JR - Health Care Compliance Association

Volume Four/Number Eight
August 2002
A publication for
health care compliance
professionals
meet
James Roosevelt
REGISTER TODAY!
FOR THE HCCA/AHLA Fraud and Compliance Forum, WASHINGTON, DC–SEP 29-OCT 1, 2002 For
info see p.26 or go to conference central on the HCCA Website: http://www.hcca-info.org
INSIDE
2
3
5
6
10
11
13
16
18
19
22
25
Leadership letter
On the calendar
Focus on ethics &
compliance
Leveraging HIPAA
Web resources
Physician practice and
billing issues
Meet James Roosevelt
Back to basics
FYI
CEO’s letter
Academic/research
SIG
People on the go

The Good
Ol’ Boys
and Girls
AL JOSEPHS
2nd Vice President
The search for the future leaders of the
HCCA is never ending. It is the time of
year that we seek formal nominations for
the HCCA leadership roles, as members of
the Board of Directors, Regional Officers,
and Regional State Liaisons. The membership elects individuals
to the Board of Directors positions from a slate of nominations
received from HCCA members. The Board of
Directors then elects the Board Officers. Each Board Officer’s
position serves a one year-term. There is no automatic progression
to the next officer position until the position of Vice
President, which will automatically become the President of
HCCA the following year. The Board of Directors has the
responsibility to appoint the Regional Presidents and the
Regional Presidents then make recommendations to the
Board of Directors for the Regional Vice-Presidents, Regional
Secretary/Treasurers, and State Liaisons.
This model is like many other volunteer-driven associations.
Will this process produce leaders? No it only recognizes leadership
potential, but individual effort is required. It seems
complex at times and often you hear concern about “good ol’
boy/girl networks”. It is complex and there are good ol’
boy/girl networks. It is complex because no one person or
limited group of individuals can ever hope to accomplish the
many tasks necessary to operate a successful membership
organization. Nor can leaders be developed without the good
ol’ boys/girls that spend countless hours doing the hands-on,
detail work required to make an organization run. The indi-
vidual efforts of the good ol’
boys and girls often go
unseen. Sure, these efforts
can have personal benefits,
but the motivation is derived
from a personal commitment
to the profession, not any
potential personal gain.
As a friend often asks me, “So what’s your point?” Plain and
simply, if you want to become a leader in HCCA (or anywhere
else for that matter) just “do something to benefit others
and do it often”, and before you know it, you will become
one of the “good ol’ boys/girls” that are elected to positions of
leadership. ■
Instant Survey Results
From June 7-13, 2002 the Health Care Compliance
Association conducted it’s first Instant Survey–the
subject: Compliance Budget–HCCA had 787
responses. The results were first reported in the June 14
issue of This Week in Corporate Compliance. Here
are the results.
Your compliance budget in the last 12 months has:
Been
decreased
Been
increased
Remained
the same
90
COMPLIANCE BUDGET
11.4%
306
38.9%
391
0 100 200 300 400
49.7%
August 2002
2
HCCA’S
HCCA exists to champion ethical
practice and compliance standards in
MISSION the health care community and to provide
the necessary resources for compliance professionals and others who
share these principles.
fforum

DON’T
MISS OUT!
ON
THE CALENDAR
Use HCCA’s Information Sources
HCCA’s Fax-on-demand services
Membership information and upcoming events are two
items available when you call HCCA’s Fax-on-demand
service. Here’s how:
1. Dial 888/840-4359, press 2 after the system answers.
2. Enter the three-digit code of the document you wish to
receive and press #. Once all of the document codes have
been entered press #.
3. When prompted, enter the number of the fax machine
to which you wish the material faxed followed by # key.
NB: If you enter number 1 when the system answers and
enter your fax number when prompted, you will receive a
menu of the current documents available.
It’s on the HCCA Website–Payor/Managed Care Special
Interest Group information
HCCA members working in health care payor or managed
care organizations now have a new compliance information
source–the Payor/Managed Care SIG Webpages located on
the HCCA Website, http://www.hcca-info.org
You will find information including:
■ The Payor/Managed Care SIG Charter
■ Contact information for the SIG Chair and Steering
Committee Members
■ Information on HCCA conferences related to
Payor/Managed Care issues
■ A list of Payor/Managed Care-related articles published
in Compliance Today
Don’t miss out on this new and valuable resource! ■
ERRATA
On page 7 of the July issue of Compliance Today,
the last few words of the article, Proposed EMTALA
revisions: Are the rules any clearer?, were not printed.
It should have ended as follows:
“Hospitals should evaluate how the new rules will
apply to its operations, and be prepared to implement
these changes later this year.” ■
AUDIO
CONFERENCES:
Best of Compliance Institute 2002
■ July 17 - Part I - Updates on
the False Claims Act, 12
Noon-1:30 PM EST
■ July 23 - Part II - Advanced
Investigations, Privileges and
Disclosure, 1-2:30 PM EST
■ July 30 - PArt III - Sampling
Techniques for Auditing and
Monitoring, 1-2:30 PM EST
Compliance Lessons Learned
from Enron - Four Part Series
■ September 4, 10, 17, and 24,
1-2:30 PM EST
Mark your calendars for the following
HCCA sponsored events:
■ NOV 11-15, HCCA’s Academy
2002 CONFERENCES:
of Health Care Compliance,
SAN DIEGO, CA:
Union League
■ DEC 9-11, HCCA AHLA HIPAA
Forum West
2003 CONFERENCES:
DALLAS/FORT WORTH, TX:
SAN FRANCISCO, CA:
■ FEB 21 - Region VI
■ NOV 7-8, Region IX
Compliance Meeting
Compliance Conference
NEW ORLEANS, LA:
WASHINGTON, DC:
■ APR 27-30, HCCA’s
■ SEPT 29-OCT 1, HCCA/AHLA
Compliance Institute 2003
HCCA
RESOURCES
For more information about events or resources, check out the
HCCA Website, http://www.hcca-info.org or call 888/580-8373.
Be sure to ask about your member discount.
AWARDARD
WINNING
■ Individual & Small Group
Physician Practice Compliance:
What every physician should
know, HCCA’s audio training
program designed specifically
for physicians.
■ HCCA’s Compliance,
Conscience, and Conduct ,
a video-based compliance
training program
AWARDARD
WINNING
Fraud and Compliance Forum
ATLANTA, GA:
■ NOV 4, HCCA Region IV
Compliance Conference
ST. PAUL/MINNEAPOLIS, MN:
■ SEP 12, HCCA Region V
Compliance Conference
KANSAS CITY, MO:
■ AUG 2, HCCA Region VII
Compliance Conference
ATLANTIC CITY, NJ:
■ OCT 21-22, HCCA Region II &
III Compliance Conference
PHILADELPHIA, PA:
■ Privacy Matters – HCCA’s
video-based HIPAA Training
Program
■ HCCA’s book, Compliance 101
■ The Health Care Compliance
Professional’s Manual, to order,
call 800/638-8437 ■
3
August 2002

Sites and scenes from...
The
HIPAA
Forum
2002
GAPMS Drafting Committee (below)
The
GAPMS
Committee
Meetings
GAPMS Steering Committee (above & below)
August 2002
4
On June 12 & 13 members of the Drafting and Steering
Committees of the HCCA’s public and private sector
initiative to develop Generally Accepted Performance
Measurement Standards gathered in Boston, MA for a
two-day working session. Through these standards the health care industry will measure their compliance
program’s performance and quantify their organizations return on the investment made in developing and maintaining
compliance programs. Hospital compliance programs are the first segment of the health care industry to be explored. ■

FOCUS
ON
ETHICS &
COMPLIANCE
Compliance,
ethics, and
stewardship:
Or, why we do what we do
By Jeffrey Oak, PhD
Editor’s note: Jeffrey Oak, PhD, is on the
HCCA Board of Directors and is the Compliance
and Business Integrity Officer for
the Veterans Health Administration, an
integrated system of over 160 hospitals, 130
nursing homes, and 800 clinics, served by
180,000 employees. He may be reached at
202/273-5662. This article inaugurates a
new column in Compliance Today. Over
the next year, Dr. Oak will periodically
contribute articles related to Ethics and
Compliance to the HCCA magazine. If
you have items you would like addressed,
please email jeff.oak@hq.med.va.gov
“He’s a part of history now.” This is how
Mr. Gregory Commons, a former Marine
and now a seventh grade history teacher at
Carl Sandburg Middle School in northern
Virginia, talked about his son, Matthew,
the day after Matthew’s funeral at Arlington
National Cemetery. Matthew was an
Army Ranger, one of the eight Americans
who were killed last March in Afghanistan.
He was laid to rest on March 11, 2002,
exactly six months to the day after
September 11, 2001, the fateful day that
changed a generation of Americans.
My son sat in the second row of Mr.
Commons’ third period class on
American history at Carl Sandburg
Middle School. And this is the story
Nathaniel told over dinner at home some
months back. Mr. Commons’ 21-year-old
son gave his life in defense of our freedom,
gave his life attempting to rescue a
comrade who had fallen. And now the
history teacher’s son is himself a part of
our nation’s history. In February of last
year the seventh graders at Carl Sandburg
were learning about history through textbooks.
By April, they were learning
through the tears and sorrow of the plain
speaking, no-nonsense, “turn your homework
in on time or you’ll be docked a full
grade” ex-Marine turned history teacher.
It is not only the ones who die, like
Matthew Commons, that become part of
history. It is also the ones who live, the
ones my organization cares for in our
hospitals, the ones who willingly participate
in research to advance our storehouse
of medical knowledge, the ones
who get fitted for prosthetics, go for therapy,
and come to our clinics; all of these
men and women are part of our nation’s
history. And they are the ones we are
privileged to serve within the Veterans
Health Administration (VHA): those
who are part of history.
What does all this have to do with compliance?
The answer: stewardship and
service. Perhaps like yours, my health system
strives mightily for excellence in
everything we do. In fact, our vision statement
is as simple as it is bold: we want to
be the best health system in the world.
And what does it mean to be the best?
For my organization it means providing:
■ high quality care
■ at the best cost
■ with access for the most patients
■ while earning public trust
This is what good stewardship in our
health care system means. And this is
what good stewardship requires.
In his book Stewardship: Choosing Service
JEFFREY OAK, PHD
Over Self-Interest, management guru Peter
Block defines stewardship as a set of principles
which transforms the governance
of an organization. Stewardship creates a
sense of ownership and responsibility, it
creates accountability and a sense of partnership.
Stewardship is driven by internal
standards, not just external requirements.
It is focused on service, not self-interest.
In short, stewardship is self-governance.
In order to be both effective and sustainable,
compliance efforts must be closely
linked with organizational stewardship,
with mission, and with service. When
compliance becomes an exercise in
“gotcha,” it has lost its credibility. When
compliance becomes little more than
legal maneuvering, it has lost its way.
And when compliance becomes a game
of hide and seek, it has lost its soul.
Compliance is–or should be–an act of
corporate stewardship, an exercise in
building systems of self-governance, a
function ultimately driven by the organization’s
mission. Compliance is about
adhering to the standards (ethical and
otherwise) which govern the way we do
business, which govern the context in
which we render service. Linking compliance,
ethics, and stewardship highlights
why we do what we do. ■
5
August 2002

