31469-<br />
31479<br />
http://www.access.gpo.gov/su_docs/<br />
fedreg/a020509c.html<br />
■ Review of Medicare Outlier<br />
Payments at Rhode Island Hospital<br />
for Fiscal Year 1999<br />
http://oig.hhs.gov/oas/reports/region1/<br />
10100527.pdf<br />
Continued on page 12
By Norman Radies<br />
Editor’s note: Norman Radies is the Chief provider must meet the physician<br />
<strong>Compliance</strong> Officer for Pediatrix Medical supervision requirements, while the<br />
Group, Inc. He may be reached at services of auxiliary personnel in the<br />
800/243-3839, Ext. 5133.<br />
outpatient setting must meet the<br />
requirements of the “incident to” rule.<br />
Like many physician practice This rule requires the physician to personally<br />
render a professional service to<br />
organizations, increased<br />
utilization of non-physician which the auxiliary personnel’s service is<br />
practitioners (NPPs) has been necessary an incidental, yet integral part [of the<br />
to meet the needs of patients and diagnosis and treatment of a patient’s<br />
clients. Correspondingly, increased regulatory<br />
scrutiny of services rendered by however, that the physician must see<br />
injury or illness]. This does not mean,<br />
NPPs has elevated the need to ensure the patient on each occasion of service<br />
that all your i’s are dotted and t’s are (e.g., routine follow-up visit) by auxiliary<br />
personnel. Use of the “incident to”<br />
crossed. If you do business in multiple<br />
states and serve a Medicaid population rule also requires that auxiliary personnel<br />
are employed by the physician and<br />
in each, you will likely be faced with a<br />
complex set of issues when staffing your are unable to be paid directly for their<br />
practices, scheduling your patients, and services.<br />
billing for services rendered by NPPs.<br />
Since most commercial payers do not The scheduling of patients, staffing of<br />
enroll NPPs and few non-government the practice, and documentation<br />
contracts explicitly define physician requirements are affected by the type of<br />
supervision requirements, this article NPP rendering services, as well as the<br />
will focus on the government payer location and type of services rendered.<br />
requirements, primarily Medicaid. For example, if you schedule a<br />
Medicaid patient for an initial visit<br />
The first step is to gain a clear understanding<br />
of the regulatory distinction office suite, the incident to provisions<br />
when a physician is not present in the<br />
between mid-level providers (i.e., described above cannot be met. Even a<br />
advance nurse practitioners, physician routine follow-up visit (except 99211)<br />
assistants, certified nurse midwives, performed by auxiliary personnel cannot<br />
be billed to Medicaid when a physi-<br />
etc.) and auxiliary personnel (i.e., nurses,<br />
psychologists, technicians, therapists, cian is not present and immediately<br />
and other aides).<br />
available in the office suite (“incident<br />
to” does not apply to the inpatient setting).<br />
Documentary evidence must sup-<br />
In order to bill their services under the<br />
physician’s name and provider identification<br />
number (PIN), a mid-level dent to requirements have been<br />
port that all relevant supervision/inci-<br />
met.<br />
NORMAN RADIES<br />
Lastly, it is important to recognize that<br />
some Medicaid programs limit reimbursement<br />
of NPPs services to as low as<br />
65% of the physician fee schedule<br />
amount.<br />
Each state Medicaid program is authorized<br />
to establish its own physician<br />
supervision requirements for services<br />
rendered by NPPs. Physician supervision<br />
requirements can range from<br />
“physician is available by telephone” to<br />
“the physician must be present and<br />
immediately available to assist while the<br />
service is being rendered.” Maintain oncall<br />
logs and attendance records to support<br />
that supervision requirements have<br />
been met. Some Medicaid programs<br />
require the billing of all services by the<br />
actual provider. In other words, services<br />
rendered by a mid-level NPP must be<br />
billed under the NPP’s name and PIN,<br />
regardless of the level of physician<br />
supervision.<br />
Many state programs maintain a Website<br />
and on-line access to provider manuals.<br />
State Medicaid links are available<br />
through both government and private<br />
sites such as http://www.geocities.com/<br />
medicaid.geo/index.html, Murphy’s<br />
Unofficial Medicaid Page.<br />
Continued on page 12<br />
11<br />
August 2002
PHYSICIAN PRACTICE AND BILLING ISSUES...continued from page 11<br />
Beware that a number of state sites may<br />
still be under construction or may not<br />
have any “search” capabilities. Further,<br />
some states do not provide explicit written<br />
guidance concerning physician<br />
supervision, while others default to the<br />
requirements established by Medicare<br />
or their contracted managed care payers.<br />
When you may be faced with a<br />
lengthy, and oftentimes unsuccessful,<br />
review of years of Medicaid program<br />
bulletins, it is generally easier to solicit<br />
information directly from their provider<br />
relations group. Remember to always<br />
get answers in writing. Send a letter or<br />
fax to confirm answers provided over<br />
the phone.<br />
Finally, a number of state programs do<br />
not enroll all types of NPPs. For example,<br />
MediCal enrolls advance practice<br />
nurses, but only pediatric nurse practitioners<br />
and primary care nurse practitioners.<br />
In these states, you may end up<br />
having to petition the state program to<br />
recognize a new type of NPP. Be prepared<br />
to submit extensive information<br />
regarding qualifications and types of<br />
services provided (e.g., CPT codes).<br />
Another important step in effectively<br />
dealing with the issues presented by<br />
NPPs requires careful reading and<br />
interpretation of the AMA’s CPT<br />
(Common Procedure Terminology)<br />
manual. Many of the services provided<br />
by physician practices in both the inpatient<br />
and outpatient settings entail evaluation<br />
and management (E&M) services<br />
which, with the exception of 99211,<br />
are described as requiring the presence<br />
of a physician. However, in a state<br />
where the supervision requirement is<br />
“available by telephone,” E&M services<br />
may be reported under an enrolled,<br />
mid-level provider’s name and PIN.<br />
Conversely, other E&M services performed<br />
by an enrolled mid-level<br />
provider should be reported under the<br />
supervising physician’s name and PIN<br />
even if the supervision requirements<br />
have been met. For example, the 2002<br />
CPT manual defines the neonatal critical<br />
care codes as “services provided by a<br />
physician directing the care of a critically<br />
ill newborn [or managing the continuing<br />
intensive care of the very low birth<br />
weight (VLBW) infant].” The reported<br />
service is the physician’s direction of the<br />
critically ill newborn’s care, not the<br />
individual services that may have been<br />
rendered by the mid-level provider.<br />
State laws and practice acts also need to<br />
be researched to confirm that services<br />
fall within the NPP’s scope of practice;<br />
e.g., licensure. For example, Arizona<br />
permits delivery services to be provided<br />
by a licensed midwife without direct<br />
physician supervision, but only to<br />
Medicaid beneficiaries for whom an<br />
uncomplicated prenatal course and a<br />
low-risk labor and delivery can be<br />
anticipated. Also, make certain that any<br />
mid-level providers working in an inpatient<br />
setting have been granted appropriate<br />
privileges by the hospitals.<br />
Once the regulatory research is complete,<br />
the next step is to ensure that the<br />
practice’s operations supports both the<br />
billing and record keeping requirements;<br />
i.e., are all NPPs properly<br />
enrolled (including those cross-over<br />
states), would existing documentation<br />
evidence that supervision requirements<br />
had been met, etc. All appropriate practice<br />
personnel need to be educated<br />
regarding pertinent requirements.<br />
Lastly, don’t leave your fate to chance.<br />
Conduct a follow-up review a short<br />
while after implementing any changes<br />
to ensure compliance. A few unintentional<br />
errors may be acceptable, but a<br />
pattern of errors may have serious consequences.<br />
■<br />
August 2002<br />
WEB RESOURCES...continued from page 10<br />
■ OIG ISSUES Draft <strong>Compliance</strong><br />
Program Guidance for Ambulance<br />
Suppliers<br />
http://oig.hhs.gov/fraud/docs/<br />
complianceguidance/draftambulance<br />
compliance060602.pdf<br />
■ IG Testimony: Medicare pays above<br />
12<br />
market prices for medical supplies<br />
http://oig.hhs.gov/testimony/docs/2002/<br />
020611fin.pdf<br />
■ Federal Register Notice RE: Revision<br />
of OIG <strong>Compliance</strong> Guidance for<br />
the Hospital Industry<br />
http://oig.hhs.gov/authorities/docs/<br />
cpg%20hospital%20solicitation<br />
%20notice.pdf<br />
