BP - Health Care Compliance Association

Volume Eleven
Number Three
March 2009
Published Monthly
Meet
Bill Parke
Vice President
Corporate Compliance
Rutherford Hospital
page 14
HCCA is going green
HCCA conference attendees will NOT automatically
receive conference binders. If you would like to purchase
conference binders, please choose that option on your
conference registration form. Attendees will receive
electronic access to course materials prior to the conference
as well as a CD onsite with all the conference materials.
Earn CEU Credit
w w w.h c ca-i n f o.org/quiz, see page 13
Unauthorized access
to protected health
information: Educating
the workforce
page 10
Feature Focus:
Executive
compensation in
troubled times
page 32

What’s Your Ethical Climate?
Organizational climates change as
organizations grow and evolve. So, how can
you ensure attitudes and behaviors remain
consistent with core values? Look to Global
Compliance, the single provider offering a
comprehensive framework to protect your
organization from financial, legal, and
reputational harm.
• Ethics and compliance risk
assessment
• Code of conduct
• Communication campaigns
• Online, computer-based, and
instructor-led training
• Hotlines/Helplines
• Case management
• Investigations
• Data analytics
• Mystery shopping
• Ethics and compliance evaluations
• Employee exit interviews
Contact the ethics and compliance leader
that is already serving over one-half of
America’s Fortune 100 and one-third of
America’s Fortune 1000 along with colleges,
universities, and government entities. And,
we’re proud to claim greater than 450
health care organizations as clients.
With 27 years of experience and the most
comprehensive product and service offering
in the industry, Global Compliance can
help you develop and maintain an ethical
climate that’s appealing to employees,
patients, and stakeholders.
Making the world a better workplace TM
13950 Ballantyne Corporate Place • Charlotte, NC, USA 28277
866-434-7009 • contactus@globalcompliance.com
www.globalcompliance.com
© 2008 Global Compliance. All Rights Reserved.

Publisher:
Health Care Compliance Association, 888-580-8373
Executive Editor:
Roy Snell, CEO, roy.snell@hcca-info.org
Contributing Editor:
Gabriel Imperato, JD, CHC, 888-580-8373
Managing Editor/Articles and Advertisements:
Margaret R. Dragon, 781-593-4924, margaret.dragon@hcca-info.org
Communications Editor:
Patricia Mees, CHC, CCEP, 888-580-8373, patricia.mees@hcca-info.org
Layout:
Gary DeVaan, 888-580-8373, gary.devaan@hcca-info.org
HCCA Officers:
Rory Jaffe, MD, MBA, CHC
HCCA President
Executive Director, California Hospital
Patient Safety Organization (CHPSO)
Julene Brown, RN, MSN, BSN, CHC, CPC
HCCA 1st Vice President
Compliance Officer
MeritCare Health System
Jennifer O’Brien, JD, CHC
HCCA 2nd Vice President
Shareholder
Halleland Lewis Nilan & Johnson PA
Urton Anderson, PhD, CCEP
HCCA Treasurer
Chair, Department of Accounting and
Clark W. Thompson Jr. Professor in
Accounting Education
McCombs School of Business
University of Texas
Gabriel Imperato, Esq, CHC
HCCA Secretary
Managing Partner
Broad and Cassel
Shawn Y. DeGroot, CHC-F, CCEP
Non-Officer Board Member of
Executive Committee
Vice President Of Corporate Responsibility
Regional Health
Steven Ortquist, JD, CHC-F, CCEP, CHRC
HCCA Immediate Past President
Partner
Meade & Roach
CEO/Executive Director:
Roy Snell, CHC, CCEP
Health Care Compliance Association
Counsel:
Keith Halleland, Esq.
Halleland Lewis Nilan & Johnson PA
Board of Directors:
Marti Arvin, JD, CHC-F, CPC, CCEP, CHRC
Privacy Officer
University of Louisville
Angelique P. Dorsey, JD, CHRC
Research Compliance Director
MedStar Health
Dave Heller
Chief Ethics & Compliance Officer
Qwest Communications
Joseph Murphy, JD, CCEP
Co-Founder Integrity Interactive
Co-Editor ethikos
Karen A. Murray, MBA, FACHE, CHC, CHA
Corporate Compliance Officer
Yale New Haven Hospital
F. Lisa Murtha, JD, CHC
Managing Director
Huron Consulting Group
Daniel Roach, Esq.
Vice President Compliance and Audit
Catholic Healthcare West
Frank Sheeder, JD, CCEP
Partner
Jones Day
Debbie Troklus, CHC-F, CCEP, CHRC
Assistant Vice President
for Health Affairs/Compliance
University of Louisville
Sheryl Vacca, CHC-F, CCEP, CHRC
Senior Vice President/Chief Compliance
and Audit Officer
University of California
Greg Warner, CHC
Director for Compliance
Mayo Clinic
Compliance Today (CT) (ISSN 1523-8466) is published by the Health Care Compliance
Association (HCCA), 6500 Barrie Road, Suite 250, Minneapolis, MN 55435. Subscription
rate is $295 a year for nonmembers. Periodicals postage-paid at Minneapolis, MN
55435. Postmaster: Send address changes to Compliance Today, 6500 Barrie Road,
Suite 250, Minneapolis, MN 55435. Copyright 2009 Health Care Compliance Association.
All rights reserved. Printed in the USA. Except where specifically encouraged, no part of this
publication may be reproduced, in any form or by any means without prior written consent
of the HCCA. For subscription information and advertising rates, call Margaret Dragon
at 781-593-4924. Send press releases to M. Dragon, PO Box 197, Nahant, MA 01908.
Opinions expressed are not those of this publication or the HCCA. Mention of products and
services does not constitute endorsement. Neither the HCCA nor CT is engaged in rendering
legal or other professional services. If such assistance is needed, readers should consult
professional counsel or other professional advisors for specific legal or ethical questions.
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
INSIDE
4 New developments in payment and public reporting
of quality of care By Janice Anderson, Cheryl Wagonhurst,
and Anil Shankar
Penalties and incentives are steps toward pay for performance
in Medicare reimbursements.
10 CEU: Unauthorized access to protected health
information: Educating the workforce By Mark C. Rogers
Best practices to implement now to prevent fines, civil
lawsuits, and adverse publicity later.
14 Meet Bill Parke, Vice President, Corporate Compliance,
Rutherford Hospital An interview by Greg Warner
18 Letter from the CEO By Roy Snell
Ethics works if everybody is ethical
21 RAC demonstrations and inpatient rehabilitation—
Vision of things to come? By Jane Snecinski
Documenting “medical necessity” is key to avoiding RAC
denial of payment for inpatient rehab facilities.
25 Ask Leadership By John Falcetano
Red Flag identity theft rules
27 Newly Certified CHCs
28 Physician office compliance—Are you monitoring your
auditing and monitoring program? By Melissa Morales
Opportunities to identify needed changes and corrective
actions may be hiding just out of sight.
32 CEU: Feature focus: Executive compensation in troubled
times—Part 1 By Gerald M. Griffith
Economic pressures, increased transparency, fiduciary duties,
and stakeholder interests make compensation decisions more
than a numbers game.
38 Compliance 101: I just received a subpoena - Now
what? By Andrea Ebreck and Karen Cincione
State and federal privacy laws affect the appropriate response to
requests for protected health information.
40 Go Local
42 Standing at the crossroads By Michael Spake
Combining rules-based compliance with ethical and moral
decisions to form an integrated operations model for excellence.
46 Cyber Doctors By Sonya Burtner
Electronic communications facilitate telemedicine, but also
raise legal and compliance issues.
51 Mandatory Stark reporting: Is a denouement nigh, or
just another chapter in the saga?
By Edwin Rauzi and Lisa Hayward
CMS wants 400 hospitals to respond to its request for information.
53 CEU: Charge Description Master compliance
assessments By Joel W. Lipin
Tips for assessing the accuracy of your CDM.
55 Increased government oversight of managed care
plans— Are you ready? By Steven E. Skwara
Governmental requirements for detecting, investigating,
and reporting fraud and abuse by “downstream” entities.
61 New HCCA Members
3
March 2009

Affinity Group
Meetings
Hold your own
meeting in conjunction
with HCCA’s 2009
Compliance Institute!
Planning on attending the
Compliance Institute? Need to
hold a meeting of your own?
Affinity group meetings are now
available in conjunction with the
Compliance Institute.
Not only do you get the benefit
of holding your meeting alongside
the most comprehensive
compliance conference for
compliance professionals, but
you also receive complimentary
meeting room space at the
conference site, your choice of
a complimentary continental
breakfast or an a m or pm
break, and registration at the
HCCA Member rate for your
attendees.
Affinity Group Meetings may be
held on one of the following days:
Saturday, April 25, 2009
Wednesday, April 29,
2009 (afternoon)
Thursday, April 30, 2009
To apply, please visit
www.compliance-institute.org
(conference tab) and fill out the
Affinity Group Meeting form.
Please return the completed
form to the HCCA office.
Questions? Contact
Jodi Erickson Hernandez at
952.405.7926 or email her at
jodi.ericksonhernandez
@hcca-info.org
New developments in
payment and public
reporting of quality of
care
By Janice Anderson, Cheryl Wagonhurst, and Anil Shankar
Editor’s note: Janice A. Anderson is a partner
in Foley and Lardner, LLP in Chicago. She is a
member of the Health Care Industry Team with
25 years’ experience focusing on health regulatory
and compliance issues and over 30 years’
experience working in the health care industry.
She may be contacted by e-mail at janderson@
foley.com or by phone at 312/832-4500.
Cheryl L. Wagonhurst is a partner with the Los
Angeles office of Foley & Lardner LLP and a
member of the firm’s Health Care Industry Team
and White Collar Defense & Corporate Compliance
Practice. Ms. Wagonhurst is a former member
of the board of directors of the Health Care
Compliance Association and currently serves on
the advisory board of the Society of Corporate
Compliance and Ethics. She may be reached by
telephone at 213/972-4681 and by e-mail at
CWagonhurst@Foley.com.
Anil Shankar is an associate with Foley &
Lardner LLP in Los Angeles, California, and is a
member of the firm’s Health Care Industry Team.
He may be reached by phone at 213/972-4584
or by e-mail at ashankar@foley.com.
The long-term plan of Congress
and the Center for Medicare and
Medicaid Services (CMS) to tie
health care reimbursement to the quality
of health care services has been well-documented.
CMS recently issued final rules that
extend quality initiatives beyond inpatient
hospitals to health care professionals and hospital
outpatient departments. Authorized by
the Medicare Improvements for Patients and
Providers Act of 2008 (MIPPA), CMS has
now created incentive programs that affect
the reimbursement of certain healthcare
professionals and outpatient departments of
hospitals.
As a result of changes authorized by MIPPA
and implemented through the 2009 Physician
Fee Schedule Final Rule (PFS Final Rule),
physicians and other eligible professionals
may earn a 2% bonus for the reporting of
quality data specified by the Secretary of the
Department of Health and Human Services
(Secretary-HHS), and a separate 2% bonus
for successfully transitioning to an electronic
prescription system. The 2009 Outpatient
Prospective Payment System Final Rule
(OPPS Final Rule) implements a similar
quality data reporting incentive that applies
to hospital outpatient departments. The
OPPS Final Rule authorizes a 2% payment
reduction for outpatient departments that fail
to meet certain outpatient reporting requirements
during FY 2009. Finally, three recently
published National Coverage Determinations
from CMS will make certain “never events”
non-covered services.
The onset of “pay for reporting” incentives
can affect the pocketbook of professionals and
entities which treat Medicare patients, but
the incentives are also significant as a signal
of CMS’ continued commitment to tying
payment to the quality of services provided.
The long-term move toward a “pay for quality”
system (called a “value based purchasing
plan” by CMS) has been implemented
March 2009
4
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

incrementally, and CMS has made clear that
the programs discussed below are intended
as steps toward that goal. Many of the pay
for reporting initiatives began as voluntary
programs, designed to familiarize providers
with the process of reporting and allow CMS
to receive data on quality issues around the
country. Under the new incentive programs,
reporting remains voluntary, but there are
now significant financial implications for
reporting quality data. CMS makes clear that
future programs may make reporting mandatory,
and that payment may be tied to how
well a provider performs on reported quality
measures, rather than just on reporting.
Physician Quality Reporting Initiative
The Physician Quality Reporting Initiative
(PQRI) began with the passage of the
Tax Relief and Health Care Act of 2006
(TRHCA), which directed the Secretary-
HHS to implement a system for certain
healthcare professionals to report data on
selected quality measures. 1 Reporting began
in July 2007. (Previously, physician’s could
choose to participate in a Physician Voluntary
Reporting Program.) Reports were not
mandatory, but submission of the data in
accordance with prescribed standards generated
a bonus payment of 1.5% of the amount
paid to the eligible professional for covered
professional services during the reporting
period. In July, 2008, MIPPA extended
PQRI indefinitely and raised the bonus for
years 2009 and 2010 to 2%. 2 The eligible
professionals who can submit PQRI and
receive the reporting bonus include certain
midlevel practitioners, physicians, occupational
therapists, qualified speech-language
pathologists, and (starting in 2009) qualified
audiologists. 3
The importance of PQRI for physicians
and other eligible professionals should not
be underestimated. CMS has made clear
that “pay for reporting” programs are a step
toward a “pay for performance” or “pay
for quality” reimbursement model (called
a “value-based purchasing plan” by CMS).
MIPPA directs the Secretary-HHS to submit
to Congress a plan for the transition to
pay for performance (P4P) with regard to
physicians and other practitioners by May
1, 2010. 4 On November 26, 2008, CMS
presented an issues paper which outlines
the initial framework for such a plan, and
conducted a day-long listening session to
discuss the anticipated transition. 5
The incremental movement toward P4P
mirrors the approach taken with regard to
hospitals. The Deficit Reduction Act of 2005
(DRA) established a 2% penalty for hospitals
(referred to as subsection (d) hospitals) 6
that fail to report quality data, and directed
the Secretary-HHS to develop a plan for
implementing P4P for these hospitals for
2009. 7 That plan was submitted to Congress
in November of 2007, but legislation has
not yet been enacted in response. Subsection
(d) hospitals are hospitals in the 50 States,
Washington DC, and Puerto Rico, except for
psychiatric hospitals, rehabilitation hospitals,
hospitals whose inpatients are predominantly
under 18 years old, and hospitals whose
average inpatient length of stay exceeds 25
days. A current bill drafted by Senator Baucus
(D-Montana) and Senator Grassley (R-Iowa)
would implement P4P for subsection (d)
hospitals starting in 2012, and phase in
over a five year period until 2016. 8 Similar
legislation, or an expansion of the current bill,
which extends P4P to physicians and other
healthcare professionals should be anticipated.
The ability to measure the quality of health
care services accurately and efficiently is at
the heart of CMS’ vision of a value-based
purchasing plan. When PQRI was first
implemented in 2007, the data tracked 74
quality measures. The PFS Final Rule expands
PQRI to include 153 quality measures for
2009, up from 119 measures in 2008, but less
than the 175 measures originally proposed by
CMS. MIPPA requires the Secretary-HHS
to ensure that the affected professionals have
an opportunity to provide input during the
development or selection of quality measures,
and CMS has invited comments on the measures
both for PQRI and for the anticipated
transition to P4P.
The 2009 quality measures include the
2008 PQRI measures plus certain measures
endorsed by the National Quality Forum
(NQF) and/or the AQA (formerly the Ambulatory
Care Quality Alliance). The 2009
PQRI program also divides certain measures
into seven measure groups, which are subsets
of PQRI measures that have a particular clinical
condition or focus in common. Details
regarding the specific measures and measure
groups included in PQRI for 2009 can be
found at www.cms.hhs.gov/pqri. Technical
specifications for reporting the measures and
measure groups in the 2009 final listing can
be found in the “Measures/Codes” tab of the
PQRI section of CMS’ website.
In addition to the quality measures which can
be reported, the PFS Final Rule contains the
criteria for submission which must be met to
qualify for the incentive payment. In the past,
reporting has encountered numerous hiccups.
CMS data reveal that in 2007, just over half
of those who participated successfully met
the program and reporting requirements
and received the reporting bonus. 9 In
addition, many participants had difficulty
accessing the confidential feedback reports
CMS provided. These reports contained
information as to whether the participant
had met the criteria for satisfactory reporting,
the amount of the incentive earned, and
Continued on page 7
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
5
March 2009

AUTOMATE YOUR COMPLIANCE AND RISK MANAGEMENT PROGRAM
•
Enforce Consistency
Cost
Streamline Processes
•
Mitigate Risk
•
•
Reduce
Policy Management
Contract Management
Remediation Projects
Enterprise Risk Management
Incident Management & Reporting
Audit Management
Regulation Management
Surveys
Liability
Where Compliance Comes Full Circle
•
• Increase Productivity
Decrease
•
Drive Accountability
Enhance Compliance Visibility
•
Contact us today to view a free demo.
Compliance 360 assists Healthcare Organizations comply with:
CMS
OIG’s Annual Work Plan
US Sentencing Commission Guidelines
Stark Law
Medicare Part D
HIPAA
Integrity Agreements
March 2009
6
www.compliance360.com
678.992.0262

New developments in payment and public reporting of quality of care ...continued from page 5
their measure performance rates. CMS has
worked to streamline the process and educate
eligible professionals about how to meet the
requirements and is seeking ways to make
accessing the feedback reports easier, but
these difficulties emphasize the importance
of becoming familiar with the system prior to
the anticipated transition to a P4P reimbursement
scheme.
Eligible professionals have several options
available for reporting the data and qualifying
for the 2% bonus. The options differ
based on whether the professional chooses a
claims-based or registry-based approach and
whether the reporting pertains to individual
measures or measure groups. The options
available for claims-based submission of
individual measures are the most restrictive.
Registry-based reporting permits a physician
to report through an authorized outside
organization, such as certain trade associations.
Registry-based submission using several
different options is permitted and, for 2008
PQRI, there are 32 registries qualified to
submit quality measures on behalf of eligible
professionals. The PFS Final Rule sets forth
the process that registries must go through
in order to be qualified to submit data for
eligible professionals for the 2009 PQRI
program. There are six options available to a
professional reporting on measure groups.
CMS does not, at this time, accept quality
data through electronic health record (EHR)
submission; however, it intends to test EHR
vendors and their products during 2009 to
determine if EHR reporting can be used
in the future. If EHR vendors meet CMS’
qualifications to participate in the PQRI testing
process, their systems can submit quality
measure data to CMS for PQRI on behalf of
eligible professionals who use the systems.
In addition, MIPPA directs CMS to publicly
report the names of eligible professionals who
satisfactorily report quality data for 2009. 10
This marks a significant departure from the
PQRI programs of 2007 and 2008, and is
another of CMS’ strategies for improving the
quality of health care services. The names of
successful reporters will be posted in 2010 on
a “Physician and Other Health Care Professional
Compare” website. 11 Although the
individual quality data will not be posted, the
PFS Final Rule responded to comments about
publishing the data and stated that CMS’
goal was to “eventually make performance
information available.” 12 The public posting
of successful reporters should be regarded as
the first step toward this process, and will lead
to a website for physicians and other eligible
professionals comparable to http://hospitalcompare.hhs.gov.
E-Prescribing incentive program
MIPPA and the PFS Final Rule also enact
a separate incentive payment program for
health care professionals who transmit a
majority of their prescriptions electronically
(e-prescribe). As with PQRI, the e-prescription
incentive program is the next step in
a long-term plan to improve the quality
of care in the United States. Congress, in
response to findings that e-prescription
could prevent a significant number of
medical errors, enacted a law in 2003 to help
develop the infrastructure for its wider use. 13
The law made drug plans’ acceptance of
e-prescriptions a requirement for participation
in the part D prescription drug benefit
under Medicare, beginning in 2006, and
CMS proclaimed the measure to be “one
of the key action items in the government’s
plan to expedite the adoption of electronic
medical records and build a national
electronic health information infrastructure
in the United States.” 14 MIPPA takes the
next step toward greater use of e-prescribing
by creating significant financial incentives
for physicians and other professionals who
qualify as successful e-prescribers.
Under MIPPA, a successful e-prescriber is an
eligible professional who, for a given reporting
period, reports all the quality measures
specified by the Secretary-HHS that relate to
e-prescribing in at least 50% of the instances
in which the measure could be reported by
the professional. However, the PFS Final
Rule included only one quality measure to
be reported in the e-prescribing program,
which relates to the capacity for and use of
e-prescribing measures. In 2008, this quality
measure was included in the PQRI, but was
removed by MIPPA and made part of the
separate e-prescribing incentive program for
2009. Although there is only one measure for
the 2009 reporting period, CMS has said that
it intends to consider the use of additional
prescribing events as the basis of the incentive
payment in future years. 15
The reporting of e-prescription occurs through
Medicare billing codes. To report one of the
available codes for e-prescriptions, professionals
must have a qualified e-prescribing
system in place, and must have: (1) used it
for all the prescriptions; (2) not generated any
prescriptions during the encounter; or (3)
been prevented from using the system by law,
request of the patient, or the inability of the
pharmacy system to receive e-prescriptions.
CMS compares reported e-prescribing billing
codes against the events reported to determine
whether the professional qualifies as a successful
e-prescriber. 16 Professionals have discretion
in choosing the system they wish to use for
e-prescribing; however, the system chosen
must have the functionality established by the
Medicare Part D e-prescribing standards. 17
The financial incentives authorized by MIPPA
take two forms. Starting in 2009, successful
Continued on page 9
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
7
March 2009

March 2009
8
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

New developments in payment and public reporting of quality of care ...continued from page 7
e-prescribers will receive an incentive
payment. The bonus begins at 2% for years
2009 and 2010, but decreases in subsequent
years and is eliminated entirely by 2014.
The payment is separate from the incentive
payments made under the PQRI, meaning
eligible professionals could receive incentive
payments of up to 4% in 2009. Second,
beginning in 2012, a payment differential
takes effect which penalizes prescribers
by 1% if they do not qualify as successful
e-prescribers. The amount of this differential
increases in subsequent years to a maximum
reduction of 2% by 2014. Thus, eligible professionals
are offered incentives to transition
to e-prescribing in the short-term, but these
incentives steadily transition into penalties
for failure to adopt and use an e-prescribing
system in the future.
The definition of “eligible professionals” for
the e-prescribing initiative is the same as for
the PQRI, and includes physicians as well as
physician assistants (PAs), nurse practitioners
(NPs), clinical psychologists, registered
dietitians, physical therapists, and qualified
audiologists. However, eligibility is restricted
to only those professionals who have prescribing
authority, which may vary from state to
state for certain types of practitioners, based
on the scope of their practice. Moreover,
to qualify for the incentive, the reported
code for e-prescribing must constitute at
least 10% of the professional’s total Part B
allowed charges. This limitation was enacted
by Congress so that only those physicians
or other eligible professionals who have the
opportunity to prescribe a sufficient number
of prescriptions can receive the incentive.
CMS will publish the names of successful
electronic prescribers for the 2009 E-Prescribing
Incentive Program on the Physician and
Other Health Care Professional Compare
Website (http://www.medicare.gov/Physician/
Home.asp?bhcp=1). This means that both
successful PQRI reporters and successful
electronic prescribers now will be publicly
reported by 2010.
Hospital outpatient quality data reporting
program
The OPPS Final Rule, released November 18,
2008, implements another incentive program
designed to encourage reporting quality
data. 18 The rule expands upon existing
hospital reporting requirements for outpatient
services and implements the Hospital
Outpatient Quality Data Reporting Program
(HOP QDRP), which reduces hospital
outpatient payment rates by up to 2% if the
hospital fails to meet the outpatient reporting
requirements.
HOP QRDP was authorized by the Tax
Relief and Healthcare Act (TRCHA) in 2006,
to begin operating in 2009. 19 The 2008
OPPS Final Rule established seven quality
measures relating to outpatient services,
which were to be reported beginning in
April, 2008. 20 Five of these measures apply
to emergency departments and relate to acute
myocardial infarction treatment, and two
relate to outpatient surgery and the prevention
of surgical infection. This year’s OPPS
Final Rule adds four new quality measures for
FY 2009, focused on MRI of lumbar spine,
mammography, abdominal CT, and thoracic
CT. The adequate reporting of these measures
will be used to determine if a hospital should
be subject to the 2% reduction for FY 2010.
The OPPS Final Rule also lists 18 different
measures in nine measure sets from which
additional quality measures could be selected
for inclusion in HOP QDRP for FY 2011
and beyond.
The OPPS Final Rule explains the manner by
which CMS will apply the 2% reduction in
OPPS payment rates if a hospital fails to meet
reporting requirements under HOP QDRP.
The national unadjusted payment rates for
many services paid under OPPS equal the
product of the OPPS conversion factor and
the scaled relative weight for the ambulatory
payment classification (APC) to which the
service is assigned. The OPPS conversion
factor is updated annually, and CMS proposes
to apply the 2% reduction to the conversion
factor for purposes of implementing the
HOP QDRP payment adjustment. This
means that the payment reduction for failing
to report under HOP QDRP will only apply
to those OPPS services which are adjusted
annually based on the conversion factor. For
CY 2009, the reduction would be determined
by multiplying the full national unadjusted
payment rate for the applicable CPT code by
0.981.
Like the “Reporting Hospital Quality Data
Annual Payment Update” program, CMS
intends that reporting under HOP QDRP
will be made public and has stated that the
data will be posted to the CMS website by
2010. Hospitals will have an opportunity to
review the data prior to publication. CMS is
exploring whether Hospital Compare or other
sites might be used for reporting of hospital
outpatient quality data.
Health care-associated conditions and
“never” events
Part of the value-based purchasing program
already implemented by CMS has been a
denial of payment for certain conditions considered
to be preventable. In October 2008,
CMS implemented its Hospital-Acquired
Condition payment penalty to further that
initiative. 21 Applicable to inpatient services
only, the penalty denies any additional DRG
payment for certain preventable complications
that were not present on admission.
Examples of hospital-acquired conditions
Continued on page 52
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
9
March 2009