August 2002
6
By Craig Harriger, J.D., MBA and Paul Singleton, CISSP
Editor’s note: Wm. Craig Harriger, J.D., practices, and DME providers. The system’s
insurance company carries PPO,
MBA (HOM) CHC, CHE, is Corporate
Compliance Officer at Washoe Health HMO, and Indemnity and Medicare+
System. He may be reached at 775/982- Choice products.
5249. Paul Singleton, CISSP, is the
Information Security Manager at Washoe Expanded initiative
Health System.
Like many organizations, Washoe
employed the Charter System to form
I
nformation is one of the most a HIPAA Implementation Committee
valuable assets of health care chaired by the Corporate Compliance
organizations. The Federal Officer. As with many organizations,
Government has recognized the importance
of this information. As a consetially
envisioned a “fast and cheap”
some of the committee members iniquence,
HIPAA initiatives must be approach. Others decided to preempt
implemented. As HIPAA deadlines that approach with a proposed Charter
approach, some organizations begrudgingly
are attempting to just meet the
amendment.
deadlines with a minimum investment. The committee not only adopted the
Others however, are taking advantage of amended Charter, but also embraced
the opportunity to enhance information
management across the enterprise. ing into the Charter the goal of “seize
the spirit of the changes by incorporat-
These organizations see this mandatory the opportunity to streamline business
initiative as an opportunity to significantly
enhance their value while meet-
and achieve a competitive advantage
processes, eliminate manual processes,
ing the governmental mandates.
while meeting federally mandated legislation”.
In essence the group acknowledged
that since HIPAA mandates the
One organization that has chosen to
seize this opportunity is Washoe Health consumption of certain resources and
System (Washoe). Washoe is a Reno, time commitments, value-added thinking
should be employed to improve the
Nevada-based vertically integrated
health care system serving Northern organization wherever possible.
Nevada and Northern California.
Washoe’s services include a 529-bed Information management mapping
Medical Center, a surgery center, an inpatient
rehabilitation facility (IRF), the Information Security Manager
As a part of this value-added approach,
extended care facilities and skilled nursing
units (SNFs), in addition to a home information management scheme.
identified the absence of a holistic
health agency, multi-specialty physician Although there were numerous authen-
CRAIG HARRIGER, J.D., MBA
tication requirements in place, there
were no links between the roles and
departments in the management of
information access. The committee
reviewed the deficit and found a multitude
of benefits were available that
would form a competitive advantage
from the process of information management
mapping.
The expanded initiative sought to
devise a system that would meet
HIPAA’s readily apparent basic requirements.
For example, the new process
needed to increase the ability to audit
access to patients’ protected health
information (PHI) both accurately and
efficiently. Second, the prescribed sublevels
of PHI, such as psychotherapy
notes, required additional levels of
scrutiny. Third, Washoe needed a tool
that expedited the manner in which
only the appropriate information is
provided to users. Finally, the system
needed to identify the appropriate
method of destruction for differing
classifications of information.
The group identified several additional
potential benefits of information management
mapping. These value-added
aspects include a quick and accurate
gap analysis prior to a breach in the

system. Other advantages include easier
approach to categorizing information
dentiality, integrity, and availability.
access to specific information, increased
and regulating access based on need.
efficiency in how information is distributed
throughout the system as well as
near real-time trending analysis of
information use and needs.
The similarity between this methodology
and the HIPAA requirements and
consequences is striking.
Understanding determining factors
All information is not of equal importance
to an organization. In order to
remain cost-effective, they need to
Recently, some health care organiza-
establish any information not consid-
tions have begun to realize that effective
ered worthy of protection. For exam-
information classification is a competi-
ple, many organizations do not want to
PAUL SINGLETON, CISSP
tive advantage and a cornerstone of an
operative compliance plan. Creating an
information classification system
involves a three-step process that provides
the organizations with a powerful
set of tools that can assist in management
processes across an organization.
Initially, it is important to obtain senior
management agreement that informa-
invest the time and resources necessary
to protect the contents of its internal
phone book. This information generally
can be acquired by calling an internal
operator.
The basic information classification
analysis of this example is that the
information is available to anyone in
the hospital without restriction, and
tion is a precious corporate asset, one
thus, not confidential. Likewise, there
Fundamental elements
The information mapping system can
be as basic or complex as an organization
desires. The fundamental elements
however, are information classification
and access management. Once these
elements are in place, the opportunity
for cross-organizational integration is
available.
that needs to be managed as diligently
as all other capital. Involvement of the
board of directors and senior management
accord is also important to ensure
that the HIPAA compliance initiative
conforms to the elements of an effective
compliance program under the standards
provided by the Federal
Sentencing Guidelines. This should be
viewed as an operational initiative.
is no concern over the information
being modified to anyone’s detriment
(integrity), and without the phone
book, the organization could continue
to function with no lasting harm (availability).
Obviously, information that
does meet any of the above criteria
would be considered public and need
not be restricted.
Information classification systems are
often viewed as clandestine strategy
employed by governmental agencies or
similar organizations that have intense
research and development initiatives.
While this is true, these systems are also
used as a means of maintaining a competitive
advantage over business rivals;
an advantage that could be lost in the
event proprietary secrets are compro-
Consider engaging other management
personnel in the process. Using the
Chief Information Officer (CIO) as the
sole sponsor, risks having the initiative
viewed as an Y2K boondoggle.
A first step is to determine the classification
of information. This is the most
important and yet simplistic phase.
This identification process requires an
Not all information however, falls
exclusively into one of the three determining
factors, and some may actually
meet the test of all three. It is generally
the information that meets all three criteria
that is identified as critical to the
organization’s functional well-being.
Decision analysis information and feasibility
information are two examples
of valuable, highly restricted informa-
mised.
assessment of the type of information
tion (confidentiality and integrity) that
the organization creates and maintains
would have a lower level of criticality
The banking, insurance, defense, and
technology industries have long recognized
the need for a systematized
as well as the various levels of proposed
personnel access. This process is a function
of three determining factors: confi-
than patient information (confidentiality,
integrity and availability).
Continued on page 8
7
August 2002

LEVERAGING HIPAA...continued from page 7
August 2002
8
The owner of the classification project
should understand the determining factors
and apply them to the business
process of the organization to develop
the appropriate classifications. The end
result should be information classified
into five or six simple categories (in
addition to subcategories) that allow
users to quickly understand the type of
information with which they are working.
Identifying the classifications
For example, there are five classifications
that would serve most health care
organizations well. These classifications
are:
■ Research:( Access granted only on
an individual basis and not rolebased)
This classification targets activities
by researchers conducted within an
organization. These include open as
well as blinded studies. Access is
provided after a matching of individuals
to specific information and is
never role-based. An example of the
difference in treatment of this
classification is that in some cases
Independent Review Board members
could have full access to certain
information, while physicians,
therapists, program administrators
on certain studies would be more
restricted.
■ PHI Restricted: This classification is
for sensitive information that must
be carefully controlled. An example
is psychotherapy notes (HIPAA). In
order to determine additional data
that fit into this category, it will be
necessary to consider the extent to
which more stringent state laws
relating to specific categories of
health information, such as HIV test
results, mental health records, and
genetic information are not preempted
by HIPAA.
■ PHI: This is the classification for
most other patient-related information
that does not fall within the
“PHI Restricted” category. Examples
might include regular physician visits,
inpatient stays, personal history,
etc. If the organization has developed
methods for de-identifying
PHI, processes must be developed to
permit broader access to the PHI
after, and only after, de-identification
has been completed.
■ Internal Use: All organizations have
information to which they must
restrict access but is not PHI. This
information may consist of financial
information, real-estate market feasibility
studies for clinic expansions or
decision analysis documents. A subclassification
of “Internal Use” could
include an “Audit” or “Confidential
Financial” category that is further
restricted to employees in certain
departments. Other information
may constitute trade secrets of the
organization under state law, such as
proprietary protocols, business
methods, and customer lists. In
order to afford this information with
legal protection as trade secrets, it is
generally advisable to label the data
as confidential and treat it as such.
■ Public: Some mistakenly believe
that if the information does not fall
into one of the above classifications,
there are no restrictions. This is a
dangerous assumption. First, often
newly produced information has not
yet been classified and identified.
Therefore, the best practice is to
identify all information, even that
which is to be released to the public.
Similarly, each organization should
incorporate a policy in which
unidentified information automatically
defaults (at a minimum) to
“Internal Use” classification until
otherwise classified.
The above categories are proposed as
general guidelines without regard to
organizational particularities. Once the
classification development work is
completed however, the owners of the
specific information (i.e. business office
or health information management)
should begin to group their departmental
information into the appropriate
classifications that have been identified.
Business unit participation
At first glance this may appear overwhelming.
The process is quite manageable
however, given the appropriate
set of tools employed in a reasonable
order. One of the first steps should be
to include the business unit managers
and supervisors in the process.
Although one department will be
responsible for safeguarding and controlling
the access to information ultimately,
business unit participation in
classifying the data is essential.
A key aspect to the effective implementation
of the classification process is
facilitating the meetings with the business
units. Since there are few business
unit leaders with this type of experience,
the classification process owner
will need to take the lead. Individual
meetings with the various business
group managers and supervisors keep
the meeting productive. It is ill advised
to have too many groups present at
once. Each department perceives its sit-