■ OIG Advisory Opinion No. 9–concerning<br />
whether a proposed singlespecialty<br />
ambulatory surgical center<br />
that would be wholly-owned by a<br />
physician would violate the administrative<br />
authorities related to the antikickback<br />
statute<br />
http://oig.hhs.gov/fraud/docs/advisory<br />
opinions/2002/ao0209.pdf ■
feature<br />
article<br />
Editor’s note: This interview with James<br />
Roosevelt, Senior Vice President and<br />
General Counsel for Tufts <strong>Health</strong> Plan in<br />
Boston and recently named President of<br />
the American <strong>Health</strong> Lawyers <strong>Association</strong><br />
was conducted by F. Lisa Murtha, HCCA<br />
Board member and Chief Audit and<br />
<strong>Compliance</strong> Officer for Children’s<br />
Hospital of Philadelphia. Mr. Roosevelt<br />
may be reached at 781/466-8564 and<br />
Ms. Murtha may be reached at 215/590-<br />
9156.<br />
LM:<br />
Thank you so much Jim for<br />
joining us. We really appreciate your<br />
time this morning. I wanted to chat<br />
with you a bit about your new role as<br />
the President of American <strong>Health</strong><br />
Lawyers <strong>Association</strong> (AHLA). When<br />
does your term begin or has it already<br />
begun and what is your single biggest<br />
mission for the AHLA for your term as<br />
President?<br />
<strong>JR</strong>:<br />
My term with AHLA begins<br />
at our annual meeting in San Francisco<br />
on July 1st. The fundamental mission<br />
of AHLA is education of lawyers and<br />
others who work with health law and<br />
regulations. So my single biggest mission<br />
is to maintain and continue to<br />
improve the high standard of education<br />
both in in-person conferences and teleconferences<br />
as well as publications. My<br />
secondary mission is to expand the<br />
audience and membership of AHLA.<br />
LM:<br />
Do you see any obstacles over<br />
the course of the next year with AHLA<br />
Meet James Roosevelt<br />
Senior Vice President and General<br />
Counsel for Tufts <strong>Health</strong> Plan<br />
in achieving your mission. I mean, in<br />
light of world events such as September<br />
11th.<br />
<strong>JR</strong>: Well, we have increased teleconferences,<br />
some of them on issues<br />
that come up quickly, and we’ve put<br />
together a quick mini-seminar or discussion.<br />
We’ve initiated a series of conversations<br />
with major policymakers by<br />
teleconference. However, our in-person<br />
conferences have returned to the sort of<br />
attendance that we were getting before<br />
9-11. After 9-11, we had a little dip,<br />
maybe 20 percent or so, but within<br />
about two months, we came back to<br />
the pre-9-11 level.<br />
LM:<br />
Well, as you know, the <strong>Health</strong><br />
<strong>Care</strong> <strong>Compliance</strong> <strong>Association</strong> is partnering<br />
with the American <strong>Health</strong><br />
Lawyers <strong>Association</strong> on the Fraud and<br />
<strong>Compliance</strong> Forum. And I was just<br />
curious as to your perspective on partnerships<br />
with associations like the<br />
HCCA or others, as the case may be.<br />
Do you think that that is the wave of<br />
the future?<br />
<strong>JR</strong>: I participated in the Fraud<br />
and <strong>Compliance</strong> Forum last fall actually<br />
and I was also a participant in another<br />
joint conference that <strong>Health</strong> Lawyers<br />
put on this year with the American<br />
<strong>Association</strong> of <strong>Health</strong> Plans. And I do<br />
think that joint events are valuable to<br />
both organizations. <strong>Health</strong> Lawyers<br />
bring a particularly high standard in<br />
legal education and great resources in<br />
terms of our speakers and writers. The<br />
organizations of people who work in<br />
the field bring both an important perspective<br />
on planning the conferences so<br />
that the conferences are relevant to very<br />
current issues, not just what might have<br />
come to a lawyer in a law firm six<br />
months, a year, two years after the fact<br />
when some litigation matter has arisen<br />
or something like that. So, I think that<br />
the collaboration between <strong>Health</strong><br />
Lawyers and some of the health care<br />
industry organizations is valuable both<br />
for the content and the attendance at<br />
the events.<br />
LM:<br />
Have you been involved in the<br />
Continued on Page 14<br />
13<br />
August 2002
August 2002<br />
James Roosevelt<br />
you see as the future of health care<br />
14<br />
development of the compliance program<br />
within Tufts <strong>Health</strong> Plan?<br />
<strong>JR</strong>:<br />
I am the senior corporate<br />
sponsor of the compliance program at<br />
Tufts <strong>Health</strong> Plan. I am not the compliance<br />
officer or the senior compliance<br />
officer but rather the next step above<br />
that because we take compliance so<br />
seriously. My role as a member of the<br />
most senior group of management is to<br />
sponsor the compliance program. So I<br />
am very heavily involved in the ongoing<br />
development of the program. There<br />
was a good program in place when I<br />
got there. We are working every day<br />
and every month to improve it and to<br />
respond to the changing demands of<br />
compliance in such areas as HIPAA.<br />
LM:<br />
Excellent. I actually have a<br />
question for you on that. Given the<br />
things that you’ve done within the context<br />
of the clients in your organization,<br />
what do you think is the single biggest<br />
dollar?<br />
<strong>JR</strong>:<br />
front, say $1,500, as an example, a<br />
I would say, first of all, the $1,000 personal care account that can<br />
most important thing in our compliance<br />
program is our people, both our<br />
people who design and implement the<br />
program. We have a great compliance<br />
officer, Anne Doyle, and a great senior<br />
compliance officer, Russ Kopp, who<br />
really take compliance seriously. But<br />
ultimately what makes a good compliance<br />
program is all 2,500 Tufts <strong>Health</strong><br />
Plan employees. And in order to<br />
encourage that from day one, from orientation<br />
to annual quizzes to training<br />
during the year, keeping people aware<br />
of compliance and explaining what it<br />
means and adapting to changes in the<br />
working environment, are where we<br />
really get value.<br />
LM:<br />
compliance?<br />
Tufts <strong>Health</strong> Plan and I think has to be<br />
Oh, that’s excellent. The next an integral part of both every provider’s<br />
factor for the success of your program? question I’d like to ask you is what do and every insurer’s operation because<br />
<strong>JR</strong>:<br />
I think health care compliance<br />
is a dynamic field that keeps<br />
evolving. So, I’m not sure I can predict<br />
the future specifically other than to say<br />
that I think as the areas of both health<br />
care and health care coverage expand<br />
and change, so will compliance. New<br />
approaches in terms of assuring that<br />
law regulation and ethics are complied<br />
with will have to respond to the changing<br />
field and the changing market.<br />
Just to give you an example,<br />
there’s a lot of planning being done<br />
these days for offering defined contribution<br />
health care coverage. This is a<br />
plan where an employee is given a certain<br />
amount of money by his or her<br />
employer and he or she, first of all,<br />
Would it be the training, the monitoring?<br />
You know, where have you seen they’re going to have but, secondly,<br />
chooses the sort of coverage that<br />
the real bang for your compliance often has quite a high deductible up<br />
be used for traditional health care and<br />
also for things like wellness activities,<br />
complimentary medicine, everything<br />
from podiatry to massages. And the<br />
compliance aspect of a plan like that is<br />
probably going to be different from a<br />
traditional HMO or even PPO. The<br />
establishment of the network is going<br />
to present new challenges of avoiding<br />
conflicts of interest and things like<br />
that.<br />
LM:<br />
So you really believe that<br />
compliance has become an integral<br />
part of your operation?<br />
<strong>JR</strong>:<br />
Yes, absolutely. <strong>Compliance</strong> is<br />
an integral part of our operations at
there are so many issues that have to be<br />
determined on both a regulatory and<br />
an ethical basis.<br />
LM:<br />
What advice would you give<br />
to organizations to assist in prevention<br />
of fraud and abuse and exposure from<br />
government investigations.<br />
<strong>JR</strong>:<br />
The most important thing is<br />
to make people aware of what is permissible<br />
and what is not, not just the<br />
letter of the law, but what is in keeping<br />
with the spirit of the law. Now, some<br />
of that is just absolutely clear in black<br />
letter. For example, you may have<br />
noticed that Vermont has just enacted<br />
a statute requiring that all gifts of over<br />
$25 from pharmaceutical companies to<br />
providers have to be reported to the<br />