Unauthorized access
to protected health
information: Educating
the workforce
By Mark C. Rogers, Esq.
Editor’s note: Mark C. Rogers is a member of the more likely to encounter this problem in the
Health Care and Corporate Practice Groups at context of a workforce member inappropriately
accessing the medical record of either
The Rogers Law Firm (www.therogerslawfirm.
com) in Boston, Massachusetts. He is also a a co-worker or a family member or friend.
member of the firm’s Consulting Division (www. Beyond the consequences to the workforce
trcgsolutions.com). Mark is Co-Editor of The member who commits the violation, the
Boston Health Law Reporter and is an adjunct health care entity also faces exposure to fines,
faculty member at New England School of Law, civil lawsuits, and adverse publicity. This
where he teaches Health Law. Mr. Rogers may be article looks at the issue of unauthorized
reached by e-mail at mrogers@therogerslawfirm. access to PHI by workforce members and
com or by telephone at 617/723-1100, ext. 229. what health care entities can do to address
this growing problem.
Health care entities have come a long
way in terms of health information
privacy since the enactment Over the last two years, there has been an
Increasing number of incidents
of the HIPAA [Health Insurance Portability increase in the number of workers within
and Accountability Act] Privacy and Security health care entities who inappropriately
Rules. The overwhelming majority of health access, and in some cases disclose, the PHI
care entities have worked to create a culture of celebrities. Britney Spears, Maria Shriver,
of commitment to protecting the health and George Clooney are just a few of the
information of their patients. Nevertheless, celebrities who have reportedly had their
despite this commitment to privacy, health PHI inappropriately accessed in a health care
care entities continue to face violations of the entity setting. 1 Recently, Richard Collier, an
HIPAA Privacy and Security Rules by members
of their workforce--including physicians, League’s Jacksonville Jaguars, had his PHI
offensive tackle with the National Football
nurses, technicians, aides, administrative inappropriately accessed while he was recovering
from surgery at a Jacksonville, Florida
assistants, managers, and executives. One of
the more common of these violations, and hospital. According to reports of the media,
certainly one of the most well-publicized, is twenty hospital employees accessed Collier’s
online medical file using the hospital’s
unauthorized access to protected health information
(PHI). In layman’s terms: looking at computer system. 2
other people’s medical records when there is
no legitimate reason to be doing so.
Perhaps the most well-best known incident
of a celebrity’s PHI being inappropriately
Although there are well-publicized incidents accessed is that of Hollywood actress, Farrah
of this occurring with the medical records Fawcett. In February of 2008, Lawanda
of celebrities, a health care entity is much Jackson, a former administrative specialist for
the UCLA Health System, was indicted by a
federal grand jury for illegally accessing the
PHI of Fawcett and selling it to the National
Enquirer for $4,600. Jackson faces up to
ten years in prison if she is convicted. It is
also possible the National Enquirer could be
charged as a result of the ongoing investigation
by the U.S. Attorney’s Office. 3 The
indictment of Lawanda Jackson was the result
of an investigation by the State of California
into unauthorized access to PHI within
the UCLA Health System. The investigation
showed that in addition to celebrities,
workforce members had inappropriately
accessed the PHI of over 1,000 other patients
since 2003. 4
The problem with unauthorized access to
PHI is, of course, not unique to the UCLA
Health System. Health care entities across
the country face this problem on an ongoing
basis. For the most part, unauthorized access
to PHI within a health care entity is most
likely to occur in the context of a workforce
member inappropriately accessing the PHI
of a fellow co-worker, friend, neighbor, or
relative who was a patient at the facility.
Potential consequences
The unauthorized access of PHI by a workforce
member of a health care entity presents
a liability exposure to both the workforce
member and the entity. The workforce member
faces:
n Disciplinary action by the covered entity,
from a verbal warning to termination of
employment. If the individual is a member
of the health care entity’s medical staff, he/
she also faces disciplinary action under the
entity’s Medical Staff Bylaws.
n A potential civil lawsuit from the individual
whose PHI is the subject of the
unauthorized access. Depending upon the
circumstances of the underlying incident,
this can include such claims as invasion
March 2009
10
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

of privacy and infliction of emotional
distress.
n Criminal fines and/or penalties under
both state and federal laws. An individual
who knowingly obtains or discloses PHI in
violation of HIPAA faces a fine of $50,000
and up to one year in prison. The criminal
penalties increase to $100,000 and up
to five years in prison if the wrongful
conduct includes false pretenses, and up
to $250,000 and ten years in prison if the
wrongful conduct includes the intent to
sell, transport, or use individually identifiable
health information for commercial
advantage, personal gain, or malicious
harm. 5 In addition, the workforce member
likely will face state criminal charges as
there have been a number of states that
have recently strengthened their criminal
laws pertaining to the privacy of personal
information.
The health care entity also faces a significant
potential liability exposure as a result of a
workforce member’s unauthorized access to
PHI. First, the entity faces an investigation
by both the Office for Civil Rights (OCR) of
the United States Department of Health and
Human Services (HHS) which is the agency
that enforces the HIPAA Privacy Rule, and
the Centers for Medicare and Medicaid Services
(CMS) which is the agency that enforces
the HIPAA Security Rule. Such investigations
could lead to a potential fine of $100 per
failure to comply with each HIPAA Privacy or
Security Rule requirement. 6 Second, as with
a workforce member, the entity also faces a
lawsuit from the individual whose PHI is the
subject of the unauthorized access. The lawsuit
would likely include claims of negligence,
negligent supervision and negligent infliction
of emotional distress. Third, the entity faces
civil fines and penalties under state law.
Finally, workforce members’ unauthorized
access to PHI can result in adverse publicity
for the entity which has the potential to affect
patient volume and in turn, revenues.
All of this leads to the question as to how it is
that incidents of unauthorized access to PHI
are discovered. Certainly, audits performed by
the entity which are mandated by the HIPAA
Security Rule are a source of these discoveries.
7 However, it is more likely that the audits
are simply confirming what is already a
rumor within the halls of the entity. Just as
some may argue that it is human nature for
a workforce member to “snoop” into another
individual’s medical record, it is also human
nature for that workforce member to discuss
the contents of the medical record with others
within the entity. This “water-cooler effect”
necessitates that an entity undertake an
investigation to determine whether there was
indeed an incident of unauthorized access to
PHI. A covered entity must mitigate, to the
extent practicable, any harmful effect it learns
was caused by the use or disclosure of PHI
by its workforce in violation of the HIPAA
Privacy Rule. 8 If an entity has confirmed
through an investigation that an incident
of unauthorized access to PHI occurred, an
often overlooked provision of the HIPAA
Privacy Rule requires the entity to list the
incident and the name of the workforce
member who committed the violation
on the patient’s accounting of disclosures
maintained by the entity. 9 Thus, by reviewing
the accounting of disclosures, the patient will
know who accessed their PHI and under what
circumstances.
Addressing the problem
Even with the continued advancement of
health information technology, it is unlikely
that health care entities will ever be able to
eradicate the problem of unauthorized access
to PHI by members of their workforce. The
temptation by certain individuals to view the
PHI of others will, on occasion, overcome
the compliance efforts by health care entities.
Nevertheless, the response by health care
entities to this inevitable truth cannot be
to ignore the problem. To do so creates a
significant potential liability exposure in
an environment of increasing compliance
enforcement. The Office of Inspector General
of HHS recently criticized CMS for its failure
to oversee and enforce the HIPAA Security
Rule. 10 Such a public rebuke is likely to spur
an increase in HIPAA enforcement by both
CMS and OCR. Therefore, now is the time
for health care entities to address the issue of
unauthorized access to PHI by members of
their workforce.
Preventive measures
The first step for a health care entity to effectively
address the problem of unauthorized
access to PHI is to undertake an assessment of
its current HIPAA Privacy and Security policies
and procedures. At the time the HIPAA
Privacy and Security Rules became effective,
many health care entities rushed to promulgate
the required policies and procedures to
meet the government-imposed deadlines. In
doing so, they created the potential for generating
inaccurate or inappropriate policies and
procedures. Furthermore, the assessment and
evaluation of a health care entity’s HIPAA
Privacy and Security policies and procedures
presents an opportunity to incorporate the
best practices that have developed over the
last several years with respect to HIPAA
compliance. This includes best practices for
detecting and preventing unauthorized access
to PHI by a health care entity’s workforce
members.
This, in turn, leads to the second step a
health care entity should undertake to effectively
address the problem of unauthorized
access to PHI by members of its workforce
-- adoption of best practices. Obviously, a
Continued on page 13
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
11
March 2009

Enhance Quality of Care and Reimbursement Processing with:
A Compelling Case for Clinical
This one kit offers a handbook, strategy guide and
training system to improve your organization’s
clinical documentation quality.
A Compelling Case for Clinical Documentation introduces the CAMP Method for
Clinical Documentation Training – scientifically proven to substantially improve clinical
documentation quality. Nominated for the Best Theory to Practice Award by the Academy
of Management, this kit offers the most comprehensive guide on clinical documentation
training every published. The kit includes:
3 a two-volume strategy guide:
1. Use Clinical Documentation to Achieve Strategic
Alignment With Your Medical Staff
2. Use the CAMP Method to Improve Clinical
Documentation Quality
3 the CAMP Method Overview training DVD
3 the training system resource CD
Documentation
What is CAMP Method Training?
Developed by Ruthann Russo, PhD, JD, MPH, RHIT, a lawyer with more than
20 years of experience consulting for health care organizations, the CAMP Method is
based on the established theories and practices of self-efficacy education. It relies on four
components to increase participant self-efficacy: Coaching, Asking, Mastering, and Peer learning.
The CAMP training system gives physicians the tools needed to consistently produce high quality clinical
documentation and the conviction needed to do so.
A Compelling Case for Clinical Documentation offers a complete, scientifically tested training system you
can put to work, starting today. You are provided with a DVD that overviews the CAMP training system, as well as a resource
CD with the precise training sequence and all the needed testing forms. For more information, visit www.hcca-info.org/books/.
Qty
Cost
________ HCCA Member Price ...$355 $ _________
________ Non-member Price........$395 $ _________
________ Join HCCA!...................$200 $ _________
Non-members, add $200 to join HCCA, and pay
member prices for your order (regular dues $295/year)
Bulk discounts available for HCCA members only. See
chart at left to figure cost. All purchases receive free FedEx
Ground shipping within continental U.S.
Please make your check payable to HCCA.
For more information, call 888-580-8373.
Mail check to: 6500 Barrie Road, Suite 250
Minneapolis, MN 55435
Fax order to: 952-988-0146
Total: $
Please type or print:
HCCA Member ID
First Name M.I. Last Name
Title
Organization
Street Address
City State Zip
Telephone
Fax
E-mail
My organization is tax exempt
Check enclosed
Invoice me PO #
Charge my credit card:
Mastercard VISA American Express
Account number
Expiration date
Cardholder’s name
Cardholder’s signature
Federal Tax ID: 23-2882664
Prices subject to change without notice. HCCA is required to
charge sales tax on purchases from Minnesota and Pennsylvania.
Please calculate this in the cost of your order. The required sales
tax in Pennsylvania is 7% and Minnesota is 6.5%.

Unauthorized access to protected health information: ...continued from page 11
health care entity needs to approach the issue
with a mindset that not all of the practices
are best suited for their entity. A health
care entity needs to go through the exercise
of what best practices work for them. The
following are just a handful of those best
practices which health care entities have
adopted in an attempt to detect and prevent
unauthorized access to PHI by members of
their workforce:
n Auditing, auditing, auditing: Health care
entities should enhance their auditing of
electronic health records to ensure that
members of their workforce are accessing
only those records to which access is appropriate.
Also, health care entities should
communicate this enhancement and auditing
to their workforce members.
n VIPs/Workforce members: Health care
entities should engage in targeted auditing of
the electronic health records of workforce
members and VIPs (celebrities, politicians,
sports figures, trustees, donors, etc.) to
assess for unauthorized access.
n Reminders: Health care entities should
consistently remind its workforce members
that they are prohibited under federal law
(and in some instances state law) from unauthorized
access to PHI. These reminders
should come in varying forms, including
e-mails and mailings to their departments,
offices, and homes. Also, it is worthwhile
to have the compliance and/or privacy officer
make these reminders in person (such
as at departmental meetings).
n Honeypots: Health care entities should
consider using “honeypots” —which is the
practice of creating a fictitious electronic
health record (oftentimes using the name
of a celebrity or VIP) and then monitoring
that electronic health record to see if it is
inappropriately accessed by a workforce
member. Honeypots can be used as a
general compliance tool or in instances
where there is a suspicion that a specific
workforce member or department is inappropriately
accessing electronic health
records.
n Disciplinary actions: Perhaps the best
method for a health care entity to demonstrate
to its workforce how serious it takes
the use of unauthorized access to PHI is to
take strong disciplinary action in response
to an incident. It is now common to
suspend or terminate a workforce member
who engages in this activity. A health
care entity can get the attention of its
workforce by publicizing these disciplinary
actions (without identifying the specific
workforce member involved).
The final and perhaps most important step
for a health care entity to take to effectively
address the issue of unauthorized access to
PHI is education. Health care entities need
to educate their workforce about this topic
and the consequences they face as individuals
as a result of engaging in this type of activity.
This education should take place at the time
the individual enters the entity’s workforce
(as part of a more comprehensive HIPAA
training program) and should be mandatory.
Continuing education programs should also
reinforce the importance of this issue and
should be mandatory. Again, it is critical that
workforce members be educated about the
potential consequences they face as a result of
unauthorized access to PHI.
Conclusion
Health care entities face a significant liability
exposure as a result of unauthorized access
to PHI by members of their workforce. The
most effective way for a health care entity to
address this serious problem is to undertake
(and follow through with) a comprehensive
assessment and education plan. Although it
is unlikely that a health care entity will be
able to completely eliminate incidents of
unauthorized access to PHI through such a
course of action, it will nevertheless serve to
minimize the entity’s liability exposure and
demonstrate its commitment to protecting
the health information of its patients. n
1 Orenstein, Charles, Ex-worker indicted in celebrity patient leaks, Los Angeles
Times (April 30, 2008); Orenstein, Charles, UCLA worker snooped
in Spears’ medical records, Los Angeles Times (March 15, 2008).
2 20 hospital workers fired for viewing Collier’s medical records, News-
4JAX.com (November 17, 2008).
3 Orenstein, Charles, Ex-worker indicted in celebrity patient leaks, Los
Angeles Times (April 30, 2008); United States of American v. Lawanda
Jackson, February 2008 Grand Jury Indictment.
4 AP News, Not-guilty plea in celebrity medical snooping case, (November
3, 2008).
5 42 U.S.C. § 1320d-6.
6 42 U.S.C. § 1320d-5.
7 45 C.F.R. § 164.312(b).
8 45 C.F.R. § 164.530(f).
9 45 C.F.R. 164.528.
10 Memorandum from Daniel R. Levinson, Inspector General of the
United States Department of Health and Human Services to Kerry
Weems, Acting Administrator of the Centers for Medicare and Medicaid
Services, regarding “Nationwide review of the Centers for Medicare and
Medicaid Services Health Insurance Portability and Accountability Act
of 1996 oversight” (A-04-07-05064) (October 27, 2008).
Be Sure to Get Your
CHC CEUs
The CEU quiz will no longer be mailed
with each issue of Compliance Today.
To take the quiz and obtain credit,
please go to www.hcca-info.org/quiz
and select a quiz. Fill in your contact
information and answer the questions.
Print the completed form and FAX or
MAIL it to Liz Hergert at HCCA.
Articles related to the quiz in this issue of
Compliance Today:
n Unauthorized access to protected
health information: Educating the
workforce — By Mark C. Rogers,
page 10
n Feature focus: Executive
compensation in troubled times—
Part 1 — By Gerald M. Griffith,
page 32
n Charge Description Master
compliance assessments —
By Joel W. Lipin, page 53
Questions? Please call Liz Hergert at
888/580-8373.
Please note that credit will be given only
for quizzes received before the expiration
date indicated on the quiz.
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
13
March 2009

feature article
Meet Bill Parke
Vice President, Corporate Compliance, Rutherford Hospital
March 2009
14
Editor’s note: This interview with Bill Parke
was conducted by Greg Warner, Director for
Compliance, Mayo Clinic and a member of the
HCCA Board of Directors. Greg may be reached
by telephone at 507/284-9029. Bill Parke may
be reached in North Carolina by telephone at
828/286-5360.
GW: I always find it interesting to learn
how others found their way into Compliance.
Would you share a little of your background
and how you ended up in Compliance?
BP: I came to the health care field later,
rather than sooner. I graduated with a degree
in Economics from SUNY Cortland and
spent several years trying my hand at a variety
of “opportunities” in other industries. At
the encouragement of a former professor, I
interviewed for a position in administration
at a small nursing home in rural Ohio. It was
there that I started what has proven to be a
very fulfilling career in health care administration.
After doing some coursework at Ohio
State University, I obtained my nursing home
administrator license and worked for several
years in the long-term care industry. Moving
to western North Carolina, I eventually
became the administrator of a hospital-based
nursing home run by Rutherford Hospital,
Inc. (RHI), a position I held for several years.
As often happens in smaller hospital
systems, you end up wearing more than one
hat and that was my experience; I ended up
being one of the corporate vice presidents
with additional operational responsibilities. In
1998, our then-CEO called me into his office
for a chat. He said that there was a new push
in the industry to establish something called
a compliance program. Our CFO had been
putting the program together, but now he had
been informed that having a CFO heading
up a compliance program was not going to be
viewed as “a good thing.” That’s when I was
asked to take over the task of getting a compliance
program up and running across the
various divisions of the hospital. He assured
me that this was a time-limited project—that
once the program was in place, it would pretty
much take care of itself. Ten years later, as the
Vice President of Corporate Compliance, I’m
still trying to figure out how to finish the job!
GW: Please describe the scope of your
compliance responsibilities and your
reporting process – both management and
programmatically.
BP: As Vice President of Corporate
Compliance, I have a dual reporting relationship
- as a member of senior management, I
report directly to our CEO and I also have
the authority to report directly to our Board
of Trustees. Along with my compliance
officer duties, I still have responsibilities over
a couple of support services departments. In
addition, I serve as our Privacy Officer and I
oversee our contract management program.
With the addition of a Compliance Assistant
last spring, our Compliance department
is now a two-person shop. It goes without
saying that I rely heavily on the efforts of the
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
other members of our senior management
team to make compliance work at RHI.
Having such a strong leadership team to
work with, a team that has truly taken the
compliance discipline to heart, has been an
amazing help to me. They carry a substantial
part of the responsibility for the day-to-day
maintenance of the compliance program, and
without their support and assistance, my job
would be impossible.
Early on, our senior management team
decided to emphasize the link between quality
issues and compliance, so we’ve had quality
elements as part of our annual Compliance
Work Plan for several years. That linkage was
carried over to our governing body as well.
The board formed a separate committee called
the Personnel, Compliance, and Quality
Committee (PCQ) to oversee those three
areas. This has proven to be one of the more

prescient steps we’ve taken. When the emphasis
on issues of quality intensified nationally,
we were already well positioned at the governance
level with a well-informed board committee
that was ready and able to manage their
increasing oversight responsibilities.
I’m fortunate to have the opportunity to
have significant levels of personal interaction
with our board. I am chairman of our
Compliance Committee and there is board
representation on that committee. I make
regular compliance reports to the PCQ
Committee every month, and I attend the
monthly board meetings, having scheduled
time on their agenda quarterly to discuss
compliance issues. Being allowed to have
this amount of face time with our board is
a reflection of just how committed they are
to having a compliance program that is well
grounded and effective. Whenever there is
something new to be implemented or there
is an evolving issue that RHI is confronting,
getting the board’s support early on goes a
long way to keeping things moving forward.
GW: I understand Rutherford Hospital
participated in the OIG Roundtable discussion
regarding dashboards and quality indicators.
Tell us a little about your journey to
developing your dashboard and how you and
your organization are using the information.
BP: One of the unintended consequences
of developing the PCQ reporting channel
was the increasing amount of data that was
being reported to that committee. When you
consider all the regulatory requirements that
have been added to the compliance umbrella
in the last several years, add on all the issues
related to quality and patient safety, and
then mix in personnel matters and physician
credentialing, the PCQ members ended up
in the proverbial position of “drinking from
a fire hose.” There is only so much information
that can be taken in, and we found that
the PCQ members were being overwhelmed
with data. Ultimately, some sort of filtering
process had to be put into place and that’s
where the dashboard came into play.
We had already developed a basic dashboard
format for tracking issues reported to our
Quality Management Committee, so that
model served as the starting point for what later
became our corporate dashboard. Our CFO has
been instrumental in championing this effort
over the last 18 months, and it has proven to be
a much more complex process than one would
imagine. Identifying what information should
be on the dashboard was just the tip of the
iceberg. We then had to identify what objective
comparative benchmarks would be used, what
reporting thresholds would be established,
what sources of data would be used, what the
reporting period intervals would be, who would
be responsible for compiling the data, how
would the accuracy of the data be ensured, how
would differing lag times in data availability
be handled, etc. But in the end, the dashboard
is serving its purpose; it is focusing the PCQ
member’s attention on not only our current
status on important issues, but it is also allowing
them to monitor trending over time – something
that is critical when making decisions on
the appropriate allocation of finite resources.
GW: Tell us about the resources you find
helpful for moving your program forward.
BP: During my years as a nursing home
administrator, I looked to national and state
professional associations as my primary
resources for information and education.
When I became a compliance officer in 1998,
the first thing I did was try to find a comparable
professional organization that I could
look to for help. That’s when I first became
aware of HCCA, and I’ve depended on them
ever since for resources that would help me be
successful in my new role. I still have a well
worn copy of The Health Care Compliance
Professional’s Manual sitting on my office shelf.
It served me well when I was just getting
Greg Warner
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
started and it served me well when I was preparing
for my CHC credential.
I‘ve attended at least one HCCA conference
every year since 1998 and they have provided
more than just food for thought. There is
a real and obvious value in hearing what
the leaders in our industry have to say
about properly building and maintaining a
compliance program. But to also hear directly
from leaders of regulatory and enforcement
agencies - to actually hear first hand their
thoughts, concerns, and ideas – has provided
just so much more value. The conferences also
serve as my “early warning system” when new
things are coming down the pipeline. RHI
has a history of being an early adopter and
that has proven to be true for our compliance
program as well – thanks in large part to the
contacts I’ve made through HCCA.
GW: How do you see Compliance
evolving? That is, will we continue to integrate
with Quality, Accreditation, Safety, etc.
or should we be more stand–alone?
BP: When I started in this field, Compliance
was truly only about coding and billing, and
there was enough regulatory risk there (and
still is) to go around. But now we all know
that it’s not just coding and billing that can
land your organization in the hot seat. A
groundskeeper improperly disposing of excess
Continued on page 16
15
March 2009

Meet Bill Parke ...continued from page 15
pesticides can get you into an awful lot of
difficulty, too. In an increasingly complex
regulatory environment, the Compliance discipline
we have honed over the years with its
metrics of clear standards – responsible leadership,
adequate training, internal controls,
reporting mechanisms, and corrective action
– are applicable across the entire enterprise.
Our philosophy is to make our compliance
program a resource for helping stakeholders
manage regulatory risk wherever it is found
– from EMTALA to disaster preparedness,
from HIPAA to wage and hour laws.
That doesn’t mean we “own” those operational
processes, only that we assist those
who do own them to manage them in a more
consistent manner. For example, in the last
couple years we found ourselves assisting in
matters related to governance. Specifically,
we helped our board incorporate certain
elements of Sarbanes Oxley into their committee
processes and we also helped establish
a rebuttable presumption process to protect
against excess benefit transactions. This year
we’ll be keeping up with the work being
done to comply with the new IRS Form 990
reporting requirements and, relatedly, assisting
in the refinement of the processes for the
gathering and compiling of information that
will be incorporated into our Community
Benefit program. Our assistance is pretty
much always the same, no matter what regulation
is at issue. We go back to those basic
compliance metrics and try to apply them
through the same model.
Personally, I think that Compliance will
soon become so common an expectation that
it will become essentially ubiquitous in all areas
of operations. I can envision a time when we
will no longer have discussions about what
operational process is – and what operational
process is not – included in “Compliance.”
The real discussion will be (1) What’s the
regulation? (2) How do we ensure an on-going
compliant process that meets the regulation?
and (3) How do we prove it? Much like Performance
Improvement, I think that Compliance
will ultimately be a built-in expectation.
GW: What areas of your compliance
responsibilities do you find particularly challenging
and/or rewarding?
BP: I see several emerging issues on the
horizon that are going to be challenging. I
am just now starting to sort through how to
identify my role in ensuring the integrity of
the data that RHI collects and presents to
others. In this day of reimbursements that
are linked to performance outcomes, etc.,
just how far down in the weeds should a
compliance officer go to validate the accuracy
of data being reported and to ensure that no
one has “tinkered” with it?
I also think that we’ll need to revisit data
privacy and security again soon. The electronic
world that we now live in is far different
from that of even 5 years ago. Because
potable devices and the Internet are now
pervasive everywhere in our lives (and perhaps
because we are now hiring a generation
of workers who literally grew up with them),
it is my perception that we have grown far
too casual in the use of emerging technologies.
Staff are going to need renewed privacy
and security training that has been updated
to the paradigm of smart phones, picture
phones, instant messaging, social networking,
etc. I find it inexplicable that the same staff
who would never share sensitive information
in the course of their job duties are having a
hard time seeing why it’s a problem putting
that same sensitive information on MySpace.
Likewise, our IT departments are going to
need a lot of support in painting bright–lines
as they move towards the goal of an interoperable
health record. I serve on a work group in
western North Carolina that is helping with
the development of a RHIO [Regional Health
Information Organization]. The potential
benefits are amazing, but ensuring that proper
internal controls are effectively deployed to keep
up with the rapid evolution of connectivity and
data-sharing regionally is a unique challenge.
But by far, the place where I find myself
spending the most time recently is in the area
of contracts. Like the rest of the country, our
area is experiencing a realignment of hospital
and local medical community. Through
employment and/or acquisition, RHI has
been changing the nature of our relationships
with several physicians/physician practices.
That has meant a lot of work to ensure that
every process step along the way was compliant.
Whether that step involved business
valuation, facility appraisal, pro forma development,
compensation modeling, or crafting
purchase or employment agreements, we had
a great deal of due diligence to complete.
GW: In your role as a mentor, what advice
would you give to a junior associate who is
interested in Compliance?
BP: As I said, I was fortunate to be
allowed to hire a Compliance Assistant this
year. Although she has health care experience,
none of it is in the compliance field. As we
talked about her interest in the position, I
gave her some things to think about as she
considered whether or not she wanted to
jump into Compliance as a career. First, be
patient and take it one piece at a time. There
is no way that anyone can absorb all there
is to know about health care compliance
without spending a good amount of time
in the field working and studying. No one
has it all under their belt – that is why peer
relationships are so important.
Second (and this may reflect my own
experiential bias), be willing to get out of the
office, walk around, and be visible. Get to
know health care operations whenever and
wherever you can; spend time in peoples’
work environment to get a better understanding
of what they are really dealing with.
Be curious and don’t be afraid to ask ques-
March 2009
16
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

tions anytime, anywhere.
Third, understand that when you have seen one compliance program you have
seen just that – one compliance program. The model that I helped put together,
though based on the OIG’s Model Guidance, is unique to RHI and may be absolutely
wrong for another organization. Guidance is just that, guidance. It’s the level
of commitment of the people working within that proven, general framework who
will ultimately make a compliance program rise or fall.
Fourth, understand that you have to work with and through other people in the
organization to get things done. The overwhelming majority of them want to do
their jobs correctly, so appreciate them and value their time and efforts accordingly.
And lastly, when push comes to shove (and it will), be willing to stand for
what is right, even when that stance is less than popular. A zeal for doing things
right, coupled with a thick skin and a measure of compassion, will go a long
way in making a successful compliance officer.
GW: In the slowing economy with health care entities needing to reduce
expenses, what are the best arguments we can make to our management to
preserve our Compliance budgets?
BP: Trying to quantify the financial benefit of a compliance program has
always been hard. How do you identify the cost of a violation that didn’t happen
because there was a mechanism in place that ensured that the process in question
was compliant? I don’t know. But I do know that it is extremely expensive when
things do go wrong. Conducting even an internal investigation is costly - much
more so when a third party has to be brought in to assist or advise. And the time
spent on such an investigation has an associated opportunity cost as well, i.e.
every hour spent investigating is an hour not spent on the training, monitoring,
etc. necessary to prevent the next problem from happening.
Maybe we should try to identify other ways that the compliance program can
be leveraged to help an organization. If you look around today, the demand for
accountability and transparency is coming from everywhere. I would think that
an effective compliance program may have added value to the organization in
meeting those demands. Perhaps using some of the metrics of the Compliance
discipline as a spring board for driving performance improvement efforts is
another way of demonstrating value. As I said earlier, Compliance is not going
away, but it may become something much more built-in.
GW: Bill, thanks for taking time to share these comments. What other
observations would you like to share with your HCCA member colleagues?
BP: I feel privileged to have been allowed to work in this field for the last 10
years and I’ve enjoyed seeing it grow and mature into a valued field of expertise.
I find it refreshing to see the new faces of a younger generation joining our
ranks. They are young professionals seeking careers in a field that, not so long
ago, didn’t even exist. That’s amazing. It’s an exciting time to be in health care,
I hope they think so too. Compliance is a fascinating field with new adventures
every day. It is the very best job there is. n
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
17
March 2009