uation as unique. The divide and con-
tion is classified based on
each job during the classification
quer method allows the individual
“Confidentiality”, “Integrity” and
process.
attention necessary for efficient and
“Availability”. All data not consid-
effective results.
ered “Public” should have at least
There are obvious benefits to imple-
Creating a collection tool
These meetings should focus on collecting
a description of the information
created and used by the business units.
A successful method used in other
industries includes providing a fill-inthe-blank
form with clear instructions
for completion. Fields that should be
included are:
■ Department: The group that owns
the information.
■ Contact information of reviewer:
The contact information for the
business unit individual conducting
the classification process
■ Date: The date that the review was
conducted. This is an ongoing
process that usually should be
reviewed annually
■ Information name/description:
This is an identifier and description
of the specific information maintained
by the business unit. This
should be at a moderately high level;
not a listing of each individual document
■ Storage method: Describe the
method or medium in which the
information is stored. For example:
Paper, Hard Disk, Tape Drive, email
archive, etc.
■ Classification: Each line item can
only fall into ONE classification.
The better practice is to err on the
side of caution. If there is a question
the more restrictive classification
level should be used. The default for
information that has no determination
should be Internal Use
■ Determining factors: The informa-
one determining factor selected
Information marking
After each business unit has appropriately
analyzed and classified their information,
the next step is information
marking (IM). The goal of IM is to
provide organizations with a common
identification scheme that allows the
employees to readily identify and
appropriately handle any piece of information.
Effort should be made to keep
the scheme as simple as possible.
For instance, PHI might be marked
with one color, while more restricted
information (PHI Restricted) is marked
with another. Each color is identified
with specific handling instructions
(“faxing not allowed”). Other considerations
include computer systems that
are clearly identified as a PHI site as
well as printers and faxes labeled as
restricted where appropriate. In addition,
many companies use electronic
banners that present at system log-on.
Managing access
The final step in the information management
process is managing access to
the information once it has been classified.
There are numerous approaches to
achieve this goal depending on the size
and complexity of the organization.
One approach is role-based access control
(RBAC). RBAC is a system of
access management structured on a
minimum necessary, need-to-know
basis in order to fulfill a role within the
organization. The business unit managers
define the classification level for
menting RBAC. The most notable of
which is the prevention of “access
creep”. Access creep occurs when
employees are promoted or transferred
within an organization. Often they are
granted additional access with each
move. Many times there is no systems
for correcting corresponding prior
levels.
Another approach is Discretionary
Access Control (DAC). DAC is primarily
based on the discretion of the information
owner and is not as uniform in
creation and application. This approach
may work appropriately for smaller
organizations but in larger ones access
creep is almost a certainty if not monitored
closely.
Additional benefits
Additional possibilities materialize for
leveraging this system into other
departments, such as human resources.
Employee badges might be marked in
accordance with the classification
scheme, providing a simple and effective
method for visibly matching
employees with appropriate access. For
companies employing a higher level of
technology, such as proximity cards,
swipe badges, or tokens in their physical
access or network controls, the
access levels could be synchronized.
This would allow for real-time low-level
audit capabilities in the following scenario.
An employee possesses one access card,
provided by the human resources
Continued on page 10
9
August 2002

LEVERAGING HIPAA...continued from page 9
August 2002
department when hired. She uses this to individual employee numbers allow
card to gain access to restricted areas and companies to identify and conduct levels
clock-in for work. During the course of of training appropriate to the access level
her workday, the card is used in conjunction
with a password, to access kiosk
of employees.
computers for Internet access and other Future initiatives will allow for Intranet
terminals to view PHI. If medical information
must be accessed from the HIM to populate the HRIS database automat-
and outsourced Internet-based training
department, the system that reads the ically when training is complete.
bar coded information on the patient Conversely this same process provides
record also reads the proximity card to timely notification when training compliance
has not been met. This signifi-
determine whether she has appropriate
access level. This ensures information is cantly reduces resource consumption as
checked out to a specific person (rather HIPAA training requirements grow.
than a department), who is responsible This integration also enables the quick
for the record until returned. Note that provision of specific information and
every step of the way, this access is captured
and logged for later archival, and if review purposes.
documentation for audit or annual
necessary, audit purposes.
Conclusion–the real benefits
Another possibility is the integration If the process appears daunting, bear in
with human resources information systems
(HRIS) such as ADP or similar The process should not be executed in
mind that the steps are relatively simple.
products that use an “open” database. one meeting or by a single department.
Linking information classification codes The key to success is careful preparation
WEB
RESOURCES
Editor’s conferences, compliance resources, and
note: Website links. Don’t miss out–Be sure to
Periodically read the articles BNA provides on the
we publish a Members Only section of the HCCA
listing of helpful Internet and email Website.
resources. If you know of Websites that may
be helpful to compliance professionals, please ■ HCCA’s quick survey results
submit them to Margaret Dragon at
http://www.hcca-info.org/html/
mrdragon@ziplink.net
compliance.html#Survey
Be sure to visit the HCCA Website:
■ HCCA’s Second HIPAA Readiness
http://www.hcca-info.org to find the Survey
most up to date listings of upcoming
http://www.hcca-info.org/documents/
10
of the classifications and the participation
of business unit managers and
supervisors. Their input in assigning the
classifications to the information is
essential. Starting small however, does
not waste time. This process is rather
modular and can be implemented over
time. Organizations should not expect
to get perfect information classifications.
They can however, expect to achieve a
vastly improved system that provides
safe, timely, and functional information
management in an increasingly complex
environment.
Once this initial process is complete, the
opportunity to link classifications to
human resources’ databases, physical security
devices, HIM management programs,
and time keeping instruments increase the
effectiveness of business processes.
Obviously, increasing benefits are derived
proportionately from the maximization of
automation and the information that can
be leveraged as a result. ■
report02_final.pdf
■ EMTALA changes–pages 31469-
31479
http://www.access.gpo.gov/su_docs/
fedreg/a020509c.html
■ Review of Medicare Outlier
Payments at Rhode Island Hospital
for Fiscal Year 1999
http://oig.hhs.gov/oas/reports/region1/
10100527.pdf
Continued on page 12

By Norman Radies
Editor’s note: Norman Radies is the Chief provider must meet the physician
Compliance Officer for Pediatrix Medical supervision requirements, while the
Group, Inc. He may be reached at services of auxiliary personnel in the
800/243-3839, Ext. 5133.
outpatient setting must meet the
requirements of the “incident to” rule.
Like many physician practice This rule requires the physician to personally
render a professional service to
organizations, increased
utilization of non-physician which the auxiliary personnel’s service is
practitioners (NPPs) has been necessary an incidental, yet integral part [of the
to meet the needs of patients and diagnosis and treatment of a patient’s
clients. Correspondingly, increased regulatory
scrutiny of services rendered by however, that the physician must see
injury or illness]. This does not mean,
NPPs has elevated the need to ensure the patient on each occasion of service
that all your i’s are dotted and t’s are (e.g., routine follow-up visit) by auxiliary
personnel. Use of the “incident to”
crossed. If you do business in multiple
states and serve a Medicaid population rule also requires that auxiliary personnel
are employed by the physician and
in each, you will likely be faced with a
complex set of issues when staffing your are unable to be paid directly for their
practices, scheduling your patients, and services.
billing for services rendered by NPPs.
Since most commercial payers do not The scheduling of patients, staffing of
enroll NPPs and few non-government the practice, and documentation
contracts explicitly define physician requirements are affected by the type of
supervision requirements, this article NPP rendering services, as well as the
will focus on the government payer location and type of services rendered.
requirements, primarily Medicaid. For example, if you schedule a
Medicaid patient for an initial visit
The first step is to gain a clear understanding
of the regulatory distinction office suite, the incident to provisions
when a physician is not present in the
between mid-level providers (i.e., described above cannot be met. Even a
advance nurse practitioners, physician routine follow-up visit (except 99211)
assistants, certified nurse midwives, performed by auxiliary personnel cannot
be billed to Medicaid when a physi-
etc.) and auxiliary personnel (i.e., nurses,
psychologists, technicians, therapists, cian is not present and immediately
and other aides).
available in the office suite (“incident
to” does not apply to the inpatient setting).
Documentary evidence must sup-
In order to bill their services under the
physician’s name and provider identification
number (PIN), a mid-level dent to requirements have been
port that all relevant supervision/inci-
met.
NORMAN RADIES
Lastly, it is important to recognize that
some Medicaid programs limit reimbursement
of NPPs services to as low as
65% of the physician fee schedule
amount.
Each state Medicaid program is authorized
to establish its own physician
supervision requirements for services
rendered by NPPs. Physician supervision
requirements can range from
“physician is available by telephone” to
“the physician must be present and
immediately available to assist while the
service is being rendered.” Maintain oncall
logs and attendance records to support
that supervision requirements have
been met. Some Medicaid programs
require the billing of all services by the
actual provider. In other words, services
rendered by a mid-level NPP must be
billed under the NPP’s name and PIN,
regardless of the level of physician
supervision.
Many state programs maintain a Website
and on-line access to provider manuals.
State Medicaid links are available
through both government and private
sites such as http://www.geocities.com/
medicaid.geo/index.html, Murphy’s
Unofficial Medicaid Page.
Continued on page 12
11
August 2002

