JO - Health Care Compliance Association

Volume Eight 

Number Nine 

September 2006 

Published Monthly 

Save the Date! 

Health Care Compliance Association • 888-580-8373 • www.hcca-info.org 

Meet Lea Cobb 

Director of Compliance and Policy, HIPAA Privacy Officer 

Erickson Retirement Communities 

September 2006

The Health Care 

Compliance Association 

has moved to its new 

headquarters, located 

at: 

6500 Barrie Road, 

Suite 250 

Minneapolis, MN 55435 

Our address has changed, 

our telephone 

and fax numbers remain 

the same: 

Toll-free phone: 

888/580-8373 

Local phone: 

952/988-0141 

Fax: 

952/988-0146 

And you can always 

reach us via e-mail at 

info@hcca-info.org 

or on our Web site at 

www.hcca-info.org 

Health Care 

Auditing & 

Monitoring 

Tools 

Buy Now and 

Receive One 

Year of Updates 

Free! 

The Health Care Auditing & Monitoring 

Tools manual is a compilation of 

excellent resources donated by HCCA 

members to help others with their 

compliance programs. This valuable 

resource assists health care compliance 

professionals who want to save time and 

money by offering examples of what 

their colleagues are doing to address 

similar auditing and monitoring issues. 

Just as auditing and monitoring are 

ongoing activities, this manual is an 

evolving resource that will be updated 

twice a year to reflect new regulations 

and additional compliance concerns. 

Subscribers to updates will receive more 

auditing and monitoring tools, policies, 

and advice. 

The original purchase of Health Care Auditing & 

Monitoring Tools is $395, which includes the first two 

updates free. Afterwards, HCCA members can subscribe 

to annual updates for $195. 

6500 Barrie Road, Suite 250 

Minneapolis, MN 55435 

Phone 888-580-8373 

FAX 952-988-0146 


 

Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

ASK 

John asks the leadership 

your questions 

Editors note: John Falcetano is 

Chief Audit/Compliance Officer for 

University Health Systems of Eastern 

Carolina and a long-time member of 

HCCA. This column has been created 

to give members the opportunity to submit their questions by e-mail 

to Jfalcetano@cox.net and have John contact members of HCCA 

leadership for their response. 

L E A D E R S H I P 

John Falcetano 

Is it okay for a health care facility to leave a message for a patient 

on the answering machine at their home or with a family member to 

remind them of an appointment, or would that be a violation of HIPAA? 

The Answer was provided by Marti Arvin, JD, CHC, CIPP/G CPC 

Privacy Officer, University of Louisville: 

As a general rule, calling a patient to leave an appointment reminder is 

not a violation of HIPAA. An appointment reminder can be left on an 

answering machine, with a family member, or with another person who 

answers the phone. When these types of calls are made, the concept of 

minimum necessary should always be kept in mind. The Office of Civil 

Rights addressed this issue in its Frequently Asked Questions which 

can be found at http://www.hhs.gov/ocr/hipaa/. The FAQ answer #198 

indicated that “... a covered entity might want to consider leaving only 

its name and number and other information necessary to confirm an 

appointment, or ask the individual to call back.” 

HIPAA does require the covered entity to put the patient on notice that 

protected health information might be disclosed for this purpose. See 

45 CFR 164.520(b)(1)(iii)(A). This means the covered entity’s notice 

of privacy practices must specifically state this as a potential disclosure. 

It would be a HIPAA violation to leave this type of message on the 

patient’s answering machine if the covered entity’s notice of privacy 

practices did not specifically address this situation. 

Finally, if a patient has made a reasonable request for a confidential 

communication, a message may not be left on the individual’s answering 

machine if this would violate the confidential communication 

request. For example, if the patient has asked that all communications 

be done through a cell phone number, then leaving a message on the 

home answering machine would be a violation of the confidential communication 

request. See 45 CFR 164.522(b). n 

Health Care Compliance Association 

2006 Conferences (by state): 

San Francisco, CA 

■ Physician Practice Compliance 

Conference 

October 1-3 

Orlando, FL 

■ Audit & Compliance Committee 

Academy 

September 20-22 

■ Compliance Academy 

November 6-9 

Honolulu, HI 

■ Hawaii Area Meeting 

October 19-20 

Chicago, IL 

■ North Central Area Meeting 

October 6 

Louisville, KY 

■ Tri-State Area Compliance 

Conference 

November 3 

Baltimore, MD 

■ Medicare Part D 


ON 

■ Fraud & Compliance Forum 


Boston, MA 

■ New England Area Meeting 

September 8 

Minneapolis, MN 

■ Upper Midwest Area Meeting 

September 15 

T H E 

C A L E N D A R 

Las Vegas, NV 

■ 3rd Annual Research Conference 


■ Advanced Academy 

October 23-26 

Pittsburgh, PA 

■ Mid Atlantic Area Meeting 

September 29 

Nashville, TN 

■ South Central Area Meeting 

November 10 

2007 

Chicago, IL 

■ Compliance Institute 

April 22-25 

■ National Corporate 

Compliance Week 

May 20-26 

INSIDE 

3 Ask leadership 

4 HIPAA compliance recipe 

5 Go local 

10 Corporate Integrity 

Agreement 

14 Meet Lea Cobb 

18 President & CEO letter 

20 Medical marketing 

compliance 

22 FYI 

24 New Medicare enrollment 

regulations 

32 Using mental health 

records for research 

36 Compliance investigations 

44 New members 

888-580-8373 • www.hcca-info.org 

September 2006

By Kathleen Street, JD, LLM 

Editor’s note: Kathleen Street is Director Perform a HIPAA walk-through audit— 

of Corporate Compliance and HIPAA First, poll your staff for areas of HIPAA risk, 

Privacy at Children’s Health System and then review the HIPAA Privacy and 

in Birmingham Alabama. She may be Security Rules (which can be found at U.S. 

reached by telephone at 205/939-5959. Department of Health and Human Services 

Administrative Simplification Web site 

From a HIPAA standpoint, health http://aspe.hhs.gov/admnsimp/ ) in light of 

care compliance professionals have those risk areas. 

similar items in their covered entity’s 

compliance cupboard: (1) auditing and monitoring 

privacy and security compliance, and (2) other organizations. There are helpful HIPAA 

Next, study the main HIPAA issues affecting 

implementing a workable plan to comply with Web site reference links and community 

HIPAA’s National Provider Identifier (NPI) Rule. discussion groups, which address areas for 

privacy and security controls. These Web 

This discussion will offer a few simple ingredients 

to use in your organization’s HIPAA Association (http://www.hcca-info.org) and 

sites include the Health Care Compliance 

compliance strategy to keep these HIPAA the Southern Healthcare Administrative 

issues from growing stale. 

Regional Process Workgroup (http://www. 

sharpworkgroup.com). 

Auditing and monitoring privacy and 

security compliance 

Additionally, you can also review the HIPAA 

Naturally, there is a significant difference audit plans academically available on consulting 

group Web sites, such as Audit Net 

between privacy and security. Privacy is the right 

of individuals to keep their individual health (http://www.auditnet.org), the Phoenix 

information from being disclosed, and security Health System HIPAA advisory site (http:// 

is the mechanism in place in protect the privacy www.hipaadvisory.com), or the HIPAA 101 

of that health information. The Privacy Rule sets site (http://www.hipaa-101.com). 

the standards of how protected health information 

(PHI) should be controlled by covered entities. 

The Security Rule sets the standards which fingertips, you can develop a HIPAA walk- 

With all these valuable resources at your 

require covered entities to implement reasonable through audit to serve as a checklist for the 

safeguards to protect the confidentiality, integrity, main HIPAA issues at your organization. 

and availability of Electronic Protected Health Whether it is ensuring PHI is shredded when 

Information (EPHI). In sum, security is a basic obsolete, or that computers are logged out 

food group in the privacy compliance pyramid. after each use, in no time flat you will have a 

useful HIPAA auditing tool. 

As a practical matter, privacy and security 

areas can be combined for auditing and monitoring 

purposes to yield the most effective audits—Your organization will likely have 

Utilize feedback from other departmental 

compliance results for your organization: audit or review results from other departments 

which can be beneficial in your 

privacy and security monitoring. Check 

with your Performance Improvement, Joint 

Commission on Accreditation of Healthcare 

Organizations (JCAHO), Risk Management, 

Internal Audit, Information Technology, and/ 

or Medical Information Services departments 

for any audit or review findings or observations. 

And, be sure to include representation 

from these areas when you perform your own 

HIPAA walk-throughs to add depth to your 

analysis. Be comfortable with the standards 

of these areas and how they can add variety 

to your compliance auditing and monitoring. 

For instance, JCAHO Standard RI.2.20 

addresses a patient’s right to privacy and 

states that the patient has the right to 

access his or her own health information 

and request changes to this information. 

The patient also has the right to receive 

information regarding who has been given 

his or her information. JCAHO Standard 

RI.2.1.30 requires hospitals to respect the 

needs of patients for confidentiality, privacy, 

and security. In addition, Standard IM 2.20 

requires that information security, including 

data integrity, is maintained. See Joint 

Commission Resource’s 2005 Hospital 

Accreditation Standards (HAS). 

Monitor your HIPAA walk-through 

audit—Periodically review your HIPAA 

Privacy and Security auditing with your 

organization’s employees. Set the “tone at 

the top,” by sharing key monitoring results 

within the top levels of your organization to 

flavor the HIPAA planning. 

Provide HIPAA educational materials and 

tools—Shop for new HIPAA educational 

materials and tools to match your organization’s 

HIPAA compliance interests. Ask your 

organization’s supervisors and management 

what’s on their HIPAA compliance “wish 

lists” for use at their staff meetings. Refer to 


 


the Health Care Compliance Association as 

well as other resources that you find helpful. 

Do not forget the value of your nurse educators 

in the training process, and the needs 

they are voicing for HIPAA education. Get 

involved with nursing departmental meetings, 

whether it be presenting at a nurse leadership 

meeting, providing a departmentallevel 

in-service, purchasing and distributing 

pamphlets of interest, or inventing your own 

training tools, such as flyers, posters, videos, 

games, or quizzes. 

Promote a HIPAA awareness day— 

No matter what date your privacy and security 

auditing and monitoring strategy was 

implemented, a HIPAA Awareness Day will 

never expire. Explore the possibilities of the 

day, and how you can best tailor it for your 

organization. Some ideas include: 

n Invite a special HIPAA speaker, 

n Distribute a HIPAA privacy or security 

quiz for all -employees with a chance to 

win prizes, 

n Recognize the year’s HIPAA high-achievers, 

featuring a press release on your 

organizational Web site, or ask your 

HIPAA team members to designate one 

of their employees to perform HIPAA 

walk-throughs and provide a small token 

of appreciation. 

The Health Care Compliance Association 

and other organizations, such as the 

American Health Information Management 

Association, have information to help you 

promote and celebrate your HIPAA Privacy 

and Security Program. 

Implementing a national provider identifier plan 

The HIPAA National Provider Identifier 

(NPI) Rule establishes health care providers 

and organizations, as covered entities, 

will have a unique 10-digit numeric identifier 

which will be a permanent identifier to 

replace all other provider identifiers previously 

used by the health care providers (i.e., Unique 

Physician Identification Number (UPIN), 

Medicare/Medicaid numbers). The objective 

is to establish a national standard and 

unique identifier for all health care providers 

and simplify the administration of the health 

care system, while encouraging the electronic 

transmission of health care information. 

The Centers for Medicaid and Medicare 

Services Web site (http://www.cms.hhs. 

gov/NationalProvIdentStand/) contains critical 

information on the NPI Rule and how 

to obtain an NPI through the National Plan 

and Provider Enumeration System. There 

are also helpful white papers on NPI topics 

on the Workgroup for Electronic Data 

Interchange Web site (http://www.wedi.org). 

As your organization’s NPI planning becomes 

more firm, consider these tips while going 

through the process: 

n Form a HIPAA NPI team. The HIPAA 

NPI rule is a regulation whose make-up 

calls for a committee-based approach, 

just like HIPAA privacy and HIPAA 

security. Your organization should assign a 

leader for this committee, likely a finance 

representative, because of NPI’s operational 

impact. As the NPI team assembles, 

it should include representation from 

Finance, Billing Office, Corporate Compliance, 

Information Technology, Medical 

Information Services, Corporate Communications, 

Medical Staff Services, and 

any of your organization’s off-site practice 

locations in order to evaluate the business 

and system process. 

n Develop NPI strategy and formulate 

timeline. To ensure compliance objectives 

are met as your organization develops and 

implements its NPI strategy, the following 

dates must be factored into the planning 

process. First, as of May 23, 2005, health 

care providers can apply for an NPI. 

Second, by May 23, 2007 all health care 

providers who utilize HIPAA standard 

electronic transactions must have a NPI to 

identify themselves. Additionally, applying 

for a NPI does not replace any enrollment 

or credentialing process with any health 

plan, including Medicare. 

n Develop a strategic NPI communication 

plan. Assist with setting forth an NPI 

Readiness Statement for your organization 

and obtain compliance assurances from 

your billing office, medical staff, information 

technology vendors, and health plans. 

Your organization should coordinate with 

its health plans on when it can submit its 

NPI on standard electronic transactions. 

This could occur prior to the May 23, 

2007 compliance date as part of a transition 

period. This transition period can 

serve as a testing function to ensure that 

your organization’s transactions will not be 

adversely impacted. 

In the end, if you include all these ingredients 

in your compliance cupboard, you will 

have a recipe for compliance success as you 

develop your HIPAA Compliance Program 

for 2006. n 


September 2006

HCCA’S New England Conference , September 8, 2006, Hilton Boston 

North, Woburn, MA (Boston) 

This year’s New England Local Annual Conference on September 8, 

2006 will explore a number of “Hot Issues” including: 

n Voluntary disclosures and repayments 

n Internal inquiries and investigations 

n CMS Program Integrity 

n HCCA Update, Hot Topics, and Current Events 

n Corporate governance, measuring compliance effectiveness, and 

creating an ethical culture 

n The relationship among the compliance department, the law 

department, and outside counsel 

The conference features regional regulatory and enforcement representatives: 

n Jim Bryant, Associate Regional Administrator, Division of Financial 

Management, US. Department of Health & Human Service, CMS 

Region 1 

n Luis Matos, Chief Civil Division, Assistant U.S. Attorney, Rhode Island 

And includes an expert faculty: 

n Rick King, CHC, Program Co-Chair, Privacy & Security Officer, 

Fresenius Medical Care North America 

n Frank Byrne, Compliance Officer, Southcoast Health System 

n Eileen McCarthy, Compliance Officer, Partners Healthcare System, Inc. 

n Stephen Morreale, Principal, Compliance & Risk Dynamics, HHS- 

ICG Assistant Special Agent in Charge (Ret.) 

n Karen Murphy, Associate General Counsel and Compliance Officer, 

Boston Medical Center 

n Charles Normand, Normand Law LTD 

n Elizabeth O’Keefe, Assistant General Counsel, Fresenius Medical 

Care North America 

n Jordan Perlin, Manager, Business Ethics and Conduct, Becton, 

Dickinson and Company 

n Roy Snell, CEO, HCCA 

n Marty Taylor, VP, Organizational Services, Institute for Global Ethics 

n Lawrence Vernaglia, Program Co-Chair, Partner, Health Law Practice 

Group, Hinckley, Allen & Snyder, LLP 

GO LOCAL 

Inexpensive Local 

Education and 

Networking Events 

Continued on page 

Compliance 101: 

The Second Edition 

Is Here! 

The new edition of this essential guide to 

health care compliance is now available 

Author Debbie Troklus has 

revised and updated 

Compliance 101 to reflect 

recent developments in 

compliance. 

The second 

edition includes: 

• Up-to-date compliance information 

• A brand-new chapter dedicated to HIPAA 

regulations 

• An expanded glossary with additional new 

terms and definitions 

• Expanded appendixes, including a 

selection of additional new and userfriendly 

sample documents 

If you’re planning to become Certified in 

Healthcare Compliance, Compliance 101 is an 

invaluable study aid for the CHC examination. 

Debbie Troklus 

Greg Warner 

To order, visit the HCCA Web site at 

www.hcca-info.org. 