state. So there’s a new twist on compliance.<br />
Some of us have had internal<br />
policies similar to that but now here’s<br />
an absolute need for compliance to a<br />
regulatory approach.<br />
LM:<br />
As the general counsel of<br />
Tufts <strong>Health</strong> Plan, how do you work<br />
with the compliance department on<br />
compliance issues, particularly investigations,<br />
etc.<br />
<strong>JR</strong>:<br />
The legal department, which<br />
I head as general counsel, and the compliance<br />
department work together in<br />
several ways. First of all, as the senior<br />
corporate sponsor of compliance,<br />
together with one of my associate general<br />
counsels, Lois Cornell, we work<br />
with the compliance steering committee<br />
in drafting policies and adapting<br />
them to real-life situations. Lois also<br />
works on the gift and grant review<br />
committee to make specific determinations<br />
as to whether a particular gift or<br />
grant is in compliance with our corporate<br />
policies.<br />
When we reach an issue that<br />
is really in dispute in some way, the<br />
legal department becomes involved in a<br />
more, you might say, traditionally legal<br />
way. We might well have one of our<br />
litigators, Dave Abelman, conduct an<br />
investigation. We might advise both<br />
the operating department and the<br />
compliance department as to statutory<br />
and regulatory, as well as internal policy,<br />
requirements on a specific issue.<br />
LM:<br />
What do you see as the<br />
biggest compliance risk for health<br />
plans as well as for providers?<br />
<strong>JR</strong>:<br />
Currently the biggest compliance<br />
risk is probably meeting the<br />
HIPAA requirements and deadlines.<br />
That’s something that we can see on<br />
the horizon and therefore define. So<br />
that’s the greatest immediate risk. Long<br />
term, and ongoing, I would say the<br />
risk is trying to balance reality with<br />
our aspirations. We need to assure that<br />
our employees operate ethically and<br />
legally every step of the way. We also<br />
have to deal with a real world where<br />
things are not always absolutely clear as<br />
to what is the right thing to do. So the<br />
important thing I think is having people<br />
think about things in an ethical<br />
fashion.<br />
LM:<br />
And that would be both for<br />
health plans and providers?<br />
<strong>JR</strong>:<br />
That really applies to both<br />
health plans and providers. It’s not a<br />
whole lot different. The guiding principle<br />
actually is something that we<br />
think about and focus on a lot at Tufts<br />
<strong>Health</strong> Plan, which is basically to do<br />
the right thing and to put integrity<br />
before everything else.<br />
LM:<br />
Have you been involved in<br />
HIPAA implementation for Tufts<br />
<strong>Health</strong> Plan? And, if so, can you<br />
describe those efforts? Who is the chief<br />
privacy officer and where does he or<br />
she report?<br />
<strong>JR</strong>: We have many people including<br />
me involved in HIPAA implementation.<br />
Our compliance officer is also<br />
our chief privacy officer. One of her<br />
staff members, Jeannette Frey, who formerly<br />
worked on compliance generally<br />
has been detailed solely to privacy and<br />
HIPAA compliance. I have a legal<br />
department staff member who is<br />
devoted almost exclusively to HIPAA<br />
implementation and compliance. So at<br />
sort of every step of the way we’re<br />
finding HIPAA compliance to be not<br />
quite all consuming but a major task,<br />
certainly no less than Y2K compliance.<br />
LM:<br />
I have one more question for<br />
you. Is your organization combining<br />
compliance and HIPAA activities.<br />
<strong>JR</strong>: We do combine compliance<br />
and HIPAA activities in terms of the<br />
compliance side of the activities. Now<br />
in terms of staffing there are people<br />
who are dedicated solely on the IT side<br />
and the business processes side but in<br />
terms of compliance, we do integrate<br />
compliance and HIPAA activities<br />
because basically HIPAA raises to a<br />
regulatory level the issues of privacy<br />
that have had some legislative treatment<br />
in the past but have primarily<br />
been issues of internal policy in the<br />
past.<br />
LM: Thank you for your time today.<br />
<strong>JR</strong>: Thank you and we’ll see you<br />
in September at the Fraud and<br />
<strong>Compliance</strong> Forum. ■<br />
15<br />
August 2002
BACK<br />
TO BASICS<br />
For gathering facts, nothing beats<br />
16<br />
Conduct-<br />
August 2002<br />
there is no substitute for facts.<br />
allow. If you think a person has said<br />
ing a<br />
<strong>Compliance</strong><br />
Interview<br />
speaking directly with an individual<br />
involved in the alleged non-compliance.<br />
Interviews, therefore, are vital parts of<br />
By Ryan D. Meade<br />
investigations and can make or break<br />
the integrity of the investigation report<br />
Editor’s note: Ryan Meade is a partner in<br />
the Chicago office of the law firm<br />
Michael Best & Friedrich. Mr. Meade is<br />
as well as the government’s perception<br />
of the competency of the compliance<br />
staff and program.<br />
also adjunct professor of law in the<br />
<strong>Health</strong> Law Institute at Loyola<br />
University of Chicago Law School. He<br />
may be reached at 312/222-6686 or<br />
rdmeade@mbf-law.com<br />
You don’t have to be a lawyer to conduct<br />
a compliance interview, but a few<br />
tips from a lawyer might not hurt.<br />
Interviewing to get at facts is not an<br />
easily taught skill. It is mostly learned<br />
When the Department of <strong>Health</strong> and<br />
Human Services’ Office of Inspector<br />
through experience and the awkward<br />
trial and error method.<br />
General (OIG) issued its “<strong>Compliance</strong><br />
Program Guidance for Hospitals” (63<br />
FR 8987) in 1998, it set out the basic<br />
seven elements the OIG expected to see<br />
in an effective compliance program.<br />
One of those elements was stated as:<br />
Development of a system to respond<br />
to allegations of improper/illegal<br />
activities and the enforcement of<br />
appropriate disciplinary action<br />
against employees who have violated<br />
internal compliance policies, applicable<br />
statutes, regulations, or Federal<br />
health care program requirements.<br />
Id. At 8989.<br />
Investigations are critical for getting a<br />
handle on what has gone wrong or to<br />
support a determination that nothing<br />
has gone wrong. Investigations should<br />
be quick, yet thorough. Investigations<br />
should be focused on gathering facts.<br />
There may be a time for pointing fingers,<br />
but initially it is more critical to<br />
get to the bottom of things. It is a simple<br />
concept which is often forgotten:<br />
Below are tips for conducting compliance<br />
interviews. They are not by any<br />
means exhaustive and they are not in<br />
any particular order of importance.<br />
Most of them constitute plain old-fashioned<br />
common sense, but often common<br />
sense approaches can be lost in the<br />
heat of the moment or can go unrecognized<br />
unless articulated. Some of the<br />
following also reflect the author’s own<br />
personal style of interviewing so that<br />
the reader may need to adjust these tips<br />
to meet the unique circumstances of an<br />
interview or investigation.<br />
1. Take copious notes<br />
Few of us have photographic memories<br />
and few of us are able to keep in the<br />
forefront of our mind all the different<br />
views on the same set of facts. It doesn’t<br />
take many interviews before an interviewer<br />
gets confused as to who said<br />
what about an event. Focus on the person<br />
you are interviewing and take as<br />
many notes as time and circumstances<br />
RYAN D. MEADE<br />
something particularly important, write<br />
down the person’s words verbatim.<br />
Don’t be embarrassed to pause the<br />
interviewee and repeat the quote back<br />
to him or her to ensure you have<br />
recorded the words precisely.<br />
2. Don’t tape an interview<br />
Written notes are preferable to recorded<br />
voice tapes. Taping voices picks up<br />
all words, even those which might be<br />
corrected later on in the interview and<br />
possibly heard (or played) out of context.<br />
Also, in those instances in which<br />
it is legitimate to erase tapes, erased<br />
recordings are often found to be not as<br />
successfully erased as the erasor presumes.<br />
Technology grows by leaps and<br />
bounds such that techniques exist that<br />
can sometimes recover voices from cassette<br />
tapes that are presumed to be<br />
erased with magnets. Additionally, digital<br />
voice recordings may leave a recoverable,<br />
electronic impression on the<br />
computer system supporting the<br />
recordings. If anything has been placed<br />
on a computer, the document usually<br />
exists forever as stored or “backed-up”<br />
somewhere. As a practical suggestion<br />
for any recording, be sure you want to<br />
create an inextinguishable document<br />
before you create it.