Ethics works if everybody is
ethical
I have been in a constant battle with the entire universe about Compliance
vs. Ethics. I feel ethics is an outcome (there is at least one exception)
and compliance is a process that leads to ethical behavior. You
can’t talk about ethical behavior and achieve an ethical environment;
you must enforce it with the Seven Elements of Compliance. Please
send all your hate mail to Dan Roach at droach@chw.edu. He will
agree with you, he is on our Board, and he will beat me up personally.
If you want to get to me directly, e-mail me at roy.snell@hcca-info.org.
I will forward them all to Dan.
Let’s talk about the exception I know of. There may be more, but I
haven’t seen it. By looking at this exception, I think you will see how
rare it is. You will see how unrealistic it is. It’s extremely difficult
to duplicate. The exception is professional golfers. I am sure there
are a few exceptions, but these guys are maniacally honest. They call
penalties on themselves all the time. They can do it, because they all
do it. Everyone expects it. It is an ethical culture, because somebody
said it would be ethical and it worked. Everyone agreed and followed
through.
Let me give you the most amazing example. J.P. (John) Hayes was
playing in the PGA tour qualifier. Qualify and you play in most any
tournament you want the next year. If you don’t qualify, you can still
play in some tournaments but the financial difference is staggering.
J.P. played in the qualifier and, for two strokes, used a ball that was not
“approved.” He realized his mistake immediately and changed balls.
On the hole where he used the unapproved ball, he played badly, one
over par. A few days after the qualifier, he realized that there was a
rule stating that if you used an unapproved ball, even for one shot,
you were disqualified. He called the ball manufacture, who said the
ball would probably be approved but it was as he thought, not yet
approved.
No one saw him play it. No one would
ever know he played it. If he called and
turned himself in, it would make life very
difficult for him and his family. He did
not hesitate. He called and told the Professional
Golfers Association that he must
be disqualified. With a few exceptions, he
will not be playing on tour next year.
ROY sNELL
As a side note, almost all tournaments have a couple exemptions they
give out to anyone. They often give their few exemptions to someone
who will be a big draw, some young up-and-comer for example. J.P.
Hayes does not qualify as a draw, but those people better all give him
one of their exemptions or they will be hearing from me. I am sure
they are quaking in their boots.
Golfers are the real deal. J.P. Hayes exemplifies what we are all
fighting for in compliance and ethics. The number of exemptions J.P.
gets will be a great test of our society’s respect for integrity. Don’t hold
your breath. As I write this, two Minnesota Viking football players
have been suspended for the last four games of the season for using a
banned substance. The Vikings have a shot at winning the division.
The press has covered it more than the Hayes case. Lawyers are fighting
to block the suspensions. A judge has issued a stay. The players
union is spending hours defending these guys. Pardon my pessimism,
but I just don’t think that the average person really gives a crap about
Hayes. It was an interesting story for a while, but if you want to get
everyone’s attention, start talking about winning a football game. That
is why I think it is difficult to expect “ethics” to be enough or better
or more effective than compliance. People don’t do what you expect;
they do what you inspect. They don’t reward integrity; they reward
winning, productivity, the bottom line, glamour, etc.
When people tell me ethics is enough or better than compliance, I get
mad. Like everyone, I wish it were true. I wish it would work. But
if you look at the facts, such as there are few examples of cases where
it works, it is difficult to support the concept that ethics is enough.
Have I seen it work anywhere? Do I see constant examples where
the ethics video by the CEO and code of conduct are not enough? I
just don’t think that flailing away at variations of “do the right thing”
works in many environments. Can you tell me another example,
other than golf? I am sure there are a few companies. I can’t imagine
there are many. And, if you do find an ethical environment, there
is probably no tolerance for poor behavior. In other words, there are
Continued on page 24
March 2009
18
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

The Jones Day/HCCA iPod ® Nano Giveaway!
July 1, 2008 through June 30, 2009
Contribute a compliance-related document to the HCCA Compliance Library and you could
win an iPod Nano. Each month, the individual who submits the most documents to the library
receives one of 12 iPod Nanos! This Giveaway begins July 1, 2008 and ends June 30, 2009.
Log on to the HCCA web site (www.hcca-info.org) and go to “Communities” for more details
about the Jones Day/HCCA iPod Giveaway!
Share your ideas — contribute compliance-related documents to the HCCA Compliance
Library by emailing them to Caroline Lee Bivona at caroline.leebivona@hcca-info.org.
About Jones Day . . .
Jones Day’s Health Care Practice is an interdisciplinary practice team of legal counsel
aligned to facilitate the exchange of information and targeted knowledge about the health
care industry and the ever-changing health care regulations, to better meet our clients’
needs. Learn more about Jones Day at www.jonesday.com.
you can only win one iPod. hCCA/SCCe and Jones Day staff are not eligible for the giveaway.
2300 lawyers in 30 locations. www.jonesday.com

HCCA’s New Research Compliance Guide
Research Compliance
Professional’s Handbook
The Practical Guide to Building and Maintaining
a Clinical Research Compliance & Ethics Program
Clinical research is highly regulated,
so the role of compliance professionals
is vital to meeting the demands
of a wide range of governing entities.
HCCA’s new reference manual,
Research Compliance Professional’s
Handbook, offers comprehensive, upto-date
guidance to get you on the right
track. Written by experts with hands-on
experience in clinical research compliance,
this book is intended for anyone
with compliance duties or a need to
understand such key areas as:
Order Now
• human subject protections
• scientific misconduct
• conflicts of interest
• grant and trial accounting
• effort reporting
• privacy and security
• clinical trial billing
• records management
• data monitoring committees
• role of oversight entities
• auditing & monitoring
• integrating research compliance
into corporate compliance
Qty
Cost
HCCA Members ...................................$149.00
Non-members .....................................$169.00
Join HCCA! Non-members, add $200
and pay the member price for your order ................$200.00
(Regular dues $295/year)
Please type or print:
HCCA Member ID
First Name M.I. Last Name
Title
Organization
Street Address
City State Zip
Telephone
Fax
E-mail
Mail check to: 6500 Barrie Road, Suite 250
Minneapolis, MN 55435
Fax order to: 952-988-0146
Total: $
My organization is tax exempt
Check enclosed (payable to HCCA)
Invoice me PO #
Charge my: Mastercard VISA American Express
Credit Card Account Number
Credit Card Expiration Date
Cardholder’s name
Cardholder’s signature
Prices subject to change without notice. HCCA is required to charge sales
tax on purchases from Minnesota and Pennsylvania. Please calculate this
in the cost of your order. The required sales tax in Pennsylvania is 7% and
Minnesota is 6.5%. All purchases receive free FedEx Ground shipping
within continental U.S. (Federal Tax ID: 23-2882664)
6500 Barrie Road, Suite 250
Minneapolis, MN 55435
Phone 888-580-8373 | Fax 952-988-0146
www.hcca-info.org | info@hcca-info.org

RAC demonstrations
and inpatient
rehabilitation –
Vision of things to
come?
Editor’s note: Jane Snecinski is Principal at Noblis,
Center for Health Innovation, headquartered
in Falls Church, VA. Ms. Snecinski may be
reached by e-mail at jane.snecinski@noblis.org
for additional information.
The past two years have proven to be
very challenging for providers of rehabilitation
services—both inpatient and
outpatient. This article is one of two specifically
written to focus on the compliance issues
that have been brought into focus by the
Recovery Audit Contractors (RACs). These
issues have increased the financial risk for
providers of rehabilitation services. This article
specifically looks at the issues for providers of
inpatient rehabilitation services.
For providers of inpatient rehabilitation
programs, the change with the greatest public
awareness has been the increased focus on the
“75% Rule,” which has been modified in regulation
to have a 60% threshold; that is, 60% of the
patients admitted to an inpatient rehabilitation
program must have a diagnosis that is included
in a list identified in regulation. In addition to
having the diagnosis identified, the medical
record must support that the beneficiary has
received treatment for the identified diagnosis.
If the threshold is not maintained on an annual
basis, the organization stands the risk of losing
their Medicare rehabilitation provider status.
However, although the enforcement of the
By Jane Snecinski, FACHE
75% Rule has placed an increased focus
on the diagnoses of the patients admitted
to inpatient rehabilitation programs, the
work of the demonstration Recovery Audit
Contractors (RACs) has the potential to
have a staggering significant and immediate
financial impact on any provider of
inpatient rehabilitation programs/services.
The focus of these audits, primarily, has been
on “medical necessity,” as defined by federal
regulation, guidelines, and the Conditions
of Participation for inpatient rehabilitation.
Moreover, even though medical necessity is a
long-standing cornerstone of health care, the
review of medical necessity is relatively new
to the rehab market. This issue, it appears,
is even more important than a diagnosis
that is identified as compliant with the 75%
Rule, because if the admission to inpatient
rehabilitation is not deemed medically necessary,
then the admission is denied—even if
the patient has a “compliant” diagnosis.
As addressed in Section 306 of the Medicare
Prescription Drug Improvement and
Modernization Act of 2003, the RAC demonstration
project began in 2005 in Florida,
California, and New York. The RACs have
several objectives, but they are incentivized
to recoup reimbursement for the Medicare
program through denials of reimbursement
for services. Inpatient rehabilitation was
a primary focus of the RAC efforts in the
demonstration states, including California
and Florida. Although the plan was for CMS
to expand the RAC program to all states
within an established timeline, they have
accelerated their implementation plan, due
to the perceived success of the program. It
is anticipated that the RAC program will
be instituted in all states by 2009 (slightly
delayed from the original plan).
The mission of the RAC demonstration
project (announced January 11, 2005) was to
“reduce Medicare improper payments through
the efficient detection and collection of overpayments
and underpayments and the implementation
of actions that will prevent future
improper payments.” 1 Because the range of
providers that receive Medicare payment is so
broad, post acute providers, specifically providers
of inpatient and outpatient rehabilitation,
were reviewed by the RACs within the scope
of their contract. As with all Medicare providers,
improper payments in the post acute settings
can be received for three primary reasons:
n Services are provided and payment
received for services that have not been
deemed as ‘medically necessary’ for the
level of care in which they were provided;
n Codes/scores are submitted that result in
payment that may not be completely correct
or accurate, (e.g., inaccurate diagnostic
coding, inaccurate coding of functional
status, coding of diagnoses without documentation
of treatment); and
n The medical record/documentation does
not ‘tell the story’ and provide enough
support for the claim for which payment
has been received.
The understanding of these issues and integration
into the documentation of inpatient
rehabilitation, as well as proactive auditing and
associated corrective actions, will be critical to
surviving under the permanent RAC program.
Continued on page 22
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
21
March 2009

RAC demonstrations and inpatient rehabilitation – Vision of things to come? ...continued from page 21
The impact on inpatient rehabilitation
The RAC demonstration project resulted in the
identification of approximately $1.03 billion in
improper payments (actual figures vary slightly,
based on source). Of that amount, $59.7 million
or 6% of the total was identified from inpatient
rehabilitation providers. (These figures represent
the dollar amounts without adjustment for
successful appeal processes.) The efforts focusing
on inpatient rehabilitation providers did not take
place in all three RAC demonstration states, but
only in California. The most recent evaluation
of the demonstration project reports: “The RAC
demonstration had a limited financial impact
on most providers,” however this was clearly not
the case for the inpatient rehabilitation providers
in California. Moreover, even an informal
extrapolation to all of the 50 states will provide
the reader with the potential impact of these
denials on a larger scale.
The following table depicts the circumstances,
or noted errors that resulted in the improper
payments.
Table 1: Overpayments Collected by Error
and Provider Type 2
Error Type
Percent of Total
Medically Unnecessary 5.63
Incorrectly Coded 0.00
No/Insufficient Documentation
0.44
Other 0.00
Total 6.07
When considering the error type, it is clear
that the comprehensiveness and accuracy of
the documentation of the patient’s stay in an
inpatient rehabilitation program is a key factor
in the denial process; that is, the ability of the
medical record to “tell the story” and demonstrate,
without a doubt, that the patient required
an admission to an inpatient rehabilitation program
to care for their medical and rehabilitation
needs, and that the diagnoses identified were
treated during the hospital stay.
Medical necessity – What does that mean?
There is no standardized definition or interpretation
of ‘medical necessity,’ which leads to
confusion as to the necessary content of medical
record documentation and what to review
as part of a proactive audit. It is important to
keep in mind that inpatient rehabilitation beds
are licensed as acute care beds and certified
by Medicare as inpatient rehabilitation beds.
Therefore, it is important to document that the
patients have a medical condition(s) that, in
conjunction with their needs for an intensive,
inpatient rehabilitation program, require
admission to a licensed acute care bed that has
been certified by Medicare as a ‘rehabilitation
bed.’ If a patient does not exhibit the medical
need or does not need, cannot tolerate therapy,
or could make as much progress from another
level of care, then it is the perception of the
RAC that the patient could be admitted to
another level of care and medical necessity for
inpatient rehabilitation is not demonstrated.
When describing medical necessity for
inpatient rehabilitation, all sources refer
to the Medicare Beneficiary Manual, 3
Chapter 1, Section 110: Inpatient Stays for
Rehabilitation Care, and the Code of Federal
Regulations. 4 In the Medicare Beneficiary
Manual, the following caveats are provided:
n “The services must be reasonable and
necessary (in terms of efficacy, duration,
frequency and amount) for the treatment
of the patient’s condition; and
n It must be reasonable and necessary to
furnish the care on an inpatient hospital
basis, rather than in a less intensive facility
such as a SNF, on an outpatient basis.”
In order for the admission to be medically
necessary, patients admitted to an exempt
inpatient rehabilitation program must require
and receive care as described in Medicare
Beneficiary Manual, Chapter 1, Section
110. There are several components in the
chapter that note: if a particular component
in isolation was not provided, that, in and
of itself, would not be justification of denying
payment. However, although the RAC
identification of improper payment for
“medical necessity” did not identify specific
components of the referenced chapter as not
having been demonstrated, it stands to reason
that when documentation does not support
several of the components, medical necessity
may be questioned. The specific components
identified in this document are:
1. Preadmission screening
2. Admission orders
3. Inpatient assessment of individual’s status
and potential for rehabilitation
In addition to these issues, there are basic
Hospital Screening Criteria as identified in
the Code of Federal Regulations, Section 42:
1. Close medical supervision by a physician
with specialized training or experience in
rehabilitation;
2. Rehabilitation nursing;
3. Relatively intense level of rehabilitation
services;
4. Multi-disciplinary team approach to
delivery of program;
5. Coordinated program of care;
6. Realistic goals; and
7. Significant practical improvement.
What is interesting to note is that although
most inpatient rehabilitation providers are
knowledgeable about these conditions, they
have not internalized them into practice
within their delivery of care. Therefore, the
documentation of the patient’s care is unlikely
to focus on the issues to demonstrate the
medical necessity as described in the Manual
chapter. It is this situation that places an inpatient
rehabilitation provider at risk under the
March 2009
22
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

RAC program. The documentation of these
conditions, then, is integral to a successful
proactive audit of inpatient rehabilitation.
Proactive auditing in preparation for the RACs
A proactive RAC audit should be conducted
by individuals who have clinical knowledge
of multiple levels of post acute care as well as
the regulations, Medicare Beneficiary Manual,
and Hospital Screening Criteria for inpatient
rehabilitation, so it can be determined if the
medical record supports the admission of
the patient to inpatient rehabilitation versus
any other level of care. An in-depth working
knowledge is valuable, not only in identifying
issues, but in developing corrective actions to
improve document and support the admission
to inpatient rehabilitation, if possible. Because
the definition of “medical necessity” is not
crystal clear, it is suggested that the strictest
interpretation of the criteria for inpatient
rehabilitation be used during the audit.
A word of caution is given, however, that after
the audit is complete, it may become evident
that the documentation does not support
admission to inpatient care, because the
patient’s condition is actually more appropriate
for another level of care. Hopefully
however, the audit will reveal that the patient
is appropriate for an inpatient rehabilitation
program, but some components are missing
from the medical record. Then, corrective
actions can be implemented to improve
documentation to support the admission.
The following questions should be positively
answered, without a doubt, as a result of an
audit of inpatient rehabilitation records:
1. Preadmission screening
Does the documentation of the preadmission
screening reflect the decision-making process
and justification for why the patient has to
be admitted to an inpatient rehabilitation
program versus any other level of care?
2. Admission orders
Do the admission orders for inpatient
rehabilitation reflect care and an intensity
that cannot be provided in any other level
of care? (For example, many orders reflect
services to “evaluate and treat,” but evaluation
and treatment can be provided in
many levels of care, not only an inpatient
rehabilitation setting.)
3. Inpatient assessment of individual’s
status and potential for rehabilitation
oes the result of the assessment of the
patient, in the initial assessment period,
support the lack of functional abilities
that would require an admission to an
inpatient rehabilitation level of care?
4. Close medical supervision by a physician
with specialized training or experience
in rehabilitation
Is there a rehabilitation physician providing
close medical supervision, and does
the medical record (e.g., physician progress
notes, etc.) demonstrate the medical necessity
of the physician’s involvement in the patient’s
care? (For example, a physician’s note
consisting of “Vital signs stable. Continue
rehab” does not contain the content necessary
to support an inpatient rehabilitation
stay, a physician’s visit, or a hospital stay.)
5. Rehabilitation nursing
Is the nursing documentation unique for
inpatient rehabilitation and reflect the
need for rehabilitation nursing?
6. Relatively intense level of rehabilitation
services
Is there evidence that the patient received
a minimum of three hours of physical
and occupational therapy and/or speech
language pathology for a minimum of five
days for each seven days?
7. Multi-disciplinary team approach to
delivery of program
Is there team documentation clearly
reflected as the primary focus of care, or
is care represented by documentation of
unique disciplines,(e.g., physical therapy,
nursing, etc.)?
8. Coordinated program of care
Is there an interdisciplinary plan of care
and is there discussion of the implementation
and accomplishment of the plan of
care in a conference?
9. Realistic goals
Can the patient achieve the identified goals
and does the patient need intensive rehabilitation
services, rehabilitation nursing, and
an interdisciplinary approach to do so?
10. Significant practical improvement
Did the patient make significant improvement
as a result of participation in the
program or did the progress occur regardless
of the program? (For example, if a patient
did not receive an interdisciplinary approach,
rehabilitation nursing, and an intensive level
of therapy, then the patient could have made
the same progress in another level of care.)
In summary, the regulations and criterion
referenced in order to demonstrate medical necessity
are not new, but the RACs significantly and
quickly increased the scrutiny placed on inpatient
rehabilitation providers to demonstrate meeting
these criteria. The majority of denials for improper
payments to inpatient rehabilitation providers in
the RAC demonstration project were the result
of a lack of documentation as medical necessity.
A proactive audit is the best way to identify and
resolve any potential issues beforehand that could
be problematic during a RAC audit for inpatient
rehabilitation. n
1 Available at www.cms.hhs.gov/RAC/05_MissionStatement.asp
2 The Medicare RAC Program: An Evaluation of the 3-Year Demonstration,
June, 2008. Available at http://www.cms.hhs.gov/RAC/Downloads/RAC%20Evaluation%20Report.pdf.
3 Medicare Benefit Policy Manual, Chapter 1 – Inpatient Hospital Services
Covered Under Part A, “Inpatient Stays for Rehabilitation Care”
Available at http://www.cms.hhs.gov/manuals/downloads/bp102c01.pdf
4 Available at http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&rgn=div
6&view=text&node=42:4.0.1.4.18.1&idno=42
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
23
March 2009

CEO: ...continued from page 18
probably auditing and monitoring, enforcement discipline, etc. supporting
the ethical behavior. Golf is the only place where I see little enforcement and
tremendous results. It doesn’t work in any other sport I know of. If a player
called a foul on themselves in football, they would be gone in 60 seconds.
Quality of Care
March 5 and 13, 2009, Two Parts
The Agency for Healthcare Research and Quality
(AHRQ) Guide on Adoption of Health Care
Innovations – What does mean? Where are we
now?
Lisa Murtha, Managing Director Health and
Education Consulting Practice Huron Consulting
Group, and Compliance Officer
Cheryl Wagonhurst, Partner, Foley and Lardner
Cory Flickinger, Huron Consulting Group.
Conflict of Interest
March 12, 2009
Kendra Diamond, Director,
Daylight Forensic & Advisory LLC,
Angelia Dorsey, Research Ccompliance Officer,
MedStar Health
Health Care IT Security –
A Corporate Compliance
Matter March 24, 2009
Carolyn Regen, Interim Chief Compliance Officer
and Privacy Officer of the Corporate Compliance
and Privacy Administration of Gwinnett Hospital
System, Inc.
Michele Madison, Partner
Morris, Manning & Martin LLP
J. Tom Jinks, Director,
Moore Colson
Bret Roy, Partner,
Moore Colson
To Register visit
www.hcca-info.org
Past Audio/Web conferences are
available on CD at
www.hcca-info.org/pastweb
For instance, all four of my girls play(ed) volleyball. The coaches don’t teach the
players to call fouls on themselves. I used to play volleyball in pick-up games
without refs at the YMCA. We had to use the honor system, somewhat like golf.
There were disagreements, but most of the players were pretty good about it. In
volleyball, you can’t touch the net. The one rule that stood out the most was: If
you touched the net, you would grab the net and shake it until the play stopped.
My friends and I often called ourselves on the net when no one would ever have
seen it. Some touches were so slight that the net hardly moved, but we knew and
we would call it. I liked the integrity of those games at the YMCA. I want my
daughters to play with integrity, but they don’t. They can’t.
If they called a foul on themselves, nobody would accept it. The coach would
blow a gasket. The players would ostracize them. The fans would boo them.
In most cases, the refs wouldn’t even acknowledge the call. The system is set
up to “get away with it if you can.” The system that works in golf is the only
effective ethics system I know.
I don’t think ethics alone will work. That is why the enforcement community
requires compliance programs in some settlements and encourages them
everywhere else. The US Sentencing Commission added ethics to the US
Sentencing Guidelines recently, but judges still look for compliance programs
to determine if a company is trying to find and fix problems. The judges don’t
mandate ethics programs. Recently, a law was passed to mandate compliance
programs for government contractors. The lobbyists got it reduced to a code of
conduct, just before the regulation was published. The Department of Justice
(DOJ) got mad and supported a “Contractors Fraud Loophole Act.” The
Act said that government contractors had to implement the seven elements as
described in the Sentencing Guidelines. The DOJ considered the last minute
change from compliance to ethics to be a loophole. They want both, but they
really are looking for compliance programs. I keep hearing the people who
are horribly conflicted (they don’t want the pain and cost of compliance) or
idealistic saying that ethics is enough. I keep hearing the people who are tired
of chasing down cheaters (the enforcement community) say that if you want to
be effective or if you want a break, put in a compliance program.
Ethics works if every one is ethical. Everyone else needs a compliance
program. Ethics is important. Having a code of ethics and telling everyone
to do the right thing is important. However, if you want to get people to
be ethical, you must establish standards and procedures, audit and monitor,
investigate, discipline, train and educate, and report to the Board. n
March 2009
24
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