 



September 2006

Go Local ...continued from page 

n Michelle Wolf, Office of the General 

Counsel, Partners Healthcare System, Inc. 

Program sponsors: Fresenius, HCCS, 

MediRegs, MediTract 

Co-Sponsors: Atlantic Information Services’ 

AIS’s Report on Patient Privacy, Guide to 

Audit Health Care Billing Practices, Report 

on Medicare Compliance, and HIPAA 

Guide on Patient Privacy; and HCPro’s 

Health Care Auditing Strategies and Strategies 

for Health Care Compliance 

Continuing Education Credit: ACHE, 

HCCB (6.6 Credits), NASBA-CPE, AAPC n 

Upper Midwest Local Conference, 

September 15, 2006, Sheraton Bloomington, 


Hot issues to be addressed: 

n QIO: The Intersection between Quality 

and Compliance 

n Enforcement Trends in HealthCare 

n Self Disclosure/Overpayments 

n The Wave of Change in Government 

Enforcement: The DRA and Beyond 

n Case Study;: Working Collaboratively 

within an Organization to Identify, Investigate, 

Analyze, Audit, and Respond to a 

Complex Billing Issue 

n Electronic Medical Record 

Expert faculty includes: 

n Julene Brown, CHC, Billing Compliance 

Manager, MeritCare Health System, 

Fargo, ND 

n Shawn DeGroot, CHC, VP, Corporate Compliance, 

Regional Health, Rapid City, SD 

n Mary Jo Flynn, VP Audit Services (Interim), 

Allina Hospitals & Clinics 

n Keith Halleland, Program Chair, Shareholder, 

Halleland Lewis Niland & 

Johnson, PA 

n Betsy Jeppesen, Vice President of Program 

Integrity, Stratis Health 

n Jane McGrath, Program Integrity Analyst, 

Stratis Health 

n Ron McKinnon, Security Officer, St. 

Mary’s/Duluth Clinic Health System 

n Kelley Nueske, Director, Regulatory and 

Risk Excellian Project, Allina Hospitals 

and Clinics 

n Jenny O’Brien, Compliance Officer-VP 

Compliance and Regulatory Affairs, Allina 

Hospitals and Clinics 

n Jerry Wilhelm, Assistant United States Attorney, 

District of Minnesota 

Program Sponsors: Halleland Lewis Nilan 

& Johnson, HCCS, MediRegs, MediTract 









HCCB (7.2 Credits), NASBA-CPE, AAPC, 

MCLE (MN) n 

Northeast Local Conference, September 

29, 2006, Hospital Council of Western 

Pennsylvania Conference Center, 

Warrendale, PA (Pittsburg) 

Hot issues to be addressed: 

n Perspectives and Insights from the U.S. 

Department of Justice 

n Pennsylvania’s Response to the Deficit 

Reduction Act 

n OIG’s Open Letter to Health Care Providers: 

Still the Best Open Door for Your 

Organization? 

n The Future of Compliance Investigations: 

Spider Analysis of DR Reimbursed 

Inpatient Claims 

n Report on a New CMS IT Initiative to 

Improve Doctor’s Office Quality – Including 

Its Implications for Compliance and 

Emerging Public Health Threats 

n Compliance Challenges: A Panel Discussion 

Expert faculty Includes: 

n Eric Balm, Attorney, Sonnenschein Nath 

& Rosenthal LLP 

n John Beattie, Principal, Director of Healthcare 

Operational and Compliance Services, 

Parent Randolph, LLC 

n Norris Benns, Director, Bureau of Program 

Integrity, PA Dept. of Public Welfare 

n Deborah Hinton, Healthcare Consultant, 

Parente Randolph 

n Daniel Jones, Chief Operation Officer, 

Quality Insights of Pennsylvania, The 

Medicare Quality Im Darice McNelis, 

Buchanon Ingersoll & Rooney provement 

Organization of PA 

n Keith Robbins, Trial Attorney, U.S. Department 

of Justice, Washington DC 

Program sponsors: MediRegs and Parente 

Randolph 









HCCB (7.2 Credits), NASBA-CPE, AAPC, 

MCLE (PA) n 

This is a new monthly feature added to 

Compliance Today. If you have any questions 

about any of the programs or would like 

to participate in planning future programs, 

please contact Beckie Smith at 888/580-8373 

or by e-mail at beckie.smith@hcca-info.org 

or info@hcca-info.org. n 


 



September 2006

Editor’s note: Mike Walker, PhD, MA, 

MS, CHC is Chief Audit and Compliance 

Officer for the University of Connecticut 

and University of Connecticut Health 

Center. He may be reached by telephone at 

860/486-0031. 

What is a CIA? Two fruits growing from the 

same tree 

Federal agencies, such as the Health and 

Human Services Office of Inspector General 

(OIG), negotiate compliance obligations with 

organizations or individuals as a result of an 

investigation. The OIG has exclusion authority 

based on 42 U.S.C 1320a-7(b) (7). What 

this means is the OIG has the authority to 

exclude the organization or individual from 

doing business with the federal government, 

thus the organization or individual loses all 

revenue from any federal program. This substantial 

“stick” provides a strong motivation 

for an organization to settle the allegations 

with the investigating agencies such as the 

Department of Justice (DOJ), U.S. Attorney, 

OIG, etc. 

The agreement, commonly called a Corporate 

Integrity Agreement (CIA), generally takes 

two forms: one is the actual “Settlement 

Agreement,” specifying the dollar amount 

and the other is the “Compliance Agreement,” 

which details the specifics relative to 

establishing a compliance program, auditing, 

annual reporting, etc. While certainly costly 

and significant, the former only hurts when 

writing the settlement check, but with the 

latter, pains of implementation are felt over 

multiple years. The overarching intent of the 

CIA is to bring the organization or individual 

By: Mike Walker, Ph.D., MA, MS, CHC 

into compliance with the applicable laws, 

regulations, etc. 

The OIG uses the CIA (a.k.a., Institutional 

Integrity Agreement) extensively in addressing 

allegations of health care fraud, particularly 

in cases involving Medicare and Medicaid 

dollars. As of this writing, there are more 

than 400 CIAs listed on the OIG Web site 

(http://oig.hhs.gov/fraud/cias.html). A small 

percentage of these are in academic medicine, 

more often related to improper billing or possible 

violation of the teaching physician rules. 

Similar lists may be found with other federal 

agencies related to research misconduct, for 

example, the National Institute of Health, 

Office of Research Integrity (http://silk.nih. 

gov/public/cbz1bje.@www.orlist.html). 

While some lists are predominantly institutional 

(e.g., CIAs and Excluded Party 

List System [EPLS]), others may contain 

individual names (e.g., List of Excluded 

Individuals/Entities [LEIE]). The latter lists 

are for debarment (exclusion from participation), 

while the OIG list specifically addresses 

settlement agreements that routinely allow 

the entity to continue to do business with the 

federal government. Institutional or entity 

debarment from receiving federal dollars is 

and can be the ultimate punishment imposed 

by a settlement action. The OIG and other 

federal agencies have used total debarment in 

a judicious and sparing manner. 

In the mid 1990s the OIG and other federal 

agencies launched a series of investigations 

called PATH audits (Physicians at Teaching 

Hospitals), and subsequently, a significant 

number of academic medical centers negotiated 

a CIA, which generally lasted five years, 

with the OIG. However, CIAs are not just 

The Announcement 

“While admitting no wrongdoing, 

(your organization) settled the case 

to avoid lengthy and costly litigation 

and to protect its ability to participate 

in Medicare, Medicaid, and federally 

funded grant programs. (Your organization) 

cooperated fully with the Federal 

Government to reach the settlement.” 

in health care or academic medicine. Like 

orange juice and breakfast, “CIAs are not just 

for health care anymore.” Other federal agencies, 

such as the Environmental Protection 

Agency (EPA), are using the CIA as a means 

of addressing violations as well. Copies of 

settlement agreements involving the EPA can 

be secured via their Freedom of Information 

Office at http://cfpub.epa.gov/compliane/ 

foia/readingroom/. The general requirements 

of the CIA mirror the Federal Sentencing 

Guidelines (Chapter 8) for establishing 

a compliance program (http://www.ussc. 

Continued on page 12 


10 


You’re a compliance professional, which means 

you can’t rest at simply knowing one or two 

key areas when it comes to compliance matters. 

With the CCH Health Care Compliance Portfolio 

Deluxe you get the need-to-know information 

that affects every aspect of health care compliance. 

It comes as four resources (Health Care 

Compliance Professional’s Manual, Journal of 

Health Care Compliance, Health Care Compliance 

Reporter, and the Health Care Compliance Letter) 

that are designed to work seamlessly together. 

Visit health.cch.com or call 888-224-7377. 

When your company’s 

compliance steps rest 

on your decisions, 

look to Wolters Kluwer. 

Presenting the CCH Health Care 

Compliance Portfolio Deluxe. 



11 

© 2006 Wolters Kluwer Law & Business. All rights reserved.

Corporate Integrity Agreement ...continued from page 10 

gov/guidelin.htm). The seven well-recognized 

elements (paraphrased) include: 

n Developing and distributing written standards 

(e.g., Code of Conduct) 

n Governing by a knowledgeable authority, 

appointing a high level official(s) (e.g., 

compliance officer) 

n Exercising care in delegating authority 

(e.g., screened and restricted hiring of 

ineligible persons or entities) 

n Developing and implementing an education 

and training program 

n Using auditing and monitoring systems 

and a disclosure mechanism to detect 

criminal conduct 

n Establishing and maintain consistent 

enforcement and disciplinary procedures 

n Ensuring the institutional response is reasonable 

and appropriate to the offense 

CIAs come in two flavors: sweet and sour 

The sweet side first: If an organization has 

entered into a CIA agreement, it means the 

investigation stage, which could last several 

years, is finally over. Federal investigations are 

long and tiresome for both the investigator 

and those being investigated. The investigation/pre-investigation 

phase, often initiated 

by a subpoena for documents, is routinely followed 

by an interview process and culminates 

with findings and negotiation of the settlement 

agreement. During the course of the 

investigation and subsequent negotiations, 

tensions may be high, particularly if there 

are possible criminal violations (potential jail 

time) and significant fines at stake. Significant 

effort by senior administrators is required 

to facilitate the investigation, and this effort 

acts as a major distraction in terms of time, 

effort, etc. However, given the high stakes, 

particularly the potential loss of federal revenue, 

organizations should devote their best 

talented and most experienced staff members 

to represent them during this process. This is 

the time to have your “A” team on the field. 

Staff assigned to this process should possess 

strong negotiation skills, tact, and an indepth 

knowledge of the subject area. 

The DOJ, OIG, and other federal investigations 

are serious business. Criminal convictions, 

possible debarment, and multi-million 

dollar fines are not uncommon. From the 

mid-1990s to the present, fines have ranged 

from thousands to hundreds of millions of 

dollars. Common mistakes made by organizations 

during these investigations include 

not cooperating fully with the investigation 

(sometimes obstructing justice) and the 

destruction of documents. When this occurs, 

the organization’s culpability may rise and 

settlement fines may include double or treble 

damages. Damage calculations and culpability 

“scoring” are described in Chapter 8 of the 

Federal Sentencing Guidelines. The sweet side 

is the investigation is over and the organization 

can re-focus its efforts on its primary 

mission (e.g., patient care, research, education, 

etc.). 

Another upside is that a CIA can provide 

leverage for the board, senior administration, 

and the compliance officer to increase 

oversight, initiate a culture change, or implement 

new policy. The status quo must be 

abandoned: key members of senior management, 

the faculty, and staff must embrace the 

mandate for change. Often additional assets 

will be required to comply with the compliance 

agreement. In particular, there will likely 

be costs associated with establishing a disclosure 

process (commonly called a hotline): 

hiring appropriate staff for the conduct of 

education/training, space for new hires, costs 

associated with an external audit requirement, 

etc. The conclusion and final settlement 

also mark the beginning of rebuilding the 

organization’s external credibility and internal 

self-esteem. Recriminations on who was 

at fault should be cast aside. The survivors 

should focus as a team to set a new course of 

improvement and achievement. The signing 

of the compliance agreement marks the end 

of one process and opens the door for the 

beginning of another, which can ultimately 

improve the organization as a whole. 

The sour side of a CIA: Change, individual 

and institutional stress, costs, and diversion 

of scarce resources, are examples of the sour 

side of a CIA. In addition to the general 

requirements outlined in the seven step process 

for establishing a compliance program, 

the CIA may include specific mandates 

unique to the organization receiving the CIA. 

For example: 

n Budget and Accounting Records. 

Enhance records maintenance to demonstrate 

compliance with the applicable 

regulations. 

n Internal Audits. Conduct an annual 

comprehensive audit of the organization’s 

compliance with applicable federal regulations. 

n External Audits. Retain an independent 

auditing firm to perform a comprehensive 

audit of internal controls. 

n Implement and Report Remedial 

Actions. Identify and report any material 

violations and remediation efforts within a 

specified time period. 

n Training/Education. Initiate or expand 

on-going training for each officer, faculty 

member, physician, or relevant employee. 

n Confidential Disclosure Program. 

Establish or expand a confidential disclosure 

mechanism. 

n Annual Reporting. Submit an annual 

report to the lead federal agency providing 

a comprehensive description of the status 

of organizational compliance. 

n Record Retention. Retain documents in 

accordance with FAR, OMB Circular 


12 


A-110, or applicable regulation. 

n Debarred or Suspended Persons or Entities. 

Screen employees and applicants to 

avoid knowingly employing an individual 

or entity who is listed by a federal agency 

as debarred, suspended, or otherwise 

ineligible for federal programs. 

The Board, the Audit Committee, the 

President, and the Chief Compliance Officer: 

“A shotgun wedding of necessity” 

Board and Audit Committee Oversight. 

Boards and board members have been 

increasingly reviewing their responsibilities 

since the publication of the Sarbanes-Oxley 

Act of July 30, 2002. While mandated for 

publicly traded corporations, many nonprofit 

organizations have taken a “Best Practices” 

approach to comply with the spirit of the law. 

Subsequently, audit/compliance committees 

have taken an increasing interest and 

leadership role in regulatory oversight and 

external audit engagements. The CIA will undoubtedly 

be brought to the attention of an 

organization’s board and committee structure 

to provide understanding and future oversight 

of the CIA mandates. Most certainly, the 

chief compliance officer (CCO) or chief audit 

executive (CAE) will be directly interacting 

and providing mandated reporting to the 

board and the respective audit/compliance 

committee. 

The President’s (CEO) Role. Many CIAs 

require the president or chief executive officer 

(CEO) to certify to the lead federal agency 

that the organization has an adequate and appropriate 

comprehensive compliance program 

to prevent and detect fraud, abuse, and false 

billing for Medicare, Medicaid, federal grants, 

etc. The president will rely on the CCO for 

establishing the compliance program, reporting 

to the board, and providing the annual 

report to the federal agency with oversight 

responsibility. Visible leadership and resource 

support are key considerations. Ultimately, 

the president is responsible for all his or her 

organization does or fails to do. 

Chief Compliance Officer. The CCO is 

responsible for overall compliance operations, 

including billing processes, review of 

grants and contracts, development of training 

programs, and the submission of comprehensive 

reports at least annually to the board of 

trustees and the lead federal agency. He or 

she will chair an organizational compliance 

committee and coordinate enterprise-wide 

compliance operations. The CCO will be 

required to provide the comprehensive annual 

and institutional attestation report for the 

mandated period (usually five years). A team 

effort and a supporting institutional structure 

are requirements for success. 

Summary: Leadership obstacle or 

opportunity? 

The bottom line is that most organizations 

generally do not operate in reckless disregard 

of the law. As a former Inspector General and 

currently as a COO working with a university 

and academic medical center, I find the very 

opposite is true. Board members, particularly 

in nonprofit organizations, volunteer 

significant time without pay or benefits. 

Their intentions are focused on preserving the 

reputation, assets, and oversight of the administration 

to ensure appropriate stewardship of 

the organization. Additionally, presidents and 

CEOs, as a rule, do not intentionally guide 

their organizations down the unrighteous 

path of regulatory disregard. Senior leadership 

impacts the culture and the organizational 

culture influences attitudes relative to regulatory 

compliance. 