3. Have a witness! Do interviews with<br />
yourself when accused of wrongdoing.<br />
do two people remember the exact<br />
a partner<br />
When people are confronted with an<br />
same set of facts the same way. Just<br />
A team of two is always a good idea<br />
accusation of personal liability, then he<br />
because a person’s memory may seem-<br />
when conducting a compliance inter-<br />
or she typically become more selective<br />
ingly contradict another person’s mem-<br />
view. Not only is a witness important to<br />
in the facts that are revealed. Try to<br />
ory does not mean that one of the indi-<br />
help substantiate what a person said at<br />
avoid conclusions of wrongdoing dur-<br />
viduals is lying. Each person may have<br />
a particular interview, but the witness is<br />
ing the interview and stick to the facts.<br />
witnessed the same set of facts from a<br />
also valuable should the interviewee<br />
different angle, so to speak, so that<br />
allege that something unsavory<br />
6. Ask job employment and education<br />
assembling all the angles constructs the<br />
occurred during the interview (e.g.,<br />
history–get a sense of the intervie-<br />
best view of an event. Plus, under some<br />
harassment or threats of retaliation).<br />
wee’s background<br />
circumstances, attempting to influence<br />
The interviewee’s background is rarely a<br />
a person’s memory could be considered<br />
4. Put a person at ease: Strike a<br />
determinative factor in getting at the<br />
obstruction of justice.<br />
balance between casual conversation<br />
facts surrounding an allegedly improper<br />
and formality<br />
activity. Nevertheless, job employment<br />
9. Identify what is the interviewee’s<br />
There is no way around the fact that<br />
and educational history can provide a<br />
personal knowledge versus knowl-<br />
most people are nervous when they are<br />
context in which to evaluate whether<br />
edge learned from other people<br />
being interviewed in the course of an<br />
the requisite intent or breach of duty<br />
This is a matter of parsing out ambigu-<br />
internal investigation. Try to put the<br />
existed so as to raise a simple mistake to<br />
ous sources of information. Often peo-<br />
person at ease. While it is not appropri-<br />
that of a civil false claim or worse, a<br />
ple will state a fact as if they know the<br />
ate for the interview to be excessively<br />
crime. In some circumstances, an inves-<br />
information first hand, but when you<br />
casual so that it is indistinguishable<br />
tigation can rule out criminal intent<br />
press further it is revealed that the<br />
from a chat with your best friend over a<br />
when it is clear that a person submitted<br />
information is nothing more than<br />
cup of coffee, nevertheless the interview<br />
an erroneous claim not for nefarious<br />
hearsay. If a person “understands” a fact<br />
need not be a star chamber interroga-<br />
purposes but as the result of lack of<br />
to be true, press him or her on how he<br />
tion. Try chatting briefly about innocu-<br />
education and training.<br />
or she knows it to be true. Likewise, if a<br />
ous topics at the beginning of the inter-<br />
person “heard” a fact, press him or her<br />
view to set the person at ease. Consider<br />
7. Don’t assume the interviewee has<br />
on who the source of the information<br />
asking about the person’s weekend or<br />
the same level of knowledge as<br />
is.<br />
their children or a local topic of inter-<br />
you–ask basic questions to establish<br />
est. Often times a person can be put at<br />
the person’s understanding<br />
10. Have the interviewee clarify<br />
ease if the interviewer is simply friendly.<br />
It may be important to ask individuals<br />
ambiguous pronouns (the infamous<br />
for their understanding of very rudi-<br />
“they”)<br />
5. Never criticize the interviewee<br />
mentary operations, even of high-level<br />
Never let an ambiguous “they” go by.<br />
during the interview<br />
management. This line of questions is<br />
Press the interviewee as to who the<br />
Remember that in an investigation, the<br />
used not so much as a vehicle for the<br />
“they” is. Don’t assume you know who<br />
goal is to gather facts. You can make a<br />
interviewer to understand the subject in<br />
“they” are.<br />
judgment about the meaning of those<br />
question but as a means to gauge the<br />
facts later, but when interviewing, keep<br />
level of a person’s personal level of cul-<br />
11. Let the interviewee talk–don’t<br />
your eyes on the prize: facts. Criticizing<br />
pability and the institutional intent<br />
interrupt!<br />
the interviewee or expressing judge-<br />
involved in an activity.<br />
Interviewees will likely be nervous and<br />
ments during interviews can cause the<br />
they will likely feel more at ease the<br />
likely already agitated person to retreat<br />
8. Don’t attempt to correct or influ-<br />
more they talk. It is also important to<br />
inward, closing off fact-finding oppor-<br />
ence the person’s memory<br />
let the interviewee talk virtually without<br />
tunities. It’s human nature to defend<br />
Let memories be what they are. Rarely<br />
Continued on page 18<br />
17<br />
August 2002
CONDUCTING A COMPLIANCE INTERVIEW...continued from page 17<br />
interruption on the chance that the<br />
interviewer is not “clicking” with the<br />
interviewee intellectually. In such circumstances,<br />
letting the interviewee talk<br />
offers a greater chance for facts to spill<br />
out. While this can make interviewing<br />
tedious, the interviewer might obtain<br />
facts he or she would never have<br />
obtained if the interview was presumptively<br />
cut short.<br />
12. Reassure the interviewee that<br />
“it’s OK” if he or she doesn’t remember<br />
Memories are not perfect. Sometimes a<br />
person’s memory needs time to “brew.”<br />
A day after the interview a person<br />
might recall with great clarity a fact that<br />
was completely lost or buried the day<br />
before. Encourage interviewees to call<br />
the interviewer if there are facts that<br />
need correcting or a discovery of a new,<br />
relevant fact. Reassure an interviewee at<br />
the end of the interview that if he or<br />
she remembers anything else, you are<br />
available to talk–and assure the person<br />
that it is OK if he or she needs to clarify<br />
or correct something said during the<br />
interview<br />
13. Plan plenty of time for an interview–they<br />
are almost always longer<br />
than you expect<br />
Often times interviews do not go as<br />
planned. A new fact is frequently identified<br />
or an issue is raised which takes<br />
the investigation in an unexpected<br />
direction. Within reason, time must be<br />
allotted to go where the interview goes.<br />
This author’s experience is that an issue<br />
that begins an investigation rarely looks<br />
the same by the end of the investigation.<br />
14. If interviews identify an important<br />
meeting, interview everyone at the<br />
meeting<br />
Meetings which are at the center of<br />
events should be investigated thoroughly,<br />
including interviewing everyone at<br />
the meeting. You can be sure that the<br />
government will investigate a critical<br />
meeting thoroughly, and so should you.<br />
Even if a person would not seem on the<br />
surface to hold any key information, go<br />
through the process of interviewing him<br />
or her on the events of the meeting.<br />
15. End all interviews by asking the<br />
interviewee if there is anything else<br />
he or she wants to relay to you or any<br />
other compliance he or she wants to<br />
talk about<br />
If the interviewee answers with an<br />
answer of “I don’t know anything else,”<br />
then this puts the person on record as<br />
having told the interviewer everything<br />
he or she knows about a particular issue<br />
as well as not knowing of any other<br />
compliance problem. This is important<br />
not only to be sure that nothing else is<br />
lurking which the interviewer should<br />
know about but if there is something<br />
which is later revealed that the interviewee<br />
knew but did not disclose, then<br />
compliance personnel are insulated<br />
from accusations of lack of thoroughness<br />
or cover-up. Of course it is not<br />
uncommon for an interviewee to supply<br />
the interviewer with another wholly<br />
different compliance issue. ■<br />
FOR<br />
CA and<br />
LA County<br />
to pay $73<br />
million to U.S.<br />
for overbilling Medicaid program<br />
On June 20, the U.S. Department of<br />
Justice announced that the State of<br />
California and the County of Los<br />
Angles will pay the federal government<br />
$73.3 million to settle allegations that<br />
they violated the False Claims Act with<br />
August 2002<br />
18<br />
YOUR INFO<br />
respect to claims submitted to<br />
Medicaid.<br />
This settlement resolves allegations that<br />
the state and the county directly or indirectly<br />
billed the federal health care program<br />
for services provided to certain<br />
minors when these jurisdictions had no<br />
basis for concluding that these individuals<br />
financially qualified for Medicaid<br />
services. The services included drug and<br />
alcohol abuse, pregnancy and pregnancyrelated<br />
services, family planning, sexual<br />
assault treatment, sexually transmitted<br />