ASK
LEADERSHIP
Compliance Today
Needs You!
The Health Care Compliance Association
(HCCA) is seeking authors for
Compliance Today. Every month
Compliance Today offers health care
compliance professionals information
on a wide-variety of enforcement, regulatory,
legal, and compliance program
development and management issues.
To do this we need your help!
We are particularly interested in articles
covering compliance concerns involving
all segments of the health care industry,
including Behavioral Health, Rehabilitation,
Physician practices, Long-Term
Care, Homecare and hospice, Ambulatory
Surgery Centers, etc.
For Details: E-mail Margaret Dragon
with your topic ideas, format questions,
etc. at margaret.dragon@hcca-info.org or
call her at 781/593-4924.
Articles generally run between 1,250
and 2,500 words; this is not a limit, just
a guide. Compliance Today uses the
Chicago Manual of Style. We require
footnotes to be 10 or less. All references
must appear at the end of the article.
Please do not use the footnote feature in
Word. The author’s contact information
must be included in the article as well as
the article title. Articles should be submitted
as a Word document with very
limited formatting. Anyone interested
in submitting an article for publication
in Compliance Today should send an
email to margaret.dragon@hcca-info.
org which includes the article topic and
deadline selected from the list below.
IMPORTANT: For those who are
Certified In Healthcare Compliance
(CHC), please note that CCB awards
2 CEUs to authors of articles
published in Compliance Today.
Upcoming Compliance Today Deadlines:
n April 2
n April 20
n May 6
n May 18
n June 1
n June 15
John Falcetano
John asks the leadership
your questions
Editor’s note: John Falcetano is Chief Audit/Compliance
Officer for University Health Systems of Eastern Carolina and
a long-time member of HCCA. This column has been created
to give members the opportunity to submit their questions by
e-mail to jfalcetano@suddenlink.net and have John contact
members of HCCA leadership for their response.
QUESTION: What are Red Flag Identity Theft Rules and do they apply to health care
organizations?
Answer: provided by John C. Falcetano, MA, CHC, CIA, Chief Audit & Compliance Officer,
University Health Systems of Eastern Carolina Greenville, NC
The FDIC, along with the other federal financial institution regulatory agencies and the
Federal Trade Commission, issued the Red Flags provision of the Fair and Accurate Credit
Transactions Act in October 2007. The final rules and guidelines on identity theft red flags
took effect on November 1, 2008, although enforcement has been suspended until May 2009.
The rules require financial institutions to establish reasonable procedures for identifying and
preventing identity theft.
The rules apply to health care providers because they use consumer reports to check for
criminal backgrounds and credit histories as part of their employment process. In addition,
many health care providers are considered creditors, because they do not require payment when
services are rendered. Creditors in the health care field must also watch for signs of medical
identity theft (i.e., someone obtaining medical services or benefits by using stolen health insurance
information).
Although the rules allow organizations flexibility in establishing their own internal compliance
programs, there are some mandatory requirements that must be included in order to comply
with the rules. For example, the rules require:
n Each financial institution or creditor to develop and implement a written identity theft
prevention program to detect, prevent, and mitigate identity theft in connection with the
opening of certain accounts or certain existing accounts.
n Credit and debit card issuers to assess the validity of notifications of changes of address
under certain circumstances.
n If there is a conflict between information provided on applications and credit reports, financial
institutions must review discrepancies.
Examples of identity theft red flags that financial institutions should consider as part of their
identity theft prevention programs are also included in the rules. Information about the rules
can be found at: http://www.fdic.gov/news/news/financial/2007/fil07100.html n
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
25
March 2009

Health Care Compliance Association’s
13th Annual Compliance Institute
April 26–29, 2009 | Caesars Palace | Las Vegas, NV
Register now at
www.compliance-institute.org
Register in MARCH
and receive a free copy of Building
a Career in Compliance and Ethics *
*New registrations only
Updated Sessions
• 512 Running Successful Hospital Exercises: Planning, Execution,
and Assessment (Mitch Saruwatari, VP Quality and Compliance,
LiveProcess; Michael Bowers, Director of Facilities & Engineering,
Riverside County Regional Medical Center)
• 711 Where’s That Policy? Solving the Pitfalls of Paper-Based
and Internally Built Policy & Procedure Systems
(Robert Tietjen, CEO, PolicyTech)
• W1 The Road Ahead and How to Navigate It: Panel Discussion
on Challenges for Health Care Organizations in 2009 and
How to Address Them (Frank Sheeder, Partner, Jones Day)
AGENDA
AVAILABLE
ONLINE
GROUP
DISCOUNTS
AVAILABLE
(see registration
form)
VISIT WWW.COMPLIANCE-INSTITUTE.ORG
March 2009
26
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

YOUR
INFORMATION
FYIFOR
Declining economy has increased
compliance risks
On January 6, 2009, the Health Care
Compliance Association reported the results
of a survey it recently conducted with the
Society of Corporate Compliance and
Ethics. The survey reveals that the declining
economy may be increasing the risk of legal
and ethics violations in business. In addition,
this increased risk is occurring at a time when
budgets to manage those risks are expected to
at best hold steady, if not decline.
The survey, based on an online questionnaire
completed by more than 600 compliance and
business ethics professionals, showed that
85% feel that the current economy greatly
or somewhat increases the risk of compliance
and ethics failures. To download the entire
survey results: http://www.hcca-info.org/
Content/NavigationMenu/ComplianceResources/Surveys/Survey_Form.htm
For the press release: http://www.hcca-info.
org/Content/NavigationMenu/AboutH-
CCA/PressReleases/SurveyResults.pdf
Former HCCA President Odell Guyton
recognized
Society of Corporate Compliance and Ethics
Co-Chair, Health Care Compliance Association
Past President and Microsoft Corporation
Director of Compliance Odell Guyton
has been named to Ethisphere Magazine’s 100
Most Influential People in Business Ethics
2008. Also named to the prestigious list
are United States President Barack Obama,
Hedge Fund Chairman T. Boone Pickens,
and Triple Pulitzer Prize winner and New
York Times columnist Thomas Friedman. For
the complete list: http://ethisphere.com/100-
most-influential-people-in-businessethics-2008/
n
certified in
CHC
compliance
healthcare
The Compliance Certification Board (CCB) compliance certification
examination is available in all 50 states. Join your peers and become
Certified in Healthcare Compliance (CHC).
CHC certification benefits:
n Enhances the credibility of the
compliance practitioner
n Enhances the credibility of the
compliance programs staffed by
these certified professionals
n Assures that each certified
compliance practitioner has the
broad knowledge base necessary
to perform the compliance
function
n Establishes professional standards
and status for compliance
professionals
n Facilitates compliance work
for compliance practitioners in
dealing with other professionals
in the industry, such as
physicians and attorneys
n Demonstrates the hard work and
dedication necessary to perform
the compliance task
Since June 26, 2000, when CHC
certification became available,
hundreds of your colleagues have
become Certified in Healthcare
Compliance. Linda Wolverton,
CHC, says she sought CHC
certification because “many
knowledgeable people work in
compliance and I wanted my peers
to recognize me as one of their
own.”
For more information about CHC
certification, please call 888/580-8373,
e-mail ccb@hcca-info.org or click on the
CCB Certification button on the HCCA
Web site at www.hcca-info.org
The Compliance
Professional’s Certification
Congratulations on achieving CHC status! The Compliance
Certification Board announces that the following individuals
have recently successfully completed the Certified in Healthcare
Compliance examination, earning CHC designation:
Lisa J Adamson
Katherine E Baxter
Michael David Beck
Robert H Bowker
Pamela Elaine
Brotherton-Sedano
Camille Ann Cassell
Michelle Lynn Castle
Rocio Chavez
Terri L. Clark
Maureen Ann Clements
Patrick Collins
Charla R. Craig
Lucas D. Crater
Benjamin D. Cripps
Tammy L. Danek
Haley Beth Denzer
Connie S. Dunn
Michele Renee Durocher
Deana Anne Estes
Nayfe S. Faillace
Grace Pamandanan
Fernandez
Diana D. Fourney
Stephen Glenn Gerwolds
Nancy Annette Godby
Kim Renae Gonseth
Carolyn Denise Graham
Regina F. Gurvich
Elizabeth Wade Hall
Janet Anne Herbold
Natalie A. Herron Welch
Karla M. Homelvig
Sharon K. Howard
Dianna Dawn Johnson
Donald R. Jones
Thomas Robert Kane
Jean Kelly
Holly A. Kessler
Ginny Kim
Jennifer D. Malone
Jennifer J. Mayberry
Tina M. Meli
Harlan L. Menkin
Keith L. Morgan
Lorelei C. Mulanax
Joyce K.
Nakamura-Tanoue
Kimberly J. Oka
Jeff Brian Paul
Maria D. Pearson
Shannon Ladon Perkins
Karen Theresa Quintal
Christy Heather
Richardson
Andrew Thomas Rosdahl
James S. Rundell
Marilyn K. Schmidt
Debbie Schneider
Patricia S. Slater
Roianne Summers
Donald Tannenbaum
Tiffany Brooke Thompson
Robert N. Ulrich
Peggy Jo Upson
Kayme L. Voelker
Cynthia Lou Vordenbaum
Blaire Ann Zummak
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
27
March 2009

Physician office
compliance – Are
you monitoring
your auditing and
monitoring program?
Editor’s note: Melissa Morales is a consultant
working in the Healthcare Industries section of
PricewaterhouseCoopers in San Francisco. She
may be reached by e-mail at
Melissa.Morales@us.pwc.com.
Physician compliance auditing and
monitoring programs can be unique,
depending on the practice and
type of provider operations. Such programs
require specific experience and skill sets such
as expertise in audit and coding, to determine
what areas need to be monitored and how
to develop work plans that encompass the
organization’s high risk areas. Auditing and
monitoring programs conduct various types
of review throughout the year as part of an
organization’s compliance plan to help prevent,
detect, and correct noncompliance with
regulations. The program is established on
the fundamental aspects of the organization’s
processes, such as charge capture, billing
forms, claim scrubber functionality, physician
education, compliance, and billing office
operations.
With the day-to-day perspective of an organization’s
operation, it’s not uncommon for
staff to become consumed with the routine of
scheduled reviews, which may cause them to
loose sight of the direction they are heading
and any imperative trends. It’s important
to take a step back and evaluate any data
collected and analyze those results. Careful
By Melissa Morales, CPC
analysis of such data can help identify trends
and/or abnormalities that are not often apparent
on the surface of a review. Without such
analysis, you could be missing key opportunities
for change and corrective action.
So what should be incorporated in an
auditing and monitoring program to prevent
process breakdown?
First, you must ascertain the organization’s
compliance mission and objectives, such as
safeguarding health information, assigning
subject matter experts to the audit process,
and identify key high-risk areas. Organizations
should also use the current year’s Office
of the Inspector General (OIG) Work Plan 1
as a base to identify various factors, events,
emerging issues, and any priority shifts within
Congress that may be an area of concern in
the upcoming year.
Secondly, the organization should perform a
risk assessment, and determine areas of high
concern. This will allow for better determination
of what should be a high priority within
the practice, allow for planning and implementation
of the work plan.
Thirdly, set up an internal audit plan that
outlines audit coverage, scope, and objectives,
such as formal vs. informal reviews, type of
review (e.g., compliance, coding, or payment),
and areas of concern (e.g., high dollar
procedures, or teaching physician environments).
Internal audits should have a quality
review process to verify accuracy, establish
controls, identify best practices, and measure
results against national benchmark data.
Part of the audit plan should establish a
reporting and feedback mechanism to provide
information regarding the audit and its findings.
Monthly reports should be generated
for management and those being audited
to review audit results, provide education,
establish corrective action plans, and review
any trends identified. It is imperative that the
information found through audit is communicated
to those who were audited, not just
the chiefs or management of the department.
In order to assist with accuracy rate improvement
and address any noncompliance with
regulations, everyone participating in the
audit should be notified of their results. If
there were deficiencies identified through
the audit, the reporting mechanism can help
determine what departments or areas need
to be re-evaluated and need continuous
monitoring. When auditing accuracy and
proper documentation of evaluation and
management (E&M) codes, the accuracy rate
needs to be established by the organization.
Any physician who falls below that range
should be continuously monitored until their
accuracy rate has improved.
Routine reports are instrumental in performance
improvement initiatives as well
as in making recommendations for process
improvements or corrective actions.
Fourthly, evaluate the performance of the
process by analyzing the results along various
factors as well as monitoring the process
frequently to make sure there are no loop
holes within the process.
Lastly, examining and re-evaluating your
March 2009
28
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

sampling methodology is vital in determining
any flaws in the system and to ascertain that
the appropriate sample is being reviewed. The
proper sampling methodology ties back to the
type of review that you are performing. The
frequency and type of review, whether payment
or coding related, should be determined
before setting the sample size. There are
several mechanisms and methodologies that
can be used to determine sample sizes. A
common method is to use software to assist
with the sampling. RAT-STATS (statistical
software available through the Office of the
Inspector General website) assists in selecting
random samples and evaluating results. 2
In addition to reviewing the process of an
effective auditing and monitoring program,
organizations should review common
and potential risk areas that Compliance
departments face. Common issues that are
often missed or not addressed properly are
the overuse and misuse of modifiers, claims
scrubbers, and thorough review of charges
and payments. The misuse of modifiers 24
and 25 leads to overpayment for services that
are either included in an E&M visit or part
of the global surgical package. In this case,
the sampling method needs to be carefully
analyzed to make sure various factors are
reviewed as well as the frequency of use. If
only high level evaluation and management
codes are sampled, a potential exists for missing
the use of modifier 25. Another sampling
issue can lie with pulling procedure codes and
not breaking them down to individual global
period days to determine if there were distinct
services provided where the modifier would
have been appropriate.
Use of modifier 25 (to identify a significant
and separately identifiable service was provided
on the same date as another service) 3
requests additional reimbursement from
payers when performing additional work. It’s
imperative to monitor so inappropriate payment
isn’t received. The frequency of the use
of this modifier should be monitored closely.
OIG published a report on “Modifier 25”
in November 2005, and in this report, OIG
indicated that if modifier 25 is appropriately
appended in an encounter when an E&M
service and a minor procedure were performed
on the same day. It should not exceed
more than 50% of the billable items. 4 The
requirements for the proper use of this modifier
should be carefully reviewed to prevent
incorrect application. Some areas to watch
for are:
n Is the modifier being used every single
time there was a procedure and E&M
performed?
n Is the modifier being appended by alternate
staff, such as billing staff, through
claim scrubber edit work queues?
Modifier 24 poses another issue of receiving
payment for services that are encompassed
with in the global surgical package and
separately billable. Part of the problem begins
with not knowing the global period associated
with certain procedures, and there is often
confusion with how physicians are designated
when they belong to the same group specialty
and practice. Physicians are often unaware
that they are considered one physician when
they belong to the same specialty/department
within the organization. Medicare defines
the “same physician,” within the definition
of modifier 24, as the same physician who
performed the procedure or a member of the
same group within the same specialty. 5 Application
of modifier 24 should not be done
automatically during a post-operative period.
The modifier should be appended by the
physician or by coding staff who have access
to the surgical dates and are able to review
medical records to determine if the service
provided during the post-operative period was
unrelated to the surgery. Understanding the
appropriate use of modifier 24 allows providers
to append the modifier correctly and helps
reduce compliance risks.
An auditing and monitoring process should
also include a review of the use of claims
scrubber edits to ensure that there are no hard
stop edits that will randomly append modifiers
24 and 25. Overview of billing work
queues to resolve modifier edits is essential in
ensuring proper reimbursement. This can be a
daunting task, because some of these reviews
can require review of the medical record to
make certain procedures were unrelated to the
E&M service, or in the case of modifier 25, if
the procedure was indeed separately identifiable
from the original service provided.
Ensuring processes are in place to monitor
your audit program and the frequency of
modifier use is critical. Monthly reporting
will allow the organization to monitor
various departments and processes to ensure
billing, coding, and operations are compliant.
Reporting is one step to improve your
program, in addition to having a comprehensive
communication mechanism to assist
in improving overall processes. An effective
auditing and monitoring program requires
expertise from several individuals and areas
within an organization. Compliance departments
that decide to partake in a thorough
audit program will benefit from step-by-step
planning that will help determine the fundamentals
that are needed to provide direction
for an accurate and compliant review.
Participation from everyone with in the
organization is central to having a successful
program and facilitating any recommendations
and changes. n
1. 2009 OIG Work Plan is available at: http://www.oig.hhs.gov/publications/docs/workplan/2009/WorkPlanFY2009.pdf
2. RAT-STATS software is available at: http://www.oig.hhs.gov/organization/oas/ratstats.asp
3. Current Procedural Terminology 2009, AMA
4. OIG report, No.OEI-07-03-00470, Nov.1, 2005 retrieved from http://
www.oig.hhs.gov/oei/reports/oei-07-03-00470.pdf
5. Medicare Claims Processing Manual, Chapter 12: Physician and nonphysician
practitioners
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
29
March 2009

March 2009
30
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
31
March 2009

focus
feature
Executive compensation in troubled times
– Part 1
By Gerald M. Griffith, JD
Editor’s note: Gerald Griffith is a partner in the Chicago office of Jones
Day where he practices as a member of the Health Care and Tax Practice
Groups. He may be reached by telephone at 312/269-1507 or by email at
ggriffith@jonesday.com.
For many nonprofit healthcare organizations, front page stories
on executive compensation have become an annual event due
to the information publicly available on Form 990. Recently,
the Internal Revenue Service (IRS) has increased the scrutiny of
executive compensation among all nonprofits, including hospitals and
academic medical centers, with three separate, detailed compliance
checks sent to several hundred organizations in the past five years. In
addition to educating the nonprofit sector, those compliance checks
have sought to enforce the excess benefit sanctions that impose excise
taxes of up to 225% on any insider compensation above reasonable
amounts.
With healthcare and other sectors facing a difficult economic situation,
including the highest rate of mass layoffs rates in more than ten years, 1
compensation for health care executives is coming under increasing
scrutiny. Executive compensation packages that may be viewed as rich
in cash compensation by “Joe the Plumber” standards, or include hot
button perquisites (e.g., first class travel), are drawing more intense
media and government scrutiny. This article will explore how that
added scrutiny has manifested itself, and what steps can be taken to
minimize the negative publicity associated with executive compensation,
protect it against IRS sanctions, and demonstrate to policy
makers, regulators, and charitable donors that nonprofit healthcare
organizations can control executive compensation without additional
regulation or investigations. Those proactive steps can be described as
following best practices in the compensation approval process, obtaining
appropriate comparability data, and adopting a compensation
plan design that ties compensation to both financial and non-financial
goals.
Effect of economic downturn on executive compensation
It is unusual now to hear news stories about prospective bailout packages
that do not also include calls for limits on executive compensation.
Just as the Sarbanes Oxley Act arguably started a transparency
trend that has permeated healthcare governance thinking, so too may
rules on executive compensation in Corporate America from the
bailouts filter through to healthcare organizations facing their own
financial challenges.
Economic pressures
Many health care organizations are feeling the pressure of the struggling
economy, through reductions or delays in payment from government
payment programs such as Medicaid, tougher negotiations with
private payers, increased numbers of uninsured patients, mounting
property tax exemption challenges, tighter credit, and plummeting
investment returns. In what is not likely to be an anomaly, one highly
regarded suburban hospital in a particularly hard-hit industrial state
recently announced a voluntary turnaround plan to reduce a projected
multi-million dollar loss in 2008, including a 10% pay cut for the
CEO and other top executives and employed doctors, and a 4% pay
cut for department managers as an alternative to lay offs. Sources estimated
the pay cuts would save 225 jobs at the hospital. 2 With rising
unemployment rates, other health care organizations may feel the need
to make similar reductions as part of an overall cost-cutting strategy.
With various sectors (e.g., financial, automotive) seeking federal
bailouts, Congress has turned its attention once again to potential
abuses in executive compensation. In a recent press release regarding
the federal financial rescue program, the Senate Finance Committee
strongly urged the Secretary of the Treasury to implement proposed
limits on executive compensation for senior executives of institutions
that receive federal bailout funds and ensure transparency in the
bailout process. 3 Those limits in Sections 162(m)(5) and 280G(e)
of the Internal Revenue Code would limit deductibility to the first
$500,000 of compensation and eliminate the exception allowing
higher deductibility for performance-based compensation. 4 In response
March 2009
32
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

to earlier concerns over corporate governance and transparency in the
wake of the Enron scandal, Congress enacted other limits on executive
compensation for public companies in the Sarbanes Oxley Act (SOX),
including clawback provisions that would require repayment of certain
compensation received by the CEO and CFO of any public company
that issues a material restatement of its financials to comply with
securities laws. Affected executives are required to repay (1) any bonus,
incentive-based or equity compensation received within twelve months
after release of the noncompliant financials; and (2) any profits realized
from the sale of any securities of the employer during that same
period. 5
Congress also has a recent history of closely examining executive
compensation in the nonprofit healthcare sector. 6 Senator Grassley
in particular has been very vocal about compensation levels in the
nonprofit sector, noting that the “lack of transparency” in executive
compensation and “the champagne lifestyles of certain non-profit
executives” leave no room for doubt that the IRS needs to adopt
clear guidelines on disclosure and acceptable compensation levels for
nonprofits. In Senator Grassley’s view, “some individuals running
charities view it as an opportunity to do well for themselves as opposed
to doing good for those in need.” 7 As pressure mounts on health
care organizations to care for the uninsured and deal with declining
reimbursement while stemming losses to keep programs afloat, executive
compensation levels and program design are likely to come under
increased legislative scrutiny.
Moreover, a high ranking IRS official recently noted the current
economic situation makes it even more important to ensure “proper
stewardship of the tax subsidy” that nonprofits receive and to improve
transparency in governance. 8 In that regard, the IRS also remains
highly interested in executive compensation at nonprofit organizations
as reflected in the new Form 990 (described below). The same official
noted that a pending report on the 2006 survey of nonprofit hospital
executive compensation practices “will reveal high levels of executive
compensation as well as extensive use by nonprofit hospitals of the
rebuttable presumption of reasonableness.” He also implied that the
IRS will look more closely at how well that process is being followed
in upcoming audits, noting that the existing excess benefit rules of Section
4958 may not be adequate to challenge high compensation levels
that may be defensible under the rebuttable presumption standard but
may not satisfy the public and other interested parties. He also raised
questions about the propriety of current law that allows a nonprofit to
use compensation at for-profit companies as part of the comparable
data in determining reasonable compensation at the nonprofit. 9
Effects of increased transparency
Many local papers run annual stories listing top paid executives,
including senior management of hospitals and other healthcare organizations.
For public companies, these figures are reported in securities
filings and can be readily compared on public websites, 10 or gleaned
manually from reviewing SEC filings online. 11 For nonprofits, this
information is typically drawn from annual Forms 990 filed with the
IRS, which are subject to public inspection after filing at the organization’s
offices and, after a lag time, are available online. 12
In recent years, the level of detail and number of executives included
in the Form 990 compensation disclosures has expanded steadily.
With the redesigned Form 990 for tax years beginning in 2008, that
expansion will result in disclosure of base compensation, bonus and
incentive compensation, other compensation reported on Forms W-2
or 1099-MISC (e.g., debt forgiveness, gross-up payments for taxes
on cell phones), deferred compensation, and non-taxable benefits for
all current and former (within the past five years) officers, directors,
trustees, “key employees” and the top five highest paid other employees.
13 In addition, Parts I and III of Schedule J will require disclosure
of a variety of hot button perquisites provided to executives, including
first class or charter travel, spousal/companion travel, tax gross-up
payments (e.g., to pay the executive’s tax liability on certain fringe
benefits), discretionary spending accounts, housing, health club or
social club dues and initiation fees, and various personal services (e.g.,
maid, chauffeur, chef). Organizations are also required to disclose
whether they follow the IRS-prescribed rebuttable presumption
procedure (described below) for approving executive compensation, 14
and whether they intend to rely on the initial contract exception for
any compensation arrangements. 15
The IRS is also becoming more attuned to process issues in audits
and compliance checks. For example, the executive compensation portion
of the Hospital Project Compliance Check Questionnaire (May
2006) asked:
n Whether officer, director, trustee and key employee compensation
was approved in advance by disinterested individuals (The
Instructions to the new Form 990, Core Form, Part VII define “key
employees” as the twenty highest paid employees paid more than
$150,000 for the year by the organization and all related organizations,
and who have responsibilities, power or influence over the
organization as a whole, manage a discrete segment or activity of
the organization accounting for more than 10% of the organization’s
activities, assets, income or expenses, or have sole or shared
Continued on page 35
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
33
March 2009

egister now for hcca’s
2009 Academies (revised dates)
Research Compliance Academy
San Francisco, CA | June 15–18
With a wide range of research-related issues becoming hot topics with enforcement
agencies, this academy provides attendees with the opportunity to get information
on many areas that affect research compliance officers and their staff on a day-today
basis. A small audience encourages hands-on educational techniques, small
group interaction, and networking.
AdvAnced compliance Academies
San Francisco, CA | June 22–25
HCCA’s Advanced Compliance Academy offers four days of intensive, in-depth health
care compliance education for the experienced compliance professional.
basic compliance academies
March 9–12 | Dallas, TX
June 1–4 | Scottsdale, AZ
October 26–29 | Denver, CO
November 16–19 | Orlando, FL
This four-day intensive program focuses on subject areas at the heart of health care compliance
practice. Courses are designed for participants who have a basic knowledge of compliance
concepts and some professional experience in a compliance function.
March 2009
34
register now at www.hcca-info.org
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