Inertia, lethargy, or the long-standing culture 

of an organization may be leadership challenges. 

Historical practices, coupled with a 

failure to stay abreast of change, is analogous 

to putting one’s head in the sand and waiting 

for the danger to go away. The reality is 

that regulations change daily, with new ones 

being published while older ones are thrown 

out or worse yet, retained to help preserve 

the arcane nature of the regulatory environment. 

Compliance programs and enhanced 

auditing activities are proactive tools that help 

organizations face regulatory obligations and 

decipher the secret code that enables progress 

without the fear of punishment. CIAs, 

although costly, can act as a change agent and 

are, figuratively, the sweet and sour fruit of 

the regulatory tree. n 

Errata 

We’d like to thank Gynelle Baccus, RN, 

PhD, Compliance Analyst Corporate 

Compliance, Southern Illinois 

HealthCare, and acknowledge her as the 

author of “First Year in Compliance- 

--A Survival Guide” published in the 

July 2006 Compliance Today, page 19. 

Thank you Gynelle Baccus, for your 

time and your talent. 



13


14 

feature 

Editor’s note: Lea Cobb, RN, MBA, 

CHC, CPHQ, CPHRM, CLNC; Director 

of Compliance and Policy, HIPAA 

Privacy Officer at Erickson Retirement 

Communities was interviewed in July by 

HCCA Board Member Jennifer O’Brien. 

Lea may be reached by telephone at 

443/883-4607. 

JO: Tell us about your background and 

the journey that brought you to your current 

role. 

LC: I have worked in health care for over 

20 years. I began my career and eventual 

track to compliance as a home health staff 

nurse working in the acute care hospital setting. 

After completing my MBA, I started 

my career in health care management with 

responsibilities for areas such as quality/peer 

review, utilization review/case management, 

patient safety, JCAHO 1 accreditation, and 

risk management in various health care settings. 

These settings included rural health 

clinics, physician practices, home health services, 

and hospitals. 

My first compliance position began in 

1998, when I became the corporate compliance 

officer for a hospital in West Virginia. 

In 2000, I moved from West Virginia to 

Maryland where I began working in a hospital 

as the director of risk management and 

performance improvement, and eventually 

obtained the corporate compliance officer 

responsibilities as well. I had the opportunity 

to begin working for Erickson Retirement 

Communities, LLC (a continuing care 

community management and development 

company) in the Risk Management department 

with responsibilities for risk management 

and compliance. This eventually led 

article 

Meet Lea Cobb 

Director of Compliance and Policy, HIPAA Privacy Officer 

Erickson Retirement Communities 

to my current position as the Director of 

Compliance and Policy and HIPAA Privacy 

Officer. I saw the career move to Erickson 

Retirement Communities as an exciting challenge, 

since I had many years of experience 

in a variety of other health care settings. 

JO: What are some of your responsibilities 

as Director of Compliance and Policy? 

LC: Simply stated, I oversee all on-going 

compliance and ethics activities throughout 

the organization. These activities are 

related to the development, implementation, 

maintenance of, and adherence to the organization’s 

policies and procedures governing 

compliance. The privacy of and access to 

protected health information and compliance 

with federal and state laws also falls 

within the scope of my responsibilities. This 

includes: conducting an organizational compliance 

risk assessment; ensuring on-going 

compliance monitoring activities; reporting 

compliance activities to the Erickson and 

community boards and Compliance and 

Ethics committee; ensuring compliance education 

and training for all employees, board 

members, management and professional 

staff; conducting compliance investigations; 

and maintaining the organization’s values 

line. I work closely with the HIPAA security 

officer to ensure alignment between security 

and privacy practices, policies and procedures. 


JO: What is your reporting structure? 

LC: The chief compliance officer reports 

to our four boards of directors. As the director 

of compliance and policy and HIPAA 

privacy officer, I report to the chief compliance 

officer. Each of the Continuing 

Care Retirement Communities (CCRCs) 

has a community compliance liaison who 

manages compliance responsibilities at the 

community level. Community management 

and corporate line of business management 

also play a roll in the reporting structure of 

compliance. There is also a HIPAA security 

officer in the Information Technology 

department with whom I work on HIPAA 

initiatives. The Compliance and Ethics committee 

consists of representatives from legal, 

health services, finance, compliance, senior 

campus physicians, information technol-

ogy, human resources, Erickson Advantage, 

and operations. The Corporate Compliance 

department consists of four staff members: 

the chief compliance officer; the director of 

compliance and policy (a HIPAA privacy 

officer); the assistant director of coding and 

compliance; and a project manager. 

JO: Tell us about Erickson Retirement 

Communities and the services it provides? 

LC: Erickson Retirement Communities 

(www.EricksonCommunities.com) is a 

development/management company based in 

Baltimore County, Maryland, since 1983. For 

middle-income people, the Erickson lifestyle 

offers unparalleled opportunities and is the 

best financial and health decision people can 

make. Our mission is to create communities 

that celebrate life. 

The Erickson network currently 

comprises 18 Continuing Care Retirement 

Communities (CCRCs). Thirteen campuses 

in Illinois, Maryland, Massachusetts, 

Michigan, New Jersey, Pennsylvania, Texas, 

and Virginia, are home to 17,000 people. 

New developments in the Chicago, Dallas, 

and Philadelphia areas will open in 2006, 

and new sites in the Denver and Kansas City 

areas are scheduled to open in the coming 

years. The company is currently pursuing site 

acquisition opportunities across the U.S. and, 

by 2025, expects to bring together 750,000 

people as residents, customers, and colleagues. 

Each Erickson CCRC is supported by 

Erickson HealthSM, the nation’s largest and 

most completely integrated wellness and 

health care system for people older than 62 

years of age. 

Nationwide, 2,320 people across the 

country moved to Erickson CCRC in 2005, 

and the company added 1,433 new employees, 

bringing the total to more than 12,000 

employees. The company is on pace to reach 

nearly 20,000 residents by the end of 2006. 

Comprehensive health services are provided 

based on the maturity of the CCRC 

including: certified home health; emergency 

medical services (emergency response); rehabilitation; 

assisted living, skilled nursing, 

long-term care services; and a resident health 

benefit plan. Each community houses a medical 

center staffed by primary care physicians 

who specialize in geriatrics and practice only 

at Erickson CCRCs. In addition, hospice services 

will soon be added to the wide array of 

services available for our residents. 

JO: What are unique compliance challenges 

you face working in a CCRC? 

LC: Compliance risk areas and challenges 

are similar for most health care facilities. The 

major challenge for a CCRC is maintaining 

compliance with regulations in the current 

atmosphere where CCRCs are not specifically 

addressed in guidelines or rules and regulations 

as a single entity. CCRCs are made up 

of many different health services, all of which 

need to comply with specific regulations and 

requirements. 

Erickson is unique in that we currently 

have 18 communities spanning 10 

states; therefore, communication and follow 

through are essential. This is where our annual 

risk assessment becomes a vital tool. Faced 

with continuous legislative changes, we must 

be diligent regarding all compliance activities 

and ensure that our risk assessment process is 

on-going, not periodic. 

JO: What are the biggest compliance risk 

areas for the CCRC? 

LC: In light of the continuing focus on 

regulatory compliance, we are committed to 

ensuring compliance with our requirements 

under state and federal regulations relating 

to business ethics, Medicare, HIPAA privacy 

and security, employment law, and Sarbanes 

Oxley as it may apply to not-for-profit 

CCRC’s. 

Compliance risk is the possibility that 

an employee will fail to follow an internal 

policy or procedure or an external law, rule, 

or regulation that applies to the activity in 

which they are engaged. It is important that 

CCRCs have processes, methods and tools in 

place to deal with the consequences of events 

that have been identified as significant threats 

related to fraud, waste, and abuse. 

Other areas of compliance risk include 

document management, research, contract 

management, Medicare D, and the Deficit 

Reduction Act of 2005. 

JO: You are also the HIPAA privacy 

officer. What are some of the most common 

HIPAA issues you respond to for your organization? 

LC: The most common HIPAA questions 

that I have encountered concern uses and 

disclosures of protected health information. 

Also, because we are unique and have communities 

in multiple states, state preemption 

analyses become a concern and driving force 

for HIPAA compliance. 

JO: Where are you in the development of 

your compliance program? 

LC: We have a fully developed and comprehensive 

compliance and ethics program 

at Erickson. PREVENT is an acronym we 

use for the seven elements of a compliance 

program (P = Policies and procedures, R = 

Responsible person, E = Education and training, 

V = Venting complaints, 

E = Enforcement of standards, N = Need 

for internal audits, T = Taking corrective 

action) as outlined in the United States 

Sentencing Guidelines and the Office of 

Inspector General Compliance Guidances. 

We want to PREVENT fraud, waste, and 

abuse. Our program spans all of the health 

services provided at the CCRCs in addition 

to incorporating human resources and inter- 



Health Care Compliance Association • 888-580-8373 • www.hcca-info.org 15

Meet Lea Cobb ...continued from page 15 

nal audit functions. HIPAA privacy, security, 

and Transaction Code Set requirements have 

all been addressed and implemented. We 

are currently working on National Provider 

Identifier (NPI) compliance. 

JO: Does your compliance program play a 

role in quality-of-care issues, and if so, how? 

LC: We have a comprehensive compliance 

program process that integrates compliance, 

risk management, and quality. These 

functions work in tandem. Quality-of-care 

reporting is part of the compliance auditing 

and monitoring program. Quality-of-care 

issues are managed at the CCRC through the 

Community Performance Improvement/Risk 

Management/Safety Committee with compliance 

as part of the structure. 

JO: How do you go about getting 

employee and staff support for your compliance 

efforts? 

LC: Compliance is an integral part of the 

everyday work of all employees, staff, and 

management members. Compliance is woven 

into the everyday job duties, “Erickson Way 

Values,” and responsibilities of the employees. 

Management plays a key role in employee 

and staff buy-in and continued compliance 

support. The “Erickson Way Values” are our 

organization’s approach to creating an atmosphere 

of accountability for ethical employee 

behavior. 

JO: How do you keep education and 

training interesting and effective? 

LC: We are constantly looking for new 

and innovative ways to conduct education 

and training to keep it humorous, interesting, 

and interactive. We employ a variety 

of venues to reach our widespread and 

diverse employee workforce. We use faceto-face 

training provided at the CCRC by 

the compliance liaison and at Erickson by 

corporate human resources. Additionally, 

we have established an Internet compliance 

site specifically for staff to have access 

to new or revised policies, education and 

training materials, and to alert them to new 

information. We send information through 

published compliance articles in newsletters 

or via e-mail. Compliance updates are 

provided at the CCRC by the compliance 

liaison and at Erickson by the compliance 

department through executive leadership 

team meetings, departmental meetings, and 

staff meetings. The director of compliance 

and policy/HIPAA privacy officer and the 

assistant director of coding and compliance 

also provide face-to-face education and training 

by traveling to the CCRC’s. Compliance 

training is also provided through the use of 

Web-based training sessions. We are beginning 

to embark on an interactive, comprehensive, 

on-line compliance education and 

training program. We use posters, keycards, 

brochures, and magnets to provide awareness 

training to all staff on the Code of Conduct, 

PREVENT program, and Values Line reporting. 

I also look to the Compliance and Ethics 

committee and executive leadership team to 

generate ideas for training. It is very important 

to consistently evaluate the compliance 

education and training program from the 

view point of a staff member. This allows 

us to make changes when necessary to keep 

the training as interesting and interactive as 

possible. 

JO: What do you see as the greatest compliance 

challenges for the CCRC industry in 

the next three years? 

LC: I see many challenges in the next 

three years, including recruitment and retention 

of high quality staff, escalating insurance 

costs, and regulatory compliance coupled 

with uncertain financial markets and increasing 

consumer demand for cutting-edge aging 

services. 

Other challenges include: CCAC/ 

CARF 2 accreditation standards and compliance; 

keeping current with emerging technology, 

such as the electronic health record; 

government initiatives related to health and 

technology; and HIPAA enforcement. 

Living in times of constant change, we 

never truly know what to expect as there will 

always be regulatory and legislative initiatives 

and enforcement practices for which a 

CCRC will have to be prepared. 

JO: You attended the HCCA Compliance 

Academy and are certified in healthcare 

compliance (CHC). Why did you decide to 

attend the academy and has it helped you in 

your role? 

LC: I decided to attend the academy due 

to its reputation, industry knowledge of key 

constituents, resources available, educational 

and networking opportunities, and national 

organizational notoriety. The CHC designation 

has given me creditability among my 

peers and colleagues as well as professional 

recognition in the area of health care compliance. 

JO: HCCA offers a number of educational 

opportunities. Which most closely match 

your needs? 

LC: I received great value from my 

attendance at the Fraud and Compliance 

Conference which is conducted in conjunction 

with the American Health Lawyers 

Association. Additionally, I found the 

Compliance and Ethics Institute and 

Medicare D Compliance Institute to be most 

useful. The Health Care Compliance Manual 

is a must for all compliance professionals. 

JO: What advice would you give to someone 

who is just starting out in compliance 

and setting up a program? 

LC: Keep it simple, make it fun, and 

know the regulations affecting the compli- 



16 




17

Roy Snell and Dan Roach 

As part of our efforts to improve member services, the HCCA leadership 

has reviewed all of the evaluations submitted by participants at 

the Annual Institute in Las Vegas in April. Over the coming weeks, 

we will be responding to some of the more common questions/concerns 

raised in your comments. These questions include: 

1. How do you pick the city in which to hold the Institute? 

Picking the location for an Institute is a difficult and risky proposition, 

made more difficult as we grow. In making the decision, the 

management and board are weighing three important factors—cost, 

ease of travel, and the ability to accommodate the meeting. The cost 

analysis includes the cost of getting to and from the conference, hotel 

room cost, and the cost of staging the conference. The ease of travel 

analysis includes the time needed to travel to and from the venue and 

takes into account both flight length and the number of flights in and 

out of the city to dozens of destinations. The ability to accommodate 

the number of registrants is also an important consideration. 

Unfortunately, when all these factors are considered, there are relatively 

few cities that work. While New York and San Francisco are 

easy to get to, they are both prohibitively expensive (close to $300 

per night for hotel rooms). Other cities have inexpensive rooms, but 

are more costly to fly to, and may not have hotels large enough to 

accommodate our meeting. Other cities are more difficult to get to 

for a large segment of our members (Orlando and San Diego). While 

not complaining about our growth, the reality is that there are fewer 

than 10 cities that have hotels with adequate space (unless we want to 

move to a convention center). In short, there are less than a handful of 

cities that have the right mix of cost, accessibility, and space. 

Both the staff and the board work hard to chose a location and 

deliver a conference that enables us to cater to a very diverse group 

of members. Because our conferences are booked at least two and a 

half years in advance, it is a difficult and somewhat risky proposition. 

Unfortunately, we will never be able to address the needs of all prospective 

participants with respect to cost and location. However, we 

will continue to work diligently to do the very best we can with the 

constraints and options available. 

2. What can we do about the size and weight of the conference 

materials? 

We received a significant number of complaints about the size and 

weight of materials. In fact, we printed millions of pages of handouts 

for the last Institute, and the HCCA management would love to figure 

out a way to reduce the volume of materials. Consequently, you will 

soon be receiving an invitation to participate in an Internet survey 

that, among other questions, seeks your input on how to most effectively 

distribute conference materials to the participants. 

3. Caesar’s Palace ran out of rooms very early last year. What can 

be done to ensure that more participants get rooms in the conference 

hotel? 

Our 2006 Institute included 400 more participants than in previous 

years and 800 more participants than we anticipated when we initially 

booked Caesar’s Palace. When we sign a contract with a hotel, we 

need to agree on a “room block.” This means that the HCCA needs to 

guarantee between 4,000 and 5,000 room nights. If we fail to deliver 

attendees to fill those rooms, we will be stuck paying the hotel for the 

value of the unused rooms. Particularly in a post-9/11 era, we have 

tried to mange this risk by agreeing to room blocks that accommodate 

approximately 80% of our expected attendance. Unfortunately, when 

we signed the contract with Caesar’s Palace, we did not anticipate 

the 70% increase in attendance over 3 years. 