PHYSICIAN PRACTICE AND BILLING ISSUES...continued from page 11
Beware that a number of state sites may
still be under construction or may not
have any “search” capabilities. Further,
some states do not provide explicit written
guidance concerning physician
supervision, while others default to the
requirements established by Medicare
or their contracted managed care payers.
When you may be faced with a
lengthy, and oftentimes unsuccessful,
review of years of Medicaid program
bulletins, it is generally easier to solicit
information directly from their provider
relations group. Remember to always
get answers in writing. Send a letter or
fax to confirm answers provided over
the phone.
Finally, a number of state programs do
not enroll all types of NPPs. For example,
MediCal enrolls advance practice
nurses, but only pediatric nurse practitioners
and primary care nurse practitioners.
In these states, you may end up
having to petition the state program to
recognize a new type of NPP. Be prepared
to submit extensive information
regarding qualifications and types of
services provided (e.g., CPT codes).
Another important step in effectively
dealing with the issues presented by
NPPs requires careful reading and
interpretation of the AMA’s CPT
(Common Procedure Terminology)
manual. Many of the services provided
by physician practices in both the inpatient
and outpatient settings entail evaluation
and management (E&M) services
which, with the exception of 99211,
are described as requiring the presence
of a physician. However, in a state
where the supervision requirement is
“available by telephone,” E&M services
may be reported under an enrolled,
mid-level provider’s name and PIN.
Conversely, other E&M services performed
by an enrolled mid-level
provider should be reported under the
supervising physician’s name and PIN
even if the supervision requirements
have been met. For example, the 2002
CPT manual defines the neonatal critical
care codes as “services provided by a
physician directing the care of a critically
ill newborn [or managing the continuing
intensive care of the very low birth
weight (VLBW) infant].” The reported
service is the physician’s direction of the
critically ill newborn’s care, not the
individual services that may have been
rendered by the mid-level provider.
State laws and practice acts also need to
be researched to confirm that services
fall within the NPP’s scope of practice;
e.g., licensure. For example, Arizona
permits delivery services to be provided
by a licensed midwife without direct
physician supervision, but only to
Medicaid beneficiaries for whom an
uncomplicated prenatal course and a
low-risk labor and delivery can be
anticipated. Also, make certain that any
mid-level providers working in an inpatient
setting have been granted appropriate
privileges by the hospitals.
Once the regulatory research is complete,
the next step is to ensure that the
practice’s operations supports both the
billing and record keeping requirements;
i.e., are all NPPs properly
enrolled (including those cross-over
states), would existing documentation
evidence that supervision requirements
had been met, etc. All appropriate practice
personnel need to be educated
regarding pertinent requirements.
Lastly, don’t leave your fate to chance.
Conduct a follow-up review a short
while after implementing any changes
to ensure compliance. A few unintentional
errors may be acceptable, but a
pattern of errors may have serious consequences.
■
August 2002
WEB RESOURCES...continued from page 10
■ OIG ISSUES Draft Compliance
Program Guidance for Ambulance
Suppliers
http://oig.hhs.gov/fraud/docs/
complianceguidance/draftambulance
compliance060602.pdf
■ IG Testimony: Medicare pays above
12
market prices for medical supplies
http://oig.hhs.gov/testimony/docs/2002/
020611fin.pdf
■ Federal Register Notice RE: Revision
of OIG Compliance Guidance for
the Hospital Industry
http://oig.hhs.gov/authorities/docs/
cpg%20hospital%20solicitation
%20notice.pdf
■ OIG Advisory Opinion No. 9–concerning
whether a proposed singlespecialty
ambulatory surgical center
that would be wholly-owned by a
physician would violate the administrative
authorities related to the antikickback
statute
http://oig.hhs.gov/fraud/docs/advisory
opinions/2002/ao0209.pdf ■

feature
article
Editor’s note: This interview with James
Roosevelt, Senior Vice President and
General Counsel for Tufts Health Plan in
Boston and recently named President of
the American Health Lawyers Association
was conducted by F. Lisa Murtha, HCCA
Board member and Chief Audit and
Compliance Officer for Children’s
Hospital of Philadelphia. Mr. Roosevelt
may be reached at 781/466-8564 and
Ms. Murtha may be reached at 215/590-
9156.
LM:
Thank you so much Jim for
joining us. We really appreciate your
time this morning. I wanted to chat
with you a bit about your new role as
the President of American Health
Lawyers Association (AHLA). When
does your term begin or has it already
begun and what is your single biggest
mission for the AHLA for your term as
President?
JR:
My term with AHLA begins
at our annual meeting in San Francisco
on July 1st. The fundamental mission
of AHLA is education of lawyers and
others who work with health law and
regulations. So my single biggest mission
is to maintain and continue to
improve the high standard of education
both in in-person conferences and teleconferences
as well as publications. My
secondary mission is to expand the
audience and membership of AHLA.
LM:
Do you see any obstacles over
the course of the next year with AHLA
Meet James Roosevelt
Senior Vice President and General
Counsel for Tufts Health Plan
in achieving your mission. I mean, in
light of world events such as September
11th.
JR: Well, we have increased teleconferences,
some of them on issues
that come up quickly, and we’ve put
together a quick mini-seminar or discussion.
We’ve initiated a series of conversations
with major policymakers by
teleconference. However, our in-person
conferences have returned to the sort of
attendance that we were getting before
9-11. After 9-11, we had a little dip,
maybe 20 percent or so, but within
about two months, we came back to
the pre-9-11 level.
LM:
Well, as you know, the Health
Care Compliance Association is partnering
with the American Health
Lawyers Association on the Fraud and
Compliance Forum. And I was just
curious as to your perspective on partnerships
with associations like the
HCCA or others, as the case may be.
Do you think that that is the wave of
the future?
JR: I participated in the Fraud
and Compliance Forum last fall actually
and I was also a participant in another
joint conference that Health Lawyers
put on this year with the American
Association of Health Plans. And I do
think that joint events are valuable to
both organizations. Health Lawyers
bring a particularly high standard in
legal education and great resources in
terms of our speakers and writers. The
organizations of people who work in
the field bring both an important perspective
on planning the conferences so
that the conferences are relevant to very
current issues, not just what might have
come to a lawyer in a law firm six
months, a year, two years after the fact
when some litigation matter has arisen
or something like that. So, I think that
the collaboration between Health
Lawyers and some of the health care
industry organizations is valuable both
for the content and the attendance at
the events.
LM:
Have you been involved in the
Continued on Page 14
13
August 2002

August 2002
James Roosevelt
you see as the future of health care
14
development of the compliance program
within Tufts Health Plan?
JR:
I am the senior corporate
sponsor of the compliance program at
Tufts Health Plan. I am not the compliance
officer or the senior compliance
officer but rather the next step above
that because we take compliance so
seriously. My role as a member of the
most senior group of management is to
sponsor the compliance program. So I
am very heavily involved in the ongoing
development of the program. There
was a good program in place when I
got there. We are working every day
and every month to improve it and to
respond to the changing demands of
compliance in such areas as HIPAA.
LM:
Excellent. I actually have a
question for you on that. Given the
things that you’ve done within the context
of the clients in your organization,
what do you think is the single biggest
dollar?
JR:
front, say $1,500, as an example, a
I would say, first of all, the $1,000 personal care account that can
most important thing in our compliance
program is our people, both our
people who design and implement the
program. We have a great compliance
officer, Anne Doyle, and a great senior
compliance officer, Russ Kopp, who
really take compliance seriously. But
ultimately what makes a good compliance
program is all 2,500 Tufts Health
Plan employees. And in order to
encourage that from day one, from orientation
to annual quizzes to training
during the year, keeping people aware
of compliance and explaining what it
means and adapting to changes in the
working environment, are where we
really get value.
LM:
compliance?
Tufts Health Plan and I think has to be
Oh, that’s excellent. The next an integral part of both every provider’s
factor for the success of your program? question I’d like to ask you is what do and every insurer’s operation because
JR:
I think health care compliance
is a dynamic field that keeps
evolving. So, I’m not sure I can predict
the future specifically other than to say
that I think as the areas of both health
care and health care coverage expand
and change, so will compliance. New
approaches in terms of assuring that
law regulation and ethics are complied
with will have to respond to the changing
field and the changing market.
Just to give you an example,
there’s a lot of planning being done
these days for offering defined contribution
health care coverage. This is a
plan where an employee is given a certain
amount of money by his or her
employer and he or she, first of all,
Would it be the training, the monitoring?
You know, where have you seen they’re going to have but, secondly,
chooses the sort of coverage that
the real bang for your compliance often has quite a high deductible up
be used for traditional health care and
also for things like wellness activities,
complimentary medicine, everything
from podiatry to massages. And the
compliance aspect of a plan like that is
probably going to be different from a
traditional HMO or even PPO. The
establishment of the network is going
to present new challenges of avoiding
conflicts of interest and things like
that.
LM:
So you really believe that
compliance has become an integral
part of your operation?
JR:
Yes, absolutely. Compliance is
an integral part of our operations at