diseases, and mental health services.<br />
The Whistleblower, Singh Khalsa, an<br />
employee of the LA Department of<br />
Mental <strong>Health</strong>, will receive approximately<br />
$1.36 million of the total recovery<br />
as his statutory award. For more;<br />
http://www.usdoj.gov/opa/pr/2002/June/<br />
02_civ_364.htm ■
leagues. Physicians can hear the message<br />
from Physicians. CEO’s hear<br />
from CEO’s.<br />
The HCCA<br />
2003 <strong>Compliance</strong><br />
Institute,<br />
New Orleans,<br />
April 27-30<br />
ROY SNELL<br />
A melting pot of compliance<br />
intellectual capital<br />
The <strong>Compliance</strong> Institute is completely<br />
geared to the needs of the <strong>Compliance</strong><br />
Professional. It is a comprehensive program<br />
offering the latest information for<br />
all levels of experience. We are currently<br />
developing the program for the April 27-30 CI 2003, New<br />
Orleans, LA–Keeping that in mind I’d like you to answer the following<br />
questions:<br />
■ Are you having trouble justifying your budget?<br />
■ Is your <strong>Compliance</strong> Program stalled out or moving forward<br />
too slowly?<br />
■ Do you hear? “I am too busy to do compliance.”?<br />
■ Do you have someone in your organization that needs to be<br />
more committed?<br />
■ Is there someone who needs a better understanding of compliance?<br />
■ Are you having trouble getting your colleagues to commit the<br />
time and energy?<br />
“Yes”<br />
If you have answered “yes” to any of the above questions–and I<br />
expect that most of you have–please consider bringing a colleague<br />
to the <strong>Compliance</strong> Institute. <strong>Compliance</strong> requires all<br />
employees of the organization to pull in the same direction–and<br />
we all know how challenging that can be. However, <strong>Compliance</strong><br />
Professionals have been pulling this off for years. <strong>Compliance</strong><br />
professionals who have brought a colleague to one of our<br />
<strong>Compliance</strong> Institute meetings have left with an individual who<br />
has a new appreciation and commitment to compliance.<br />
<strong>Compliance</strong> Institute<br />
Getting and keeping your organization’s leadership on board<br />
with the <strong>Compliance</strong> Program is vital to the success of your organization’s<br />
program. When leadership and Board members attend<br />
the <strong>Compliance</strong> Institute, they have a better understanding of<br />
budget requests. Speakers from the enforcement community<br />
share future objectives. Department heads learn from their col-<br />
Your colleagues will leave with a<br />
renewed commitment. They gain a<br />
greater understanding and appreciation<br />
through hearing the message<br />
from their peers, the enforcement<br />
community, and others. This helps to motivate them to commit<br />
the time, resources, and energy necessary to move their piece of<br />
the organizations compliance program forward.<br />
This is all possible because the <strong>Compliance</strong> Institute facilitates a<br />
sharing of ideas between health care professionals. Speakers from<br />
all walks of health care (see pp. 20/21) share ideas in general<br />
sessions, breakout sessions, panels, networking sessions, preconference<br />
workshops, and post-conference workshops.<br />
Cross functional and cross industry compliance melting pot<br />
The <strong>Compliance</strong> Institute is a melting pot of compliance professionals.<br />
<strong>Health</strong> care executives from all segments of the industry<br />
benefit from this comprehensive and instructive program. The<br />
<strong>Compliance</strong> Institute brings us all together to learn from each<br />
other and strives to address the compliance concerns of the<br />
health care industry–as opposed to exclusive conferences where<br />
people from all one segment of health care meet. The <strong>Health</strong><br />
<strong>Care</strong> <strong>Compliance</strong> <strong>Association</strong> does this because compliance does<br />
not operate in a vacuum; we interact with many parts of the<br />
organization. The <strong>Compliance</strong> Institute facilitates interaction<br />
between departments just as we do in our organization. At the<br />
HCCA <strong>Compliance</strong> Institute lawyers learn from consultants,<br />
who learn from compliance officers, who learn from educators,<br />
who learn from the enforcement community and visa versa.<br />
The following is a list of individuals that have attended past<br />
HCCA meetings and have left with a renewed understanding<br />
and appreciation for their role in moving the organizations compliance<br />
program forward.<br />
<strong>Compliance</strong> Professionals<br />
■ Auditors<br />
■ Coders<br />
■ Educators<br />
■ Internal Investigators<br />
■ Billers<br />
■ Medical Records<br />
Continued on page 20<br />
19<br />
August 2002
LETTER FROM THE CEO...continued from page 19<br />
■ In-house Counsel ■ Outside Counsel<br />
■ Consultants<br />
■ Software Vendors<br />
■ Publishers<br />
■ Administrators<br />
■ Chief Executive Officer ■ Chief Financial Officer<br />
■ Physicians<br />
■ Board Members<br />
■ <strong>Compliance</strong> Officers ■ Risk Managers<br />
■ Nurses<br />
■ Researchers<br />
■ Information Technology ■ Natl. Office of Inspector General<br />
■ District Dept. of Justice ■ Local Office of Inspector General<br />
■ National Dept. of Justice ■ Medicaid Fraud Control Unit<br />
■ Attorney General ■ Commercial Fraud Investigators<br />
■ Managed <strong>Care</strong> Fraud Investigators<br />
Industry Segments Represented<br />
■ Managed <strong>Care</strong> ■ Commercial Payor<br />
Peter Adler, Partner, Foley & Lardner,<br />
<strong>Health</strong> <strong>Care</strong> Privacy Officer <strong>Compliance</strong><br />
Pre-Conference<br />
William Altman, Vice President of<br />
<strong>Compliance</strong> and Government Programs,<br />
Kindred <strong>Health</strong>care, Long Term <strong>Care</strong><br />
<strong>Compliance</strong>; 102 <strong>Compliance</strong> Effectiveness for<br />
2002 and Beyond<br />
Bob Arnot, NBC News, Bio-terrorisom’s<br />
Impact on <strong>Health</strong> <strong>Care</strong> Operations<br />
Marti Arvin, <strong>Compliance</strong> Office University<br />
of Pittsburgh Physicians, Governance: The<br />
Balance of Power<br />
Victor Blanchard, Manager, Arthur<br />
Andersen, Security and Transactions and<br />
Code Sets, the Technical Side of HIPAA<br />
<strong>Compliance</strong><br />
Christine Boras, Corporate <strong>Compliance</strong><br />
Officer, United <strong>Health</strong> Services, The<br />
<strong>Compliance</strong> Officer Forum Pre-Conference<br />
Tony Boswell, Chief <strong>Compliance</strong> Officer,<br />
Laidlaw, <strong>Health</strong> <strong>Care</strong> Privacy Officer<br />
<strong>Compliance</strong> Pre-Conference<br />
Elizabeth Carder, Reed Smith, <strong>Compliance</strong><br />
Officer Personal Liability and Insurance<br />
Coverage Issues<br />
Lisa Clark, Partner, Duane Morris, LLP<br />
August 2002<br />
20<br />
■ Long Term <strong>Care</strong><br />
■ Laboratory<br />
■ Group Practices<br />
■ Pharmaceuticals<br />
■ Research<br />
■ University Hospital<br />
■ Durable Medical Eqpt.<br />
Privacy Primer -The Overview You Have<br />
Been Waiting For!<br />
Eileen Coggins, Vice President of<br />
<strong>Compliance</strong>, Genesis <strong>Health</strong> Ventures,<br />
Long Term <strong>Care</strong> <strong>Compliance</strong> Pre-Conference<br />
Darrel Contreras, Manager, Ernst &<br />
Young, Sample Techniques for Auditing and<br />
Monitoring<br />
Lisa Dahm, Partner, DDF & Associates,<br />
HIPAA Document Workshop<br />
Shawn DeGroot, <strong>Compliance</strong> Officer<br />
VISN 13, Veteran’s <strong>Health</strong>care<br />
Administration, <strong>Compliance</strong> Officer Forum<br />
Pre-Conference; The Value of <strong>Compliance</strong> in<br />
the VHA<br />
Joette Derricks, CEO, <strong>Health</strong>care<br />
Management Solution Inc., Physician<br />
<strong>Compliance</strong> Training<br />
Suzie Draper, <strong>Compliance</strong> Administrator,<br />
Intermountain <strong>Health</strong> <strong>Care</strong>, What CCOs<br />
are Doing with Their On-line Training<br />
Monte Dube, Partner, McDermott Will &<br />
Emery, Conflicts of Interest–Individual and<br />
Organizational<br />
Jim Finnegan, Manager, Ethics and<br />
<strong>Compliance</strong> Program Assessment, HCA,<br />
Inc., Integrated Heralth <strong>Care</strong> Systems<br />
■ Home <strong>Health</strong><br />
■ Hospitals<br />
■ Integrated Delivery Systems<br />
■ Pharmacy<br />
■ Pharmacy Benefit Management<br />
■ University Group Practice<br />
■ Clinical Research Organizations<br />
The 2002 <strong>Compliance</strong> Institute had a remarkable assortment of<br />
distinguished speakers who covered an extensive number of subjects<br />
from a wide-variety of industry perspectives. Give your<br />
compliance program a Boost–join your compliance colleagues in<br />
New Orleans, April 27-30, 2003 and bring a member of your<br />
leadership team with you! See below for a partial listing of the<br />
<strong>Compliance</strong> Institute 2002 speakers and their topics. ■<br />
HCCA <strong>Compliance</strong> Institute 2002: Speakers & Topics (partial listing)<br />
<strong>Compliance</strong> Pre-Conference<br />