As soon as it appears that we will have a room shortage, we move 

rapidly to obtain additional rooms in the conference hotel or 

adjacent hotels. Depending on what other events are happening in the 

city and adjacent hotels, this may or may not be possible. One thing 

you can do to help the HCCA manage this problem more effectively 


18 


is to make your hotel reservations as soon as 

possible. Part of the analysis that goes in to 

selecting a hotel includes the availability of 

the right room block and the potential availability 

of additional rooms in adjacent hotels, if 

we run out of space in the conference hotel. 

4. Some of the breakout sessions were very crowded last year. 

What can we do to accommodate larger breakout sessions? 

As noted above, the attendance at the Institute last year was 

substantially more than we anticipated. While we are pleased 

with the increased attendance, we concede it causes logistics issues. 

We are working to increase the size of some of the breakout 

rooms and to more effectively predict turnout at the sessions. 

Members can help us by giving us an idea, when registering, 

which sessions they anticipate attending (you will not be held to 

your choice, however). n 

Meet Lea Cobb ...continued from page 19 

ance areas required by your organization. Find ways to gain 

buy-in and maintain synergy and support from upper management. 

Integrate compliance into the employee’s everyday 

job duties, so compliance is not seen as yet another “thing 

to do.” Always look for new and interesting ways to make 

compliance fun and interesting. Network with your colleagues. 

Continually increase your knowledge of compliance 

by staying current with news and events. Become certified 

in compliance to increase your professionalism. And 

by all means, have fun, have fun, have fun! n 

1 JCAHO is the Joint Commission on Accreditation of Health Care Organizations 

2 CCAC/CARF is the Continuing Care Accreditation Committee/Commission on Accreditation of 

Rehabilitation Facilities 

CHC 

The Healthcare Compliance 

Certification Board (HCCB) 

compliance certification 

examination is available in all 50 states. 

Join your peers and become Certified 

in Healthcare Compliance (CHC). 

certified in 

healthcare 

compliance 

The Compliance 

Professional’s Certification 

Congratulations on achieving 

CHC status! The Health Care Compliance 

Certification Board announces that the following 

individuals have recently successfully 

completed the Certified in Healthcare Compliance 

(CHC) examination, earning CHC 

designation: 

CHC certification benefits: 

■ Enhances the credibility of the 

compliance practitioner 

■ Enhances the credibility of the 

compliance programs staffed by 

these certified professionals 

■ Assures that each certified compliance 

practitioner has the broad 

knowledge base necessary to 

perform the compliance function 

■ Establishes professional standards 

and status for compliance 

professionals 

■ Facilitates compliance work for compliance practitioners in dealing 

with other professionals in the industry, such as physicians and attorneys 

■ Demonstrates the hard work and dedication necessary to perform the 

compliance task 

Catherine Lynn Gibson 

Nancy Sheftel 

Nancy R. Vasto 

Kurt William Wood 

Rebecca A. Buegel 

Danny Vaughn Harrison 

CHC certification, developed and managed by HCCB, became available June 

26, 2000. Since that time, hundreds of your colleagues have become Certified 

in Healthcare Compliance. Linda Wolverton, CHC, says that she sought CHC 

certification because “many knowledgeable people work in compliance, and I 

wanted my peers to recognize me as ‘one of their own’.” With certification she 

is “recognized as having taken the profession seriously, having met the national 

professional standard.” 

For more information on how you can become CHC Certified, 

please call 888/580-8373, e-mail hccb@hcca-info.org, or visit the 

HCCA Web site at www.hcca-info.org and click on the HCCB Certification 

button on the left. 


Health Care Compliance Association 888-580-8373 • www.hcca-info.org 19

Pros 

n Single point of data entry 

n No data duplication 

n Entrenched in-house process 

By Matt Dowell 

Editor’s Note: Matt Dowell is the President following states: Alaska (HB454), California 

of Collaborative Reporting, Inc. He may be (AB45), Colorado (SB 1), Hawaii (HB 32), 

reached by e-mail at http://www.collabreports.cosetts 

(HB 2659), Michigan (HB 5706), New 

Illinois (HB 656), Iowa (HB 503), Massachu- 

Hampshire (HB 703), New York (AB 2160), 

Many states have recently passed Oklahoma (HB 1542), Pennsylvania (SB 

laws calling for the reporting of 320), Rhode Island (HB 6141), Tennessee 

medical marketing data. A larger (SB 1441), and Washington (SB 5149). 

number of states and districts are currently 

considering similar laws. This article will The data required for reporting in each state 

briefly touch on some of the newer reporting includes, but is not limited to: 

requirements and a few technical and business 

solutions that can reduce the time spent Who: Name, credentials, and “type” of recipient 

gathering and reporting on your sales events What: Gifts, with quantity and cost, and 

and keep your company compliant, without where given 

fines, and out of the news. 

Where: What clinic, hospital, or conference 

When: Date gift was given 

The medical marketing laws vary in their 

requirements, for example: 

Reporting this data poses several challenges. 

For a significant portion of pharmaceutical 

Minnesota 

and medical device manufacturers this requires 

A company cannot spend more than $50 per a new business process. This process requires 

practitioner, and must file annual reports with gathering the necessary information from each 

the Board of Pharmacy. 

field sales representative after each marketing 

event. Your solution will need to conform to 

Vermont 

your current and future compliance needs or 

Annual reporting of all marketing activities you risk being caught in a constantly changing 

is required through the state’s Web site or a business process cycle. The following section 

custom batch process. 

will summarize a few current options along 

with their pros and cons. 

Maine 

Reporting of all pharmaceutical marketing Using and customizing current tools 

activities greater than $25 is required, starting Your current in-house financial reporting or 

in July 2007. 

customer relationship management (CRM) 

tool might have customization options that 

Marketing disclosure laws have also been would be beneficial in your annual reporting. 

enacted in California, Washington D.C., Check with your sales operations team to see 

and West Virginia. Very similar laws, with if you can generate reports based upon dollar 

reporting requirements, are pending in the spent per client and location. 

Cons 

n Not flexible 

n Most likely not accessible for remote sales 

team 

n Can be expensive to customize 

Manually gathering the data 

If your sales team is small enough, the gathering 

of data could be maintained by a single 

person who creates a spreadsheet or small 

database to maintain the data. Currently, a 

handful of states accept data in spreadsheet 

format. The sales team members could use 

e-mail to send the data to the person who 

maintains the spreadsheet. 

Pros 

n Quickly implemented 

n No new business process to integrate 

n Flexible 

Cons 

n Resource intensive 

n Low quality 

n High risk 

n Can easily fall behind new regulations 

The new breed of marketing compliance 

tools 

New to the market are a handful of companies 

and legal firms that specialize in medical 

marketing compliance. Some offer services 

and software built specifically to help companies 

compile, search, and report their state 

marketing information. 

Pros 

n Integrate with many CRM applications 

n Web enabled 



20 



Health Care Compliance Association • 888-580-8373 • www.hcca-info.org 21

Medical marketing compliance ...continued from page 20 

FYI FOR YOUR 

INFORMATION 

n Hosted by a vendor for easy updates 

n Full web-services integration [MS Office] 

n High quality of data and reporting 

n Additional features include inventory management 

Cons 

n Cost 

n Potential for duplicate data entry 

n New process requirement for field sales people · 

Summary 

Your solution needs to be comprehensive and flexible enough so each 

new state regulation does not disrupt your sales process. Each company 

has specific needs based upon size, market, and resource availability. 

The solution your company implements should take all of those factors 

into consideration. 

The state medical marketing regulations are as varied as they are 

confusing. As a person responsible for helping your company stay 

compliant, your solution must become a seamless part of your business 

process and yet be flexible enough to handle the myriad of current and 

future state laws. n 

Aimset Corporation 

New Compliance Software 

Guaranteed Productivity 

Free trial period 

Let’s face it…saving the world is not 

an easy job. It requires you to do a 

million things at once with pinpoint 

precision. 

Rule #1: Don’t make your job harder 

than it needs to be. 

It’s time to manage your work more 

efficiently and go home on time. 

Make this your reality today. 

Owners of Defunct Nurse Staffing Company Indicted 

U.S. Attorney for Colorado Bill Leone announced on July 27 that 

William C. Crabbe and James S. Rowan, owners of Columbine 

Health Care Systems, Inc. of Greeley, Colorado, were indicted by a 

federal grand jury in Denver on Tuesday, July 25, 2006, for failure 

to pay federal payroll taxes, failure to pay taxes, and tax evasion. 

Crabbe was also charged with filing false tax returns. Both defendants 

received summons to appear in U.S. District Court in Denver 

on August 10, 2006 at 2:00 pm, where they will be advised of the 

charges against them. Columbine Health Care Systems went out of 

business in June 2003. 

According to the indictment, Crabbe and Rowan were the owners 

and principal officers of Columbine Health Care Systems, a 

national nurse-staffing agency. Columbine would charge its clients 

a fee for placing nurses in such places as hospitals, healthcare facilities, 

and doctor’s offices. Columbine would then pay wages to the 

nurses. The company’s corporate offices were located in Greeley, 

Colorado, with a few small sales offices located in other states. 

For more: http://www.usdoj.gov/usao/co/press_releases/2006/ 

July06/7_27_06.html 

UMDNJ Remains in the News 

On July 26, The Star-Ledger reported that “New Jersey’s troubled 

medical university and its major teaching hospital swallowed a 

tough pill yesterday in addressing mounting financial problems: 

more than 100 layoffs, program cutbacks, and an indefinite delay in 

the opening of a new $110 million cancer center in Newark. 

“The cuts at the University of Medicine and Dentistry of New 

Jersey come in the wake of the state’s own budget woes, which led 

to cuts of millions of dollars for charity care and higher education. “ 

For more: http://www.nj.com/news/ledger/jersey/index.ssf?/base/ 

news-4/1153892605261510.xml&coll=1 

UMDNJ Trustee Steps Down 

On July 29, Newsday reported that “Another trustee at the 

embattled University of Medicine and Dentistry of New Jersey is 

stepping down. 


22 

Contact us today for a Free Demo 

www.aimset.com 

650-281-7997 

info@aimset.com 

Special Code: HCCA 

Frederic C. Sterritt is leaving UMDNJ’s board, about a week after 

the state started an ethics probe into how he helped his brother get 

a job. 


Continued on page 43



23

By John J. Eller, Esq, and Donna J. Senft, Esq. 

John J. Eller 

Editor’s Note: John J. Eller is a principal 

and Donna J. Senft is an associate at 

Ober Kaler, a Baltimore law firm serving 

business, commercial finance, construction, 

health, and litigation. Mr. Kaler can be 

reached at jjeller@ober.com or 410/347- 

7362; Ms. Senft can be reached at djsenft@ 

ober.com or 410/347-7336. 

On April 21, 2006, the Centers for 

Medicare and Medicaid Services 

(CMS) published its final rule, 

“Medicare Program: Requirements for 

Providers and Suppliers to Establish and 

Maintain Medicare Enrollment,” which made 

changes to the existing Medicare rules that 

significantly affect existing providers and 

suppliers, as well as new enrollees. Although 

providers and suppliers have always been 

required to comply with the Medicare enrollment 

rules, both for initial enrollment and 

on a continuing basis thereafter, the new 

rules require that at some point in the near 

future, every provider or supplier will need to 

have a complete CMS 855 form on record. 

The new requirements contain procedural 

safeguards for CMS to verify that a provider 

or supplier is compliant with the enrollment 

requirements, and also contain significant 

sanctions for non-compliance. Understanding 

and adhering to the requirements is, therefore, 

not only important for a provider or 

supplier to ensure that initial enrollment is 

expeditiously obtained, but also critical to 

help ensure that its Medicare enrollment 

remains activated without interruption or the 

imposition of sanctions. 

The changes contained in the final rule, published 

just days before the end of the three-year 

time period to implement the proposed rule 

that was published on April 25, 2003, became 

effective June 20, 2006. They are the latest in a 

series of initiatives to strengthen the Medicare 

enrollment process to prevent initial or continued 

enrollment by unqualified or fraudulent 

providers or suppliers. Prior initiatives included 

contracting with the National Supplier Clearinghouse 

(NSC) regarding initial or continued 

enrollment of durable medical equipment, 

prosthetic, and orthotics suppliers (DMEPOS) 

and authorizing fiscal intermediaries and 

carriers to conduct site visits to verify if the 

provider or supplier was eligible to participate 

in the Medicare program. 

Just as providers and suppliers were learning 

about the new requirements contained in the 

final rule, on May 1, 2006, CMS released 

revised enrollment forms, (i.e., the CMS 

855 series) used by providers and suppliers 

to apply for initial enrollment and to request 

changes to the enrollment file. A one-month 

grace period was established, with providers 

and suppliers required to use the new forms 

for any submission after June 2, 2006. The 

following are direct Internet links to the all of 

the new enrollment forms: 

CMS 855A for Institutional Providers: 

www.cms.hhs.gov/cmsforms/downloads/ 

cms855a.pdf 

CMS 855B for Clinics/Group Practices and 

Certain Other Suppliers: 

www.cms.hhs.gov/CMSforms/downloads/ 

cms855b.pdf 

CMS 855I for Physicians and Non-Physician 

Practitioners: 


cms855i.pdf 

CMS 855R for Reassignment of Medicare 

Benefits: 


cms855r.pdf 

CMS 855S for DMEPOS Suppliers: 


cms855s.pdf 

Key provisions of the final rule 

New enrollment forms completion 

From the inception of the CMS 855 forms in 

1997, providers or suppliers who were already 

enrolled in the Medicare program did not 

have to complete and submit the entire CMS 

855 application form. With the release of the 

new versions of the CMS 855 forms, CMS 

will require all providers and suppliers--- even 


24 


those that have already enrolled in the Medicare 

program and obtained billing numbers--- 

to submit a completed enrollment application 

on the applicable new form. 

By requiring all providers and suppliers to 

complete a CMS 855 enrollment form, the 

Provider Enrollment, Chain, and Ownership 

System (“PECOS”) database will be more 

comprehensive. CMS developed PECOS following 

a policy decision to create a national, 

uniform electronic database for recording and 

retaining enrollment data to combat fraud 

and abuse. In July 2002, fiscal intermediaries 

began entering enrollment data for Medicare 

Part A providers into the system, with carriers 

following in November 2003, entering data 

on Part B providers and suppliers. 

The final rule did not indicate the timing or 

discuss the process that will be used to notify 

previously enrolled providers or suppliers 

that they will need to complete and submit 

a CMS 855 form. The Medicare enrollment 

contractors are suggesting the completion of 

the entire form when a provider or supplier 

needs to make changes to its provider or supplier 

file, even though this completion may be 

well in advance of the requirement to do so. 

Historically, Medicare enrollment contractors 

would often accept an enrollment application 

that was missing certain required information 

or documentation. The new procedures 

require the Medicare contractors to use an 

initial screening process which identifies 

omissions requiring an automatic rejection 

of the application. Any rejection and return 

of the application further delays an already 

lengthy time period to complete the initial 

enrollment process. 

Another new requirement is that any provider 

or supplier who submits new enrollment 

applications or enrollment forms to report 

changes will need to not only indicate its 

National Provider Identifier (NPI) number, 

but also provide verification of the NPI 

number in order for the enrollment or change 

forms to be processed. The Health Insurance 

Portability and Accountability Act (HIPAA) 

required the adoption of a standard unique 

health identifier for health care providers. 

CMS adopted the NPI number as this 

unique identifier but previously indicated 

that covered entities would not need to use 

this identifying number until May 23, 2007. 

As a result of the advanced notice and delayed 

implementation date, providers and suppliers 

may not previously have seen the need to 

obtain an NPI number as a priority. 

As of May 1, 2006, providers and suppliers 

are able to obtain an NPI number through an 

online process or the submission of a paper 

application. Either process is fairly efficient 

with a number assigned in just days. More 

information about obtaining an NPI number 

is available on the CMS website at: https:// 

nppes.cms.hhs.gov/NPPES/StaticForward. 

do?forward=static.npistart. 