there are so many issues that have to be
determined on both a regulatory and
an ethical basis.
LM:
What advice would you give
to organizations to assist in prevention
of fraud and abuse and exposure from
government investigations.
JR:
The most important thing is
to make people aware of what is permissible
and what is not, not just the
letter of the law, but what is in keeping
with the spirit of the law. Now, some
of that is just absolutely clear in black
letter. For example, you may have
noticed that Vermont has just enacted
a statute requiring that all gifts of over
$25 from pharmaceutical companies to
providers have to be reported to the
state. So there’s a new twist on compliance.
Some of us have had internal
policies similar to that but now here’s
an absolute need for compliance to a
regulatory approach.
LM:
As the general counsel of
Tufts Health Plan, how do you work
with the compliance department on
compliance issues, particularly investigations,
etc.
JR:
The legal department, which
I head as general counsel, and the compliance
department work together in
several ways. First of all, as the senior
corporate sponsor of compliance,
together with one of my associate general
counsels, Lois Cornell, we work
with the compliance steering committee
in drafting policies and adapting
them to real-life situations. Lois also
works on the gift and grant review
committee to make specific determinations
as to whether a particular gift or
grant is in compliance with our corporate
policies.
When we reach an issue that
is really in dispute in some way, the
legal department becomes involved in a
more, you might say, traditionally legal
way. We might well have one of our
litigators, Dave Abelman, conduct an
investigation. We might advise both
the operating department and the
compliance department as to statutory
and regulatory, as well as internal policy,
requirements on a specific issue.
LM:
What do you see as the
biggest compliance risk for health
plans as well as for providers?
JR:
Currently the biggest compliance
risk is probably meeting the
HIPAA requirements and deadlines.
That’s something that we can see on
the horizon and therefore define. So
that’s the greatest immediate risk. Long
term, and ongoing, I would say the
risk is trying to balance reality with
our aspirations. We need to assure that
our employees operate ethically and
legally every step of the way. We also
have to deal with a real world where
things are not always absolutely clear as
to what is the right thing to do. So the
important thing I think is having people
think about things in an ethical
fashion.
LM:
And that would be both for
health plans and providers?
JR:
That really applies to both
health plans and providers. It’s not a
whole lot different. The guiding principle
actually is something that we
think about and focus on a lot at Tufts
Health Plan, which is basically to do
the right thing and to put integrity
before everything else.
LM:
Have you been involved in
HIPAA implementation for Tufts
Health Plan? And, if so, can you
describe those efforts? Who is the chief
privacy officer and where does he or
she report?
JR: We have many people including
me involved in HIPAA implementation.
Our compliance officer is also
our chief privacy officer. One of her
staff members, Jeannette Frey, who formerly
worked on compliance generally
has been detailed solely to privacy and
HIPAA compliance. I have a legal
department staff member who is
devoted almost exclusively to HIPAA
implementation and compliance. So at
sort of every step of the way we’re
finding HIPAA compliance to be not
quite all consuming but a major task,
certainly no less than Y2K compliance.
LM:
I have one more question for
you. Is your organization combining
compliance and HIPAA activities.
JR: We do combine compliance
and HIPAA activities in terms of the
compliance side of the activities. Now
in terms of staffing there are people
who are dedicated solely on the IT side
and the business processes side but in
terms of compliance, we do integrate
compliance and HIPAA activities
because basically HIPAA raises to a
regulatory level the issues of privacy
that have had some legislative treatment
in the past but have primarily
been issues of internal policy in the
past.
LM: Thank you for your time today.
JR: Thank you and we’ll see you
in September at the Fraud and
Compliance Forum. ■
15
August 2002

BACK
TO BASICS
For gathering facts, nothing beats
16
Conduct-
August 2002
there is no substitute for facts.
allow. If you think a person has said
ing a
Compliance
Interview
speaking directly with an individual
involved in the alleged non-compliance.
Interviews, therefore, are vital parts of
By Ryan D. Meade
investigations and can make or break
the integrity of the investigation report
Editor’s note: Ryan Meade is a partner in
the Chicago office of the law firm
Michael Best & Friedrich. Mr. Meade is
as well as the government’s perception
of the competency of the compliance
staff and program.
also adjunct professor of law in the
Health Law Institute at Loyola
University of Chicago Law School. He
may be reached at 312/222-6686 or
rdmeade@mbf-law.com
You don’t have to be a lawyer to conduct
a compliance interview, but a few
tips from a lawyer might not hurt.
Interviewing to get at facts is not an
easily taught skill. It is mostly learned
When the Department of Health and
Human Services’ Office of Inspector
through experience and the awkward
trial and error method.
General (OIG) issued its “Compliance
Program Guidance for Hospitals” (63
FR 8987) in 1998, it set out the basic
seven elements the OIG expected to see
in an effective compliance program.
One of those elements was stated as:
Development of a system to respond
to allegations of improper/illegal
activities and the enforcement of
appropriate disciplinary action
against employees who have violated
internal compliance policies, applicable
statutes, regulations, or Federal
health care program requirements.
Id. At 8989.
Investigations are critical for getting a
handle on what has gone wrong or to
support a determination that nothing
has gone wrong. Investigations should
be quick, yet thorough. Investigations
should be focused on gathering facts.
There may be a time for pointing fingers,
but initially it is more critical to
get to the bottom of things. It is a simple
concept which is often forgotten:
Below are tips for conducting compliance
interviews. They are not by any
means exhaustive and they are not in
any particular order of importance.
Most of them constitute plain old-fashioned
common sense, but often common
sense approaches can be lost in the
heat of the moment or can go unrecognized
unless articulated. Some of the
following also reflect the author’s own
personal style of interviewing so that
the reader may need to adjust these tips
to meet the unique circumstances of an
interview or investigation.
1. Take copious notes
Few of us have photographic memories
and few of us are able to keep in the
forefront of our mind all the different
views on the same set of facts. It doesn’t
take many interviews before an interviewer
gets confused as to who said
what about an event. Focus on the person
you are interviewing and take as
many notes as time and circumstances
RYAN D. MEADE
something particularly important, write
down the person’s words verbatim.
Don’t be embarrassed to pause the
interviewee and repeat the quote back
to him or her to ensure you have
recorded the words precisely.
2. Don’t tape an interview
Written notes are preferable to recorded
voice tapes. Taping voices picks up
all words, even those which might be
corrected later on in the interview and
possibly heard (or played) out of context.
Also, in those instances in which
it is legitimate to erase tapes, erased
recordings are often found to be not as
successfully erased as the erasor presumes.
Technology grows by leaps and
bounds such that techniques exist that
can sometimes recover voices from cassette
tapes that are presumed to be
erased with magnets. Additionally, digital
voice recordings may leave a recoverable,
electronic impression on the
computer system supporting the
recordings. If anything has been placed
on a computer, the document usually
exists forever as stored or “backed-up”
somewhere. As a practical suggestion
for any recording, be sure you want to
create an inextinguishable document
before you create it.

3. Have a witness! Do interviews with
yourself when accused of wrongdoing.
do two people remember the exact
a partner
When people are confronted with an
same set of facts the same way. Just
A team of two is always a good idea
accusation of personal liability, then he
because a person’s memory may seem-
when conducting a compliance inter-
or she typically become more selective
ingly contradict another person’s mem-
view. Not only is a witness important to
in the facts that are revealed. Try to
ory does not mean that one of the indi-
help substantiate what a person said at
avoid conclusions of wrongdoing dur-
viduals is lying. Each person may have
a particular interview, but the witness is
ing the interview and stick to the facts.
witnessed the same set of facts from a
also valuable should the interviewee
different angle, so to speak, so that
allege that something unsavory
6. Ask job employment and education
assembling all the angles constructs the
occurred during the interview (e.g.,
history–get a sense of the intervie-
best view of an event. Plus, under some
harassment or threats of retaliation).
wee’s background
circumstances, attempting to influence
The interviewee’s background is rarely a
a person’s memory could be considered
4. Put a person at ease: Strike a
determinative factor in getting at the
obstruction of justice.
balance between casual conversation
facts surrounding an allegedly improper
and formality
activity. Nevertheless, job employment
9. Identify what is the interviewee’s
There is no way around the fact that
and educational history can provide a
personal knowledge versus knowl-
most people are nervous when they are
context in which to evaluate whether
edge learned from other people
being interviewed in the course of an
the requisite intent or breach of duty
This is a matter of parsing out ambigu-
internal investigation. Try to put the
existed so as to raise a simple mistake to
ous sources of information. Often peo-
person at ease. While it is not appropri-
that of a civil false claim or worse, a
ple will state a fact as if they know the
ate for the interview to be excessively
crime. In some circumstances, an inves-
information first hand, but when you
casual so that it is indistinguishable
tigation can rule out criminal intent
press further it is revealed that the
from a chat with your best friend over a
when it is clear that a person submitted
information is nothing more than
cup of coffee, nevertheless the interview
an erroneous claim not for nefarious
hearsay. If a person “understands” a fact
need not be a star chamber interroga-
purposes but as the result of lack of
to be true, press him or her on how he
tion. Try chatting briefly about innocu-
education and training.
or she knows it to be true. Likewise, if a
ous topics at the beginning of the inter-
person “heard” a fact, press him or her
view to set the person at ease. Consider
7. Don’t assume the interviewee has
on who the source of the information
asking about the person’s weekend or
the same level of knowledge as
is.
their children or a local topic of inter-
you–ask basic questions to establish
est. Often times a person can be put at
the person’s understanding
10. Have the interviewee clarify
ease if the interviewer is simply friendly.
It may be important to ask individuals
ambiguous pronouns (the infamous
for their understanding of very rudi-
“they”)
5. Never criticize the interviewee
mentary operations, even of high-level
Never let an ambiguous “they” go by.
during the interview
management. This line of questions is
Press the interviewee as to who the
Remember that in an investigation, the
used not so much as a vehicle for the
“they” is. Don’t assume you know who
goal is to gather facts. You can make a
interviewer to understand the subject in
“they” are.
judgment about the meaning of those
question but as a means to gauge the
facts later, but when interviewing, keep
level of a person’s personal level of cul-
11. Let the interviewee talk–don’t
your eyes on the prize: facts. Criticizing
pability and the institutional intent
interrupt!
the interviewee or expressing judge-
involved in an activity.
Interviewees will likely be nervous and
ments during interviews can cause the
they will likely feel more at ease the
likely already agitated person to retreat
8. Don’t attempt to correct or influ-
more they talk. It is also important to
inward, closing off fact-finding oppor-
ence the person’s memory
let the interviewee talk virtually without
tunities. It’s human nature to defend
Let memories be what they are. Rarely
Continued on page 18
17
August 2002