Executive compensation in troubled times – Part 1 ...continued from page 33
authority or control over determinations of 10% or more of the expanded questions regarding board independence, conflicts of interest
organization’s capital expenditures, operating budget or employee procedures, disclosure of financial statements, governance policies,
compensation);
and compensation review procedures. These questions are consistent
n Who exactly approves the compensation,
with the IRS’s view that a well governed exempt organization is also a
n What comparability data is relied on in the process,
compliant one. Now the IRS intends to prove that theory.
n Whether the compensation was within the range of that data, and
n Whether the comparables included compensation levels at other In its FY2009 work plan released in late November, the IRS Exempt
tax-exempt hospitals. 16
Organizations Division (EO) announced a new three-part initiative
aimed at nonprofit governance issues. EO will continue its work in the
The IRS has also instructed agents to focus on the effectiveness of nonprofit governance area by focusing on three areas:
internal financial controls when auditing exempt organizations to help
shape the course and scope of the audit – consistent with the IRS view First, EO will develop a checklist to be used by agents in examinations
of exempt organizations to determine whether the organization’s
(and a theme of the new Form 990) that organizations following good
governance practices are more likely to be in compliance with the tax governance practices impacted the tax compliance issues identified in
laws. 17 As part of the opening document requests in hospital audits, the examination and to educate organizations about possible governance
considerations.
IRS agents are now asking for compensation committee minutes as
well as internal audit reports.
Second, EO will commence a training program to educate its employees
about nonprofit governance implications in the determinations,
Fiduciary duties
Setting appropriate parameters for executive compensation is not only rulings and agreements, and education and outreach areas.
likely to be viewed by the public as the right thing to do in tough
economic times, it is also good business and in the best interest of Third, EO will begin identifying Form 990 governance questions
the organization. In that regard, directors and officers of nonprofit that could be used in conjunction with other Form 990 information
corporations owe fiduciary duties of care, loyalty, and obedience to the in possible compliance initiatives, such as those involving executive
corporation. Those fiduciary duties require directors and officers to act compensation, transactions with interested persons, solicitations of
in good faith and in a manner they believe to be in the best interests noncash contributions, or diversion or misuse of exempt assets. 21
of the corporation as opposed to their own personal interests. 18 In
fulfilling those duties in the area of executive compensation, directors Given the emphasis on compensation matters in recent IRS compliance
initiatives, it is likely that these new governance initiatives also
and officers may rely on:
will include close scrutiny of executive compensation processes. Failure
“information, opinions, reports, or statements, including financial to provide proper oversight of the executive compensation process,
statements and other financial data, if prepared or presented by … including an appropriate conflict of interest policy and ensuring that
legal counsel, public accountants or other persons as to matters the compensation levels and plan design are reasonable, also may lead to
director reasonably believes are within the person’s professional or state law allegations of a breach of fiduciary duty. Compensation decisions,
however, are more than a pure numbers game, whether for state
expert competence.” 19
law or federal tax purposes. Simply limiting total compensation does
When the process breaks down, directors and officers are at risk for not necessarily better serve the organization, if it is done at the expense
state attorneys general seeking to recoup excessive payments, including of recruiting and retaining qualified executives or compromising job
bonuses and other insider deals. 20
performance (by providing little or no incentive for improving the
organization’s performance in financial and non-financial areas).
Although fiduciary duties for nonprofits arise under state law, they
also can lead to federal tax compliance concerns including imposition Emphasis on process
of excise taxes at rates up to 225% for excess benefits under Section Real estate experts are fond of saying that the value of property is all
4958 if executive compensation exceeds fair market value. In the about location, location, location. For executive compensation, at least
redesigned Form 990, the IRS will be asking a number of new and
Continued on page 36
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
35
March 2009

Executive compensation in troubled times – Part 1 ...continued from page 35
as far as the federal tax-exemption rules are concerned, it is all about
process, process, process.
Rebuttable presumption
Despite recent criticism of the rebuttable presumption process as
potentially protecting compensation levels that the public would not
be satisfied with, the law remains clear. If an organization successfully
establishes a rebuttable presumption of reasonableness, the burden
shifts to the IRS to prove that compensation of disqualified persons
(including many senior executives) is unreasonable. As noted above,
by the admission of a senior IRS official, that is often a difficult task.
In addition, establishing the presumption ordinarily protects organization
managers against imposition of the 10% excise tax that applies to
anyone approving an excess benefit transaction. 22 Given the increased
scrutiny of executive compensation decisions in nonprofit health care,
it is more important than ever for hospitals to take steps to establish a
rebuttable presumption of reasonableness for executive compensation
packages.
To establish a rebuttable presumption, the compensation package
must be reviewed and approved in advance by an independent board
or committee as being consistent with fair market value based on
appropriate market data for comparable compensation arrangements.
The decision also must be documented on a timely basis (within 60
days or prior to the next meeting) in the board or committee records
(e.g., minutes), and the minutes or other records of the board or
committee must note the terms of the compensation package that was
approved, the members who were present for the debate and voted
on the arrangement, the comparability data relied on and how it was
obtained, and any actions taken with regard to the arrangement by
any member with a conflict of interest in relation to the transaction. 23
The presumption is available for all fixed compensation (i.e., specific
dollar amounts, fixed formulas that are not subject to discretion such
as certain percentage formulas or payments conditioned on achieving
specific goals, or approval of a maximum payment as reasonable). 24 To
avoid disagreements over whether a particular compensation methodology
is a “fixed formula,” organizations may wish to include a cap on
total compensation at a reasonable level.
If the board or committee approves compensation that exceeds the
range of comparable data reviewed, the rebuttable presumption can
still be established if the reasons for exceeding the range are recorded
in the minutes. 25 Acceptable reasons for exceeding the range may
include some combination of a prior history of below-market compensation,
specific increased duties or time commitment, truly exceptional
performance that far exceeds expectations (which may be easier to
demonstrate with reasonable performance goals clearly defined in
advance), bona fide competing offers from unrelated entities, and
demonstrated difficulty in recruiting or retaining executives. 26 Failure
to follow the rebuttable presumption procedure does not necessarily
mean that compensation is excessive, 27 but the IRS reports on the
Executive Compensation Initiative and the Hospital Project suggest
that following this procedure is a best practice.
Conflicts of interest
In recent years the IRS also has shown an increasing interest in good
governance practices in general, issuing and revising both a model
conflicts of interest policy (available in the Instructions to Form 1023)
and good governance guidelines. 28 The model conflict of interest policy
is a starting point for many health care organizations in developing
their own conflict of interest policy, which can be helpful in minimizing
the excess benefit, inurement, and tax risks of executive compensation
and other insider transactions. The IRS also included specific safe
harbors in the regulations to determine when a board or committee
will be sufficiently independent to be able to meet the requirements
for establishing the rebuttable presumption of reasonableness.
Specifically, a member of the reviewing body will be deemed to be
independent for that purpose if he or she:
n Is not a disqualified person (insider) or family member of a
disqualified person who participates in or benefits economically
from the transaction (For this purpose, “family members” include
spouses, ancestors, brothers and sisters (whether whole or half
blood), children (whether natural or adopted), grandchildren, great
grandchildren, and spouses of brothers, sisters, children, grandchildren,
and great grandchildren);
n Is not an employee of or supervised by a disqualified person who
participates in or benefits economically from the transaction;
n Does not receive compensation or other payments subject to
approval by a disqualified person who participates in or benefits
economically from the transaction;
n Has no material financial interest affected by the transaction; and
n Does not engage in vote swapping (i.e., trading his/her vote
for approval of another transaction that benefits the member
economically). 29
Board independence is also relevant for disclosure purposes on Form
990, and the degree of independence of the board may affect how the
IRS, the media and the public perceive an organization and its compensation
practices. The Instructions for the new Form 990 define
March 2009
36
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

independence for board members in this context using a three-part
test, and all three parts must be met:
1. No compensation to the member as an officer or employee of any
related entity;
2. Total of all other payments to the member for the tax year from
any related entity do not exceed $10,000 (reasonable directors’
fees for board service and reimbursement of expenses under a plan
requiring documentation of amounts and business purpose do not
count toward the $10,000); and
3. Neither the member nor his/her family were directly or indirectly
involved in a transaction with any related entity that must be
reported on Schedule L (or would be reportable on Schedule L if
the related entity were a 501(c)(3) organization). 30
IRS compliance checks
The IRS, however, is doing more than just talk about the compensation
process – it is also examining developing trends among nonprofits
and building a database for more effective, focused audits. For
example, the report on the IRS Executive Compensation Initiative
noted among other things that:
n Over 30% of the organizations surveyed did not report compensation
correctly on Form 990;
n Form 990 reporting requirements for executive compensation
needed clarification (which the IRS has since addressed);
n The IRS should revisit (i.e., expand) the circumstances under which
it assesses penalties for filing an incomplete Form 990;
n Following the rebuttable presumption procedure to establish executive
compensation levels is a common practice, though only 51%
of organizations surveyed addressed all three requirements for the
presumption and many organizations may have difficulty in understanding,
applying or meeting all of the requirements;
n Future compliance initiatives should focus on the correlation
between meeting the rebuttable presumption requirements and reasonableness
of compensation (including 5% of organizations where
the affected person did not leave the meeting prior to a vote on his
or her own compensation); and
n Loans to insiders present a high potential for abuse (followed by
excessive compensation and personal use of exempt organization assets
– likely a reference in part to employer-provided cell phones). 31
responses (to February 6, 2009). With the substantial increase in
disclosure requirements for executive compensation in the new Form
990 (described above), it is also likely that the IRS will continue to
use similar compliance checks to find potentially abusive or excessive
compensation arrangements among nonprofits nationally, including in
health care. Those compliance efforts at the IRS likely will be aided to
some extent by whistleblowers, who are able to recover a bounty of up
to 30% of the taxes and penalties collected by the IRS in cases over $2
million, or 15% in smaller cases. 32 n
Part 2 of this article will appear in the April issue of Compliance Today
and will address comparability data and compensation plan design.
1 See J. Carlson, “Healthcare Nears 10-year Record for Mass Layoffs,” ModernHealthcare.com (Nov. 21, 2008)
(mass layoffs are more than 50 employees from a single employer).
2 See J. Greene, “Beaumont Hospitals to lay off employees, cut millions from 2009 budget,” Crain’s Detroit Business
(Nov. 17, 2008).
3 The November 19, 2008 news release is available on the Committee’s website at http://finance.senate.gov/press/
Bpress/2008press/prb111908e.pdf.
4 See Notice 2008-94, 2008-44 I.R.B. 10.
5 15 U.S.C. § 7243.
6 G. Griffith and J. King: “The dollars and sense of executive compensation,” Compliance Today p. 20 (HCCA,
April 2007).
7 Press Release, “IRS report on non-profits’ executive compensation” (March 1, 2007), available online at http://
finance.senate.gov/press/Gpress/2007/prg030107.pdf.
8 Remarks of Steven T. Miller, Commissioner TEGE (IRS), Western Conference on Tax-exempt Organizations
(Nov. 20, 2008), available online at http://www.irs.gov/pub/irs-tege/stm_loyolagovernance_112008.pdf.
9 F. Stokeld, “IRS Interest in EO Executive Compensation Strong, Official Says,” Tax Notes Today, 2008 TNT
226-3 (Nov. 21, 2008).
10 Two such websites are http://www.vault.com and http://swz.salary.com/.
11 SEC filings are available on the EDGAR system at http://www.sec.gov/edgar.shtml.
12 Forms 990 can be accessed free of charge for three years on www.guidestar.org, or for all available years with a
paid subscription.
13 Form 990 (2008), Schedule J, Part II, available at www.irs.gov/charities/article/0,,id=185561,00.html.
14 Form 990 (2008), Part VI, Line 15a & b, Schedule J, Part I, Line 3 and Schedule L, Part II, Column (f).
15 Form 990 (2008), Schedule J, Part I, Line 8; see also 26 C.F.R. § 53.4958-4(a)(3).
16 Copies of the questionnaire and IRS report are available online at http://www.irs.gov/charities/charitable/
article/0,,id=172267,00.html.
17 See F. Stokeld, “IRS to Ask About Internal Controls During EO Exams,” Tax Notes Today, 2008 TNT 226-3
(Nov. 21, 2008).
18 See Griffith & King, supra; Revised Model Nonprofit Corporation Act, § 8.30(a)(1) (1987) (the “Model Act”).
19 Model Act, § 8.30(b).
20 See, e.g., J. Glater & V. Bajaj, “Coumo Seeks Recovery of Bonuses at A.I.G.,” N.Y. Times (Oct. 16, 2008) (demand
for repayment of multimillion dollar bonuses citing “unwarranted and outrageous expenditures” including
“a lavish golf outing and an overseas hunting trip that cost nearly $100,000”); State v. Anclote Manor Hospital,
566 So. 2d 296 (Fla. Dist. Ct. App. 1990), rev. den., 576 So. 2d 296 (Fla. 1991) (suit to require directors of a
nonprofit to disgorge the profits from a self-dealing transaction); 2008 Fla. Stat. § 617.2003; E. Brody, “A Taxing
Time for the Bishop Estate: What Is the I.R.S. Role in Charity Governance?”
21 University of Hawaii Law Review 537 (Winter 1999) (removal and repayment of excessive compensation allegedly
paid to trustees of nonprofit school).
21 IRS Exempt Organizations Division Work Plan (FY2009), p. 20, available online at www.irs.gov/pub/irs-tege/
finalannualrptworkplan11_25_08.pdf.
22 26 C.F.R. § 53.4958-1(c)(4)(iv).
23 26 C.F.R. § 53.4958-6(c)(3)(i) & (ii).
24 26 C.F.R. § 53.4958-4(a)(3)(ii) & -6(d).
25 26 C.F.R. § 53.4958-6(c)(3)(ii).
26 See, e.g., Choate Construction Co. v. Commissioner, 74 T.C.M. (CCH) 1092 (1992); Medina v. Commissioner,
46 T.C.M. (CCH) 76 (1983); 26 C.F.R. § 53.4958-6(c)(2)(i). In one exempt organization case where such
arguments were made they were rejected for lack of substantiation. See Northern Illinois College of Optometry v.
Commissioner, 2 T.C.M. (CCH) 664 (1943).
27 26 C.F.R. § 53.4958-6(e).
28 The revised good governance guidelines are available on the IRS website at http://www.irs.gov/pub/irs-tege/
governance_practices.pdf. For a summary of the good governance guidelines and other considerations for good
governance please see the Commentary at http://www.jonesday.com/pubs/pubs_detail.aspx?pubID=S4013.
29 26 C.F.R. § 53.4958-6(c)(1)(iii) and 26 C.F.R. § 53.4958-3(b)(1).
30 Form 990, Instructions for Core Form, Part VI, Line 1.
31 The full report is available online at http://www.irs.gov/pub/irs-tege/exec._comp._final.pdf.
32 26 U.S.C. § 7623; 26 C.F.R. § 301.7623-1(c).
A report on the executive compensation phase of the Hospital Project
that started in May 2006 is expected to be released in early 2009.
Another compensation review project involving approximately 400
colleges and universities, including some academic medical centers, is
currently in progress, following an extension of the due date for initial
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
37
March 2009

COMPLIANCE
101
March 2009
38
I just received a
subpoena – Now
what?!
By Andrea Ebreck and Karen Cincione
Editor’s note: Andrea Ebreck and Karen
Cincione are health care attorneys at the law
firm of Vorys, Sater, Seymour and Pease LLP in
Columbus, Ohio. Ms. Ebreck may be reached at
614/464-4951 or by e-mail at alebreck@vssp.
com. Ms. Cincione may be reached at 614/464-
6201 or by e-mail at kacincione@vssp.com.
As a new health care compliance
professional, it is just a matter of
time before you are called upon to
respond to a request from an attorney for the
production of medical records. In responding
to these requests, you must be very careful
to do so in compliance with the Health
Insurance Portability and Accountability Act
(HIPAA) and other state and federal confidentiality
laws.
Identifying the request
The first order of business after receiving a
subpoena is to review it in order to determine
what is being requested, when, by whom, and
in what type of legal action. Each state has
laws governing the form, content, and service
of a subpoena, and some state laws require
witness or mileage fees to be included with a
subpoena.
To determine how to best respond to a subpoena,
you must first identify the basics of
the request. These include:
n What type of legal action is involved (federal
or state court, juvenile, probate, etc.)?
n What is the name of the individual for
whom information is being sought?
n What is the information that is being
sought (entire record vs. certain specific
information)?
n What does the subpoena direct the health
care provider to do (produce records,
testify, both)?
n Who is requesting the information (attorney
for the person about whom information
is sought or attorney for another
party)?
n Whether the individual whose information
is sought is currently, or has ever been, a
patient for whom the health care provider
has records.
n Whether the health care provider has
the specific information sought by the
subpoena.
n Whether the individual whose information
is sought has authorized the disclosure.
n Whether the information sought is confidential
or privileged under federal or state
law (see discussion below).
n Whether the person seeking the information
has provided evidence of “satisfactory
assurances” that the person has notified or
attempted to notify the individual whose
information is sought (see discussion below).
n Whether a court has ordered the disclosure
of the information sought (apart from
issuance of the subpoena).
Many times, a call to the subpoenaing
attorney can resolve questions about what
information is sought (perhaps the entire
record is not really needed), whose information
is sought (surprisingly often, this is not
clear from the face of a subpoena), whether
authorization for disclosure is sought,
whether appearance at a trial or deposition is
really necessary, or whether a certified copy of
records will suffice.
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
Applying the law
Once you have identified the request, you
must then determine whether there are any
federal or state laws that would prevent you
from complying with the subpoena. In
this regard, it is important to consider the
application of HIPAA, the physician-patient
privilege, and a number of other state and
federal confidentiality laws.
HIPAA. Generally, HIPAA prohibits covered
entities from disclosing protected health
information (PHI) except as permitted or
required by law. PHI is defined as information
held or disclosed by the covered entity
in any form (electronic, paper records, oral
communications) that identifies an individual
and relates to the individual’s past, present, or
future physical or mental health or condition,
the provision of health care to the individual;
or the past, present, or future payment for the
provision of health care to the individual. 1
HIPPA allows for the disclosure of PHI in
response to a subpoena in the following two
instances. First, the information may be
disclosed if the individual who is the subject
of the information properly authorizes the
disclosure. Second, the information may be
disclosed without the individual’s authorization
if the covered entity receives “satisfactory
assurance” from the party requesting the PHI
that it has made reasonable efforts to give
notice of the request to the individual who is
the subject of the PHI or has made reasonable
efforts to obtain a qualified protective order. 2
Generally, “satisfactory assurance” that efforts
have been made to provide notice to the
individual requires a written statement and
accompanying documentation that:
1. The party requesting such information
has made a good-faith attempt to provide
written notice to the individual;

2. The notice included sufficient information
about the litigation or proceeding to
permit the individual to raise an objection
to the court or administrative tribunal;
3. The time for individual to raise objections
to the court or administrative tribunal has
elapsed; and
4. No objections were filed, or any objection
filed by the individual have been resolved
by the court or administrative tribunal. 3
A “qualified protective order” means an order
of a court or tribunal or stipulation of the
parties to the proceeding that:
1. Prohibits the parties from using or disclosing
the protected health information
for any purpose other than the litigation
or proceeding for which the information
was requested, and
2. Requires the return to the covered entity
or destruction of the protected health
information at the end of the proceeding. 4
Other federal and state laws
Even if disclosure is permitted under HIPPA,
there may be other reasons to hesitate before
disclosing medical records without a patient’s
written authorization. Practically speaking,
the subpoena will likely be issued without any
determinations regarding the application of
privilege. Although no federal law governs
the application of the physician-patient
privilege, state law generally recognizes a
patient’s right to keep information shared
with their doctor and other health care
practitioners from being disclosed in a legal
proceeding. State laws establish privileges
and often create exceptions to their application.
Often, a health care practitioner
served with a subpoena will not have enough
information to know whether an exception to
privilege exists or whether or not the patient
may have waived the privilege. The patient
may also indicate that he or she does not
want the information sought to be disclosed.
In these situations, it is best for the health
care practitioner to assert the privilege and let
the court determine an exception to privilege
exists or a waiver has occurred. Depending
on a particular state’s laws, a health care
provider that prematurely hands over patient
records to opposing counsel in response to
a subpoena could be sued for negligence for
failing to protect the privilege, even if the
disclosure is authorized under HIPAA or
other state confidentiality laws.
Additionally, medical information may be
protected under state and federal law when it
relates to a specific medical condition or type of
information. For example, federal law protects all
information about any person who has applied
for or been given diagnosis or treatment for alcohol
or drug abuse at a federally assisted program. 5
This law further states that a subpoena or warrant
signed by a judge or an order agreed upon by the
parties is insufficient to support the disclosure of
patient identifying information by any federally
assisted program unless: (1) the subpoena and/
or warrant is accompanied by an authorizing
court order issued after specified procedures are
followed; or (2) the individual has authorized the
disclosure. When the patient does not consent to
the disclosure, the law prohibits substance abuse
treatment programs from releasing information
in response to a subpoena unless a court has
issued an order that complies with applicable
law. 6 Most states also have laws governing the
confidentiality of HIV-related information,
mental health treatment records, and medical
records. When a state or federal confidentiality
law is more restrictive than HIPPA, health care
providers must follow the stricter state law. For
example, if a program has disclosed patient
records that include references to HIV treatment
after the patient has signed a consent form that
is proper under HIPAA, compliance personnel
must also determine whether the state imposes
any additional requirements for disclosing this
type of information, such as a special consent
form. Conversely, in instances in which a state
confidentiality law or any other state law is less
protective of confidentiality than the federal law,
however, federal HIPPA rules will control.
The role of the compliance professional
Many health care providers find that the most
effective way to ensure a correct response
to subpoenas is to designate a compliance
professional to review and coordinate or assist
in responding to subpoenas.
By becoming knowledgeable about the
records, staff credentials, and the laws governing
information in the health care provider’s
possession, compliance professionals can
facilitate appropriate disclosures and protect
the privacy of the provider’s patients. Compliance
professionals often play a crucial role
in ensuring that clinical staff who have been
subpoenaed to testify are aware of any limitations
or requirements with respect to their
testimony. In many instances, compliance
professionals are also called upon to communicate
with attorneys who seek privileged or
otherwise confidential information and make
them aware of governing health care laws.
Above all, the role of the compliance professional
is to ensure that a subpoena is never
ignored! Even if a federal or state law prohibits
the requested information from being
disclosed, you must still take some action with
respect to a subpoena. When in doubt, you
should always seek advice from legal counsel
to ensure that your response or objection to a
subpoena is appropriate and lawful. n
1 45 C.F.R. §§ 164.501, 164.502(a)
2 45 C.F.R. § 164.512(e)
3 45 C.F.R. § 164.512(e)(iii)
4 45 C.F.R. § 164.512(e)(1)(v)
5 42 CFR §2.11
6 42 CFR §§ 2.63 through 2.67
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
39
March 2009

HCCA Regional Conferences
Join us at HCCA’s 2009 Regional Conferences
HCCA’s regional conferences take place throughout the year, all over the United States.
You’re sure to find one that works for you!
2009 Regional Conferences
Columbus, OH....................... May 8
New York, NY....................... May 15
Seattle, WA........................... June 5
Los Angeles, CA................. June 26
Boston, MA...............September 11
Minneapolis, MN......September 12
Kansas City, KS........September 26
Pittsburgh, PA..................October 9
Honolulu, HI...................October 16
Denver, CO.....................October 23
Nashville, TN................November 6
Louisville, KY.............November 13
Phoenix, AZ................November 20
March 2009
40
Visit www.hcca-info.org for registration information
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

Upcoming Regional Conferences
June 5
Seattle, WA
September 18
Minneapolis, MN
September 11
Boston, MA
October 23
May 8
Denver, CO Columbus, OH
October 9
Pittsburgh, PA
May 15
New York, NY
June 26
Los Angeles, CA
September 25
Kansas City, KS
November 13
Louisville, KY
November 20
Phoenix, AZ
November 6
Nashville, TN
October 16
Honolulu, HI
HCCA is going green
HCCA conference attendees will NOT automatically receive
conference binders. If you would like to purchase conference
binders, please choose that option on your conference
registration form. Attendees will receive electronic access to
course materials prior to the conference as well a CD onsite
with all the conference materials.
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
41
March 2009