Although the prior version of the CMS 855 

forms could be completed electronically, 

CMS has not provided software to complete 

the new version of the CMS 855 forms 

electronically. CMS has indicated its intent 

to have a Web-based enrollment process 

operational in 2007. 

The new CMS 855 forms continue to be 

very far-reaching in the scope of information 

to be reported initially and to be updated 

in a timely fashion as changes occur. This is 

particularly true with respect to ownership 

and control information, which is relevant to 

CMS’ principal concern to protect Medicare 

beneficiaries from unqualified or fraudulent 

providers and suppliers. For example, providers 

and suppliers who enroll in the Medicare 

Donna J. Senft 

program are required to disclose information 

about individuals or entities that have 

either a five percent or more direct or indirect 

ownership interest or a controlling interest 

in the provider or supplier entity. Even a 

lending institution with a secured interest in 

the provider’s or supplier’s property or assets 

(e.g., with a mortgage, deed of trust or note) 

may be considered to have an “ownership or 

controlling interest” for these purposes. In the 

case of a corporation, officers and members of 

the governing board (e.g., the board of directors 

or board of trustees) are considered to be 

among those with a controlling interest. The 

officers include not only those listed in the 

articles of incorporation or corporate bylaws, 

but also officers named by the governing 

board. Therefore, within 30 days of a change 

in an officer or member of the governing 

board, updated forms must be submitted to 

report the officer or board member being removed 

and the officer or board member being 

added. Other frequent types of changes that 

require timely reporting include a change in 

legal or trade names, addition of practice locations, 

and changes in managing employees. 

Sanctions for failure to provide timely 

updates 

Included in the regulations are specific time 

frames for submitting updated enrollment 




25

Consult with our team 

of national experts on compliance issues. 

Compliance Effectiveness | Medicare & Medicaid Fraud Defense | Corporate Integrity Agreements 

Pharmaceutical Contracts | Research Compliance & Billing 

Revenue Cycle Analysis | Sarbanes Oxley & Internal Audit Services 

Coder Certification & Training | Charge Master Analysis & Implementation 

Serving clients in 45 states since 1985. 

For more information, contact our specialists: 

John Beattie, CPA, CFE Victor Blanchard, CISA James Cesare John Foley, CPA 

717.540.4709 215.972.2392 717.540.4702 570.820.0126 

jbeattie@parentenet.com vblanchard@parentenet.com jcesare@parentenet.com jfoley@parentenet.com 


26 

www.parentehealthcare.com 

An Independent Member of Baker Tilly International 


New Medicare enrollment regulations ...continued from page 25 

forms. Within 30 days of any change in ownership 

or control for any provider or supplier, or 

any reportable change for a DMEPOS supplier, 

updated enrollment forms must be submitted. 

For all other reportable changes, updated enrollment 

forms must be submitted within 90 days 

following the effective date of the change. 

CMS has stated its intention to require 

deactivation for failure to report changes in a 

timely manner, which may even result in revocation 

of the provider’s or supplier’s billing 

privileges. Deactivation is the temporary suspension 

of billing privileges. Although billing 

is suspended, the deactivation does not have 

any effect on the provider or supplier agreement. 

Specific procedures for reactivating a 

provider number, including the submission of 

a new CMS 855 enrollment application, are 

included in the new regulations. Reactivation 

in those circumstances will not require a new 

survey or certification. 

When billing privileges are revoked, the provider 

or supplier agreement is also terminated. 

Additionally, when a revocation occurs, 

CMS will automatically review any related 

Medicare enrollment file. For example, if a 

reported owner (i.e., 5% or greater ownership 

interest) is also an owner or a person in 

control of another Medicare enrolled entity, 

CMS will review the revocation to see if it 

warrants an adverse action for the associated 

provider or supplier (i.e., associated in this 

case by a person with ownership in both 

enrolled entities.) 

Revalidation process 

CMS has developed a procedure to allow it 

to determine if updated information has been 

promptly submitted. Under the new regulations, 

CMS has established a five-year cycle 

for revalidation, with the ability to perform 

an “off cycle” revalidation if conditions so 

warrant. The revalidation process will be 

an opportunity to ensure that a provider 

or supplier has remained in compliance 

with Medicare requirements. In addition to 

confirming the validity of the enrollment information 

submitted through the revalidation 

process, CMS reserves the right to perform 

unannounced site visits to verify enrollment 

information. Revalidation is designed to 

protect beneficiaries and the Medicare trust 

fund by ensuring services are received from 

legitimate providers and suppliers. 

CMS does not expect the revalidation activities 

to be significant until 2008, and has not 

yet announced how providers and suppliers 

will be chosen to enter into the 5-year cycle, 

though the first revalidation efforts will focus 

on providers or suppliers who never previously 

submitted a complete CMS 855 form. 

CMS has indicated that the first priority for 

enrollment contractors should be to process 

new enrollment applications. Such prioritizing 

of effort is intended by CMS to address 

the concern expressed by providers and 

suppliers regarding the ability of the Medicare 

enrollment contractors to handle the 

increased workload. In its final rule, CMS announced 

the intent to conduct approximately 

500 on-site visits to Community Mental 

Health Centers and 2,800 annual visits to 

Independent Diagnostic Testing Facilities. 

Once the revalidation process becomes 

established, the burden on providers and suppliers 

should be relatively minimal. CMS has 

indicated its intent to send the provider’s or 

supplier’s current CMS 855 form on record 

to the provider or supplier, to verify the 

accuracy of the information and report any 

changes to be made regarding the information 

in the enrollment file. 

Initial enrollment 

The new regulations delineate situations in 

which the initial enrollment application may 

be rejected. If the application is submitted 

with missing information and any missing 

information or requested supporting 

documentation is not submitted on time, the 

application will be rejected and the applicant 

will need to restart the enrollment process. 

There are no appeal rights granted when an 

application is rejected. 

Additionally, an entity may be denied enrollment 

or have its enrollment revoked when 

individuals with ownership or controlling 

interests have been sanctioned or convicted of 

certain federal or state crimes. The new regulations 

delineate the specific offenses, such 

as exclusion sanctions, that will result in an 

automatic rejection or revocation, and other 

offenses that may result in rejection or revocation 

because the offense has been determined 

to be detrimental to the best interests of the 

Medicare program or its beneficiaries. 

Enrollment may be denied if there is a 

determination, based upon the on-site review 

or other reliable evidence, that the provider or 

supplier is not in compliance with the Medicare 

requirements. Appeal rights are granted 

in this situation. If, however, the decision is 

appealed, then a new application may not be 

submitted until a decision is made to uphold 

the original determination. If the provider or 

supplier elects not to appeal the decision, a 

new application may be submitted when the 

time frame to appeal has lapsed. 

Change of ownership 

Consistent with prior requirements, if a 

change of ownership involves providers, both 

the buyer and seller need to submit provider 

enrollment application information. Under 

the new regulations, the seller risks sanctions 

if it fails to complete the enrollment materials 

prior to the change in ownership. When the 

seller agrees to assign and the buyer agrees to 




27

American Health Lawyers Association 

and 


presents 

FRAUD AND COMPLIANCE FORUM 

September 25-27, 2006 

Renaissance Harborplace Hotel • Baltimore, MD 

PLAN NOW TO ATTEND 

Visit: www.hcca-info.org for more information 

Don't miss the Fraud and Compliance Forum! 

The program will provide legal analysis and practical compliance guidance 

on issues including: 

• Fraud and Abuse Issues for Physicians, Long Term Care 

Facilities, Managed Care Organizations, Hospitals and Health 

Systems and Pharmaceutical Manufacturers 

• Stark II Phase II Regulations and Fair Market Value 

• EMTALA 

• Legal Ethics 

• Research Compliance and Billing 

• Auditing and Monitoring Compliance Plans 

• Internal Investigations 

has provided sponsorship in support of this program. 

To register visit us online at: www.hcca-info.org 

For questions call HCCA at: (888) 580-8373 

SAVE THE DATE! 

Continuing Education Credits: AAPC • ACHE • AHIMA • HCCB • NASBA • MCLE 


28 


New Medicare enrollment regulations ...continued from page 27 

accept the assignment of the seller’s provider number, the new regulations 

allow for deactivation of the billing number any time before 

the final transference of the provider agreement to the buyer, if the 

buyer fails to submit what is required within 30 days of the change of 

ownership. With respect to a change of ownership or control involving 

suppliers, appropriate CMS 855 forms must be submitted within 

the 30 days immediately following the change. 

Conclusion 

It is strongly advisable to become familiar with the new CMS 855 

forms, the information required to be reported using these forms, and 

the supporting documentation to be sent to CMS. This is certainly 

important for new providers or suppliers, and existing providers 

and suppliers when they are called upon to complete the CMS 855 

form for the first time as part of the revalidation process, or as part 

of a change of ownership transaction. It is particularly important for 

existing providers and suppliers who have never completed a CMS 

855 form and have changes that would require updating the enrollment 

file. Existing providers, especially those not familiar with the 

CMS 855 process, may not be aware that they are required to report 

certain changes that occur during the ordinary course of conducting 

their business affairs. Any changes in the categories of information 

required on these forms—even if the forms had never previously been 

submitted, and the provider or supplier had never previously reported 

such information to CMS—must now be reported using the new 

forms. If unfamiliar with the reporting requirements, a provider or 

supplier may not realize the broad scope of information that CMS 

requires to be maintained in its enrollment files and used by CMS 

for its monitoring activities, and that a failure to properly report any 

changes in that information using the CMS 855 form creates a risk 

of being subject to serious sanctions. Providers and suppliers should 

develop a clear understanding of what is legally required to complete 

the CMS 855 forms, use them to report changes appropriately, and 

obtain assistance as necessary in this regard to help assure compliance 

or deal with regulatory authorities. This will allow providers 

and suppliers to avoid delays in processing and initial activation, but 

more importantly to minimize the potential for deactivation of their 

Medicare number, revocation of billing privileges, further adverse 

consequences to the provider or supplier, or adverse consequences to 

other Medicare-enrolled entities having common ownership with the 

provider or supplier. n 



29


30 




31

By Salvatore G. Rotella, Jr., Esq. 

with a valid authorization from the patient; 

or under certain other, limited circumstances. 

One of these other circumstances is for 

research purposes. 1 

As a threshold matter, the Privacy Rule’s 

research provision applies only if a research 

undertaking’s “primary purpose” is to obtain 

“generalizable knowledge.” Accordingly, providers 

can customarily review patient records 

for quality assessment and improvement 

purposes without worrying about the restrictions 

on unauthorized disclosure, because 

such reviews constitute health care operations, 

not research. 

Research-related disclosure of medical records 

in general. If a provider is participating 

in an effort to obtain “generalizable knowledge,” 

it may disclose records that contain 

PHI only with a valid patient authorization 

or under the following scenarios: 

First, the provider may de-identify the 

records, so that they no longer constitute 

PHI. This process entails either removing 

18 separate indentifiers or having a qualified 

statistician determine that there is minimal 

risk that the intended recipient could use the 

information to identify the subject, either 

alone or in combination with other reasonably 

available information. 2 

Second, the provider may create a so-called 

“Limited Data Set,” which involves removing 

certain identifiers from the records and 

entering into a data use agreement with the 

researcher who will receive the data. 3 

Third, the provider may obtain a waiver of 

the patient authorization requirement, for 

the specific research use at issue, from an appropriate 

Institutional Review Board (IRB) or 

Privacy Board. 4 

Editor’s note: Mr. Rotella is an attorney 

and a member of the law firm of Cozen 

O’Connor. He may be reached by telephone 

at 215/665-3729. 

The Health Insurance Portability and Accountability 

Act’s Privacy Rule (the Privacy 

Rule) strikes a balance between restricting the 

unauthorized disclosure of medical records 

and permitting health care providers to 

operate effectively, including participation 

in research studies. Specifically, the Privacy 

Rule takes into account that getting patient 

authorization for a disclosure can be problematic 

for researchers who do not interact 

directly with their research subjects. Health 

services researchers, for example, typically 

analyze large amounts of patient data to reach 

evidence-based conclusions about ways to 

improve the quality and efficiency of health 

care services. 

State laws and, to some extent, the Privacy 

Rule itself afford significant additional protection 

to records of mental health treatment. 

As a result, the careful balance between 

ensuring confidentiality and fostering studies 

to improve health care can shift dramatically 

in the case of research involving mental health 

records. Pennsylvania offers a good test case 

jurisdiction for understanding how to navigate 

the often complex overlay of federal and 

state laws governing a provider’s disclosure 

of mental health records to an independent 

researcher. 

Federal law: The Privacy Rule 

The Privacy Rule sets a floor as to a provider’s 

obligation to maintain the confidentiality of 

all protected health information (PHI). It 

generally allows disclosure of a patient’s PHI 

only: for treatment, payment, or operations; 

Fourth, a provider may disclose records for 

activities preparatory to research, such as for 

the researcher to prepare a research protocol. 5 

As a practical matter, the Department of 

Health and Human Services (HHS) has 

issued guidance clarifying that a researcher 

who is the intended recipient of a covered 

entity’s de-identified records can also be the 

person to de-identify the records. 6 This is so 

because the process of creating de-identified 

health information from PHI is itself deemed 

a health care operation, and not part of the 

research project. Especially in the case of 

health services research involving large databases 

of patient information, the fact that the 

researcher can undertake the de-identification 

may well allow a provider to participate in 

an independent research project that would 

otherwise be out of the question because of 

the significant resources the provider would 

have had to devote to itself de-identifying the 

patient records before disclosing them to the 

researcher. Because the HHS guidance on this 

issue contemplates that the researcher will 

be a “business associate,” it makes sense for 

a provider to enter into a business associate 

agreement with any researcher to whom it 

provides PHI to be de-identified and used for 

research purposes. 

Finally, if a provider discloses PHI without 

a valid authorization, it must further ensure 

that it both limits the PHI disclosed to the 

“minimum amount necessary” to accomplish 

the research purpose and is prepared to 

provide an accounting of its disclosures to the 

relevant patients. 7 Notably, the regulations 

reasonably allow a provider to rely on the 

researcher’s request as one that, by definition, 

seeks the minimum necessary PHI to achieve 

the researcher’s purpose in cases involving a 


32 


properly documented IRB or Privacy Board waiver, a review preparatory 

to research, or research on decedents’ PHI. 8 

Research-related disclosure of mental health records. Notwithstanding 

the other mechanisms generally allowing disclosure of 

PHI to a researcher absent patient consent, federal law permits 

a provider to make such a disclosure of so-called “psychotherapy 

notes” only with a valid patient authorization; 9 and this remains 

the case even if the notes have been de-identified. 

The Privacy Rule defines psychotherapy notes as notes of a private 

counseling session taken by a mental health professional. The term 

encompasses only such notes kept separately from the rest of the 

patient’s medical record, and the definition explicitly excludes 

treatment-related information, such as medication prescription 

and monitoring, counseling session start and stop times, and any 

summary of the patient’s symptoms, prognosis, and progress to 

date. 10 Consistent with this narrow definition, HHS has observed 

that information critical to the treatment of a patient is normally 

maintained in the medical record, and thus, by definition, separate 

and apart from psychotherapy notes. According to HHS, the 

regulations provide additional protection to psychotherapy notes 

precisely because they are usually of little value to anyone (presumably 

including a researcher) not present at the counseling session. 11 

State law: The Pennsylvania Mental Health Procedures Act 

Pennsylvania’s Mental Health Procedures Act (MHPA or “the Act”) 

presents a much more formidable obstacle than does the Privacy 

Rule to researchers seeking access to records of mental health treatment. 

Rather than focusing only on psychotherapy notes, Section 

111 of the MHPA provides that “[a]ll documents concerning 

persons in treatment shall be kept confidential and, without the 

person’s written consent, may not be released or their contents disclosed 

to anyone” except those engaged in providing treatment, to 

the county administrator in connection with emergency examinations, 

to a court in connection with proceedings authorized by the 

MHPA, and pursuant to federal rules when treatment is undertaken 

in a federal agency. 12 Regulations promulgated by the Pennsylvania 

Department of Public Welfare (DPW) that implement the 

Act add some additional permissible disclosures, but likewise do 

not include researchers among those enumerated third parties to 

whom an entity may potentially release or disclose mental health 

records without written consent from the patient. 13 




33

Using mental health records for research ...continued from page 33 

The scope of the MHPA. 