CONDUCTING A COMPLIANCE INTERVIEW...continued from page 17
interruption on the chance that the
interviewer is not “clicking” with the
interviewee intellectually. In such circumstances,
letting the interviewee talk
offers a greater chance for facts to spill
out. While this can make interviewing
tedious, the interviewer might obtain
facts he or she would never have
obtained if the interview was presumptively
cut short.
12. Reassure the interviewee that
“it’s OK” if he or she doesn’t remember
Memories are not perfect. Sometimes a
person’s memory needs time to “brew.”
A day after the interview a person
might recall with great clarity a fact that
was completely lost or buried the day
before. Encourage interviewees to call
the interviewer if there are facts that
need correcting or a discovery of a new,
relevant fact. Reassure an interviewee at
the end of the interview that if he or
she remembers anything else, you are
available to talk–and assure the person
that it is OK if he or she needs to clarify
or correct something said during the
interview
13. Plan plenty of time for an interview–they
are almost always longer
than you expect
Often times interviews do not go as
planned. A new fact is frequently identified
or an issue is raised which takes
the investigation in an unexpected
direction. Within reason, time must be
allotted to go where the interview goes.
This author’s experience is that an issue
that begins an investigation rarely looks
the same by the end of the investigation.
14. If interviews identify an important
meeting, interview everyone at the
meeting
Meetings which are at the center of
events should be investigated thoroughly,
including interviewing everyone at
the meeting. You can be sure that the
government will investigate a critical
meeting thoroughly, and so should you.
Even if a person would not seem on the
surface to hold any key information, go
through the process of interviewing him
or her on the events of the meeting.
15. End all interviews by asking the
interviewee if there is anything else
he or she wants to relay to you or any
other compliance he or she wants to
talk about
If the interviewee answers with an
answer of “I don’t know anything else,”
then this puts the person on record as
having told the interviewer everything
he or she knows about a particular issue
as well as not knowing of any other
compliance problem. This is important
not only to be sure that nothing else is
lurking which the interviewer should
know about but if there is something
which is later revealed that the interviewee
knew but did not disclose, then
compliance personnel are insulated
from accusations of lack of thoroughness
or cover-up. Of course it is not
uncommon for an interviewee to supply
the interviewer with another wholly
different compliance issue. ■
FOR
CA and
LA County
to pay $73
million to U.S.
for overbilling Medicaid program
On June 20, the U.S. Department of
Justice announced that the State of
California and the County of Los
Angles will pay the federal government
$73.3 million to settle allegations that
they violated the False Claims Act with
August 2002
18
YOUR INFO
respect to claims submitted to
Medicaid.
This settlement resolves allegations that
the state and the county directly or indirectly
billed the federal health care program
for services provided to certain
minors when these jurisdictions had no
basis for concluding that these individuals
financially qualified for Medicaid
services. The services included drug and
alcohol abuse, pregnancy and pregnancyrelated
services, family planning, sexual
assault treatment, sexually transmitted
diseases, and mental health services.
The Whistleblower, Singh Khalsa, an
employee of the LA Department of
Mental Health, will receive approximately
$1.36 million of the total recovery
as his statutory award. For more;
http://www.usdoj.gov/opa/pr/2002/June/
02_civ_364.htm ■

leagues. Physicians can hear the message
from Physicians. CEO’s hear
from CEO’s.
The HCCA
2003 Compliance
Institute,
New Orleans,
April 27-30
ROY SNELL
A melting pot of compliance
intellectual capital
The Compliance Institute is completely
geared to the needs of the Compliance
Professional. It is a comprehensive program
offering the latest information for
all levels of experience. We are currently
developing the program for the April 27-30 CI 2003, New
Orleans, LA–Keeping that in mind I’d like you to answer the following
questions:
■ Are you having trouble justifying your budget?
■ Is your Compliance Program stalled out or moving forward
too slowly?
■ Do you hear? “I am too busy to do compliance.”?
■ Do you have someone in your organization that needs to be
more committed?
■ Is there someone who needs a better understanding of compliance?
■ Are you having trouble getting your colleagues to commit the
time and energy?
“Yes”
If you have answered “yes” to any of the above questions–and I
expect that most of you have–please consider bringing a colleague
to the Compliance Institute. Compliance requires all
employees of the organization to pull in the same direction–and
we all know how challenging that can be. However, Compliance
Professionals have been pulling this off for years. Compliance
professionals who have brought a colleague to one of our
Compliance Institute meetings have left with an individual who
has a new appreciation and commitment to compliance.
Compliance Institute
Getting and keeping your organization’s leadership on board
with the Compliance Program is vital to the success of your organization’s
program. When leadership and Board members attend
the Compliance Institute, they have a better understanding of
budget requests. Speakers from the enforcement community
share future objectives. Department heads learn from their col-
Your colleagues will leave with a
renewed commitment. They gain a
greater understanding and appreciation
through hearing the message
from their peers, the enforcement
community, and others. This helps to motivate them to commit
the time, resources, and energy necessary to move their piece of
the organizations compliance program forward.
This is all possible because the Compliance Institute facilitates a
sharing of ideas between health care professionals. Speakers from
all walks of health care (see pp. 20/21) share ideas in general
sessions, breakout sessions, panels, networking sessions, preconference
workshops, and post-conference workshops.
Cross functional and cross industry compliance melting pot
The Compliance Institute is a melting pot of compliance professionals.
Health care executives from all segments of the industry
benefit from this comprehensive and instructive program. The
Compliance Institute brings us all together to learn from each
other and strives to address the compliance concerns of the
health care industry–as opposed to exclusive conferences where
people from all one segment of health care meet. The Health
Care Compliance Association does this because compliance does
not operate in a vacuum; we interact with many parts of the
organization. The Compliance Institute facilitates interaction
between departments just as we do in our organization. At the
HCCA Compliance Institute lawyers learn from consultants,
who learn from compliance officers, who learn from educators,
who learn from the enforcement community and visa versa.
The following is a list of individuals that have attended past
HCCA meetings and have left with a renewed understanding
and appreciation for their role in moving the organizations compliance
program forward.
Compliance Professionals
■ Auditors
■ Coders
■ Educators
■ Internal Investigators
■ Billers
■ Medical Records
Continued on page 20
19
August 2002

LETTER FROM THE CEO...continued from page 19
■ In-house Counsel ■ Outside Counsel
■ Consultants
■ Software Vendors
■ Publishers
■ Administrators
■ Chief Executive Officer ■ Chief Financial Officer
■ Physicians
■ Board Members
■ Compliance Officers ■ Risk Managers
■ Nurses
■ Researchers
■ Information Technology ■ Natl. Office of Inspector General
■ District Dept. of Justice ■ Local Office of Inspector General
■ National Dept. of Justice ■ Medicaid Fraud Control Unit
■ Attorney General ■ Commercial Fraud Investigators
■ Managed Care Fraud Investigators
Industry Segments Represented
■ Managed Care ■ Commercial Payor
Peter Adler, Partner, Foley & Lardner,
Health Care Privacy Officer Compliance
Pre-Conference
William Altman, Vice President of
Compliance and Government Programs,
Kindred Healthcare, Long Term Care
Compliance; 102 Compliance Effectiveness for
2002 and Beyond
Bob Arnot, NBC News, Bio-terrorisom’s
Impact on Health Care Operations
Marti Arvin, Compliance Office University
of Pittsburgh Physicians, Governance: The
Balance of Power
Victor Blanchard, Manager, Arthur
Andersen, Security and Transactions and
Code Sets, the Technical Side of HIPAA
Compliance
Christine Boras, Corporate Compliance
Officer, United Health Services, The
Compliance Officer Forum Pre-Conference
Tony Boswell, Chief Compliance Officer,
Laidlaw, Health Care Privacy Officer
Compliance Pre-Conference
Elizabeth Carder, Reed Smith, Compliance
Officer Personal Liability and Insurance
Coverage Issues
Lisa Clark, Partner, Duane Morris, LLP
August 2002
20
■ Long Term Care
■ Laboratory
■ Group Practices
■ Pharmaceuticals
■ Research
■ University Hospital
■ Durable Medical Eqpt.
Privacy Primer -The Overview You Have
Been Waiting For!
Eileen Coggins, Vice President of
Compliance, Genesis Health Ventures,
Long Term Care Compliance Pre-Conference
Darrel Contreras, Manager, Ernst &
Young, Sample Techniques for Auditing and
Monitoring
Lisa Dahm, Partner, DDF & Associates,
HIPAA Document Workshop
Shawn DeGroot, Compliance Officer
VISN 13, Veteran’s Healthcare
Administration, Compliance Officer Forum
Pre-Conference; The Value of Compliance in
the VHA
Joette Derricks, CEO, Healthcare
Management Solution Inc., Physician
Compliance Training
Suzie Draper, Compliance Administrator,
Intermountain Health Care, What CCOs
are Doing with Their On-line Training
Monte Dube, Partner, McDermott Will &
Emery, Conflicts of Interest–Individual and
Organizational
Jim Finnegan, Manager, Ethics and
Compliance Program Assessment, HCA,
Inc., Integrated Heralth Care Systems
■ Home Health
■ Hospitals
■ Integrated Delivery Systems
■ Pharmacy
■ Pharmacy Benefit Management
■ University Group Practice
■ Clinical Research Organizations
The 2002 Compliance Institute had a remarkable assortment of
distinguished speakers who covered an extensive number of subjects
from a wide-variety of industry perspectives. Give your
compliance program a Boost–join your compliance colleagues in
New Orleans, April 27-30, 2003 and bring a member of your
leadership team with you! See below for a partial listing of the
Compliance Institute 2002 speakers and their topics. ■
HCCA Compliance Institute 2002: Speakers & Topics (partial listing)
Compliance Pre-Conference
Ken Fody, HIPAA Project Executive,
Independence Blue Cross, Integrating
HIPAA Into Your Compliance Program
Robert Freeman, Assoc. General Counsel
& Compliance Officer, BCBS of
Massachusetts, Payors/Managed Care
Compliance Pre-Conference
Kent Giles, PricewaterhouseCoopers, To
De-Identify or Not to De-Identify? That is the
Question
Georgette Gustin, Director,
PricewaterhouseCoopers, Coding for
Attorneys and Compliance Professionals
Mindy Hatton, VP and Chief Washington
Counsel, American Hospital Association,
The New Proposed Changes to the Privacy
Regulations
Sharon Hayman, Director of Healthcare
Management Administration, Blue Cross
Blue Shield of NJ, Payors/Managed Care
Compliance Pre-Conference
Michael Hemsley, VP/Corporate
Compliance & Legal Services, Catholic
Health East, Integrated Health Care Systems
Compliance Pre-Conference; Compliance
Effectiveness for 2002 and Beyond: Taking
Compliance Effectiveness to the Next Level