Ken Fody, HIPAA Project Executive,<br />
Independence Blue Cross, Integrating<br />
HIPAA Into Your <strong>Compliance</strong> Program<br />
Robert Freeman, Assoc. General Counsel<br />
& <strong>Compliance</strong> Officer, BCBS of<br />
Massachusetts, Payors/Managed <strong>Care</strong><br />
<strong>Compliance</strong> Pre-Conference<br />
Kent Giles, PricewaterhouseCoopers, To<br />
De-Identify or Not to De-Identify? That is the<br />
Question<br />
Georgette Gustin, Director,<br />
PricewaterhouseCoopers, Coding for<br />
Attorneys and <strong>Compliance</strong> Professionals<br />
Mindy Hatton, VP and Chief Washington<br />
Counsel, American Hospital <strong>Association</strong>,<br />
The New Proposed Changes to the Privacy<br />
Regulations<br />
Sharon Hayman, Director of <strong>Health</strong>care<br />
Management Administration, Blue Cross<br />
Blue Shield of NJ, Payors/Managed <strong>Care</strong><br />
<strong>Compliance</strong> Pre-Conference<br />
Michael Hemsley, VP/Corporate<br />
<strong>Compliance</strong> & Legal Services, Catholic<br />
<strong>Health</strong> East, Integrated <strong>Health</strong> <strong>Care</strong> Systems<br />
<strong>Compliance</strong> Pre-Conference; <strong>Compliance</strong><br />
Effectiveness for 2002 and Beyond: Taking<br />
<strong>Compliance</strong> Effectiveness to the Next Level
Alyse Hutchinson, Associate <strong>Compliance</strong><br />
Counsel, Laidlaw, <strong>Health</strong> <strong>Care</strong> Privacy<br />
Officer <strong>Compliance</strong> Pre-Conference<br />
Margaret Hutchinson, Assistant US<br />
Attorney, US Dept. of Justice, Updates on<br />
the False Claims Act<br />
Bruce Japsen, Chicago Tribune, <strong>Health</strong><br />
<strong>Care</strong> Fraud & Abuse Issues: The Media’s<br />
Perspective<br />
Chris Jedrey, Attorney, McDermott Will<br />
& Emery, Academic & Research <strong>Compliance</strong><br />
Kristin Jenkins, <strong>Compliance</strong> & Quality<br />
Officer, JPS<strong>Health</strong> Network, Quality Issues<br />
and <strong>Compliance</strong>; HIPPA Document<br />
Workshop<br />
Vreeland Jones, Attorney, Foley & Lardner,<br />
Managed <strong>Care</strong> <strong>Compliance</strong> Risks<br />
Mike Kendall, Partner, McDermott, Will,<br />
& Emery, Advanced Investigations, Privileges<br />
and Disclosure<br />
Carole Klove, Principal, Deloitte &<br />
Touche, Integrating HIPAA Into Your<br />
<strong>Compliance</strong> Program<br />
Doug Lankler, Corporate Counsel, Pfizer<br />
Inc., Advanced Investigations, Privileges, and<br />
Disclosure<br />
Robert Lower, Partner, Akston & Bird,<br />
HIPAA Document Workshop<br />
Allison Maney, <strong>Compliance</strong> Officer,<br />
Lovelace <strong>Health</strong> System, Graduate<br />
Level–<strong>Compliance</strong> 202<br />
Vickie McCormick, Special Counsel,<br />
Halleland Nilan Lewis Sipkins & Johnson<br />
PA, Payors/Managed <strong>Care</strong> <strong>Compliance</strong>-Pre-<br />
Conference; Practical Tools for Auditing &<br />
Monitoring; Managed <strong>Care</strong> <strong>Compliance</strong> Risks<br />
Ryan Meade, Partner, Michael Best &<br />
Fridrich, Current Events and Hot Topics in<br />
HIPAA<br />
Mark Meaney, Executive Director,<br />
Bioethicist, Institute for Clinical and<br />
Corporate Ethics, <strong>Health</strong> <strong>Care</strong> Privacy<br />
Officer <strong>Compliance</strong> Pre-Conference; 403<br />
Ethics and the <strong>Compliance</strong> Professional<br />
Kathy Merlo, Director, St. Louis<br />
University, <strong>Compliance</strong> Officer Forum<br />
Bill Middleton, Case Manager<br />
HCA, Inc., Integrated <strong>Health</strong> <strong>Care</strong> Systems<br />
<strong>Compliance</strong> Pre-Conference<br />
Elizabeth Moran, Halleland, Lewis, Nilan,<br />
Sipkins & Johnson, Payors/Managed <strong>Care</strong><br />
<strong>Compliance</strong> Pre-Conference<br />
Lewis Morris, Asst. Inspector General for<br />
Legal Affairs, Office of the Inspector<br />
General, US Dept. of HHS, Regulatory<br />
Panel–Hot Topics and Current Events<br />
Emil Moschella, Asst. General Counsel,<br />
Horizon BCBS of New Jersey,<br />
Payors/Managed <strong>Care</strong> <strong>Compliance</strong><br />
Pre-Conference<br />
F. Lisa Murtha, Chief Audit and<br />
<strong>Compliance</strong> Officer, Children’s Hospital of<br />
Philadelphia, Academic & Research<br />
<strong>Compliance</strong> Pre-Conference; Research<br />
<strong>Compliance</strong> & Human Subject Research<br />
Jody Ann Noon, Principal, Deloitte &<br />
Touche, Business Associates–What Should you<br />
be Doing Now?<br />
Jeffrey Oak, Chief <strong>Compliance</strong> & Business<br />
Integrity Officer, Veterans <strong>Health</strong><br />
Administration, Ethics and the <strong>Compliance</strong><br />
Professional; The Value of <strong>Compliance</strong> in the<br />
VHA<br />
David Orbuch, Corporate <strong>Compliance</strong><br />
Officer, Allina <strong>Health</strong> System, <strong>Compliance</strong><br />
Effectiveness for 2002 and Beyond: Taking<br />
<strong>Compliance</strong> Effectiveness to the Next Level<br />
Ronald Orth, Director of Utilization<br />
<strong>Compliance</strong> , Kindred <strong>Health</strong>care, Inc.,<br />
Long Term <strong>Care</strong> <strong>Compliance</strong> Pre-Conference<br />
Sandy Piersol, Senior Manager, Deloitte &<br />
Touche, Sampling Techniques for Auditing<br />
and Monitoring<br />
Susan Postal, VP of <strong>Health</strong> Information<br />
Management Services - Government<br />
Programs, HCA, Coding for Attorneys and<br />
<strong>Compliance</strong> Professionals<br />
Sue Prophet, Director of Coding, Policy &<br />
<strong>Compliance</strong>, AHIMA, Current Events and<br />
Hot Topics in HIPAA<br />
Dan Roach, VP/Corporate <strong>Compliance</strong><br />
Officer, Catholic <strong>Health</strong>care West, What<br />
CCOs are Doing with Their On-line<br />
Training<br />
Ted Sanford, <strong>Compliance</strong> Officer,<br />
University of Michigan <strong>Health</strong> System,<br />
Current Events and Hot Topics in HIPAA<br />
Brent Saunders, Partner,<br />
PricewaterhouseCoopers, Enron Panel<br />
Regulatory Panel - Hot Topics and Current<br />
Events<br />
Rubin Shaw King, Chief Operating<br />
Officer, CMS, An Update from CMS<br />
Edward Shay, Partner, Post & Schell, P.C.<br />
Security and Transactions and Code Sets, the<br />
Technical Side of HIPAA <strong>Compliance</strong><br />
John Steiner, Director of Corporate<br />
<strong>Compliance</strong>, Cleveland Clinic Foundation,<br />
HIPAA Readiness Survey/Tools for Self<br />
Assessment<br />
Mike Treash, Senior Manager, Ernst &<br />
Young, Payors/Managed <strong>Care</strong> <strong>Compliance</strong><br />
Pre-Conference<br />
Debbie Troklus, Manager,<br />
PricewaterhouseCoopers, Privacy Assessments,<br />
Beginning the Process; <strong>Compliance</strong> 101<br />
Sheryl Vacca, Director, <strong>Health</strong> <strong>Care</strong><br />
Services, Deloitte & Touche, Practical Tools<br />
for Auditing & Monitoring; Graduate Level-<br />
<strong>Compliance</strong> 202<br />
L. Stephan Vincze, Ethics and <strong>Compliance</strong><br />
Officer, TAP Pharmaceutical Products Inc.,<br />
Update on HCCA Coalition to Study<br />
<strong>Compliance</strong> Program Effectiveness<br />
Greg Warner, Director of <strong>Compliance</strong>,<br />
Mayo Clinic, The <strong>Compliance</strong> Officer Forum<br />
Pre-Conference<br />
Gadi Weinreich, Partner, Shaw Pitman,<br />
STARK 2002: A detailed Overview of the<br />
Law<br />
Holly Winn, <strong>Compliance</strong> Training Analyst,<br />
HCA, Inc., Integrated <strong>Health</strong> <strong>Care</strong> Systems<br />
<strong>Compliance</strong> Pre-Conference<br />
Amanda Yoh, <strong>Compliance</strong> Manager,<br />
Laidlaw, Privacy Primer-The Overview You<br />
have Been Waiting For!<br />
Alan Yuspeh, Senior VP, Ethics,<br />
<strong>Compliance</strong> and Corporate Responsibility,<br />
HCA, Inc., Integrated <strong>Health</strong> <strong>Care</strong> Systems<br />
<strong>Compliance</strong> Pre-Conference<br />
21<br />
August 2002
Implementing<br />
a HIPAA<br />
work plan in<br />
an academic medical environment<br />
By Maria Gonzales, J.D.<br />
Editor’s note: Marcia Gonzales, JD, is <strong>Compliance</strong><br />
Officer & Privacy Officer for Long<br />
Hospital in Indianapolis, Indiana. She may<br />
be reached at marcgonz@iupui.edu<br />
Ms. Gonzales is a member of the HCCA’s<br />
Academic/Research Special Interest Group<br />
(SIG). To learn more about joining this<br />
SIG, please contact Marti Arvin–<br />
412/647-3388–arvinm@msx.upmc.edu<br />
Many Privacy Officers and <strong>Compliance</strong><br />
Officers know by now that there are no<br />
one size fits all approaches to developing<br />
and implementing compliance program<br />
in accordance with the Administrative<br />
Simplification provisions of the<br />
<strong>Health</strong> Insurance Portability and<br />
Accountability Act (HIPAA). Therefore,<br />
the only experience that I am able to<br />
share with my colleagues is the<br />
approach chosen for the Indiana<br />
University School of Medicine, through<br />
the Office of <strong>Compliance</strong> Services.<br />
Unlike many physician practices and<br />
some smaller hospitals, more complex<br />
health care systems such as an academic<br />
medical center (AMC), have several<br />