The MHPA’s virtual blanket prohibition 

on the disclosure of mental health records 

without patient consent applies directly to all 

involuntary treatment and voluntary inpatient 

treatment of mentally ill persons, and, 

effectively, to voluntary outpatient treatment 

provided in a facility as well. In addition to 

stating that the Act “establishes rights and 

procedures for all involuntary treatment 

of mentally ill persons whether inpatient 

or outpatient, and for all voluntary inpatient 

treatment of mentally ill persons,” the 

MHPA’s “scope” provision defines the term 

“facility” broadly to include, among other 

things, community mental health centers. 14 

DPW’s implementing regulations, in turn, 

provide that the agency’s rules regarding the 

confidentiality of mental health records—including 

the nonconsensual release of patient 

information regulation that parallels Section 

111 of the Act—more generally apply to 

records of persons receiving mental health 

services from any “facility.” 15 In addition to 

making its MHPA confidentiality regulations 

apply to facilities that treat voluntary 

outpatients, DPW also makes compliance 

with those regulations an express condition of 

licensure for both psychiatric outpatient clinics 

and partial hospitalization facilities. 16 

An argument could be made that to be 

consistent with the statute, the DPW regulations 

should be interpreted to apply only 

to records in a facility that are also records 

within the scope of the MHPA itself—i.e., 

records of inpatient or involuntary treatment. 

To be safe, however, providers should assume 

that Pennsylvania law permits the disclosure 

(to a researcher or otherwise) of records of 

voluntary outpatient mental health treatment 

provided in a “facility” only to the same 

limited extent it permits disclosures of records 

of mental health treatment provided to inpatients 

or on an involuntary basis. 17 

Permissible disclosures under the MHPA. 

Because the MHPA provides even greater 

privacy protection with respect to the 

disclosure of mental health records than does 

the Privacy Rule, the federal rule does not 

preempt the state rule in this respect. 18 That 

means that Pennsylvania providers can only 

disclose mental health records covered by the 

MHPA as permitted by Section 111 and its 

implementing regulations. And under those 

state rules, a provider can only disclose such a 

record to a researcher if the patient consents 

in writing. 

Two final, practical issues are worth noting: 

First, it is possible to comply with both the 

DPW-required elements of a written consent 

pursuant to Section 111 of the MHPA and 

the Privacy Rule’s mandate that a valid patient 

authorization include certain core elements 

and required statements, be written in plain 

language, and that the individual authorizing 

the disclosure receive a copy of the signed 

authorization. 19 As a result, a provider should 

ensure that the “written consent” it obtains 

prior to disclosing records to a researcher under 

the MHPA also meets all of these requirements 

of a valid Privacy Rule authorization. 

Second, because de-identified records do not 

constitute PHI, the Privacy Rule would allow 

a provider to disclose de-identified mental 

health records (other than psychotherapy 

notes) without an authorization. The MHPA, 

by contrast, seems to prohibit the disclosure 

even of de-identified records absent patient 

consent. While this approach may seem 

overly restrictive, it is consistent with the rest 

of the MHPA, as well as with how the courts 

and DPW have interpreted the Act. 

Like the Privacy Rule, for example, the 

MHPA makes allowances for a facility to 

undertake internal quality assessment and 

improvement. While the federal rule permits 

a provider to use patient-identified records 

for these efforts, the state law permits such 

reviews only on the express condition that 

the provider does not identify individual 

patients. 20 

Federal and state courts interpreting the 

MHPA have likewise consistently found 

that, unless one of the four exceptions set 

forth in Section 111 applies, the Act “absolutely 

forbids [the] disclosure” of documents 

concerning persons receiving mental health 

treatment without the patient’s written 

consent. Hahnemann Univ. Hosp. v. 

Edgar, 74 F.3d 456, 465 (3d Cir. 1996). See 

also Pearson v. Miller, 211 F.3d 57, 70 (3d 

Cir. 2000) (finding that “[i]t is settled under 

Pennsylvania law that the MHPA gives rise to 

an ‘absolute confidentiality privilege’ covering 

documents related to the treatment of mental 

health problems”); Zane v. Friends Hosp., 

836 A.2d 25, 32 (Pa. 2003) (“The terms 

of [Section 111] are eminently clear and 

unmistakable and the core meaning of this 

confidentiality section of the Mental Health 

Procedures Act is without doubt—there shall 

be no disclosure of the treatment documents 

to anyone.”) Significantly, the courts have 

adopted this strict interpretation of the provision 

even in cases in which doing so meant 

denying the victim of a violent crime access to 

potentially key evidence. See, e.g., Zane, 575 

Pa. at 251 (denying female hospital patient 

access to mental health treatment records of a 

male patient who had kidnapped and sexually 

assaulted her); Hahnemann, 74 F.3d at 465 

(prohibiting lower court from requiring the 

hospital to allow the court to examine mental 

health records of two hospital patients who 

raped a female patient). 

DPW has taken the position, finally, at least 

in the labor and employment contexts, that 

the MHPA prohibits the disclosure even of 

de-identified records of mental health treat- 


34 


ment, on the theory that although de-identified, they still constitute 

“documents concerning persons in treatment.” 

Conclusion 

Special federal and state confidentiality protections present significant 

challenges to research involving records of mental health 

treatment. Under the federal Privacy Rule, providers can generally 

disclose to researchers de-identified records and limited data sets 

without patient authorization. They can also disclose complete records 

containing PHI for reviews preparatory to research or pursuant 

to a waiver of the patient authorization requirement by an IRB or 

Privacy Board. Only the patient, however, can authorize disclosure of 

psychotherapy notes within a record. 

Publisher: 

Health Care Compliance Association, 888-580-8373 

Executive Editor: 

Roy Snell, CEO, HCCA, roy.snell@hcca-info.org 

Contributing Editor: 

Dan Roach, President, HCCA, 888-580-8373 

Managing Editor and Advertisments: 

Margaret R. Dragon, HCCA, 781-593-4924, margaret.dragon@hcca-info.org 

Style Editor: 

Sarah Anondson, HCCA, 888-580-8373, sarah.anondson@hcca-info.org 

Copy Editor: 

Patricia Mees, HCCA, 888-580-8373, patricia.mees@hcca-info.org 

Layout: 

Gary Devaan, HCCA, 888-580-8373, gary.devaan@hcca-info.org 

HCCA Officers: 

Board of Directors: 

State laws often impose even greater confidentiality measures with 

respect to mental health records, and thus are not preempted by the 

Privacy Rule. Providers must take care to adhere to these local rules 

as well. In Pennsylvania, for example, many mental health records are 

subject to the strict provisions of the MHPA and its implementing 

regulations. Under that regulatory scheme, a provider cannot disclose 

any documents concerning mental health treatment, probably even 

including records that have been de-identified, without the patient’s 

written consent. 

Ultimately, a second look at both what laws apply and what those 

laws permit is always wise when confronting issues involving the 

disclosure of mental health records. n 

Acknowledgement: The author wishes to thank his colleagues, 

Kate Layman and Melanie Martin, for their help with this 

article. 

1 45 C.F.R. § 164.512(i). 

2 45 C.F.R. § 164.514(a)-(c). 

3 45 C.F.R. § 164.514(e). 

4 45 C.F.R. § 164.512(i)(1)(i) & (i)(2). 

5 45 C.F.R. § 164.512(i)(1)(ii). The regulations also allow for research based on an existing patient consent that 

predated the applicable compliance date of the Privacy Rule and for research involving decedents’ PHI. See 45 

C.F.R. §§ 164.532(c) & 164.512(i)(1)(iii). 

6 See HHS’ “Health Services Research and the HIPAA Privacy Rule” at pp. 9-11 and 45 C.F.R. § 164.502(d)(1). 

7 45 C.F.R. §§ 164.502(b) & 164.514(d) (minimum necessary); 45 C.F.R. § 164.528 (accounting for disclosures). 

8 45 C.F.R. § 164.514(d)(3)(iii)(D). 

9 45 C.F.R. § 164.508(a)(2). 

10 45 C.F.R. § 164.501. 

11 See 65 Fed. Reg. 82462, 82623 (December 28, 2000). 

12 50 Pa. Stat. Ann. § 7111 (“confidentiality of records”). 

13 55 Pa. Code § 5100.32 (“nonconsensual release of information”). 

14 50 Pa. Stat. Ann. § 7103 (“scope of act). 

15 55 Pa. Code §§ 5100.31 (“scope and policy”). 

16 55 Pa. Code §§ 5200.41(c) & 5210.26(d). 

17 The Privacy Rule provisions (discussed in Section 1) would appear to govern the disclosure by a Pennsylvania provider 

to a researcher of a mental health record not covered by the MHPA, such as a record of voluntary outpatient 

treatment not provided in a facility. 

18 45 C.F.R. § 160.202(b). 

19 Compare 55 Pa. Code § 5100.34(f) (DPW required elements for consent form) with 45 C.F.R. § 164.508(c) 

(Privacy Rule authorization elements). 

20 50 Pa. Stat. Ann. § 7111(a). 

Daniel Roach, Esq. 

HCCA President 

VP & Corporate Compliance Officer 

Catholic Healthcare West 

Steven Ortquist, CHC 

HCCA 1st Vice President 

Senior Vice President, Ethics and 

Compliance/Chief Compliance Officer 

Tenet Healthcare Corporation 

Rory Jaffe, MD, MBA, CHC 

HCCA 2nd Vice President 

Executive Director–Medical Services 

University of California 

Julene Brown, RN, BSN, CHC, CPC 

HCCA Treasurer 

MeritCare Health System 

Jennifer O’Brien 

HCCA Secretary 

VP Corporate Compliance 

Allina Hospitals & Clinics 

Odell Guyton 

HCCA Immediate Past President 

Senior Corporate Attorney, 

Director of Compliance, 

U.S. Legal–Finance & Operations 

Microsoft Corporation 

Frank Sheeder 

Non-Officer Board Member of 

Executive Committee 

Partner 

Brown McCarroll, LLP 

CEO/Executive Director: 

Roy Snell, CHC 


Counsel: 

Keith Halleland, Esq. 

Halleland Lewis Nilan Sipkins & Johnson 


Urton Anderson 

Associate Dean for Undergraduate Programs 

at McCombs School of Business 

University of Texas 

Cynthia Boyd, MD, FACP, MBA 

Chief Compliance Officer 

Rush University Medical Center 

Anne Doyle 

Director, Corporate Learning and 

Organizational Development 

Tufts Health Plan 

Gabriel Imperato 

Managing Partner 

Broad and Cassel 

Al W. Josephs, CHC 

Senior Director Policies and Training 

Tenet Healthcare Corporation 

Joseph Murphy 

Partner, Compliance Systems Legal Group 

Chairman, Integrity Interactive Corp 

F. Lisa Murtha, Esq., CHC 

Managing Director 

Huron Consulting Group 

Mark Ruppert, CPA, CIA, CISA, CHFP 

Director, Internal Audit 

Cedars-Sinai Health System 

Debbie Troklus, CHC 

Assistant Vice President for Health Affairs/ 

Compliance 

University of Louisville, School of Medicine 

Sheryl Vacca, CHC 

Director, National Health Care 

Regulatory Practice, Deloitte & Touche 

Cheryl Wagonhurst 

Partner, Foley & Lardner LLP 

Greg Warner, CHC 

Director for Compliance 

Mayo Foundation 

Compliance Today (CT) (ISSN 1523-8466) is published by the Health Care Compliance 

Association (HCCA), 6500 Barrie Road, Suite 250, Minneapolis, MN 55435. Subscription rate is $357 a year 

for non-members. Periodicals postage-paid at Minneapolis, MN 55435. Postmaster: Send address changes 

to Compliance Today, 6500 Barrie Road, Suite 250, Minneapolis, MN 55435. Copyright 2006 

the Health Care Compliance Association. All rights reserved. Printed in the USA. Except where specifically 

encouraged, no part of this publication may be reproduced, in any form or by any means without prior written 

consent of the HCCA. For subscription information and advertising rates, call Margaret Dragon at 781-593- 

4924. Send press releases to M. Dragon, PO Box 197, Nahant, MA 01908. Opinions expressed are not those of 

this publication or the HCCA. Mention of products and services does not constitute endorsement. Neither the 

HCCA nor CT is engaged in rendering legal or other professional services. If such assistance is needed, readers 

should consult professional counsel or other professional advisors for specific legal or ethical questions. 


35

COMPLIANCE 

101 


36 

Investigations 101: Practical advice for 

new compliance officers 

By Kenny A. Johnson, Esq. 

Editor’s note: Mr. Johnson is the Director, 

Legal Compliance for Quest Diagnostics, 

Incorporated. He may be reached by email 

at kenny.a.johnson@questdiagnostics.com 

or by telephone at 972/884-1063. 

A health care organization’s ability to perform 

timely and thorough compliance investigations 

is critical in helping to demonstrate an 

Effective Compliance and Ethics Program as 

required by the Federal Sentencing Guidelines 

for Organizations (FSGs). 1 Specifically, 

a good investigative process satisfies the FSG 

elements that require an organization to: 

(1) ensure its compliance program is followed, 

promoted, and consistently 

enforced; 

(2) take appropriate disciplinary measures for 

confirmed violations; and 

(3) take reasonable steps to respond appropriately 

to an offense. 2 

In addition to the FSGs, the Office of Inspector 

General (OIG) has issued numerous compliance 

guidance documents that echo these 

requirements and emphasize the importance 

of an independent and rigorous investigative 

process. For example, the OIG’s Compliance 

Program for Clinical Laboratories Guidance 

contains a specific section entitled “Corrective 

Action – Investigating, Reporting and Correcting 

Identified Problems.” 3 

This article is designed to provide Compliance 

officers—particularly new Compliance 

officers—with practical advice on how to 

conduct compliance investigations that satisfy 

the FSGs and program guidance requirements 

listed above. 4 This guidance is tailored to 

the internal compliance investigation that a 

Compliance officer is likely to perform in the 

normal course of business. It is not intended 

as guidance on how to investigate more serious 

matters that may require a formal legal 

investigation, such as in response to a government 

subpoena. For these matters, compliance 

officers should immediately contact legal 

counsel or senior management for advice 

before taking any actions. 

Initial considerations—Should legal counsel 

direct the investigation? 

In many cases, compliance infractions not 

only constitute policy violations, they may 

also constitute violations of federal and state 

laws (e.g., the federal anti-kickback statute, 

Stark legislation, and civil false claims act). 

Confirmed violations of these laws can 

result in significant liability and negative 

consequences for any health care provider, 

including severe fines, restitution payments, a 

Corporate Integrity Agreement, or in extreme 

cases, exclusion from participating in federally 

funded health care programs. 

Due to these perils, compliance officers 

should carefully evaluate compliance allegations 

prior to beginning any investigation. 

For example, if the allegations relate to 

potential violations of federal or state fraud 

and abuse laws, it may be in the organization’s 

best interest to have legal counsel perform 

or direct the investigation to help ensure the 

review will be protected by the attorney-client 

privilege. 

In general, a compliance officer’s investigation 

is protected by the attorney-client privilege 

Kenny A. Johnson 


only if legal counsel directs the investigation 

and only if the investigative findings are 

reported to counsel for the purpose of providing 

legal advice. This privilege cannot be 

claimed after the fact—any review performed 

prior to involving legal counsel is not privileged, 

even if legal counsel is subsequently retained. 

As such, it may be advisable for health 

care providers to adopt specific policies and 

procedures that provide compliance officers 

with advance directives on how to investigate 

compliance matters and when to involve legal 

counsel. Compliance officers should be aware 

that even if an attorney performs or directs an 

investigation, it does not automatically mean 

the matter will be privileged. For example, 

some courts have ruled that no privilege exists 

for matters performed or directed by in-house 

counsel on the basis that the work was performed 

in the ordinary course of business and 

not to provide legal advice. 

Beginning the investigation 

A compliance officer’s primary role in 

performing a compliance investigation is to 

obtain all relevant facts to help management 

determine if a violation has occurred. In 

almost all cases, this will require interviewing 

employees and reviewing pertinent documents. 