Alyse Hutchinson, Associate Compliance
Counsel, Laidlaw, Health Care Privacy
Officer Compliance Pre-Conference
Margaret Hutchinson, Assistant US
Attorney, US Dept. of Justice, Updates on
the False Claims Act
Bruce Japsen, Chicago Tribune, Health
Care Fraud & Abuse Issues: The Media’s
Perspective
Chris Jedrey, Attorney, McDermott Will
& Emery, Academic & Research Compliance
Kristin Jenkins, Compliance & Quality
Officer, JPSHealth Network, Quality Issues
and Compliance; HIPPA Document
Workshop
Vreeland Jones, Attorney, Foley & Lardner,
Managed Care Compliance Risks
Mike Kendall, Partner, McDermott, Will,
& Emery, Advanced Investigations, Privileges
and Disclosure
Carole Klove, Principal, Deloitte &
Touche, Integrating HIPAA Into Your
Compliance Program
Doug Lankler, Corporate Counsel, Pfizer
Inc., Advanced Investigations, Privileges, and
Disclosure
Robert Lower, Partner, Akston & Bird,
HIPAA Document Workshop
Allison Maney, Compliance Officer,
Lovelace Health System, Graduate
Level–Compliance 202
Vickie McCormick, Special Counsel,
Halleland Nilan Lewis Sipkins & Johnson
PA, Payors/Managed Care Compliance-Pre-
Conference; Practical Tools for Auditing &
Monitoring; Managed Care Compliance Risks
Ryan Meade, Partner, Michael Best &
Fridrich, Current Events and Hot Topics in
HIPAA
Mark Meaney, Executive Director,
Bioethicist, Institute for Clinical and
Corporate Ethics, Health Care Privacy
Officer Compliance Pre-Conference; 403
Ethics and the Compliance Professional
Kathy Merlo, Director, St. Louis
University, Compliance Officer Forum
Bill Middleton, Case Manager
HCA, Inc., Integrated Health Care Systems
Compliance Pre-Conference
Elizabeth Moran, Halleland, Lewis, Nilan,
Sipkins & Johnson, Payors/Managed Care
Compliance Pre-Conference
Lewis Morris, Asst. Inspector General for
Legal Affairs, Office of the Inspector
General, US Dept. of HHS, Regulatory
Panel–Hot Topics and Current Events
Emil Moschella, Asst. General Counsel,
Horizon BCBS of New Jersey,
Payors/Managed Care Compliance
Pre-Conference
F. Lisa Murtha, Chief Audit and
Compliance Officer, Children’s Hospital of
Philadelphia, Academic & Research
Compliance Pre-Conference; Research
Compliance & Human Subject Research
Jody Ann Noon, Principal, Deloitte &
Touche, Business Associates–What Should you
be Doing Now?
Jeffrey Oak, Chief Compliance & Business
Integrity Officer, Veterans Health
Administration, Ethics and the Compliance
Professional; The Value of Compliance in the
VHA
David Orbuch, Corporate Compliance
Officer, Allina Health System, Compliance
Effectiveness for 2002 and Beyond: Taking
Compliance Effectiveness to the Next Level
Ronald Orth, Director of Utilization
Compliance , Kindred Healthcare, Inc.,
Long Term Care Compliance Pre-Conference
Sandy Piersol, Senior Manager, Deloitte &
Touche, Sampling Techniques for Auditing
and Monitoring
Susan Postal, VP of Health Information
Management Services - Government
Programs, HCA, Coding for Attorneys and
Compliance Professionals
Sue Prophet, Director of Coding, Policy &
Compliance, AHIMA, Current Events and
Hot Topics in HIPAA
Dan Roach, VP/Corporate Compliance
Officer, Catholic Healthcare West, What
CCOs are Doing with Their On-line
Training
Ted Sanford, Compliance Officer,
University of Michigan Health System,
Current Events and Hot Topics in HIPAA
Brent Saunders, Partner,
PricewaterhouseCoopers, Enron Panel
Regulatory Panel - Hot Topics and Current
Events
Rubin Shaw King, Chief Operating
Officer, CMS, An Update from CMS
Edward Shay, Partner, Post & Schell, P.C.
Security and Transactions and Code Sets, the
Technical Side of HIPAA Compliance
John Steiner, Director of Corporate
Compliance, Cleveland Clinic Foundation,
HIPAA Readiness Survey/Tools for Self
Assessment
Mike Treash, Senior Manager, Ernst &
Young, Payors/Managed Care Compliance
Pre-Conference
Debbie Troklus, Manager,
PricewaterhouseCoopers, Privacy Assessments,
Beginning the Process; Compliance 101
Sheryl Vacca, Director, Health Care
Services, Deloitte & Touche, Practical Tools
for Auditing & Monitoring; Graduate Level-
Compliance 202
L. Stephan Vincze, Ethics and Compliance
Officer, TAP Pharmaceutical Products Inc.,
Update on HCCA Coalition to Study
Compliance Program Effectiveness
Greg Warner, Director of Compliance,
Mayo Clinic, The Compliance Officer Forum
Pre-Conference
Gadi Weinreich, Partner, Shaw Pitman,
STARK 2002: A detailed Overview of the
Law
Holly Winn, Compliance Training Analyst,
HCA, Inc., Integrated Health Care Systems
Compliance Pre-Conference
Amanda Yoh, Compliance Manager,
Laidlaw, Privacy Primer-The Overview You
have Been Waiting For!
Alan Yuspeh, Senior VP, Ethics,
Compliance and Corporate Responsibility,
HCA, Inc., Integrated Health Care Systems
Compliance Pre-Conference
21
August 2002

Implementing
a HIPAA
work plan in
an academic medical environment
By Maria Gonzales, J.D.
Editor’s note: Marcia Gonzales, JD, is Compliance
Officer & Privacy Officer for Long
Hospital in Indianapolis, Indiana. She may
be reached at marcgonz@iupui.edu
Ms. Gonzales is a member of the HCCA’s
Academic/Research Special Interest Group
(SIG). To learn more about joining this
SIG, please contact Marti Arvin–
412/647-3388–arvinm@msx.upmc.edu
Many Privacy Officers and Compliance
Officers know by now that there are no
one size fits all approaches to developing
and implementing compliance program
in accordance with the Administrative
Simplification provisions of the
Health Insurance Portability and
Accountability Act (HIPAA). Therefore,
the only experience that I am able to
share with my colleagues is the
approach chosen for the Indiana
University School of Medicine, through
the Office of Compliance Services.
Unlike many physician practices and
some smaller hospitals, more complex
health care systems such as an academic
medical center (AMC), have several
covered entities situated among other
covered entities. Not only does an
AMC have to consider its own needs,
but it must also consider the immediate
ripple effects that may impact its affiliates
when implementing any changes.
As with any implementation strategy
involving a complex health care system,
the structure and the collaboration
process are two of the most important
SPECIALINTEREST
GROUP
August 2002
22
SPECIAL
variables that will govern the shape of
the outcome.
Structure
To better explain the approach chosen
by the School of Medicine, a brief
description of the medical center’s structure
is necessary. The Indiana University
School of Medicine provides training
for over 1,200 medical students. In conjunction
with 19 practice plans and five
hospitals on campus, training is also
provided to over 1,000 residents as well.
Additionally, the School of Medicine
also provides training through its allied
health and public health programs.
The practice plans have clinic sites
throughout the campus including those
located within the hospitals and
University buildings. Some computer
and other technological support is also
provided to the practice plans through
the University. As a result of this intermingling,
employees of the University,
hospitals, and practice plans work side
by side on a daily basis at all of the various
sites. Organizational control often
varies from entity to entity. Following
an analysis of HIPAA and its potential
effects on the School of Medicine and
its affiliates, it was decided that the
School of Medicine should consider
itself as a separate covered entity from
the practice plans and the hospitals.
However, this decision did not mean
that the School of Medicine’s responsibility
to work with its affiliates during
this HIPAA implementation process
ended. While there is a great deal of
independence among these health care
institutions, a collaborative process was
necessary in order to have a practical
and effective HIPAA program.
Academic/Research
Collaboration process
The first plan of action was to assemble
the stakeholders at the School of
Medicine. This did not only include
University employees, but it also included
members of the practice plans who
also, served as faculty members at the
School of Medicine. During this kickoff
meeting, it was announced that four
task forces would be created. These task
forces included clinical operations,
administrative operations, education,
and research. The administrative operations
task force focused on privacy and
security issues that arise while performing
the administrative and non-clinical
functions of the health care facilities
such as billing, answering requests for
medical records, quality assurance activities,
and other related claims processes.
The clinical operations task force
focused on privacy and security issues
that arise while providing or arranging
for patient care or treatment. This
included scheduling, medical records
access, transcription, appointment cards
and reminders, and communications
with other treating providers. This differentiation
assisted both the task force
members and the Office of Compliance
Services in focusing on separating health
care operations issues and treatment
issues as they relate to privacy and security.
The importance of this would later
be beneficial in explaining the applicability
of the minimum necessary rule
during training and in policy development.
The education task force jurisdiction
involved the medical students,
interactions with the residents, and gift
development.
Members of the practice plans were
strongly encouraged to participate in as