March 2009
42
Standing at the
crossroads
Editor’s note: Michael Spake is Director,
Compliance & Privacy with MCG Health, Inc.
in Augusta, Georgia. He may be reached by
e-mail at mspake@mcg.edu or by telephone at
706/721-0900.
“A new beginning has to be made from the
lowest foundations, unless one is content to go
round in circles forever”.
—Francis Bacon 1
Ethicists and hospital ethics committees
originated as support functions
of hospital operations during
the second half of the 20th century. 2 The
idea of a hospital employing an ethicist to
create, implement, and oversee a hospital
ethics committee materialized as a result of
technological developments in the medical
field, new ideas about patients’ rights,
and scenarios that brought to the forefront
conflicts between moral perspectives and
medical judgments. As a result, the function
of hospital ethics committees and the definition
of ethics in the hospital setting centered
on clinical-based decision-making between a
physician and a patient, case consultations,
and closed-door discussions about humansubjects
research.
By Michael Spake, MHA, JD
Since 1990, almost every US hospital has
similarly hired a compliance officer to create,
implement, and oversee a legal compliance
program. Compliance programs have been
built around systems focused on preventing,
detecting, and punishing violations of the
law. Their existence and function was a direct
response to the federal government’s scrutiny
and challenge to hospitals to reduce fraud,
waste, and abuse, as well as the cost of health
care to federal, state, and private health insurers.
The goals of a compliance program center
on demonstrating the seven elements of a
compliance program as identified by the U.S
Department of Health and Human Services
Office of the Inspector General. 3 These are
viewed as fundamental to an effective compliance
program. The seven elements are:
1 Designing and distributing standards of
conduct including policies and procedures
to address areas of potential fraud, such
as claims development and submission
process, and financial relationships with
physicians and other health care professionals;
2 Designating a chief compliance officer
and other appropriate bodies charged
with the responsibility of operating and
monitoring the compliance program and
who report directly to the CEO and the
governing body;
3 Developing and implementing regular,
effective education and training programs
for all affected employees;
4 Maintaining a process, such as a hotline,
to receive complaints, and adopt
procedures to protect the anonymity of
complainants and to protect whistleblowers
from retaliation;
5 Developing a system to respond to allegations
of improper/illegal activities and to
enforce appropriate disciplinary action
against employees who have violated
internal compliance policies, applicable
statues or regulations of federal health
care program requirements;
6 Auditing evaluating, and monitoring
compliance and assist in the reduction of
identified problem areas; and
7 Investigating and taking remedial actions.
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
The Next Generation model
Today, many hospitals are questioning the
status quo of both their hospital ethics committee
and compliance program in an effort
to determine their effectiveness. In addition,
hospitals are being challenged by the
United States Sentencing Commission to
establish organizational cultures that promote
compliance and ethics. Pursuant to
the United States Sentencing Commission,
an organization may mitigate criminal fines
and penalties by establishing and implementing
an effective compliance program. 4 As a
result both ethics and compliance programs
are simultaneously striving to gain greater
effectiveness by achieving a level of success
coined “Next Generation” status. 5 The Next
Generation model is guided by the following
principles:
1 Committees are proactive, not just
reactive;
2 Committees are organizationally
integrated, not isolated;
3 Committees are accountable for performance,
based on demonstrable outcomes,
not just good intentions; and
4 Committees are oriented around organizational
core values, not just regulatory/
accreditation requirements.
Today, compliance programs are making
improvements towards greater effectiveness
by moving from prevention and detection
programs of retrospective review to programs
that promote organizational ethics and
encourage employee commitment to organizational
values. Hospital ethics committees
are simultaneously moving from mechanisms
that provide only clinical consultations to
becoming the center of ethical responsibility
for operational decision-making. However,
neither will independently achieve Next
Generation status. Instead, Next Generation
status will only be achieved when ethics and
compliance are molded into an integrated
operational model that (1) aligns the
organization’s separate ethics and compliance
support functions to build capacity into the

operational decision-making process and (2)
shifts from programmatic and individual
responsibility for compliance and ethics to
organizational commitment that permeates
the entire organizational culture.
Most compliance programs put in place by
health care organizations have been designed
and implemented to meet the legal requirements
established by federal and state government.
They tend to set minimum standards
aimed at meeting a clear and measurable
goal: “Is it legal?” Such compliance programs
are rules-based and often result in a policing
function that “pushes” individuals and the
organization away from awareness of an
institutional ethic. Unfortunately, many compliance
programs have not striven beyond this
minimum-standard mentality of achieving
and documenting legal compliance. Ethics
and values, by contrast, are managed on an ad
hoc basis or as a retrospective review to either
justify a decision or analyze a failure. As a
result, values analysis and ethical discernment
remain excluded from management decision
making. In most cases, decision making is
limited to financial, legal, and market share
analyses.
Many hospitals have inadvertently created
this shortfall by creating an erroneous
division between compliance and ethics. The
narrow concentration of ethics and compliance
has lead to the correlation of compliance
with business transactions (i.e., Business
Ethics) and ethics with clinical care (i.e., case
consultation). Values analysis and ethical
discernment should be carefully distinguished
from compliance analysis.
Compliance requirements do not always
reflect society’s moral standards and values,
even when the law is directly concerned with
ethical or moral problems. The mere fact that
something is legal does not make it morally
acceptable. At the same time emphasizing
ethics without stressing the necessity of rules
and laws can leave employees in a vulnerable
position. Taken as a whole, hospitals should
acknowledge this distinction; but it should
be acknowledged by recognizing compliance
and ethics within the scope of an overall
intuitional ethic composed of the following
elements:
n Clinical ethics
n Research ethics
n Social responsibility
n Professional responsibility
n Business ethics, and
n Compliance
Currently, hospitals are operating each ethics
component as a separate and divergent function
through ethics committees, institutional
review boards, Mission departments, Human
Resources, and Compliance offices. However,
when aligned in an integrated ethics
model (Figure 1) they assert an institutional
ethic that embraces compliance with legal
requirements and the values of the entire
organizational culture. Such a model not only
takes into account the minimal considerations
of the organization’s legal duties and
the moral rights of others, but it aligns ethics
components in a manner that emphasizes a
systematic approach and takes into account
Figure 1: The integrated
operations model
Governance
Clinical
Ethics
Research
Ethics
MISSION
INSTITUTIONAL ETHIC
Clinical Operations
Financial Operations
Risk Management
Human Resources
Business Ethics
& Compliance
that a single compliance/ethics incident can
be reflective of a larger organizational ethic.
This integrated operating model develops
organizations beyond meeting the basic
compliance and regulatory requirements and
better positions them to react to changing
expectations. The model moves past rulesbased
compliance, policing employee actions,
and catching lawbreakers, and simultaneously
expands the current, narrow ethics strategy
of clinical consultations to a larger total
organizational ethic. Such a model clarifies to
employees what conduct is appropriate to the
mission and values of the organization – and
what it not. At the same time it acknowledges
that emphasizing mission, ethics, and values
without stressing the necessity of rules and
laws can leave employees in a vulnerable
position. As a result, the integrated operations
model would answer the question “Is it
legal?” however, it would continue its evaluation
to include identification of all stakeholders,
identification of values and concerns, and
consideration of alternatives.
Moreover, an integrated operational model
would be capable of not only defending its
choice, but also helping the organization
understand why it decided against other
Continued on page 45
Social
Responsibility
Executive Management
Professional
Responsibility
OPERATIONAL SUPPORT ELEMENTS of COMPLIANCE & ETHICS
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
43
March 2009

SAVE THE DATES
AHLA/HCCA Fraud & Compliance Forum
October 4–6, 2009 | Baltimore, MD
Register online now at www.hcca-info.org/fraud
Quality of Care Compliance Conference
October 11–13, 2009 | Philadelphia, PA
Register online now at www.hcca-info.org/quality
Physician Practice Compliance Conference
October 11–13, 2009 | Philadelphia, PA
Register online now at www.hcca-info.org/physicians
Research Compliance Conference
October 18–20, 2009 | Minneapolis, MN
Register online now at www.hcca-info.org/research
March 2009
44
Health Care Compliance Association
6500 Barrie Road, Suite 250
Minneapolis, MN 55435
888-580-8373 (p) | 952-988-0146 (f)
helpteam@hcca-info.org | www.hcca-info.org

Standing at the crossroads ...continued from page 43
alternatives. Finally, by practicing such
discernment, a health care organization can
clearly identity its motivations by having a
deeper understanding of its actions.
This integrated operating model cannot be
achieved by a single department or ethic
component. Instead it involves an integrated
structure (as described above) that, through
a broader ethics mechanism, builds capacity
within the operating functions 6 of a hospital.
Creating capacity throughout such a broad
ethics mechanism includes building tools
as uncomplicated as a simple checklist for a
single decision maker to ensure that he or she
is considering all the relevant dimensions of a
complex issue.
Also, and more importantly, it integrates ethical
discernment into the organizational decision
making process. For example along with
financial, legal, and market share analyses,
an organization’s management team that is
practicing an integrated ethics model would
also consider the following when evaluating a
project or course of action:
n Is the action consistent with the organization’s
basic duties?
n Does the action respect the rights and
other legitimate claims of the identified
stakeholders?
n Does this action reflect a “best practice?”
n Is the action consistent with the organization’s
mission, vision, and values? 7
These questions elicit minimal considerations
that address the organization’s duties and
the moral rights of others. However, it also
raises considerations beyond the minimum
standard and emphasizes an ethic demonstrative
of leadership organizations.
Leadership
Once a health care organization has achieved
an integrated ethics model, the final barrier
to achieving Next Generation status is
shifting the organizational culture from one
of individual responsibility for compliance
and ethics to one in which the organization
is committed to achieving operational
excellence in ethics. The compliance officer
cannot serve the roles of both oversight and
owner of corporate compliance. Similarly,
ethicists should not be the sole decisionmakers
when evaluating an organizational
situation. Instead, leadership should embrace
the integrated model under the framework
that everyone is responsible for pursuing the
institutional ethic. Success in building such
an integrated model requires leaders across
all disciplines who have a clear conception of
the organization’s values, talent management,
mission, and community commitment.
Leaders must learn and build ethical awareness
into the culture of the organization.
This type of compliance and ethics strategy
cannot be guided by one ethics officer, but
requires a multi-dimension strategy built
from each ethical component that facilitates
values-based decision-making at every level
of management on a day-to-day basis. Such
a strategy is based upon having a culture
of openness, organizational responsibility,
and a commitment to ethics within each
business goal. Successfully implementation
of this strategy requires not only intellectual
commitment of leadership and all employees,
but also a sense of shared values and purpose
throughout the organization. The end result
is leadership committed to problem finding,
not merely problem solving, and to accepting
responsibility at all levels.
Finally, an organization’s compliance and/or
ethics failure cannot be viewed as a programmatic
failure or individual shortfall. Instead,
it is an organizational opportunity to reflect
upon the entire ethical situation as opposed
to scrutinizing the situation. For example,
after screening employee applications and
qualifications, interviewing candidates,
background checks, and calling references,
the department of an organization hires a new
employee. After the first six months, which
included training and later a remedial workplan,
the employee continues to have below
average productivity. During this period, it
is evident the new employee is becoming
frustrated and angry at his situation. Finally,
the new employee gives-up; but rather than
resign from his position, he/she commits an
act of workplace violence, nearly injuring his
supervisor and co-worker. His actions result
in a criminal charge of attempted murder.
Afterwards, a compliance investigation is
conducted. The investigation concludes that
all actions taken to “help” the new employee
were in accordance with the organization’s
formal published policies. The investigation
further includes that no one was hurt and
the wrong-doer will be punished not only
by immediate termination, but also in his/
her upcoming criminal trial. The investigation
is completed and documented in the
Compliance log. Overall, the situation was a
near-miss, but considered a success.
An organization that practices the integrated
ethics model would examine the incident
beyond the facts/legalities and consider
whether or not this one instance is reflective
of a larger organizational ethic. The organization
would identity and explore its motivations
and the new employee’s, and thereby
have a deeper understanding of the actions
of all parties involved. More specifically, the
organization will take accountability and ask
if it failed the new employee.
n Did the organization’s screening process
fail?
n Did the organization fail to develop the
new employee appropriately?
Continued on page 50
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
45
March 2009

Cyber doctors
By Sonya Burtner, MA, CHC, CPC, CPC-H
Editor’s note: Sonya Burtner works as a compliance
specialist for Shands Health-Care in medical information exchanged from one site
(ATA) defines telemedicine as “the use of
Gainesville, Florida, a seven-hospital health care to another via electronic communications
system. She may be reached at 352/733-0057 or to improve patients’ health status.” Medical
by e-mail at burtnsf@shands.ufl.edu.
information can now be communicated via
the Internet, video conferencing equipment,
When my parents lived in Chicago in the and satellite technology. Telemedicine is
1950s, it was not uncommon for my mother to as basic as a telephone call between two
call our family doctor, about me or one of my providers discussing the case of a patient, or
siblings, to discuss a medical issue. The doctor as complex as using satellite technology for
would direct the sick child to cough into the robotic surgery.
phone. A prescription was then called in.
The terms telehealth and telemedicine are
Patient care at a distance is certainly not a often used interchangeably. Telemedicine is
new practice. There are many examples in most often defined as focusing on clinical
our history illustrating this concept. In 1642, services and the curative aspect, whereas
Theophraste Renaudot, a French physician telehealth has a broader meaning and can
and philanthropist, created a patient booklet refer to clinical and non-clinical services, such
with lists of symptoms and simple body as medical education, administration, and
diagrams. The patients would check off the research, in addition to clinical services.
symptoms they were experiencing from the
list and used the diagrams to identify the Other terms used in the industry are the
body parts that were troubling them. This “originating site” which is the site where the
innovative booklet enabled a patient to patient receiving the service is located, as
receive a diagnosis and treatment by post opposed to the “distant site,” the site where
without a personal visit to the physician. the physician providing the service is located.
Other doctors also engaged in such practices, Also, services where both parties are interacting
at the same time with a communications
such as William Cullen (1710-1790) of
Edinburgh, Scotland and John Morgan link between them are called “real time”
(1735-1789) of Philadelphia, who were both services or synchronous telemedicine. In
equally active with postal consultations. 1 contrast “store and forward technology” refers
to the asynchronous transmission of medical
In more recent years, due to the vast improvement
of modern technology, care at a distance
information to be reviewed at a later time.
has become more sophisticated and developed Current applications
into what we now know as telemedicine. This The dramatic growth of technology and the
article explores current applications of telemedicine,
the benefits, and some of the associated care. Consumers all over the world have a
Internet has provided great benefits to health
compliance and legal risks that hospitals have to wealth of health information at their fingertips
contend with when practicing telemedicine. and can receive diagnostics and purchase
pharmaceuticals. A few of the many applications
Definitions
of telemedicine are described below.
The American Telemedicine Association
Teleradiology/telepathology - One of the
most common applications of telemedicine
is teleradiology and telepathology. A smaller
hospital, for example, with limited staffing
resources may contract with a bigger hospital
for the purposes of interpretation and/or
consultation of tests for trauma patients after
hours. Radiological patient images, such as
x-rays, CAT scans, and MRIs, are transmitted
from the originating site to the distant site.
This saves time and improves patient care by
allowing hospitals to access radiology services
24/7. Teleradiology can be accomplished with
an international distant site as well. In fact,
outsourcing teleradiology services overseas (in
countries such as India, Israel, and Australia)
is becoming popular to cover the night hours
along with radiologists in other US time
zones, hence the term of “nighthawk” radiology
services. Similarly, telepathology activities
occur to provide urgent services at sites
without a pathologist. Both teleradiology and
telepathology are instrumental in providing
consultative services with immediate access.
This can be extremely beneficial to physicians
in rural areas or for a physician seeking a
second opinion in emergency situations.
Telephone and online patient consultations
Patients consulting their physicians over the
phone or by e-mail via the Internet is not a
new practice, but until recently, there were no
CPT codes to report these services. The CPT
codes for telephone services have been updated
for 2008 to 99441, 99442, and 99443 and are
based on the amount of time spent discussing
the medical issue. And in 2008, the CPT
code 99444 became available to report online
services. According to the AMA Current Procedural
Terminology (CPT), the services can only
be reported for an established patient and only
once for the same episode of care in a sevenday-period.
The service must include all other
communications, such as related phone calls,
March 2009
46
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

prescription, and lab orders. The e-mails must
be kept in permanent electronic or hardcopy
storage. Even though the guidelines are strict,
the assignment of these CPT codes is very
encouraging for telemedicine providers, because
it is a start towards acknowledging these types
of services for reimbursement purposes in a
time where phone and Internet communications
have so many appeals to patients.
Note: The above CPT codes were the only
existing “tele” codes before July 1, 2008,
because all other telemedicine activities are
reported using the same CPT codes as the
service conducted without telemedicine.
Effective July 1, 2008, the AMA introduced
new CPT Category III Codes to
report remote real-time interactive videoconferenced
critical-care services. The codes
are 0188T and 0189T. The creation of new
CPT codes to accurately capture telemedicine
activities will probably increase every year.
Telemarker
A special portable phone used in Israel can assist
in the determination of a real heart attack. The
process is simple. If a patient is experiencing
chest pain, a simple self blood test (called Telemarker)
is performed. The test can detect the
presence of two proteins, which are bio-chemical
precursors of a heart attack. The device sends
the information to a center through a modem,
and the doctor can analyze the results and
determine if there is a real medical emergency.
This device avoids unnecessary hospitalizations
and reduces unnecessary costs. 2
iPath
A telemedicine network developed at the
University of Basel, iPath allows publication and
discussion of medical cases for second opinion
consultations. iPath is a secure teleconsultation tool
that enables virtual communities of care professionals
to exchange advice about the management
of clinical cases in several expertise domains. The
network has been active since 2001 and is used in
15 French-speaking African countries, including
Mali, Mauritania, Morocco, Tunisia, Senegal,
Cameroon and the Ivory Coast. 3
Telesurgery
On September 7, 2001, a team of French
surgeons located in New York performed a gall
bladder removal with the Zeus Robotic System
(at this time, no longer on the market) on a 68
year-old woman located in Strasbourg, France
– 4,000 miles away. “Operation Lindbergh”
took 45 minutes and was the first robotic
transAtlantic telesurgery. The procedure was
successful with no complications and the patient
was discharged two days after the operation. 4
Telesurgeries (also known as remote surgeries)
have not yet occurred with patients in the
U.S.; however, robotic systems are being used
for surgeries when a physician is in the same
room with the patient. The Food and Drug
Administration (FDA) first cleared the da Vinci
Robotic System in 2000 for general laparoscopic
surgeries, such as a gall bladder removal and for
treatment of severe heartburn. Since then, use
of the system has increased and expanded into
several other surgical areas.
The da Vinci Robotic System allows surgeons
to operate from a distance with a minimally
invasive approach that uses small incisions. The
robotic system includes a post with multiple
arms which is positioned over the patient. The
surgeon is seated across the room from the
patient and has his/her arms inserted in a console.
The surgeon manipulates the robot’s arms
while looking at magnified 3D images of the
surgical site. Remote surgery is still considered
investigational within the U.S. and “should
not be performed except under IRB [Investigational
Review Board] approval and by persons
thoroughly familiar with the technology.” 5
Nevertheless, the revolutionary event of Operation
Lindbergh supports the incredible potential
of telesurgery, bringing new opportunities to the
delivery of patient care. Some day, telesurgery
may enable surgeons to operate from remote
locations to help fallen soldiers in a battlefield or
even astronauts in space.
Benefits of telemedicine
The Internet is dramatically changing the way
consumers access health information, receive diagnostics,
and purchase pharmaceuticals, and plays
a key role in expanding the reach of telemedicine.
Telemedicine appeals for a host of reasons:
n Increased access to health care –
Telemedicine increases access to health
care in a variety of situations: the
Emergency department physician can seek
a second opinion quickly, the isolated
community can access a specialist when
there is none in the area, the understaffed
hospital can contract radiology services after
hours and support emergency services.
n Cost savings to patients – Telemedicine
offers certain conveniences, such as allowing
the patient to contact his/her family
doctor without leaving home or to use the
Telemarker test to save a trip to the emergency
room. Internet communications are
convenient and efficient for simple medical
problems and save both time and money.
The health care consumer nowadays is
much more informed, educated, and accustomed
to using electronic sources to gather
and transfer information, and is more likely
to ask for advice by e-mail or phone.
n Cost savings to providers – Providers also
benefit from telemedicine. Travel time for
providers can be significantly reduced as
well. Many radiologists have opted to get
the applicable equipment installed in their
homes when participating in teleradiology
services, thus saving on transportation
expenses with the additional attraction of
flexible working hours. 6
n Improved patient outcomes –
Telemedicine provides quicker delivery of
Continued on page 48
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
47
March 2009

Cyber doctors ...continued from page 47
care, which leads to improved continuity
of care. Doctors can get a more accurate
diagnosis of their patients with the quick
access to a second opinion by teleconsulting
with a specialist.
n Cutting edge opportunities – State of the
art equipment, such as remotely controlled
surgical robots, are opening up many
future opportunities for research, the
military, and NASA.
Compliance and legal issues
The telemedicine industry faces many challenges.
Hospitals and other providers need to conduct
due diligence before engaging in any telemedicine
activities. Below are some of the issues.
Interstate licensing
The essence of telemedicine is practicing
medicine without borders. Technology enables
the provider to render an opinion or interpret
a test on a patient who lives down the road as
easily as one living in a different state or across
the world. However, when telemedicine is
practiced across state lines, licensure becomes
an issue. The patient’s physical location (i.e.,
the originating site) identifies the location
where the health care is provided, so a provider
must abide by the laws of that state. In many
cases, this may mean that the provider has to
get licensed in that state. This can be quite
burdensome for a telemedicine provider
who may have to fill out multiple licensure
applications and pay multiple registration fees
in order to practice. In addition, each state has
its own licensure laws regulating telemedicine
with varying degrees of restrictions or exemptions.
In Arizona, licensure requirements do
not apply if a doctor licensed in another state
engages in an episodic consultation about
a patient with a doctor licensed in Arizona.
Montana, on the other hand, prohibits the
practice of telemedicine without a telemedicine
certificate issued by the State Board of Medical
Examiners. 7,8 Some states have not determined
how they want to address the out-of-state
providers licensure issue.
It is not just a physician issue. Hospitals may be
viewed as “aiding and abetting” the physician
who is practicing telemedicine without a license
in another state. A hospital must carefully review
each state’s requirements with their Legal department
before engaging in any kind of telemedicine
involving physicians in other states.
Several medical specialties, such as the American
College of Radiology (ACR), have developed
guidelines for telemedicine activities to ensure
the protection of the patient. On the topic of
overseas contracting for teleradiology, the ACR
recommends that the overseas radiologist “be
licensed by the state(s) and credentialed by the
U.S. hospital(s) that contracts for their services as
stated in the American College of Radiology Teleradiology
Technical Standards.” The interpreting
physician should also be covered by medical
malpractice insurance. Hospitals should conduct
due diligence when entering into contractual
arrangements with teleradiology companies.
Discussions are underway to try to resolve
these licensure dilemmas. The 2001 Telemedicine
Report to Congress outlined different
alternatives to address these issues, including
assessing the feasibility of developing
common licensure application forms.
Credentialing issues
Another dilemma for which solutions are not
clearly defined by the regulations are credentialing
issues. Must a telemedicine provider be
credentialed in the state in which the patient
is located? Various credentialing organizations,
such as the Joint Commission of
Accreditation (JCAHO), have provided some
standards for telemedicine which indicate that
a licensed practitioner who is responsible for
the care of a patient via a telemedicine link
is subject to the credentialing and privileging
processes of the originating site. However,
the originating site can use the credentialing
information from the distant site, if the
distant site is a JCAHO–accredited organization
(Standard MS.13.01.01). JCAHO does
not address all areas of telemedicine services.
Consultative services, for example, fall outside
the scope of the JCAHO telemedicine standards.
9 And, what about the teleradiologist
who is unaffiliated with a particular hospital
and practices independently? Telemedicine is
still an underdeveloped medical-legal frontier.
Security and privacy issues
Privacy, security and confidentiality issues
are not unique to telemedicine. Similar to
any other electronic transactions, hospitals
must ensure that adequate precautions are
taken when transmitting protected health
information (PHI) out of the hospital
networks. Because telemedicine activities
can be broadcast anywhere, the concerns are
perhaps more prevalent. The America Medical
Association (AMA) has developed guidelines
for physician–patient e-mail communications.
Advances in technology have brought great
benefits as well as drawbacks in this area.
Informed consent
Physicians who practice telemedicine must also
consider informed consent requirements, which
vary from state to state. In some states, the
informed consent requirements do not apply if
the patient is not involved directly in the telemedicine
activity (such as consultative services).
In addition, the physician’s home state may have
different informed consent requirements than
the state where the patient resides. The treating
physician should explain to the patient, not only
the risks associated with the telemedicine service,
but issues such as which state the telemedicine
provider is licensed/credentialed in, the process
for follow up care, the equipment required, and
the operating staff that may be required at the
originating site and at the distant site. 10
March 2009
48
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

Telemedecine equipment
The technology involved with a telephone or
simple videoconference hookup for telemedicine
services is easy to use and readily available.
However, depending on the type or equipment
or technology used in the telemedicine service,
the provider may be required to abide by state
and federal regulations related to the use of
such equipment. The Federal Food and Drug
Administration (FDA) has the responsibility for
regulating the safety and effectiveness of medical
devices, and therefore, may regulate software and
hardware used to practice telemedicine. Also, telemedicine
providers must consider particular state
regulations. Some states have instituted specific
rules governing the use of the Internet, e-mail and
similar technologies when treating patients.
Hospitals and telemedicine providers need
to review FDA and state regulations in
telemedicine arrangements in reference to
equipment, related technologies, and the use
of the Internet in the treatment of patients.
Reimbursement issues
The lack of reimbursement for the provision
of this mode of treatment is an obstacle to the
expansion of telemedicine. Congress has taken
some action in the Balanced Budget Act (BBA)
of 1997 where some Medicare reimbursement
for telehealth services was authorized. Congress
has further directed The Centers for Medicare &
Medicaid Services (CMS) to establish a payment
methodology for telemedicine services in rural
shortage areas if certain conditions are met. 11
Medicare
The Medicare Policy Benefit Manual has
specific guidelines for coverage and payment for
telehealth services. The list of services covered
are: consultations, office visits, individual
psychotherapy, pharmacologic management,
psychiatric diagnostic interview examination,
end-stage renal disease-related services, individual
medical nutrition therapy, and most recently
added in 2008, neurobehavioral status exam.
The CPT codes used to report telehealth services
are no different than regular services performed
without the use of a telecommunications system
(with the few exceptions already mentioned
for telephone and online consultations and
remote-real time interactive video-conferenced
critical care services). The originating site must
be located either in a rural health professional
shortage area (HPSA) or in a county outside of a
metropolitan statistical area (MSA). Authorized
originating sites are limited to a physician’s office,
a hospital, a critical access hospital, a rural health
clinic, or a federally qualified health center. On
July 16, 2008 Congress passed H.R. 6331, which
expanded Medicare coverage beginning January
1, 2009, to include skilled nursing facilities, inhospital
dialysis centers, and community mental
health centers as telemedicine sites.
The guidelines further state:
“For Medicare payment to occur, interactive
audio and video telecommunications
must be used, permitting real-time
communication between the distant
site physician or practitioner and the
Medicare beneficiary. As a condition of
payment, the patient must be present and
participating in the telehealth visit.”
The payment amount is equal to the
reimbursement of the service without the use
of telemedicine. There is one exception to the
interactive telecommunications requirement in
the case of federal telemedicine demonstration
programs, such as the ones conducted in Alaska
or Hawaii. In those cases, Medicare payment is
permitted for “store and forward technology”. 12
Telephone calls and online consultations
Medicare does not pay for telephone calls or
online consultations at this time. In fact, the
Medicare Benefit Manual Medicare, Chapter
15 states that telephone call services are considered
an integral part of the physician services
and there is no separate payment. Though this
article does not focus on non-federal payers, it
is worth mentioning that Aetna and CIGNA
HealthCare are already paying some physicians
for online patient consultations. 13
Home health
Federal regulations require face-to-face visits
for home health, and telemedicine cannot be
used as a substitute for those visits. However,
a telemedicine encounter may be used as a
supplement to the required face-to-face visits.
The Medicare Benefit Policy Manual, Chapter
7 can be reviewed for further detail.
Teleradiology outsourcing
With respect to teleradiology that is outsourced
to a different country, CMS prohibits payments
to providers outside the United States.
Hospitals with such arrangements would have
to pay the overseas radiologists directly. The
ACR has voiced concern about the interpretation
of radiology images outside of the U.S.,
because of the risk that a US radiologist would
be signing off on the “ghost-read” radiographs
without a careful review. 14
Medicaid
CMS has not formally defined telemedicine
services for the Medicaid program; however,
in some states, Medicaid reimbursement is
available for certain services.
2009 OIG WorkPlan
It is noteworthy that some form of telemedicine
auditing is included in the 2009 Work
Plan. OIG will be reviewing the appropriateness
of Medicare claims for long-distance
evaluation and management services:
“Pursuant to the CMS ‘Medicare Benefits
Policy Manual,’ Pub. No. 100-02, ch. 15, §
30, a service may be considered a physician’s
service if the physician either examines the
Continued on page 50
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
49
March 2009