Most internal investigations involve 

only employee interviews. If individuals 

Continued on page 38

The Health Care Compliance Association presents 

Medicare Prescription Drug 

Par t D Compliance Conference 

The Health Care Compliance Association (HCCA) will be holding 

a Medicare Prescription Drug Part D Compliance Conference in 

Baltimore, MD, September 10–12, 2006. Topics to include: 

Part D Drug Coverage 

Fraud and Abuse Under Part D 

Long-Term Care Issues 

Pharmacy 

Appeals & Grievance 

Auditing & Monitoring 

Discipline & Enforcement 

Save the Date 

September 10–12, 2006 

Renaissance Baltimore Harborplace Hotel 

202 East Pratt Street, Baltimore, MD 21202 

Tel 800-535-1201 • Fax 410-539-5780 

To register, please visit www.hcca-info.org 



37

Investigations 101 ...continued from page 36 

outside of the organization need to be 

interviewed (e.g., clients, former employees), 

the compliance officer should first consult 

with the Legal and or Human Resources 

(HR) departments. Regarding investigative 

strategy, experienced investigators may differ 

on the exact steps or sequence to be followed, 

although almost all will agree that speed, 

objectivity, and thoroughness are paramount 

to success. 

Employee interviews: Minimizing 

intimidation 

As a preliminary matter, compliance officers 

should recognize that compliance investigations 

can be an intimidating experience and 

that, if performed in a heavy handed manner, 

can impact the investigation and undermine 

the credibility of both the Compliance 

department and the investigative process. 

It is also important to remember that many 

employees interviewed during compliance 

investigations have done nothing wrong. 

Therefore, compliance officers should take 

steps to minimize the daunting perceptions 

surrounding the process and constantly reinforce 

its importance. 

One way to accomplish these goals is for 

compliance officers to begin all interviews 

by introducing themselves, explaining their 

job responsibilities, the investigative process, 

and finally, their specific role in the investigation—that 

of objective fact finder. If applicable, 

they may also share that others will 

be interviewed during the investigation. In 

my experience, this simple introduction helps 

reduce anxiety by diverting attention away 

from the investigation and by reinforcing that 

the investigator and process are fair. 

During this introduction, compliance officers 

also should establish ground rules, specifically 

the need for confidentiality. Compliance 

officers should be aware that even if an 

attorney performs or directs an investigation, 

it does not automatically mean the matter 

will be privileged. For example, some courts 

have ruled that no privilege exists for matters 

performed or directed by in-house counsel on 

the basis the work was performed in the ordinary 

course of business and not to provide 

legal advice. It is important to stress that the 

employee is not to discuss the investigation 

with anyone without prior approval. The 

compliance officer should explain that this is 

a reciprocal obligation with one exception— 

that the investigative findings will be shared 

with those who have a “need to know” for the 

purpose of determining any necessary corrective 

measures. This admonishment is essential 

to protect the reputation of those accused 

of violations, to preserve the investigation’s 

integrity by preventing witness tampering 

and collusion, and to help identify “chain of 

command” issues, (i.e., whether the employee 

acted independently or at the direction of a 

superior). 

Finally, before beginning formal questioning, 

it may be helpful to ask a few simple background 

questions (e.g., about the employee’s 

tenure, current supervisor, and brief description 

of current job duties). Again, such 

questions are easy to answer, help put the 

employee at ease, serve as a good transition 

into the actual interview, and in many cases, 

help compliance officers quickly assess the 

employee’s job experience and compliance 

sophistication. 

Questions for the formal interview 

In each interview, compliance officers should 

allow employees to explain events in their 

own words and avoid asking questions that 

suggest a particular answer. If possible, they 

should start with broad, general questions and 

narrow the questioning as necessary, depending 

on the employee’s responses. 

For example, if requested to investigate an 

allegation that a sales employee offered Super 

Bowl tickets to Dr. Smith in violation of the 

organization’s gift and entertainment policy, 

the compliance officer should avoid making 

the first and only question “It has been 

reported that you lavishly entertained Dr. 

Smith at the Super Bowl—did you?” Instead, 

the compliance officer should begin the questioning 

broadly. One initial question could be 

to ask the employee to explain the company’s 

gift and entertainment policy. Depending 

on the response, the next question may be to 

ask for examples of past entertainment, how 

frequently the employee entertains clients at 

sporting events, and so on, until the specific 

question is either asked or answered. 

A seasoned investigator also attempts to 

clarify ambiguity in a witness’ answers. Using 

the example above, if the employee acknowledged 

entertaining Dr. Smith “a while ago,” 

the investigator should clarify this answer, 

if it’s relevant to the investigation. In such 

cases, provide clarifying parameters. In this 

example, ask if “a while ago” means more 

than three years ago, between one and three 

years, and so on, until the witness narrows 

the time frame. If the witness remains evasive, 

document each attempt to clarify and the non 

responsive or ambiguous answers. 

This interviewing technique is critical for 

several reasons. First, it allows witnesses to explain 

the facts in their own words. Second, it 

allows the investigator to evaluate the witness’ 

understanding of the policy, issue, or event in 

question. Third, it prevents the investigator 

from consciously or unconsciously steering 

the investigative conclusion to support a preexisting 

theory of what may or may not have 

happened. Fourth, the witness may divulge 

unexpected information or admit to compliance 

violations that were otherwise unknown. 



38 


Register Today! 

Physician Practice 

Compliance Conference 

October 1–3, 2006 

Renaissance Parc 55 Hotel 


SAVE $250 

Register by 

September 6 for a 

$50 early discount 

plus $200 

pre-conference 

for free! 

Hot Topics 

• The future of health care compliance as 

related to physicians 

• Current government initiatives in the 

field of health care compliance specific 

to physicians and group practices 

• Quality of care issues, training, and 

residency compliance issues 

• How the information acquired applies 

to their professional responsibilities 

For more information, visit www.hcca-info.org or call (888) 580-8373 



39

Investigations 101 ...continued from page 38 

Fifth, it minimizes any bias or preconceived 

notions that the investigator or person reporting 

the potential violations may have relative 

to the witness. Sixth, it helps the investigator 

evaluate credibility. And finally, it limits the 

witness’ ability to testify differently in a future 

legal proceeding. 

Evaluate credibility, bias, and motive 

Another important but often overlooked 

factor when conducting interviews is to assess 

witness credibility, motive, and bias—especially 

for those accused of and those reporting 

violations. Unfortunately, there are occasions 

when employees falsely report violations. 

For example, a chronically poor-performing 

employee, who knows he is about to be 

terminated, may accuse his manager of billing 

improprieties to try and suggest that the 

expected discipline is retaliatory. 

A key to evaluating witness testimony, if possible, 

is for the investigator to interview each 

witness in person to observe demeanor, facial 

expressions, and body language. However, 

depending on an organization’s size, structure, 

and geography, this may be impractical. If 

face-to-face interviews are not possible, the 

compliance officer should consider having an 

HR representative or another management 

member accompany the employee during a 

phone interview and assist in assessing these 

crucial elements. In general, it may be a good 

idea to perform all compliance investigations 

jointly with an HR representative or another 

management member. 

Always maintain composure 

Compliance officers should prepare for the 

unexpected—indignant employees who refuse 

to answer questions, emotional outbursts, 

the cathartic admission, the “I can’t remember 

anything,” and the “yes/no” responder. 

However, no matter how rude, evasive, or indignant 

an employee may be, always maintain 

composure and treat employees with dignity 

and respect. If an employee threatens physical 

harm, the compliance officer should terminate 

the interview and immediately contact 

HR or Corporate Security. Additionally, avoid 

making rash comments or decisions based on 

emotion. In some cases, employees who know 

the organization has solid evidence against 

them may behave offensively to trigger an irrational 

response. By maintaining composure 

and control during all interviews, Compliance 

officers will eliminate an employee’s potential 

claim that the organization acted arbitrarily, 

improperly, or unfairly. 

Always interview those accused 

On occasion, the compliance officer may 

receive credible information that appears 

to conclusively prove that an employee has 

violated a compliance policy. For example, a 

well-respected employee with an impeccable 

record discovers and turns over documents 

prepared by a chronically poor-performing 

employee that appear to be incontrovertible 

evidence of a compliance violation. Based 

on the information source and the alleged 

author’s reputation, a compliance officer’s 

initial reaction may be to contact the HR department 

and the employee’s manager to set 

up a termination meeting. Although termination 

may be likely in this example, failing to 

interview the employee is a mistake. 

Unless compelling reasons are present (e.g., 

threats of physical violence), compliance 

officers should always interview those accused 

of violations to obtain their side of the story. 

Strategy may dictate when to perform the 

interview—some prefer to interview the 

accused first, others as the last interview. My 

preference is to interview those accused last, 

as my experience has been that I am better 

prepared to ask relevant questions if I already 

have a general understanding of the issues and 

circumstances. It also is advisable to inform 

those accused that follow-up questioning may 

be necessary. 

Interviewing those accused of violations is a 

matter of fundamental fairness and probably 

consistent with most organization’s values. In 

some cases, it is quite possible that the employee 

may provide a legitimate explanation Others 

may admit to the allegations or offer such a 

poor excuse that the disciplinary action originally 

contemplated will be more than justified. 

Likewise, failing to interview the accused can 

undermine the Compliance Department’s 

credibility and can perpetuate negative perceptions 

about the investigative process. Finally, 

this omission may ultimately help an otherwise 

poor performer establish a discrimination 

or retaliation claim against the organization. 

The employee will “spin” the facts and suggest 

that the organization deviated from standard 

practice and “rushed to judgment” to “prevent 

the real truth from being told.” 

Take detailed notes 

Compliance officers must take detailed notes 

of each interview, as they ultimately are 

responsible for justifying the actions or inactions 

taken relative to the investigation. Additionally, 

all facts are important and should 

be captured—oftentimes, facts that initially 

appear to be unimportant turn out to be key 

pieces of evidence. Finally, because the issues 

under investigation may become the subject 

of future legal proceedings, compliance officers 

should avoid hyperbole, inflammatory 

or derogatory statements, and defamatory 

characterizations of employees. 

Review pertinent documentation 

Most investigations require some document 

review (e.g., computer records, training 

acknowledgements, billing invoices, patient 

records, physician orders). It is imperative 

to review these records, as they are the best 

evidence of whether a violation has occurred. 


40 


They also are extremely credible and have no 

bias or improper motive. Finally, records are 

invaluable in helping establish timelines and 

event chronologies. 

Consider employee suspensions pending 

investigation 

Some allegations may warrant removing 

employees from the work site pending the 

investigation’s completion. A typical example 

involves the threat of continuing harm to the 

organization if immediate action is not taken 

to remove a problem employee. 

Prior to suspending an employee, the compliance 

officer should consult with the Legal 

or HR departments for guidance on the 

suspension and whether it should be with or 

without pay. In many cases, state laws and 

the employee’s job classification—exempt 

versus nonexempt—may impact this decision. 

Conservative organizations generally suspend 

accused employees with pay because it affords 

the presumption of innocence and also protects 

those exonerated of wrongdoing. It also 

undermines any argument that the company 

“rushed to judgment” or acted arbitrarily. 

Concluding the investigation 

Compliance officers frequently ask how they 

will know when they have thoroughly investigated 

a matter. Although each investigation 

is different, I often answer this question by 

having compliance officers imagine that they 

have been chosen as a juror to hear evidence 

related to the incident they will be investigating. 

As a hypothetical juror, I ask them to 

assume that as a result of their investigation, 

they will confirm a compliance violation has 

occurred, that the company will terminate 

those responsible, and additionally, a regulatory 

agency will pursue sanctions against the 

company for the compliance infractions. 

As a juror hearing evidence on whether the 

organization acted reasonably under the 

circumstances, what evidence and information 

would they need to reach a verdict? Who 

would they expect to testify at the trial? What 

expectations would they have of the organization? 

What expectations would they have of 

the terminated employees? Also, what actions 

would they have expected the organization 

to have taken before, during, and after the 

incident in question? Chances are, these questions 

and answers probably mirror the questions 

and answers compliance officers need to 

obtain during their investigation. And, when 

asked and answered, the investigation likely 

is finished. 

Determining appropriate remedial actions. 

Upon concluding all interviews and evidence 

gathering, the final step is to evaluate the evidence 

and implement any necessary remedial 

measures. Compliance officers should remember 

that remedial measures involve more than 

employee discipline. They include anything a 

reasonable organization would do to remedy 

and prevent violations. For example, such 

actions may include employee re-education, 

auditing, modifying business practices, making 

refunds, and identifying and eliminating 

root causes. 

In many ways, determining remedial actions 

for compliance infractions is analogous to 

completing a jigsaw puzzle. In a perfect 

world, all evidentiary “pieces” will be present 

to complete the “picture.” In these circumstances, 

appropriate remedial measures are 

easy to determine. 

Unfortunately, there are many occasions 

when the investigation is missing one or 

more key pieces and a complete picture is 

not attainable. In these cases, the organization 

still may be obligated to take corrective 

actions depending on the pieces present and 

the picture assembled. What is important 

to remember, especially when determining 

employee discipline, is that violations do not 

have to be proven beyond a reasonable doubt. 

The standard is one of reasonableness and 

whether or not it is likely that a violation occurred. 

Therefore, if it appears that a violation 

likely occurred, the compliance officer should 

work with management to ensure remedial 

measures are taken proportionate to the 

evidentiary findings and consistent with past 

precedent. 

Conclusion 

In today’s regulatory environment, it is crucial 

for health care providers to quickly investigate 

and remediate confirmed compliance 

infractions. In doing so, these organizations 

will fulfill key elements of the FSGs as well 

as strengthen and enhance the credibility of 

their own compliance programs. n 

1.) United States Sentencing Commission (USSC), Guidelines Manual, 

Chapter 8 – Sentencing of Organizations. 

2.) USSC Guidelines Manual, Chapter 8, B2.1(b) (4) – (6). 

3.) OIG Model Compliance Plan for Clinical Laboratories, 62 Fed. Reg. 

9435, March 3, 1997. See also, OIG Compliance Program Guidance for 

Hospitals, 63 Fed. Reg. 8987, February 23, 1998. 

4.) This article presumes the compliance officer is not an attorney. 

Call for Authors 

Interested in submitting an article for 

publication in Compliance Today? 

Send an email to Margaret Dragon 

margaret.dragon@hcca-info.org. 

IMPORTANT: HCCB awards 2 CEUs to 

authors of articles published in Compliance 

Today for CHC certification. 

Upcoming Deadlines: 

• September 11 - November Issue 

• October 12 - December Issue 

• November 1 - January 2007 Issue 

• December 1 - February 2007 Issue 

Thank you for your time and attention. 

We look forward to hearing from you and 

reading your articles. 



41


42 


FYI ...continued from page 22 

Sterritt denied any impropriety in a letter 

to Gov. Jon S. Corzine, in which he said 

he was resigning immediately.” For more: 

http://www.newsday.com/news/local/wire/ 

newjersey/ny-bc-nj--umdnj-trusteeresi- 

0729jul29,0,3946144.story?coll=ny-region-apnewjersey 

Massachusetts PT Pleads Guilty to Health 

Care Fraud 

On July 22, Medical News Today reported 

“A physical therapist pleaded guilty earlier 

this week in federal court to a charge of 

health care fraud in connection with her causing 

Medicare to be billed for at least $55,000 

worth of physical therapy she either did not 

provide or provided incompletely to patients. 

“United States Attorney Michael J. Sullivan 

and Joseph C. Moraski, Special Agent in 

Charge of the Department of Health and 

Human Services, Office of the Inspector 

General for New England, announced that 

Ho Ling Lai, age 38, of Framingham, Massachusetts, 

pleaded guilty on Tuesday, July 18, 

2006 before U.S. District Judge Reginald C. 

Lindsay to a one-count Information charging 

her with knowingly and willfully committing 

health care fraud.” For more: http://www. 

medicalnewstoday.com/medicalnews. 

php?newsid=47876 

Massachusetts Man and His Three 

Companies Charged with Fraud 

According to a July 28 report in the Metro 

West Daily News “A Westborough, Massachusetts 

resident and three companies that 

he owned were charged yesterday with federal 

health care fraud. 