many tasks forces as they deemed
appropriate. It was in their best interest
to participate in this process so that
their organizational structures and opinions
on how to implement HIPAA at
the School of Medicine would be taken
into consideration. The main goals were
to identify the use and disclosure of
protected health information at the
University, identify potential areas of
risk, and to provide training and guidance
to the practice plans. Unlike the
hospitals affiliated with the School of
Medicine, many practice plans did not
have the manpower or resources in
which to develop a HIPAA compliance
begin with a blank canvas. As a result,
flow chart templates for each task force
were developed to allow the task force
members to react to a base model
rather than brainstorming on a blank
sheet of paper. These templates were
developed from flow charts from other
organizations and from the experiences
of our staff who have worked in physician
practices. In addition to these task
force meetings, the Office of Compliance
Services also convened meetings
with the specific practice plans in order
to provide a more detailed inventory
of protected health information use,
disclosure, and storage.
similar to the need to know basis, and
safeguards were essentially policies and
procedures. This explanation was necessary
in order to allow those who had
not participated in the initial HIPAA
process to understand the goals of the
privacy and security regulations enough
to assist the administrators in the assessment
process. Simplifying this process
will hopefully allow each work force
member to assess the privacy and security
risks present in their own areas.
Training
The next area of concern involved training.
Pursuant to Section 164.530(b)(1),
program alone. Therefore, guidance
from the School of Medicine was necessary.
Additionally, to mimic the structure
developed for the Compliance
Program at the School of Medicine,
each practice plan would be required to
have a HIPAA compliance program that
would need to be consistent with the
yet to be finalized requirements of the
School of Medicine’s HIPAA
Compliance Program.
The main charge for these task forces
Assessments
Identifying the use, disclosure, and storage
of protected health information was
only half the battle. The other half
involved determining whether sufficient
safeguards were in place. If these safeguards
were not in place, what guidance
would the School of Medicine need to
provide to the practice plans to allow
them to assess their current risks and to
prioritize the privacy and security issues
that needed to be addressed?
covered entities must train all members
of its work force as necessary and
appropriate. However, in an academic
medical setting, it is extremely difficult
to keep track of who has met this training
requirement. Many work force
members wear several hats and go in
and out of the several covered entities
on campus on a daily basis. So, who has
a responsibility of providing this training?
Therefore, the various affiliates of
the School of Medicine decided that a
reciprocal training program had to be
was to develop a flow chart of how protected
health information was used, disclosed,
and stored within their practices.
Based on these findings, a checklist was
developed to assist with the assessment
of the uses, disclosures, and storage of
protected health information. The purpose
of the flow charts was not to identify
every detailed use, disclosure, and
storage of protected health information,
but the main concern was to identify
the more common processes that were
likely to occur among the various practice
plans. In an effort to make their
time more valuable and efficient, it was
imperative that the task forces did not
Clearly, the administrator of each practice
plan alone could not accomplish
this process. One of the main themes
that the Office of Compliance Services
wanted to get across during its initial
training for HIPAA awareness was that
the confidentiality of patient information,
now known as protected health
information, was not a new phenomenon.
Therefore, part of the training
would entail reintroducing a familiar
topic in the health care industry under
different names. Protected health information
was simply confidential patient
information, minimum necessary was
developed. Open training schedules
were advertised and any member of the
work force from any of the covered
entities at the medical center were permitted
to attend any training session.
Uniform attendance sheets were developed
so that the information could be
consistently tracked.
Perhaps one of the greatest hurdles to
overcome in the HIPAA implementation
process was the development of
policies and procedures that are consistent
among the various covered entities
at the medical center. Initially, develop-
Continued on page 24
23
August 2002

IMPLEMENTING A HIPAA WORK PLAN...continued from page 23
August 2002
ment of these policies and procedures representatives from the hospitals. The ally being done with trepidation.
by the School of Medicine and the hospitals
were going to be done independ-
and then individually tailored to meet The implementation process described
policies would be drafted collectively
ently. The practice plans were waiting the needs of each covered entity.
above is unique to the School of
for the completed draft prepared by the However, the main requirements of Medicine given its current structure,
School of Medicine to use as a template each policy and procedure would be however many of the issues that arise will
in the development of their own policies
and procedures. The Office of extent possible. As with all the covered institution or health care practice.
required to remain intact to the greatest be applicable regardless of the size of the
Compliance Services was often asked entities throughout the nation, this Identifying potential opportunities for
when the provider was moving from process as well as the training implementation
process is still under way and tion will not only streamline the imple-
collaboration and the sharing of informa-
one covered entity to another, whose
policies would govern their activities? As given the recent modifications that were mentation process, but also help each
a result, a policies committee was convened.
This committee involved not al modifications in the future, much of orative process in identifying areas that
proposed and the potential for addition-
covered entity participating in this collab-
only the School of Medicine, but also the implementation process is continu-
may have been originally overlooked. ■
SPECIAL
INTEREST GROUPS
To get involved or ask a question, just email or call the following SIG chairs; be sure to include your telephone and fax numbers,
and best time to contact you. Alternately, you may fill in this form and fax it to 215/545-8107 or mail it to The
Health Care Compliance Association, 1211 Locust Street, Philadelphia, PA, 19107 ■
❏ I am interested in the Special Interest Group(s) checked at right ❏ Health Care System
❏ I have a question about:
Michael C. Hemsley, Esq., 610/355-2047
mhemsley@che.org
❏ Payor/Managed Care
Vickie McCormick, 612/204-4156
Name
vmccormick@halleland.com
❏ Long Term Care
Title
Terri Graham, 502/596-7356
Organization
terri_graham@kindredhealthcare.com
❏ Home Care
Address
Chris Anderson, 631/501-7390
chris.anderson@gentiva.com
City
❏ Behavioral Health
State
Zip
John Ciavardone, 610/260-4610
Jciavardone@nhsonline.org
Phone
❏ Academic/Research
Marti Arvin, JD, CHC, CPC, 412/647-3388
Fax
arvinm@msx.upmc.edu
❏ Pharmaceutical
Email
Charles Brock, 847/937-5210
HCCA member #
charles.brock@abbott.com
24

Editor and Publisher:
Margaret R. Dragon, 781/593-4924, mrdragon@ziplink.net
Consulting Editors:
Sheryl Vacca, President, HCCA, 916/498-7156
Roy Snell, CEO, HCCA, rsnell@hcca-info.org
Advertising Department:
Joni Lipson, 888/580-8373, joni.lipson@rmpinc.com
Design & Layout:
Robin Taliesin, Raven Creative, 781/631-4639, robint@raven2.com
HCCA Officers and Board of Directors:
Sheryl Vacca, CHC
HCCA President
Director, West Coast Compliance Practice,
Deloitte & Touche
Alan Yuspeh, JD, MBA
HCCA 1st Vice President
Senior Vice President
Ethics, Compliance and Corporate
Responsibility
HCA
Al W. Josephs, CHC
HCCA 2nd Vice President
Compliance Officer
Hillcrest Healthcare System
Odell Guyton
HCCA Treasurer
Director for Compliance
Microsoft Corporation
Daniel Roach
HCCA Secretary
VP and Corporate Compliance Officer
Catholic Healthcare West
Greg Warner
HCCA Imme. Past President
Director for Compliance
Mayo Foundation
Shawn Y. DeGroot, CHC
Compliance Officer
Upper Midwest Network & VA Medical
& Regional Office Center
Suzie Draper, BSN, RN
Corporate Compliance Officer and Privacy
Officer, Intermountain Health Care
CEO/Executive Director:
Roy Snell, CHC
Health Care Compliance Association
Rory Jaffe, MD, MBA
Chief Compliance Officer
U.C. Davis Health System
Allison Maney, CPA, CHC
Compliance Officer
Lovelace Health System
Vickie McCormick
Special Counsel
Halleland Lewis Nilan Sipkins & Johnson
Lewis Morris, Esq.
Assistant Inspector General
for Legal Affairs
DHHS Office of Inspector General
F. Lisa Murtha
Chief Audit and Compliance Officer
Children’s Hospital of Philadelphia
Jeffrey Oak, PhD
Associate Chief Financial Officer for
Compliance
Veteran’s Health Administration
Teresa L. Mullett Ressel
Deputy Assistant Secretary
U.S. Treasury
Brent Saunders
Partner
PricewaterhouseCoopers
Debbie Troklus, CHC
Manager
PricewaterhouseCoopers
L. Stephan Vincze, JD, LL.M, CHC
Ethics and Compliance Officer
TAP Pharmaceutical Products, Inc.
Compliance Today (CT) (ISSN 1523-8466) is published by the Health Care Compliance
Association (HCCA), 1211 Locust Street, Philadelphia, PA 19107. Subscription rate is $287 a year
for non-members. Periodicals postage-paid at Philadelphia, PA 19107. Postmaster: Send address
changes to Compliance Today, 1211 Locust Street, Philadelphia, PA 19107. Copyright 1998
the Health Care Compliance Association. All rights reserved. Printed in the USA. Except where
specifically encouraged, no part of this publication may be reproduced, in any form or by any
means without prior written consent of the HCCA. For subscription information and advertising
rates, call HCCA at 888/580-8373. Send press releases to M. Dragon, PO Box 197, Nahant, MA
01908. Opinions expressed are not those of this publication or the HCCA. Mention of products
and services does not constitute endorsement. Neither the HCCA nor CT is engaged in rendering
legal or other professional services. If such assistance is needed, readers should consult professional
counsel or other professional advisors for specific legal or ethical questions.
PEOPLE
Editor’s note: If you have received
a promotion, award, degree, or
recently changed jobs, please let CT
know. Call or fax 781/593-4924, email
mrdragon@ziplink.net, or mail your news to Margaret
Dragon, HCCA, P.O. Box 197, Nahant, MA 01908.
➤ Anne Connor, MPA, RN is now the Compliance Officer
at Nursing Sisters HomeCare in Westbury, NY. She may
be reached at 516/705-4026.
➤ Dennis Olson is now Corporate Compliance Officer at
Enloe Medical Center in Chico, CA. He may be reached
at 530/332-6758.
➤ Letitia Damron is now AVP Compliance/Education
Coordinator for University of Louisville in Louisville, KY.
Letitia may be reached at 508/852-8680.
➤ Regina V. Maier has been named Compliance Officer for
MCG Health, Inc. located in Augusta, GA. She may be
reached at 706/721-0900.
➤ Kathleen Salazar is now with the VA Medical Center in
Houston, TX. Kathleen may be reached at 713/791-1414
Ext. 4924. ■
Here it Comes Again
The HCCA’s Annual Compliance Officer Survey. Over
the next few weeks you will receive the HCCA’s 5th
Annual Survey, 2002 Profile of Health Care Compliance
Officers. When you receive it, please take a few minutes
to answer the questions and return it in the envelope
provided. If you have any questions call Lana Bandy,
Walker Information, 317/843-8870 or Margaret
Dragon, HCCA, 781/593-4924. ■
25
August 2002