covered entities situated among other<br />
covered entities. Not only does an<br />
AMC have to consider its own needs,<br />
but it must also consider the immediate<br />
ripple effects that may impact its affiliates<br />
when implementing any changes.<br />
As with any implementation strategy<br />
involving a complex health care system,<br />
the structure and the collaboration<br />
process are two of the most important<br />
SPECIALINTEREST<br />
GROUP<br />
August 2002<br />
22<br />
SPECIAL<br />
variables that will govern the shape of<br />
the outcome.<br />
Structure<br />
To better explain the approach chosen<br />
by the School of Medicine, a brief<br />
description of the medical center’s structure<br />
is necessary. The Indiana University<br />
School of Medicine provides training<br />
for over 1,200 medical students. In conjunction<br />
with 19 practice plans and five<br />
hospitals on campus, training is also<br />
provided to over 1,000 residents as well.<br />
Additionally, the School of Medicine<br />
also provides training through its allied<br />
health and public health programs.<br />
The practice plans have clinic sites<br />
throughout the campus including those<br />
located within the hospitals and<br />
University buildings. Some computer<br />
and other technological support is also<br />
provided to the practice plans through<br />
the University. As a result of this intermingling,<br />
employees of the University,<br />
hospitals, and practice plans work side<br />
by side on a daily basis at all of the various<br />
sites. Organizational control often<br />
varies from entity to entity. Following<br />
an analysis of HIPAA and its potential<br />
effects on the School of Medicine and<br />
its affiliates, it was decided that the<br />
School of Medicine should consider<br />
itself as a separate covered entity from<br />
the practice plans and the hospitals.<br />
However, this decision did not mean<br />
that the School of Medicine’s responsibility<br />
to work with its affiliates during<br />
this HIPAA implementation process<br />
ended. While there is a great deal of<br />
independence among these health care<br />
institutions, a collaborative process was<br />
necessary in order to have a practical<br />
and effective HIPAA program.<br />
Academic/Research<br />
Collaboration process<br />
The first plan of action was to assemble<br />
the stakeholders at the School of<br />
Medicine. This did not only include<br />
University employees, but it also included<br />
members of the practice plans who<br />
also, served as faculty members at the<br />
School of Medicine. During this kickoff<br />
meeting, it was announced that four<br />
task forces would be created. These task<br />
forces included clinical operations,<br />
administrative operations, education,<br />
and research. The administrative operations<br />
task force focused on privacy and<br />
security issues that arise while performing<br />
the administrative and non-clinical<br />
functions of the health care facilities<br />
such as billing, answering requests for<br />
medical records, quality assurance activities,<br />
and other related claims processes.<br />
The clinical operations task force<br />
focused on privacy and security issues<br />
that arise while providing or arranging<br />
for patient care or treatment. This<br />
included scheduling, medical records<br />
access, transcription, appointment cards<br />
and reminders, and communications<br />
with other treating providers. This differentiation<br />
assisted both the task force<br />
members and the Office of <strong>Compliance</strong><br />
Services in focusing on separating health<br />
care operations issues and treatment<br />
issues as they relate to privacy and security.<br />
The importance of this would later<br />
be beneficial in explaining the applicability<br />
of the minimum necessary rule<br />
during training and in policy development.<br />
The education task force jurisdiction<br />
involved the medical students,<br />
interactions with the residents, and gift<br />
development.<br />
Members of the practice plans were<br />
strongly encouraged to participate in as
many tasks forces as they deemed<br />
appropriate. It was in their best interest<br />
to participate in this process so that<br />
their organizational structures and opinions<br />
on how to implement HIPAA at<br />
the School of Medicine would be taken<br />
into consideration. The main goals were<br />
to identify the use and disclosure of<br />
protected health information at the<br />
University, identify potential areas of<br />
risk, and to provide training and guidance<br />
to the practice plans. Unlike the<br />
hospitals affiliated with the School of<br />
Medicine, many practice plans did not<br />
have the manpower or resources in<br />
which to develop a HIPAA compliance<br />
begin with a blank canvas. As a result,<br />
flow chart templates for each task force<br />
were developed to allow the task force<br />
members to react to a base model<br />
rather than brainstorming on a blank<br />
sheet of paper. These templates were<br />
developed from flow charts from other<br />
organizations and from the experiences<br />
of our staff who have worked in physician<br />
practices. In addition to these task<br />
force meetings, the Office of <strong>Compliance</strong><br />
Services also convened meetings<br />
with the specific practice plans in order<br />
to provide a more detailed inventory<br />
of protected health information use,<br />
disclosure, and storage.<br />
similar to the need to know basis, and<br />
safeguards were essentially policies and<br />
procedures. This explanation was necessary<br />
in order to allow those who had<br />
not participated in the initial HIPAA<br />
process to understand the goals of the<br />
privacy and security regulations enough<br />
to assist the administrators in the assessment<br />
process. Simplifying this process<br />
will hopefully allow each work force<br />
member to assess the privacy and security<br />
risks present in their own areas.<br />
Training<br />
The next area of concern involved training.<br />
Pursuant to Section 164.530(b)(1),<br />
program alone. Therefore, guidance<br />
from the School of Medicine was necessary.<br />
Additionally, to mimic the structure<br />
developed for the <strong>Compliance</strong><br />
Program at the School of Medicine,<br />
each practice plan would be required to<br />
have a HIPAA compliance program that<br />
would need to be consistent with the<br />
yet to be finalized requirements of the<br />
School of Medicine’s HIPAA<br />
<strong>Compliance</strong> Program.<br />
The main charge for these task forces<br />
Assessments<br />
Identifying the use, disclosure, and storage<br />
of protected health information was<br />
only half the battle. The other half<br />
involved determining whether sufficient<br />
safeguards were in place. If these safeguards<br />
were not in place, what guidance<br />
would the School of Medicine need to<br />
provide to the practice plans to allow<br />
them to assess their current risks and to<br />
prioritize the privacy and security issues<br />
that needed to be addressed?<br />
covered entities must train all members<br />
of its work force as necessary and<br />
appropriate. However, in an academic<br />
medical setting, it is extremely difficult<br />
to keep track of who has met this training<br />
requirement. Many work force<br />
members wear several hats and go in<br />
and out of the several covered entities<br />
on campus on a daily basis. So, who has<br />
a responsibility of providing this training?<br />
Therefore, the various affiliates of<br />
the School of Medicine decided that a<br />
reciprocal training program had to be<br />
was to develop a flow chart of how protected<br />
health information was used, disclosed,<br />
and stored within their practices.<br />
Based on these findings, a checklist was<br />
developed to assist with the assessment<br />
of the uses, disclosures, and storage of<br />
protected health information. The purpose<br />
of the flow charts was not to identify<br />
every detailed use, disclosure, and<br />
storage of protected health information,<br />
but the main concern was to identify<br />
the more common processes that were<br />
likely to occur among the various practice<br />
plans. In an effort to make their<br />
time more valuable and efficient, it was<br />
imperative that the task forces did not<br />
Clearly, the administrator of each practice<br />
plan alone could not accomplish<br />
this process. One of the main themes<br />
that the Office of <strong>Compliance</strong> Services<br />
wanted to get across during its initial<br />
training for HIPAA awareness was that<br />
the confidentiality of patient information,<br />
now known as protected health<br />
information, was not a new phenomenon.<br />
Therefore, part of the training<br />
would entail reintroducing a familiar<br />
topic in the health care industry under<br />
different names. Protected health information<br />
was simply confidential patient<br />
information, minimum necessary was<br />
developed. Open training schedules<br />
were advertised and any member of the<br />
work force from any of the covered<br />
entities at the medical center were permitted<br />
to attend any training session.<br />
Uniform attendance sheets were developed<br />
so that the information could be<br />