Cyber doctors ...continued from page 49
patient in person or is able to visualize some
aspect of the patient’s condition without a
third person’s judgment. Although services
provided by means of a telephone call between
the physician and the beneficiary may
be covered under Medicare, there are certain
services that require a face-to-face visit.
Previous OIG work identified instances of
physicians billing for services that would normally
require a face-to-face examination for
beneficiaries who lived a significant distance
from the physician. We will also examine
factors that contribute to the submission of
long-distance physician claims.”
Per the Medicare Benefit Policy Manual,
Chapter 15, Section 270.2,
“the use of a telecommunications system may
substitute for a face-to-face, ‘hands on’ encounter
for consultations, office visits, individual
psychotherapy, pharmacologic management,
psychiatric diagnostic interview examination,
end stage renal disease related services, and
individual medical nutrition therapy.”
However, because the CPT codes used are,
CCB Accredited
in most cases, the same as non-telemedicine
encounters, it is unclear how the OIG will
pull the data for this review.
Conclusion
Telemedicine plays a critical role in providing
access to health care, especially in underserved
areas. Providers must ensure that the risks of
providing telemedicine services do not outweigh
the benefits, carefully enter into agreements
with the assistance of their Legal department,
and should develop telemedicine policies. n
1 Wikipedia, the Free Encyclopedia – http://en.wikipedia.org/wiki/
In_absentia_health_care
2 Official Site of the French/Israeli Chamber of Commerce - Article by
Michael Finkelstein – 9/27/2008 - Available at: http://www.israelvalley.com/
news/2008/09/27/19708/israel-medical-abecedaire-telemedecine-peut-savoirsi-le-risque-de-crise-cardiaque-est-reel-grace-a-un-telephone-portable-special
3 Reseau RAFT Network - http://raft.hcuge.ch/
4 Surgeons perform successful near real time telesurgery from New York
on patient in France. Available at: http://www.hoise.com/vmw/01/
articles/vmw/LV-VM-10-01-20.html
5 Society of American Gastrointestinal Endoscopic Surgeons (SAGES)
2000 - Remote Surgery Guidelines
6 Radiology Today - “Remote Reading -PACS and Teleradiology Let
Radiologists Work Almost Anywhere.” - Dan Harvey - 4/10/06
7 AMA - Physician Licensure: An Update of Trends – Janice Robertson-
2/27/2008
8 Lynn D. Feisher and James C. Dechene, Eds: Telemedicine and
E-Health Law. Law Journal Seminars Press; Lslf edition (December 5,
2004) Chapter 1
9 JCAHO Perspectives - Existing requirements for telemedicine practitioners
explained – Feb 2003. Available at: http://americantelemed.i4adev.
com/files/public/abouttelemedicine/JCP_2_2_2003.pdf
10 Lynn D. Feisher and James C. Dechene, Eds: Telemedicine and
E-Health Law. Law Journal Seminars Press; Lslf edition (December 5,
2004) Chapter 1
11 Lynn D. Feisher and James C. Dechene, Eds: Telemedicine and
E-Health Law. Law Journal Seminars Press; Lslf edition (December 5,
2004) Chapter 8
12 Medicare Benefit Manual – Chapter 15 – Section 270 – Telehealth Services
13 New, Revised CPT Codes Target Online, Telephone Services - Sheri Porter
– 2/29/08 – Available at: http://www.aafp.org/online/en/home/publications/news/news-now/practice-management/20080229cptcodes.html
14 The American College of Radiology ( ACR) - Revised Statement on the
Interpretation of Radiology Images Outside the United States – 5/23/06
C R E D I B I L I T Y
Standing at the crossroads
...continued from page 45
n Is there a higher-level management issue
within the department?
n Because the employee has a pregnant
wife who is about to deliver, should the
organization maintain their benefits? If so,
for how long?
Overall organizational responsibility and
commitment to the institutional ethic
recognized by this model is dependent on the
commitment of the organization’s governance
and executive leadership. Almost every hospital
operates each of the ethics components
described in this model. The model proposed
in this paper, though, is just a model. At
the end of the day, what counts is how the
organization places this model (or any model)
into practice; and more importantly, how it
is promoted and practiced by its executive
leadership and board.
As organizations and the delivery of health
care evolves, our system of caring is becoming
more complex. As a result, we as providers
of health care, both clinical and non-clinical,
will face more multifaceted ethical and legal
challenges. The strategy above is neither
a “golden hammer,” nor a one-size-fits-all
resolution to the challenge. Instead, it is
an attempt to encourage rethinking of our
overall ethics strategy and commitment to
mission driven health care. n
Certificate in Health Care Compliance
Gain the knowledge compliance officers need in a unique setting
• Interactive courses from industry leaders
• Part time program for working professionals
• Practical knowledge to prepare for the
certification exam—and a meaningful new career
1 Bacon, Francis, ed. Lisa Jardine. New Organon. Cambridge University
Press. March 2000.
2 See “Success and Failures of Hospital Ethics Committes: A National
Survey of Ethics Committee Chairs” Gleen McGee. Cambridge
Quarterly of Healthcare Ethics, Volume 11, Issue 1, January 2002 p87.
(Healthcare ethics committees formally began with the adoption of
Committees for the Discussion of Morals in Medicine at U.S. Catholic
hospitals in the 1960s.).
3 See 63 Fed Reg No. 35, 8987 (February 23, 1998).
4 U.S. Sentencing Commission Guidelines, November 1, 2006, Chapter
8.
5 See Murphy PhD, Kevin. “A ‘Next Generation’ Ethics Committee.”
Health Progress. March-April 2006.
6 Clinical Operations, Finance, Risk Management, and Human Resources
7 Paine, Lynn Sharp. Ethics: A Basic Framework. Harvard Business
Review. October 12, 2006.
www.hamline.edu/law/health | 651-523-2625 | mmiller14@hamline.edu
March 2009
50
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

Mandatory Stark
reporting: Is a
denouement nigh, or
just another chapter in
the saga?
Editor’s note: Ed Rauzi and Lisa Hayward are
partners in the Seattle Office of Davis Wright Tremaine,
LLP. They work for clients in the health
care delivery system full-time, all the time. Ed
may be reached by telephone at 206/757-8127
and Lisa’s number is 206/757-8058.
Although it receives scant attention,
the Stark Law has always
authorized the Secretary of Health
& Human Services to require hospitals to
submit information concerning financial
relationships such hospitals have with physicians.
Regulations purporting to implement
that authority have existed since 1991. 1 To
date, however, there is no evidence that the
Centers for Medicare and Medicaid Services
(CMS) has ever used its authority, even in an
investigation. That may soon change.
In a filing with the Office of Management
and Budget (OMB) on December 18, 2008,
CMS sought approval of documents that
will require selected hospitals to disclose
in writing the financial relationships they
had with physicians in calendar year 2006.
OMB’s permission is required under the
Paperwork Reduction Act, which prohibits a
federal agency from subjecting any person to
a penalty for failing to respond to a request
for information unless the request includes an
OMB authorization number.
If CMS gets its way, 400 hospitals will soon
be receiving a form letter transmitting a
By Edwin Rauzi and Lisa Hayward
packet of information and eight Microsoft
Excel spreadsheets. The letter will inform the
hospitals that they have 60 days to compile a
comprehensive list and provide documentation
of virtually all financial relationships
with physicians and their immediate family
members. 2 The disclosing hospitals will need
to identify and disclose each financial relationship
with each physician. As compliance
officers know, a hospital is prohibited from
submitting a claim to the Medicare program
based on an order or referral from a physician
with whom the hospital has a financial
arrangement that does not satisfy a Stark
exception. The CEO, CFO or “comparable
officer” will be required to certify that the
information is “true and correct, to the best of
my belief and knowledge.”
This is not CMS’s first attempt at obtaining
approval to send out a demand for information.
As Compliance Today noted in its September
2007 edition, CMS has been pursuing this
initiative for some time. 3 Perhaps in response to
criticism by lobbyists and the hospital industry,
the last iteration of the packet was withdrawn by
CMS on April 10, 2008. CMS began retracing
its steps with the publication of a notice soliciting
additional comments in the April 30, 2008,
edition of the Federal Register.
The details CMS changed in the new packet
include:
n Reducing the number of hospitals to be
surveyed from 500 to 400;
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
n Increasing the estimate of time that will be
spent in responding from six to 100 hours;
n Disclosing that the responses will be
evaluated initially by a Program Safeguards
Contractor;
n Requiring the disclosure of the National
Practitioner Identifier numbers of
physicians (instead of Unique Physician
Identification numbers);
n Acknowledging that “some” hospitals may
solicit legal review of the information
before it is submitted;
n Clarifying that transactions in each direction
(e.g., leases to physicians by hospitals
as well as leases from physicians by hospitals)
are included; and
n Warning that the government will not be
“estopped” from asserting that an arrangement
the hospital characterizes as compliant
is non-compliant.
Many more things in the packet stayed the same.
In addition to the certification requirement:
n The deadline to respond remains 60 days
after receipt (although CMS will consider
granting extensions);
n The sanction for late responses is potentially
$10,000 per day;
n Unless the hospital has a calendar fiscal
year, information (and contracts) for two
fiscal years will be required;
n Unless groups of agreements are “substantially
the same,” copies of each agreement
must be submitted;
n The hospital must assert whether each
agreement satisfies all of the elements
defined in the applicable regulation;
n The hospital must identify not only
recruiting, personal service and rental arrangements
that they believe fit within an
exception, but also relationships that are
“implicated” by those exceptions; and
n That the information obtained may be
“shared” with other government agencies.
Continued on page 52
51
March 2009

Mandatory Stark reporting:
...continued from page 51
New developments in payment and public reporting of quality of care ...continued from page 9
One conundrum that hospitals are likely
to face is whether each contract with each
physician for each portion of the two year
period must be provided to CMS. If the
hospital’s contracts are “uniform,” then only
a sample must be provided. An agreement is
uniform if “all of the elements present in the
arrangements are materially the same.” Given
the language in the certification, the stakes
involved, and the nature of contracts between
physicians and hospitals, contracts that are
“uniform” may prove to be the exception
rather than the norm.
The names of approximately 290 hospitals
that will receive the packet can be identified.
Those hospitals are either physician-owned
or competitors, who failed to respond to an
earlier “voluntary” request for information.
At the time this article goes to press, it is
not possible to identify the remaining 110
hospitals. It seems likely, however, that at least
one hospital in each state (and more likely,
two) will be chosen.
Hospital compliance officers are well-advised
to show the Certification Statement and
Worksheet 7 to the CEO and CFO, along
with the form’s cover letter. 4 A candid discussion
of whether the hospital could respond
with the scope and quantity of information
required and in the time allotted should
ensue. The hospital may choose to play
“Russian Roulette” and gamble that it is not
one of the hospitals chosen, but woe to the
compliance officer whose senior management
is “surprised” at receiving CMS’s demand. n
1 56 Fed. Reg. 61374
2 The instructions state: “For any question pertaining to the financial relationship
between a physician and the Hospital or entity or individual,
“physician” shall include each immediate family member of the physician,
as defined in 42 CFR §411.351.”
3 CMS sought public comment in Federal Register notices that published
on May 18, 2007 (72 FR 28056), and September 14, 2007 (72 FR
52568). CMS began the process anew in the FY 2009 IPPS proposed
rule (73 FR 23700).
4 The full packet is available at http://www.cms.hhs.gov/PaperworkReduc-
tionActof1995/PRAL/itemdetail.asp?filterType=none&filterByDID=-
99&sortByDID=2&sortOrder=descending&itemID=CMS1218565&in
tNumPerPage=10
include: retained foreign object after surgery,
air embolism, blood incompatibility, stage III
& IV pressure ulcers, falls and traumas such
as electric shock and burns, and manifestations
of poor glycemic control.
Two recent developments signal CMS’ intent
to expand this policy to professionals and to
entities other than inpatient hospitals. First,
in the OPPS Final Rule, CMS discussed
in detail its intent to expand its Hospital-
Acquired Conditions program to outpatient
hospital and other settings. Coining the
term “healthcare-associated conditions,”
CMS signaled its intent to extend the IPPS
policy to hospital outpatient departments,
ambulatory surgical centers (ASCs), skilled
nursing facilities (SNFs), home health,
physician practices, and other settings where
preventable conditions can arise. Although
no definitive policy changes were adopted in
the OPPS Final Rule, CMS made clear that
it views the ongoing problem of preventable
healthcare-associated conditions in outpatient
settings as a key strategy in its attempt to
use Medicare payments to drive quality of
care. This issue likely will be included in the
joint IPPS/OPPS listening session that CMS
intends to schedule this winter.
Second, CMS has taken its focus on “never”
events in a different direction. Instead of
including certain “never” events among the
hospital-acquired conditions for which it
currently denies payment if not present on
admission, CMS has proposed three National
Coverage Determinations (NCDs) eliminating
payment for three serious medical errors: performing
the wrong surgical or other invasive
procedures on a patient; surgical or other invasive
procedures performed on the wrong body
part; and surgical or other invasive procedures
performed on the wrong patient. The three
NCDs were released on December 2, 2008,
and CMS’ goal is to issue them in final form
by March, 2009. By using the NCD approach,
the payment denial policy will extend beyond
inpatient hospital care, affecting payment to
physicians, hospital outpatient departments,
and all other health care providers or suppliers
which may be involved.
Conclusion
As the foregoing developments indicate, CMS
continues to aggressively pursue strategies
to tie payment to quality. It is expanding
the scope of its pay-for-reporting initiatives
to new settings and types of providers as a
transition to pay for quality (value-based
purchasing), and continues to expand the
number of measures used to monitor quality.
All healthcare entities and professionals are
well advised to stay abreast of these new
developments and to participate in them if
they can, as payment tied to demonstrated
quality of care is the Congressional goal in the
not too distant future. n
1 Tax Relief and Health Care Act of 2006, Pub. Law 109-432 (Dec. 20,
2006), adding subsection (k) to SSA § 1848 and 42 U.S.C. § 1395w-4.
2 The Medicare Improvements for Patients and Providers Act of 2008,
Pub. Law 110-275 § 131(b) (July 15, 2008), amending SSA § 1848(k),
(m) and 42 U.S.C. § 1395w-4(k), (m).
3 SSA § 1848(k)(3)(B); 42 U.S.C. § 1395ww-4(k)(3)(B).
4 Pub. Law 110-275 at § 131(d).
5 HHS, Development of a Plan to Transition to a Medicare Value-Based
Purchasing Program for Physician and Other Professional Services (Nov.
26, 2008), available at http://www.cms.hhs.gov/PhysicianFeeSched/
downloads/PhysicianVBP-Plan-Issues-Paper.pdf.
6 Subsection (d) refers to SSA § 1886(d); 42 U.S.C. § 1395ww(d).
Subsection (d) hospitals are hospitals in the 50 States, D.C., and Puerto
Rico, except for psychiatric hospitals, rehabilitation hospitals, hospitals
whose inpatients are predominantly under 18 years old, and hospitals
whose average inpatient length of stay exceeds 25 days.
7 Deficit Reduction Act of 2005, Pub. Law 109-171 § 5001(a), (b) (Feb.
8, 2006).
8 The drafted legislation is currently titled the Medicare Hospital Quality
Improvement Act of 2008 (not yet numbered).
9 CMS, Physician Quality Reporting Initiative: 2007 Reporting Experience
(Dec. 3, 2008) available at http://www.cms.hhs.gov/PQRI/Downloads/PQRI2007ReportExperience.pdf.
10 Pub. Law. 110-275 § 131(b)(3), adding SSA § 1848(m)(5)(G); 42
U.S.C. § 1395w-4(m)(5)(G).
11 2009 Physician Fee Schedule Final Rule, 73 Fed. Reg. 69725, 69846-47
(Nov. 19, 2008).
12 Id. at 69845.
13 Medicare Prescription Drug Improvement and Modernization Act of
2003, Pub. Law 108-173 (Dec. 8, 2003), adding SSA § 1860D-4(e), 42
U.S.C. § 1395w-104(e).
14 CMS, Overview of E-Prescribing program, http://www.cms.hhs.gov/
eprescribing/.
15 2009 Physician Fee Schedule Final Rule, 73 Fed. Reg. 69725, 69848
(Nov. 19, 2008).
16 For specific codes, see CMS, Medicare’s Practical Guide to the E-
prescribing Incentive Program (Nov. 2008), available at http://www.
cms.hhs.gov/partnerships/downloads/11399.pdf.
17 Information about the qualified e-prescribing systems can be found at
CMS, 2009 Electronic Prescribing Incentive Program – Adoption/Use
of Medication Electronic Prescribing Measures, (Nov. 7, 2008) available
at http://www.cms.hhs.gov/PQRI/Downloads/E-PrescribingMeasure-
Specifications.pdf.
18 73 Fed. Reg. 68502, 68758 (Nov. 18, 2008)
19 Pub. Law. 109-432 Part B § 109 (Dec. 20, 2006), adding SSA § 1833(t)
(17), 42 U.S.C. § 1395(l)(t)(17).
20 72 Fed. Reg. 66580, 66860 (Nov. 27, 2007).
21 Inpatient Prospective Payment System FY 2009, 73 Fed. Reg. 48434,
48471 (Aug. 19, 2008).
March 2009
52
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

Charge Description
Master compliance
assessments
Editor’s note: Joel W. Lipin is Managing
Director, Reimbursement Services with Sinaiko
Healthcare Consulting, Inc. in Los Angeles. He
may be reached by telephone at 310/551-5252.
Years ago (not to reveal my age)
the Charge Description Master
(CDM) was an unknown entity.
I remember numerous occasions in which I
entered a CFO’s office and tried to convince
the staff that they needed to pay attention
to the data within their CDM. Many times
I experienced reluctance during these visits.
I now look back on those times and realize
that CDM awareness has truly evolved to
a point now where most healthcare-related
magazines have an article about the CDM on
some regular basis.
The CDM is a critical component within
the middle section of the revenue cycle that
brings together charging, coding, and billing
functions as the computerized warehouse for
charge descriptions, coding, and pricing for
all charges incurred within a hospital setting.
Because there are two distinct sources of
coding, from the CDM (hard-coded) and
Health Information Management (HIM)
(soft-coded), it is important to understand
where the coding is derived for each of the
various departments. Some examples are the
laboratory, which usually is hard-coded from
the CDM; the Surgical Services areas are
usually soft-coded by HIM, based upon the
medical record documentation.
To ensure that your CDM maintains accurate
information, it is mandatory to conduct
CDM compliance assessments at least once a
By Joel W. Lipin, MD, MPH
year. With CPT/HCPCS codes being revised
as each Centers for Medicare and Medicaid
Services (CMS) memorandum is issued, it is
even more important to review the accuracy
of each line item within your CDM in
accordance with federal, state, and third-party
regulatory requirements. The basic assessment
should include, at a minimum, an evaluation
of appropriate CPT/HCPCS codes, UB-04
revenue codes, accurate and consistent
descriptions, appropriate and consistent
pricing of line items, as well as verification
that services are accurately identified during
the charge capture process.
The project scope should include all line items
within the CDM, because several procedures
and services will occur across many departments.
In most cases, these procedures and services
are performed in a like manner and should
be represented from a description, coding, and
pricing perspective as the same. Not only is this
a potential compliance risk if one department
is charging a different price than another or
charging the same for services that should be
efficient by setting, but pricing transparency and
defensible pricing issues are also at risk.
More than ever, hospitals need to be cognizant
of how their charges are established,
whether they reflect prices above the highest
fee schedule price, are greater than calculated
costs, and are mindful of CPT/HCPCS
coding hierarchy relationships. One example
of the coding relationship includes the three
CPT codes within radiology for magnetic
resonance imaging of the brain, (i.e., CPT
codes 70551, without contrast; CPT code
70052, with contrast; and CPT code 70553,
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
without followed by contrast). In this case,
the price for the procedure without contrast
should be lower than the procedure with
contrast, which in turn should be lower than
the procedure that includes both a study
without contrast followed by the procedure
with contrast. Too often a CDM becomes
incongruent as a result of yearly percentage
price increases without a concern for these
relational hierarchy issues.
The CDM assessment should also include
detailed face-to-face meetings with each
department and should include an analysis
of existing processes surrounding charge
capture, CDM maintenance, and updates.
Discussions with the department directors
should identify potential breakdowns within
the middle section of the revenue cycle
(where the CDM resides) and work towards
developing recommendations to resolve
any identified issues. The approach for the
departmental meetings should include discussions
toward:
n Compliance, medical necessity, charge
capture, current correct coding initiatives,
and national and local coding decisions;
n Procedures and services that are provided
and not currently captured;
n Procedural methodology confirmation;
n Controls, reconciliation, and/or policies
and procedures related to charge capture,
CDM, and pricing;
n Charge tickets or electronic order entry
screens to the CDM for appropriate line
item additions, deactivations, or variances;
n Line-by-line review to determine accuracy
of the charge description, CPT/HCPCS
code(s), UB-04 revenue code(s) and the
price;
n Procedures that may or may not be appropriate
for bundling or unbundling;
n Inclusion of separate line-item billing
for Medicare-reimbursable supplies and
Continued on page 54
53
March 2009

Charge Description Master compliance assessments
...continued from page 53
pharmaceuticals and other Ambulatory Payment Classification
(APC) pass-through items, and identifying chargeable verses nonchargeable
line items;
n Appropriate use of modifiers (especially related to the rehabilitation
services, physical, occupational, speech, audiology); and
n The use of unlisted CPT codes as potential “black holes” for
lost charges, as well as other pertinent coding issues as needed.
As more hospitals create positions for CDM coordinators, we are
seeing the need for a specific skill set; one which includes knowledge
of the clinical terminology and an understanding of the various
procedures performed in a given specialty area, coupled with
a solid understanding of coding and billing functions. Therefore,
the CDM coordinator has evolved into a liaison between the front,
middle, and back ends of the revenue cycle. This person, supported
by the appropriately sized departmental staff (depending on the
size of the facility), needs to maintain a proactive approach to the
compliance and maintenance of the CDM. Staying current regarding
specific regulatory changes and relating them to the applicable
department must be a critical component of this individual’s job
description.
It is recommended that a CDM task force team be developed in
order to continually communicate, monitor, maintain, and meet
with each department at various intervals throughout the year. The
task force should be comprised of the CDM coordinator, Compliance
coordinator, director of HIM, director of Patient Financial
Services (PFS), representative from Information Technology
(IT), and the department director(s) relevant for a given meeting.
Maintaining an accurate and compliant CDM is a complex task
that requires the full time attention of a CDM coordinator and the
CDM task force.
Compliance Today Editorial Board
The following individuals make up the Compliance Today Editorial Advisory Board:
Gabriel Imperato, JD, CHC
CT Contributing Editor
Managing Partner
Broad and Cassel
Christine Bachrach, CHC
Senior Vice President –
Compliance Officer
HealthSouth
Bonnie-Lou Bennig
Director of Corporate Compliance
& Quality Improvement
Vanguard Healthcare Services, LLC
Cynthia Boyd, MD, MBA
Associate Vice President
Chief Compliance Officer
Rush University Medical Center
Becky Cornett, PhD, CHC
Director, Fiscal Integrity
Finance Administration
The Ohio State University
Medical Center
Gary W. Herschman
Chair, Health and Hospital Law
Practice Group
Sills Cummis & Gross P.C.
Deborah Randall, JD
Partner
Arent Fox LLP
Kirk Ruddell, CHC, MBA
Compliance Officer
Island Hospital
James G. Sheehan, JD
New York State
Medicaid Inspector General
Lisa Silveria, RN BSN
Home Care Compliance
Catholic Healthcare West
Jeffrey Sinaiko
President
Sinaiko Healthcare Consulting, Inc.
José A. Tabuena,
JD, CFE, CHC
VP Integrity and Compliance/
Corporate Secretary
MedicalEdge Healthcare Group, Inc.
The efforts described above should be coupled with intermittent,
more detailed compliance audits, including sample charge capture,
coding and documentation assessments, audits of claims data relative
to charge entry, and effective staff education on accurate CDM
usage to mitigate significant compliance risks for your facility. The
heightened scrutiny by governmental agencies has made it more
important than ever to tighten your controls over these areas. So,
when and if CMS or another governmental fraud agency sends
a letter, your facility will be in a position to react quickly and
your response won’t be one which is defensive, but rather one of
confidence, knowing that these issues have already been monitored
and explored for potential exposure. n
David Hoffman, JD
President
David Hoffman & Associates
Eric Klavetter, JD, MS, MA
Privacy and Compliance Officer
Mayo Clinic
F. Lisa Murtha, JD, CHC
Managing Director
Huron Consulting Group
Debbie Troklus, CHC, CCEP
Assistant Vice President for
Health Affairs/Compliance
University of Louisville
School of Medicine
Cheryl Wagonhurst, JD, CCEP
Partner
Foley & Lardner LLP
March 2009
54
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