“James Taylor, 67, over-billed Medicare and 

Blue Cross/Blue Shield for equipment, according 

to the U.S. attorney’s office. In some 

cases, according to a statement from the U.S. 

attorney, he charged for respiratory equipment 

that was never delivered. 

“The three companies that Taylor owned— 

Vejay Oxygen, Inc., West Suburban Medical 

Rental, Inc., and Westborough Home Health, 

Inc.—allegedly defrauded Medicare and Massachusetts 

Blue Cross/Blue Shield of more 

than $915,000 from 1993 to 2003. 

“Taylor could face a maximum 10 years in 

prison and a fine up to $250,000. Each of 

the Westborough-based companies could face 

fines of up to 1.6 times the loss to Medicare 

and Blue Cross/Blue Shield.” For more: 

http://www.metrowestdailynews.com/local- 

Regional/view.bg?articleid=136578 n 

& 

Present 

IMPROVING GOVERNANCE PRACTICES 

Audit 

& 


Committee 

Academy 

September 20 - 22, 2006 

Orlando World Center Marriott Resort | Orlando, FL 



43

The Health Care Compliance Association 

welcomes the following new members and 

organizations. Please update any contact 

information using the Member Center on 

the Web site, or e-mail Karrie Hakenson 

(karrie.hakenson@hcca-info.org) with 

changes or corrections. 

California (continued from August) 

■ Andrea F. Jones, Kaiser Permanente 

■ Deborah A. Jones, RN, Oroville Hospital 

■ William A. Keeler, LCWS, Solano Co 

Mental Hlth 

■ Gail L. Kent, Providence Health System 

■ Linda Kenworthy, Salus Surgical Group 

■ Waynna A. Kershner, CalOptima 

■ Dennis Kikuno, Torrance Memorial Med 

Ctr 

■ Kevin Kirby, Central Health Plan of CA 

■ Rebecca La Londe, Kaiser Permanente 

■ Francis J. LaPallo, Manatt, Phelps & Phillips, 

LLP 

■ Lori Laratro, Kaiser Permanente 

■ Diane B. Liepins, RN,BSN,MMIS, Kaiser 

Permanente 

■ Kevin N. Lillywhite, Central Health Plan 

of CA 

■ Eunice Little, RHIA, CHC, UCSF 

■ Donna V. Lupinacci, MSN, NVA, Kaiser 

Permanente 

■ David A. Mack, Lodi Memorial Hospital 

■ Lauren K. Mack, Sonnenschein Nath & 

Rosenthal 

■ Christina MacKenzie, Kaiser Permanente 

■ Luanne Magee, Saint John's Hlth Ctr 

■ Janet Marcus, Sinaiko Hlthcare Consulting, 

Inc 

■ Danielle M. Martin, Kaiser Permanente 

-CSC-SD 

■ Nina H. Maruyama, On Lok Senior 

Health Services 

■ Chantel Masengale, Merced County 

■ Sandra L. McCreary, Kaiser Permanente 

Hosp 

■ Dianne McNeal, Kaiser Permanente 

■ Ed A. Meyer, Marshall Medical Center 

■ Jennifer F. Miller, NHIS, RHIA, Loma 

Linda Univ Hlth Care 

■ Carole Morris, UCDHS COMPLIANCE 

■ Susan Morris, Kaiser Permanente 

■ Catherine A. Nichol, Titan Health Corporation 

■ Richard A. Nielsen, VNA & Hospice of 

Southern CA, Inc 

■ Corinna Nyquist, BSN, Indian Health 

Council, Inc 

■ Tonya Okon, BA-HSA, CHP, Loma Linda 

Univ Med Ctr 

■ Eva Osur, Kaiser Permanente 

■ Tracie Paiva, Kaiser Permanente 

■ Janet Parnell, El Dorado County Public 

Health 

■ Rebecca Partridge, Stanford Medical 

Center 

■ Annette Pereira, Kaiser Permanente 

■ Alex M. Perez, MS, MHA, Kaiser Permanente 

■ Diane Premeau, EMQ Children & Family 

Svcs 

■ Keith Pugliese, Brown & Toland Medical 

Group 

■ Kathryn S. Pyke, JD, Stanford Hosp & 

Clinics 

■ Alejandra Quintana-Clyde, Health Net 

■ Dede Ramsey, Kaiser Permanente 

■ Mary Ritner, Kaiser Foundation Hospital 

■ Cheryl G. Robinson, Kaiser Permanente 

■ Carol Roccuzzo, The Children's Health 

Council 

■ Liz Rothberg, Kaiser Permanente 

■ Mark P. Ruppert, Cedars-Sinai Health 

System 

■ Kenneth Schell, Kaiser Foundation Health 

Plan 

■ Hester Scherman, Kaiser Permanente 

■ Melissa A. Schlichting, Karshmer & Associates 

■ Joseph Schohl, DaVita Inc 

■ Susan Sekada, RN, Aptium Oncology, Inc 

■ Nancy Sheftel, Tarzana Hospital 

■ Rebecca Siddiqui, County of Orange/Auditor-Controller 

■ Niraj Singh, Kaiser Permanente 

■ Melinda Skeath, Kaiser Permanente 

■ Roger Skinner, Kaiser Permanente 

■ LeeAnn Skorohod, Exodus Recovery, Inc. 

■ Charles Steen, Catholic Healthcare West 

■ Bonnie L. Studler, CPC, Pacific Alliance 

Medical Ctr 

■ Joan Taylor, St. Jude Medical Center 

■ Robyn Todd, Davis Wright Tremaine LLP 

■ Jerry J. Trammel, Kaiser Foundation Hlth 

Plan Inc 

■ David L. Trotter, Temple Community 

Hospital 

■ Debora A. Turner, BS, San Antonio Community 

Hosp 

■ Fred Ung, S. CA Permanente Med Group 

■ Rita D. Vandervall, MedAmerica 

■ Richard S. Vasquez, Kaiser Foundation 

Health Plan 

■ Antionette M. Velasquez, Planned Parenthood 

LA 

■ Emmaly Vielhauer 

■ Leslie Waudby, Kaiser Permanente 

■ Jim Weber, MBA, UCLA Medical Center 

■ Matthew Werner, Pacific Medical 

■ Gerald Gregory Williams 

■ Debrah D. Wonder, RN, MS, CPHQ, 

Kaiser Permanente Hospital 

■ Lynette Wong, Kaiser Permanente 

■ Cheryl Wyborny, Kaiser Permanente 

■ Robert Yeargin, HSD Sutter County 

Colorado 

■ Linda Burch-Pierce, Kaiser Permanente 

■ Patricia Callin, CPA, Kaiser Permanente 

■ Joanne P. Davidson, Presbyterian/St Luke's 

Med Ctr 

■ Catharine Fischer, Centura Health 

■ Peggy Givens, Percision Practive Advisors 

■ J Christopher Heidrich, RIA/Invision 

■ Jerry Johnson, Hanger P & O 

■ Susan E. Maly, Kaiser Permanente 

■ Jasmine Martin, Genentech, Inc 


44 


■ William Munson, North Colorado Medical 

Center 

■ Albert P. Schwindt, Copic Insurance 

Company 

Conneticut 

■ Mary Ann Alberino, 

■ Erin K. Callahan, JD, Bayer HealthCare, LLC 

■ Debra Carney 

■ Margaret DeMeo, RN, UCONN Health 

Center 

■ Jeffrey M. Greenman, JD, Bayer Health- 

Care, LLC 

■ Susan Hostage, Gaylord Hospital 

■ Virginia S. Pack, BS, MSN, U of CT 

Health Center 

■ Lowell Peterson, Charter Oak Health 

Center, Inc 

■ Deborah Schmidt, Haven Healthcare of 

Soundview 

■ Sandra Tackitt, Bayer HealthCare, LLC 

■ Debora M. Welch, JD, Bayer HealthCare, 

LLC 

Washington, DC 

■ Eric Baim, Sonnenschein Nath & Rosenthal 

■ Saundra Brown-Savoy 

■ Emilie Deady, Peace Corps 

■ Virginia Evans, KPMG, LLP 

■ Adam Falk, JD, MPH, George Washington 

Univ 

■ Ramy Fayed, Sonnenschein Nath & 

Rosenthal 

■ Rebecca C. Fayed, Epstein Becker & Green 

■ Mark Fitzgerald, J.D., Powers, Pyles, Sutter,& 

Verville PC 

■ Wendy L. Krasner, Manatt, Phelps & Phillips, 

LLP 

■ Kirk Ogrosky, JD, Skadden, Arps, Slate, 

Mayher & Florn, LLP 

■ Deborah A. Randall, JD, Esq, Arent Fox 

PLLC 

■ Michael F. Ruggio, Manatt, Phelps & 

Phillips, LLP 

Florida 

■ Lance Bradley, JD, MPA, Shands Healthcare 

■ Yvonne Brinson, University of Florida 

■ Shannon Buckner, CMS 

■ Susan Burgess, JD, CPC, Univ Community 

Health 

■ Jean Butler, BCBS of Florida 

■ Robert P. Cleary MBA,CHC, Health Care 

Compliance Partners 

■ Jeffrey L. Cohen, Strawn, Monaghan & 

Cohen, P.A. 

■ Julie Ann Dewey, HCPCS, Inc 

■ Susan L. Evans, Sarasota Memorial Hospital 

■ Silvia C. Fajardo, DoctorCare, Inc 

■ Barbara Diane Farb, JD, University of Fl 

■ Jennifer Ferrer, Ruden McClosky 

■ Mary Fisher, CCA, Aptium Oncology, Inc 

■ Guillermina Gomez, Orlando Regional 

Healthcare 

■ Rose M. Gomez, Access Diabetic Supply, 

LLC 

■ Susan Griffin, Citrus Health Care 

■ Marta G. Hernandez, CHC, RHIT, 

Mount Sinai Medical Center 

■ Lea Isea, Sheridan Healthcorp 

■ Kristy M. Johnson, CHC, Carlton Fields, 

PA 

■ Gary Keilty, Navigant Consulting, Inc 

■ Stephanie Keith, Orlando Regional 


■ Val Kight, Jr., Mayo Clinic Jacksonville 

■ Justin Kuperberg, Leavitt Mgmt Group 

■ Juliet Labossiere, BSHM, Pediatrix Medical 

Group 

■ Bruce Lamb, Ruden,McClosky,Smith,Sc 

huster 

■ John T. Mackin, Jr., AIRC, Universal 

American Financial Corp 

■ Becky McIntire, NS, Aptium Oncology, 

Inc 

■ Al Meyer, Leavitt Mgmt Group 

■ Karen Morrison, Brain & Spine Center ,LLC 

■ Michelle Onisawa, Physician Independent 

Mngt Svcs Inc 


■ Maria Panyi, CISA, Mt. Sinai Medical Ctr 

■ Shonta Peterson, Dept of VA 

■ Beverly Pitts, Family Medical & Dental 

Centers 

■ Ishwar Ramsingh, Univ of Miami 

■ Lou Ann Ray, Healthpoint Mgmt Services 

■ Stephanie S. Reid, Health First, Inc 

■ Sandra Rivera, South Florida ENT Associates 

■ Thomas Safko, JD, Clark & Daughtrey 

■ Diana Salinas, Jackson Health Systems 

■ Ron Samuelian, Northwest Florida Surgery 

Ctr 

■ Tracy Schmidt, NationsHealth 

■ David M. Shapiro, MD, CHC, 

■ Karen Soehner, Family Senior Care 

■ Robin L. Supler, Nova Southeastern 

University 

■ Donna Vincent, RN, JD, Bay Medical 

Center 

■ Mark Weber, Jr., Orlando Regional 


■ Thomas G. Wilson, BCBS of Florida 

■ Teresa Wong, LLB, LLM, America's 

Health Choice 

Georgia 

■ Jo Ellen Abigando, RN, West GA Health 

System Inc 

■ Christine Adams, Medical College of 

Georgia 

■ Rebecca Bodie, Beverly Enterprises 

■ Jason E. Bring, Arnall Golden Gregory 

LLP 

■ Doreen Carter, St. Josephs/Candler Hlth 

Sys 

■ Donna Crouse, Hanger P & O 

■ Sara M. DeKutowski, Visiting Nurse/Hospice 

Atlanta 

■ Margaret F. Fay, Clinical Research Facilitators 

■ Raquel Gayle, JD, Powell Goldstein 

■ Mitchell Goodman, National Vision, Inc. 

■ Randy D. Graham, FTI Consulting 

■ Jorge J. Hernandez, Northside Hospital 


45

Research 


Conference 


Caesars Palace 

Las Vegas, NV 

Conference Sponsors 

BNA’s Medical Research Law & Policy Report 

Conference Supporters 

Clinical Research Compliance Manual: 

An Administrative Guide 

Health Law and Compliance Update 

Journal of Health Care Compliance 

Medical Ethics: Policies, Protocols, 

Guidelines & Programs 


Brochure is available online 

46For more information Health visit Care www.hcca-info.org, Compliance Association call •(888) 888-580-8373 580-8373, • www.hcca-info.org 

or fax 952-988-0146

® 

SMART2.o : 

bringing HIM people 

and HIM technology 

together.* 

On one side, it’s a technology solution. On the other, a service 

solution. SMART2.o is more than a software tool, it’s a technology 

solution designed to help you continuously assess coding 

accuracy and data quality as an important part of your hospital’s 

compliance program. 

SMART2.o 

For more than 15 years, we’ve worked with HIM professionals 

providing affordable tools and services that help them with coding 

accuracy, regulatory compliance, data management and reports 

to monitor PPS requirements. 

So, whether you look at your hospital’s compliance program from 

a technology perspective or a service perspective, SMART2.o is 

a very smart, very budget-friendly way to work. 

To start an in-depth conversation about your particular needs, 

contact Doug Barry at 866-792-4920 or visit pwc.com/healthcare 

*connectedthinking 

© 2005 PricewaterhouseCoopers LLP. All rights reserved. "PricewaterhouseCoopers" refers to PricewaterhouseCoopers LLP (a Delaware limited liability partnership) or, as 


the context requires, other member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity. *connectedthinking 

and SMART2.o are trademarks Health of PricewaterhouseCoopers Care Compliance LLP Association (US). • 888-580-8373 • www.hcca-info.org 

47

HCCA Presents Its Fall 

2006 Conference Calendar 

For complete details go to HCCA 

Web Site: www.hcca-info.org 

HCCA has a number of National Specialty, Academies, and Local Area Conferences planned for this Fall. 

Please check this listing below. Local Area Conferences are offered by HCCA to provide inexpensive compliance education 

and local networking opportunities for compliance officers and their staff. You will find conference details on the 

HCCA Web site www.hcca-info.org, or you may call HCCA at 888/580-8373 with questions. 

National Specialty Conferences and 

Compliance Academies 

Medicare Part D Compliance Conference 


Renaissance Harborplace Hotel 

Baltimore, MD 

Research Compliance Conference 


Caesars Palace 

Las Vegas, NV 

Audit & Compliance Committee Academy 


Orlando World Center Marriott Resort 

Orlando, FL 

AHLA/HCCA Fraud & Compliance Forum 


Renaissance Harborplace Hotel 

Baltimore, MD 

Physician Group Practice Compliance 

Conference 

October 1–3, 2006 

Renaissance Parc 55 Hotel 


Advanced Compliance Academy 

October 23–26, 2006 

Harrah’s Las Vegas 

Las Vegas, NV 

Compliance Academy 

November 6–9, 2006 

Portofino Bay Hotel 

Orlando, FL 

Local Area Conferences 

New England Area Compliance Conference 

Boston, MA 

September 8, 2006 

Upper Midwest Area Compliance Conference 



Mid Atlantic Area Compliance Conference 


Pittsburgh, PA 

North Central Area Compliance Conference 

October 6, 2006 

Chicago, IL 

Hawaii Area Compliance Conference 

October 19–20, 2006 

Honolulu, HI 

Tri-State Area Compliance Conference 

November 3, 2006 

Louisville, KY 

South Central Area Compliance Conference 

November 10, 2006 

Nashville, TN 


48

JO - Health Care Compliance Association

Create successful ePaper yourself

Delete template?

Save as template?