consistently tracked.<br />
Perhaps one of the greatest hurdles to<br />
overcome in the HIPAA implementation<br />
process was the development of<br />
policies and procedures that are consistent<br />
among the various covered entities<br />
at the medical center. Initially, develop-<br />
Continued on page 24<br />
23<br />
August 2002
IMPLEMENTING A HIPAA WORK PLAN...continued from page 23<br />
August 2002<br />
ment of these policies and procedures representatives from the hospitals. The ally being done with trepidation.<br />
by the School of Medicine and the hospitals<br />
were going to be done independ-<br />
and then individually tailored to meet The implementation process described<br />
policies would be drafted collectively<br />
ently. The practice plans were waiting the needs of each covered entity.<br />
above is unique to the School of<br />
for the completed draft prepared by the However, the main requirements of Medicine given its current structure,<br />
School of Medicine to use as a template each policy and procedure would be however many of the issues that arise will<br />
in the development of their own policies<br />
and procedures. The Office of extent possible. As with all the covered institution or health care practice.<br />
required to remain intact to the greatest be applicable regardless of the size of the<br />
<strong>Compliance</strong> Services was often asked entities throughout the nation, this Identifying potential opportunities for<br />
when the provider was moving from process as well as the training implementation<br />
process is still under way and tion will not only streamline the imple-<br />
collaboration and the sharing of informa-<br />
one covered entity to another, whose<br />
policies would govern their activities? As given the recent modifications that were mentation process, but also help each<br />
a result, a policies committee was convened.<br />
This committee involved not al modifications in the future, much of orative process in identifying areas that<br />
proposed and the potential for addition-<br />
covered entity participating in this collab-<br />
only the School of Medicine, but also the implementation process is continu-<br />
may have been originally overlooked. ■<br />
SPECIAL<br />
INTEREST GROUPS<br />
To get involved or ask a question, just email or call the following SIG chairs; be sure to include your telephone and fax numbers,<br />
and best time to contact you. Alternately, you may fill in this form and fax it to 215/545-8107 or mail it to The<br />
<strong>Health</strong> <strong>Care</strong> <strong>Compliance</strong> <strong>Association</strong>, 1211 Locust Street, Philadelphia, PA, 19107 ■<br />
❏ I am interested in the Special Interest Group(s) checked at right ❏ <strong>Health</strong> <strong>Care</strong> System<br />
❏ I have a question about:<br />
Michael C. Hemsley, Esq., 610/355-2047<br />
mhemsley@che.org<br />
❏ Payor/Managed <strong>Care</strong><br />
Vickie McCormick, 612/204-4156<br />
Name<br />
vmccormick@halleland.com<br />
❏ Long Term <strong>Care</strong><br />
Title<br />
Terri Graham, 502/596-7356<br />
Organization<br />
terri_graham@kindredhealthcare.com<br />
❏ Home <strong>Care</strong><br />
Address<br />
Chris Anderson, 631/501-7390<br />
chris.anderson@gentiva.com<br />
City<br />
❏ Behavioral <strong>Health</strong><br />
State<br />
Zip<br />
John Ciavardone, 610/260-4610<br />
Jciavardone@nhsonline.org<br />
Phone<br />
❏ Academic/Research<br />
Marti Arvin, JD, CHC, CPC, 412/647-3388<br />
Fax<br />
arvinm@msx.upmc.edu<br />
❏ Pharmaceutical<br />
Email<br />
Charles Brock, 847/937-5210<br />
HCCA member #<br />
charles.brock@abbott.com<br />
24
Editor and Publisher:<br />
Margaret R. Dragon, 781/593-4924, mrdragon@ziplink.net<br />
Consulting Editors:<br />
Sheryl Vacca, President, HCCA, 916/498-7156<br />
Roy Snell, CEO, HCCA, rsnell@hcca-info.org<br />
Advertising Department:<br />
Joni Lipson, 888/580-8373, joni.lipson@rmpinc.com<br />
Design & Layout:<br />
Robin Taliesin, Raven Creative, 781/631-4639, robint@raven2.com<br />
HCCA Officers and Board of Directors:<br />
Sheryl Vacca, CHC<br />
HCCA President<br />
Director, West Coast <strong>Compliance</strong> Practice,<br />
Deloitte & Touche<br />
Alan Yuspeh, JD, MBA<br />
HCCA 1st Vice President<br />
Senior Vice President<br />
Ethics, <strong>Compliance</strong> and Corporate<br />
Responsibility<br />
HCA<br />
Al W. Josephs, CHC<br />
HCCA 2nd Vice President<br />
<strong>Compliance</strong> Officer<br />
Hillcrest <strong>Health</strong>care System<br />
Odell Guyton<br />
HCCA Treasurer<br />
Director for <strong>Compliance</strong><br />
Microsoft Corporation<br />
Daniel Roach<br />
HCCA Secretary<br />
VP and Corporate <strong>Compliance</strong> Officer<br />
Catholic <strong>Health</strong>care West<br />
Greg Warner<br />
HCCA Imme. Past President<br />
Director for <strong>Compliance</strong><br />
Mayo Foundation<br />
Shawn Y. DeGroot, CHC<br />
<strong>Compliance</strong> Officer<br />
Upper Midwest Network & VA Medical<br />
& Regional Office Center<br />
Suzie Draper, BSN, RN<br />
Corporate <strong>Compliance</strong> Officer and Privacy<br />
Officer, Intermountain <strong>Health</strong> <strong>Care</strong><br />
CEO/Executive Director:<br />
Roy Snell, CHC<br />
<strong>Health</strong> <strong>Care</strong> <strong>Compliance</strong> <strong>Association</strong><br />
Rory Jaffe, MD, MBA<br />
Chief <strong>Compliance</strong> Officer<br />
U.C. Davis <strong>Health</strong> System<br />
Allison Maney, CPA, CHC<br />
<strong>Compliance</strong> Officer<br />
Lovelace <strong>Health</strong> System<br />
Vickie McCormick<br />
Special Counsel<br />
Halleland Lewis Nilan Sipkins & Johnson<br />
Lewis Morris, Esq.<br />
Assistant Inspector General<br />
for Legal Affairs<br />
DHHS Office of Inspector General<br />
F. Lisa Murtha<br />
Chief Audit and <strong>Compliance</strong> Officer<br />
Children’s Hospital of Philadelphia<br />
Jeffrey Oak, PhD<br />
Associate Chief Financial Officer for<br />
<strong>Compliance</strong><br />
Veteran’s <strong>Health</strong> Administration<br />
Teresa L. Mullett Ressel<br />
Deputy Assistant Secretary<br />
U.S. Treasury<br />
Brent Saunders<br />
Partner<br />
PricewaterhouseCoopers<br />
Debbie Troklus, CHC<br />
Manager<br />
PricewaterhouseCoopers<br />
L. Stephan Vincze, JD, LL.M, CHC<br />
Ethics and <strong>Compliance</strong> Officer<br />
TAP Pharmaceutical Products, Inc.<br />
<strong>Compliance</strong> Today (CT) (ISSN 1523-8466) is published by the <strong>Health</strong> <strong>Care</strong> <strong>Compliance</strong><br />
<strong>Association</strong> (HCCA), 1211 Locust Street, Philadelphia, PA 19107. Subscription rate is $287 a year<br />
for non-members. Periodicals postage-paid at Philadelphia, PA 19107. Postmaster: Send address<br />
changes to <strong>Compliance</strong> Today, 1211 Locust Street, Philadelphia, PA 19107. Copyright 1998<br />
the <strong>Health</strong> <strong>Care</strong> <strong>Compliance</strong> <strong>Association</strong>. All rights reserved. Printed in the USA. Except where<br />
specifically encouraged, no part of this publication may be reproduced, in any form or by any<br />
means without prior written consent of the HCCA. For subscription information and advertising<br />
rates, call HCCA at 888/580-8373. Send press releases to M. Dragon, PO Box 197, Nahant, MA<br />
01908. Opinions expressed are not those of this publication or the HCCA. Mention of products<br />
and services does not constitute endorsement. Neither the HCCA nor CT is engaged in rendering<br />
legal or other professional services. If such assistance is needed, readers should consult professional<br />
counsel or other professional advisors for specific legal or ethical questions.<br />
PEOPLE<br />
Editor’s note: If you have received<br />
a promotion, award, degree, or<br />
recently changed jobs, please let CT<br />
know. Call or fax 781/593-4924, email<br />
mrdragon@ziplink.net, or mail your news to Margaret<br />
Dragon, HCCA, P.O. Box 197, Nahant, MA 01908.<br />
➤ Anne Connor, MPA, RN is now the <strong>Compliance</strong> Officer<br />
at Nursing Sisters Home<strong>Care</strong> in Westbury, NY. She may<br />
be reached at 516/705-4026.<br />
➤ Dennis Olson is now Corporate <strong>Compliance</strong> Officer at<br />
Enloe Medical Center in Chico, CA. He may be reached<br />
at 530/332-6758.<br />
➤ Letitia Damron is now AVP <strong>Compliance</strong>/Education<br />
Coordinator for University of Louisville in Louisville, KY.<br />
Letitia may be reached at 508/852-8680.<br />
➤ Regina V. Maier has been named <strong>Compliance</strong> Officer for<br />
MCG <strong>Health</strong>, Inc. located in Augusta, GA. She may be<br />
reached at 706/721-0900.<br />
➤ Kathleen Salazar is now with the VA Medical Center in<br />
Houston, TX. Kathleen may be reached at 713/791-1414<br />
Ext. 4924. ■<br />
Here it Comes Again<br />
The HCCA’s Annual <strong>Compliance</strong> Officer Survey. Over<br />
the next few weeks you will receive the HCCA’s 5th<br />
Annual Survey, 2002 Profile of <strong>Health</strong> <strong>Care</strong> <strong>Compliance</strong><br />
Officers. When you receive it, please take a few minutes<br />
to answer the questions and return it in the envelope<br />
provided. If you have any questions call Lana Bandy,<br />
Walker Information, 317/843-8870 or Margaret<br />
Dragon, HCCA, 781/593-4924. ■<br />
25<br />
August 2002