Increased government
oversight of
managed care plans—
Are you ready?
Editor’s note: Steven E. Skwara is a partner in
the Washington, DC offices of Epstein Becker
& Green, P.C. He may be reached by telephone
at 202/861-4192 or by e-mail at SSkwara@
ebglaw.com.
Medicare Advantage, Medicare Part D, and
Medicaid managed care plans should assess
whether they are prepared for sure-to-beincreased
governmental oversight of their
monitoring, investigating, and reporting of
providers and other “downstream” entities
for fraud and abuse. To that end, the first
part of this article discusses specific governmental
compliance requirements for fraud
and abuse programs, particularly as they
pertain to third-party monitoring, auditing,
and investigation. The second part of this
article discusses the implications of those
fraud and abuse compliance requirements
for government-contracted health plans, the
reasonableness of those requirements (or lack
thereof), and common indicia of an effective,
and presumably compliant, fraud and abuse
program.
Increased fraud and abuse compliance
requirements
Both federal and state government agencies
expect contracted Medicare and Medicaid
health plans to act as sentinels against
provider and “downstream” fraud and abuse.
Although prosecutors will continue to rely on
“whistleblowers” for federal, and increasingly,
state-level, fraud or False Claims Act cases,
recent comments show that prosecutors are
affirmatively expecting increased referrals for
By Steven E. Skwara
health care fraud prosecution from program
safeguard contractors. 1 Safeguard contractors,
in turn, rely on the reporting of fraud and
abuse by the front-line health plans.
The seemingly inexorable result of this
governmental sentinel effort, as evidenced by
increasingly specific regulatory and contractual
requirements regarding fraud and abuse,
is that government-contracted health plans
will have to demonstrate the efficacy of an
outward-looking fraud and abuse program
as part of an overall compliance portfolio.
As to Medicare, the Centers for Medicare
and Medicaid Services (CMS) has set forth
specific fraud and abuse requirements for
Medicare D plans and has stated its intention
to issue fraud and abuse requirements for
Medicare Advantage plans early in 2009.
In light of recommendations made by the
General Accounting Office in a recent report,
increased CMS auditing of the fraud and
abuse programs of Medicare Part D plans
appears imminent and has been identified
as an area of focus in the HHS-OIG FY
2009 Work Plan. As to Medicaid, against a
backdrop where the federal government has
recently renewed emphasis on Medicaid fraud
and abuse, state Medicaid agencies increasingly
require Medicaid HMOs systematically
to address fraud and abuse in their provider
networks.
Medicare Part D requirements for plan
sponsors
Congress and CMS have required Medicare
Part D plan sponsors to guard against fraud
and abuse by pharmacy benefits managers
(PBM), pharmacies, prescribing physicians,
pharmaceutical manufacturers, and others, as
part of a comprehensive compliance program.
Under the Medicare Modernization Act of
2003, 2 the federal government mandated that
Part D plan sponsors establish a program to
control fraud and abuse.
CMS has issued guidance to “assist Sponsors
in implementing a comprehensive
program to prevent and detect fraud and
abuse in the prescription drug program”
in Chapter 9 of CMS’ Prescription Drug
Benefit Manual (Manual). Although many
of the Manual’s recommendations purport
to be aspirational (e.g., “this chapter provides
recommendations,” 3 ), in reality, many Part D
plan sponsors view the “recommendations”
as mandatory, because those sponsors may
soon be subject to CMS reviews focused in
part on the efficacy of the sponsor’s fraud and
abuse program. Indeed, the HHS-OIG FY
2009 Work Plan specifically identifies this as
an area of focus for fiscal 2009, stating that
“[w]e will determine the extent to which plan
sponsors conduct inquiries, initiate corrective
actions and make referrals regarding potential
fraud and abuse.” 4 (CMS has also announced
that it plans to update its Part D fraud and
abuse guidance in early 2009, but that update
was not available at the time of this publication’s
deadline.)
The CMS Manual requires Part D plan
sponsors to implement plans to monitor and
investigate their transactional partners – “first
tier,” “downstream,” and “related” entities
involved in the administration or delivery
of the drug benefit. 5 These entities include a
plan sponsor’s PBM, pharmacies, prescribing
physicians, drug wholesalers, and pharmaceutical
manufacturers. The Manual does not,
however, explain how a health plan sponsor
Continued on page 56
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
55
March 2009

Increased government oversight of managed care plans ...continued from page 55
might, for example, go about reviewing or
investigating transactions between pharmaceutical
manufacturers and physicians for
purposes of identifying “inappropriate transactions”
or “illegal remuneration schemes.”
Examples provided by CMS of the fraud or
misconduct for each type of entity for which
the plan sponsor must be vigilant include:
1. PBMs – inappropriate formulary decisions;
prescription drug switching; unlawful
remuneration; inappropriate formulary
decisions. 6
2. Pharmacies – inappropriate billing
practices; prescription drug shorting;
prescription refill errors. 7
3. Prescribers – illegal remuneration
schemes; prescription drug switching;
provision of false information. 8
4. Wholesalers – counterfeit and adulterated
drugs through black and gray market
purchases. 9
5. Pharmaceutical manufacturers –
kickbacks, inducements, other illegal
remuneration; formulary and formulary
support activities; inappropriate relationships
with physicians. 10
Additionally, plan sponsors must “identify
overpayments and underpayments at any level
within the sponsor’s network.” 11
Upon learning of possible fraud or abuse
within its network of first tier, downstream,
and related entities, a plan sponsor must
conduct a “reasonable inquiry,” and, upon
determining that potential fraud or misconduct
related to the Part D program occurred,
must promptly report the conduct to a
Medicare Integrity Contractor (MEDIC).
The scope of the potential “fraud or misconduct”
is not limited to particular jurisdictions
or even just criminal laws. CMS instructs
plan sponsors to “refer potential violations
of applicable federal and state criminal, civil
and administrative laws, rules and regulations
to the MEDIC and/or law enforcement for
further investigation.” 12
In sum, for Part D plan sponsors, CMS has
prescribed a system under which Part D
plan sponsors must implement monitoring
and auditing processes focused on the entire
pharmaceutical delivery system, from manufacture
to dispensing. (The reasonableness
and wisdom of this “soup to nuts” approach is
discussed in Part II of this article.)
CMS oversight in this area has, however,
been minimal to date. In August 2008, the
Government Accountability Office (GAO)
issued a report showing that a selected sample
of Part D sponsors had not fully implemented
all of CMS’ required fraud and abuse compliance
plan elements, including the monitoring
and auditing requirements, and recommended
that “CMS conduct timely audits of
Part D sponsor’s fraud and abuse programs.” 13
The GAO noted that CMS had not audited
Part D sponsors’ fraud and abuse programs
in 2007 and did not plan to do so in 2008. 14
In an October 2008 audit report, HHS‐OIG
found that although CMS conducted 19
audits of plan sponsors in 2007, only one of
these audits included a review of the sponsors’
compliance plan.
Also, HHS‐OIG reported that although
CMS stated that its MEDIC would begin
auditing sponsors’ compliance plans in
summer 2008, as of early August 2008, the
MEDICs had not yet done so. HHS‐OIG
recommended that CMS “conduct routine
audits of PDP sponsors’ compliance plans
to ensure that these compliance plans meet
all federal requirements. Specifically, these
audits should cover all compliance plan
requirements contained in regulations as well
as requirements included in Chapter 9 of the
‘Prescription Drug Benefit Manual.’” 15
In its defense, CMS has cited the lack of
funding from Congress as a reason for its
limited fraud and abuse program oversight. 16
CMS funding issues notwithstanding, as
evidenced by the specific reference to reviews
of plan sponsors’ fraud and abuse programs
in the HHS-OIG 2009 Work Plan, plan
sponsors should anticipate that CMS and its
MEDICs will begin a more vigorous program
of auditing the fraud and abuse programs of
Part D sponsors.
Medicare Advantage Plans
As of the publication deadline for this
article, CMS intended to issue fraud and
abuse guidance for Medicare Advantage plan
sponsors for implementation in early 2009. 17
In the meantime, CMS advises Medicare
Advantage plans to rely on the fraud and
abuse guidance from the Part D Prescription
Drug Benefit Manual. 18 Because Medicare
Advantage plans cover many medical services
other than prescription drugs, the Manual’s
specific guidance concerning fraud and abuse
by PBM’s and pharmacies is less relevant than
its general fraud and abuse guidance.
An application of the Manual’s general
approach by Medicare Advantage plan
sponsors would seem to require that those
plans monitor and investigate providers in
the plan’s network for potential fraud and
abuse. The physicians, hospitals, laboratories,
durable medical equipment (DME) providers,
etc. in the Medicare Advantage plan’s
network presumably comprise the “first
tier,” “downstream,” and “related” entities
involved in the administration or delivery of
Medicare Advantage plans’ members’ health
care services and products. Specific areas for
fraud and abuse monitoring and investigation
will likely include things like billing for
services not rendered, upcoding, unbundling,
and other traditional types of provider fraud.
Also, as required in the Part D Manual,
March 2009
56
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

Medicare Advantage plan sponsors may be responsible
(however implausibly) for monitoring illegal remuneration
schemes involving providers and “downstream” entities (e.g.,
potentially unlawful payments from a supplier to a physician).
Medicare Advantage plan sponsors will also likely
have specific reporting requirements for referrals to program
safeguard contractors.
In short, Medicare Advantage plans will be given specific
guidelines for monitoring, investigating, and reporting
external fraud and abuse, but the Part D Manual does provide
clues about CMS’ fraud and abuse compliance expectations
that plan sponsors should consider acting upon now.
Medicaid HMOs
As is the case with the Medicare-related plans, Medicaid
HMOs (health maintenance organizations) too, face increasing
compliance demands with respect to provider fraud and
abuse activity. This movement began taking shape as part of
CMS’ (then called the Health Care Financing Organization
or HCFA) “National Medicaid Fraud and Abuse Initiative.”
In HCFA’s “Guidelines for Addressing Fraud and Abuse in
Medicaid Managed Care,” published in October 2000, HCFA
asserted that
“[w]hether established as a compliance program or a
state-approved fraud and abuse plan, managed care organizations
should undertake such efforts as . . . developing
procedures to monitor service patterns of providers,
subcontractors, and beneficiaries.” 19
More succinctly, “[t]he MCO should be monitoring provider
fraud . . . .” 20 And, according to HCFA, “[a]n MCO might
identify provider fraud and abuse by reviewing for a lack of
referrals, improper coding (upcoding and unbundling), billing
for services never rendered or inflating the bills for services
and/or goods provided.” 21
Never Face a
Compliance or Ethics
Challenge Alone
Now you can meet and collaborate with
ethics and compliance professionals year
round and around the clock. The Compliance
& Ethics Social Network puts you directly in
touch with your peers.
Get your questions answered. Learn from
what others are doing. Share your experience,
policies, and other documents. To get
started:
• Go to community.hcca-info.org.
• Log in using your e-mail address and
HCCA password.
• Click “Social Network” (in the top black bar).
• Click the name of a community (or
communities) that interest you.
• Select your communications
option and save.
• Start communicating and
collaborating!
• Maybe set up
your own
community…
It’s fast, easy, and can help
improve both your work and
the profession as a whole.
Sign on today.
Moreover, the federal government has recently placed
increased emphasis on Medicaid fraud and abuse as exemplified
by the antifraud provisions of the Federal Deficit
Reduction Act (DRA). 22 Though it has begun implementing
the Medicaid Integrity Program pursuant to the DRA’s directive,
CMS has not focused much on managed care, apparently
Continued on page 58
HCCA’S Compliance &
Ethics Professional
Social Network
57
March 2009

Increased government oversight of managed care plans ...continued from page 57
content to leave that oversight function to the
states for now.
Consistent with these federal exhortations,
the state-level agencies that directly oversee
Medicaid managed care plans typically
require those plans to monitor and investigate
their provider networks for fraud and
abuse. For example, a state Medicaid agency
may require, by contract, the following fraud
and abuse-related obligations:
n Develop a comprehensive internal fraud
and abuse program;
n Upon a complaint of fraud or abuse
or upon identifying any questionable
practices, conduct a preliminary review
to determine whether in the contractor’s
judgment, there is sufficient reason to
believe that the provider or enrollee has
engaged in fraud or abuse, and where sufficient
reason exists, report the matter in
writing;
n Make diligent efforts to recover improper
payments or funds misspent due
to fraudulent or abusive actions by the
organization or its subcontractors;
n Require providers to implement corrective
actions or terminate provider agreements,
as appropriate;
n Submit reports on its fraud and abuse
activities; and
n Certify in writing on an annual basis
that to the best of its (or its designated
signatory’s) knowledge, the contractor is
in compliance with its contract and is not
aware of any instances of fraud and abuse
in the program covered by the contract,
other than those previously reported in
writing.
Medicaid managed care fraud and abuse
requirements may vary by state, but they
will tend to share common elements, and, if
anything, they will become more demanding
in light of the government’s recent emphasis
on curtailing Medicaid fraud and abuse.
Practical implications for governmentcontracted
plans
The practical challenge for many governmentcontracted
health plans is implementing a
competent fraud and abuse infrastructure,
particularly for smaller plans that may not
historically have investigated external fraud
and abuse with vigor.
The not-so-insignificant question of reasonableness
remains open as well. As it stands,
for example, CMS’ Part D fraud and abuse
requirements for plan sponsors are impractical,
if not impossible, to meet in certain
respects and hopefully, with experience, CMS
will recognize this fact.
Finally, there are certain elements of an
outward-looking fraud and abuse compliance
program that, if implemented, should not
only meet a government-contracted plan’s
compliance obligations, but that also may
make sense as a business proposition.
The balance of this article addresses each of
these practical implications in turn.
Implementing an outward-focused
program
The ease with which a government-contracted
health plan can implement a reasonable,
compliant fraud and abuse program will vary,
obviously, by the size and type of plan.
For larger insurers that manage governmentcontract
plans alongside other lines of health
insurance, compliance with the burgeoning
externally-focused fraud and abuse requirements
have been, and will be, relatively
painless. Most such insurers have established
special investigations units (SIU’s), antifraud
functions in audit or legal areas, or
investigative outsourcing relationships for
all of their lines of insurance, and it is not
difficult to fold the government-contract
business into the plan’s pre-existing antifraud
activities. There will be additional, minimallyburdensome
reporting obligations, but the
antifraud infrastructure will be in place and
the incremental cost of government-required
fraud and abuse activities will be small.
Even though insurers or plans may already
have an investigative structure in place,
however, there is still a need to develop a
government program-specific monitoring and
audit plan. For instance, in its recent report
on fraud and abuse programs at Part D plans,
the GAO noted that only one of five plan
sponsors that the GAO reviewed conducted
data analysis of Part D claims separate and
apart from its “regular” analyses. 23 The implication
from this finding is that, at least in the
GAO’s view, a plan sponsor’s fraud and abuse
program should include a Part D-specific
work plan.
Smaller or newer government-contracted
plans may face a relatively greater challenge
in demonstrating a compliant “downstream”
fraud and abuse program, because they may
not have a dedicated SIU or other antifraud
infrastructure in place. To be sure, CMS
expressly states that its Part D guidance
does not require a health plan to develop
an SIU. CMS does require a fraud and
abuse program however. 24 In addition to the
obvious solution — creating and staffing an
SIU — a niche health care fraud investigations
outsourcing industry is growing and
may be a more financially-viable solution for
small to mid-sized health plans. In any case,
a program should be established in some
demonstrable fashion.
Reasonableness of fraud and abuse
programs
Reasonableness should be a core attribute of
March 2009
58
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

any governmental guidelines for fraud and
abuse programs, but, as shown, there may
be a perception gap regarding reasonableness
that will hopefully be bridged as both
government agencies and plan sponsors
become more experienced in this area. For
example, taken literally, certain aspects of
CMS’ Part D fraud and abuse guidance are
virtually impossible to administer. CMS does
not (and cannot as a practical matter) specify
how and to what extent, for instance, plan
sponsors should “monitor” and “investigate”
downstream entities, such as drug wholesalers
or PBMs. Typically, a plan sponsor will not
have practical or legal access to the books,
records, or data of such downstream entities
nor will it have the expertise to review such
records and data even if it were to have access.
A plan sponsor will typically have little ability
to determine whether a downstream entity
is properly calculating true out-of-pocket
costs for drugs or whether a pharmaceutical
manufacturer’s relationship with a physician
may violate federal law.
Likewise, CMS does not explain how a plan
sponsor might, for example, go about reviewing
or investigating transactions between
pharmaceutical manufacturers and physicians
for purposes of identifying “inappropriate
transactions” or “illegal remuneration
schemes.” Plan sponsors typically do not have
access to information that would allow them
to even begin to identify such transactions or
schemes. Thus, it does not seem reasonable
for CMS to expect significant “monitoring”
or “investigating” of any entities other than
the “first tier” entities with which the plan has
direct day-to-day interaction (e.g., network
pharmacies and physicians). CMS’ expectations
and guidance will likely moderate over
time.
Indeed, HHS-OIG’s audit work tends to
prove that plan sponsors are generally unable
to investigate once-or-more-removed entities
with any vigor. In another October 2008
audit, HHS-OIG reviewed the fraud and
abuse reporting data from 86 plan sponsors
to determine what types of fraud and abuse
the plans were identifying and what they were
doing in response. 25 Although the general
results of this audit are not terribly interesting
— some plans identify and report more
fraud and abuse incidents than others — the
results of the type-of-fraud survey show that
most identified incidents result from “direct”
interaction with the plan sponsor (e.g.,
improper billing being the most prevalent
type of fraud and abuse identified). In
contrast, and unsurprisingly, the plan sponsors
identified very few “downstream” types
of fraud and abuse by entities not in direct
contractual privity with the plan sponsors
such as illegal renumeration, bribes, inappropriate
formulary decisions, manipulation
of “true out-of-pocket costs,” or inappropriate
manufacturer sales techniques.
The most reasonable approach for all fraud
and abuse compliance would seem to be that
exemplified in the Medicaid HMO contractual
language set forth above. It is reasonable
to ask government-contracted plans to monitor,
investigate, and resolve fraud and abuse
issues with their direct networks of providers,
members, or others (e.g., PBM’s) for which
the plan has reasonable access to claims data,
medical records, and similar information. It
is also reasonable to expect that plans analyze
and monitor their claims data for aberrations
or patterns indicative of fraud and abuse.
Indeed, at least based on anecdotal information,
Part D plans seem to be structuring
their fraud and abuse compliance plans
assuming that they are responsible for reasonable
outward-looking fraud and abuse efforts
focused on entities with which the plan has a
direct relationship.
Elements of a reasonable program
CMS and Medicaid programs will continue
to require specific, unique fraud and abuse
program components, but a reasonable
outward- or downstream-looking fraud and
abuse investigation program generally will
include the following, scalable elements:
n Monitoring. A “fraud hotline” for members
and providers to report fraud or abuse
by providers and other downstream entities
will be of obvious utility. Depending
on the size of the plan, a dedicated
Medicare or Medicaid fraud hotline might
be warranted. The hit and miss nature of
relying on ad hoc “tips” or “leads” from a
fraud hotline will not be entirely sufficient
for compliance purposes, however. A plan
will want to demonstrate a regularized,
data-driven monitoring process by which
it looks for aberrational billing patterns
based on recognized pattern-detection
methods, for example, peer-group analysis
(e.g., identifying those physicians who
perform the most services per patient and
conducting further investigation). A plan’s
data analysis should also include a specific
focus on claims or risk areas associated
with government-contracted claims or
members.
n Investigating. Depending on the size of
the plan, a qualified, dedicated investigative
staff may be required. The days of
assigning a provider relations employee
to “follow up” on allegations of provider
fraud are over. The investigative function
should be performed by trained personnel;
the specialized skills necessary for
the function are now widely recognized
and accreditation is becoming the norm.
Again, this is a function that could be outsourced
for smaller plans. For example,
using criteria of years of experience,
continuing education, and an examination,
the National Health Care Anti-Fraud
Continued on page 60
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
59
March 2009

Increased government oversight of managed care plans ...continued from page 59
Association (NHCAA) has certified over
200 individuals in the private and government
sectors as Accredited Healthcare
Fraud Investigators since 2002. NHCAA
is a coalition of private payers and law
enforcement agencies created to address
health insurance fraud, Annual surveys
of NHCAA member plans show that the
typical respondent’s recovery-to-cost ratio
is usually in the 2:1 range.
n Reporting. Policies and procedures on
how, when, and whom to report potential
fraud and abuse in compliance with
governmental expectations are essential.
Establishing and documenting guidelines
for reporting potential fraud by a government-contracted
health plan are important
parts of a compliant fraud and abuse plan.
Not only should objective guidelines be
put in place, the reporting function should
be insulated from the influences of other
business units whose interests may not
be entirely congruent with respect to a
provider, for example, engaged in abusive
billing behavior but who otherwise is held
in favor by the plan for whatever reason.
n Risk prioritization. A governmentcontracted
health plan should prioritize its
monitoring and auditing activities based
on risk assessments. This risk assessment
and the resultant prioritization of auditing
should be documented and should include
specific reference to risk factors associated
with the government plan at issue.
These are the general elements of an effective
outward-looking fraud and abuse function
for any government-contracted health plan.
CMS and state Medicaid-related agencies will
undoubtedly come up with more exacting
specifications, but Medicare and Medicaid
health plans can anticipate that the above will
comprise the core of their fraud and abuserelated
compliance obligations.
The independent business case
There is also a business case to be made for
provider-focused fraud and abuse programs
by health plans. In the experience of private
health insurance plans that have dedicated
provider-focused antifraud programs,
the average private payer recovers claims
payments at an approximately 2:1 ratio to
expenses. 26 Imputed savings (e.g., claims denials,
effect of terminating a network provider
for fraud) and deterrent effects further
enhance the benefit side of the ratio.
Another, albeit intangible, compliance-related
benefit can result from a health plan’s establishing
a vigorous externally-focused antifraud
function. SIUs in health plans with strong
antifraud programs tend to develop good
working relationships with state and federal
law enforcement types. Often, providers who
defraud government programs simultaneously
defraud private insurance plans and in
a number of instances, law enforcement has
included private insurance claims as part of a
Medicare or Medicaid case. Those same law
enforcement types in a given locality may be
the ones asked to look at a health plan’s activities,
when allegations of impropriety arise.
A health plan’s historically strong working
relationship with law enforcement can be a
useful thing when it is the plan’s conduct that
is under scrutiny.
Conclusion
In light of the converging requirements for
fraud and abuse programs for governmentcontracted
plans (whether Medicare or Medicaid)
focused on providers and “downstream”
entities, a plan’s actual performance in
detecting and reporting fraud in its provider
networks and beyond will soon be on the
government’s compliance checklist. For
instance, CMS will undoubtedly react to the
GAO’s recent recommendation for increased
auditing in this area and the HHS-OIG Work
Plan expressly provides for reviews of plan
sponsors’ fraud and abuse-related compliance.
This is an evolving area of compliance and the
related audit experience is minimal. Government
contracted Medicare and Medicaid
plans, particularly smaller to mid-sized plans
that have not historically conducted robust
antifraud operations, should consider whether
their fraud and abuse programs are sufficient
for purposes of monitoring, investigating, and
reporting fraud and abuse by its providers
and other downstream entities. Although the
CMS and typical state Medicaid fraud and
abuse requirements are a mix of the useful,
the obvious, and the sometimes unreasonable,
they are coherent enough such that
government-contracted health plans should
address these fraud and abuse issues in their
overall compliance efforts in anticipation of
increased audit and oversight activity in these
areas and for sound business reasons. n
1. See “Prosecutors Look Beyond False Claims Act to Fight Health Care
Fraud,” Health Care Daily Report, vol. 13, No. 66 (BNA April 7,
3008).
2. Pub. L. No. 108-173, 117 Stat. 2066 (2003).
3. Manual § 20
4. HHS-OIG FY 2009 Work Plan, at 36 (October 1, 2008). The Work
Plan can be found at www.oig.hhs.gov/publications/docs/workplan/2009/WorkPlanFY2009.pdf
5. Manual § 50.2.1.
6. Manual § 70.1.2.
7. Id. § 70.1.3.
8. Id. § 70.1.4.
9. Id. § 70.1.5.
10. Id. § 70.1.6.
11. Id. § 50.2.1.2.
12. Id. § 50.2.1.2.
13. GAO, “Medicare Part D: Some Plan Sponsors Have Not Completely
Implemented Fraud and Abuse Programs, and CMS Oversight Has
Been Limited,” (GAO-08-760) (August 2008).
14. Id. at 6-7.
15. HHS-OIG, “Oversight of Prescription Drug Plan Sponsors Compliance
Plans,” Report OEI-03-08-00230, available at www.oig.hhs.gov/w-new.
asp (10-31-08 reports) (accessed November 4, 2008).
16. Id., Appendix II (Letter from CMS to GAO) (“[T]here have not been
sufficient additional resources to allow the MEDICs to engage in the
types of audit oversight activities originally envisioned at the onset of the
program.”).
17. Fed. Register Vol. 72, No. 233 at 68706.
18. Id.
19. Guidelines, at 39-40.
20. Id. at 40.
21. Id.
22. See 42 U.S.C. § 1396d.
23. GAO Medicare Part D: CMS Oversight Report (GAO-08-760), at 22.
24. Manual § 20 (Overview). Id.
25. HHS-OIG, “Medicare Drug Plan Sponsors’ Identification of Potential
Fraud and Abuse,” Report OEI-03-07-0380, available at www.oig.hhs.
gov/w-new.asp (10-31-08 reports) (accessed November 4, 2008).
26. NHCAA Annual Survey, available to members.
March 2009
60
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

New HCCA Members
The Health Care Compliance Association
welcomes the following new members and
organizations. Please update any contact
information using the Member Center on the
Web site, or e-mail Karrie Hakenson
(karrie.hakenson@hcca-info.org) with
changes or corrections.
Hawaii
n James F. Kahler, MBA PT COSC, Hale
Makua
n Patricia Lee, Kaiser Permanente
n Ernest J.T. Loo, Goodsill Anderson Quinn
& Stifel LLP
Idaho
n Steven Bradley Pitts, Attorney, Law Office
of Steven Pitts, P.A.
Ilinois
n Judith Blacklidge, Loyola Univ Health Sys
n Vivian Downing, BroMenn Healthcare
n Phyllis Gedzun, Midwest Physicians
Alliance
n Ellen S. Green, RHIA CCS-P, Rush
University Med Ctr
n Karen A. Hawthorne, Children’s
Memorial Hospital
n Agnes Hernandez, RHIT, Rush University
Med Ctr
n Sarah D. Hocking, JD, Carle Foundation
Hospitol
n Kelly Barar Keeler, MPPA, Alexian
Brothers Health System
n Erin M. Kinahan, Lake Forest Hospital
n Susan Kramer, Heart Care Centers of IL
n Brad Masterson, RHIA, Southern Illinois
Healthcare
n Chris F. Palazzolo, CVS-Caremark
n Joyce Shannon, MetroSouth Medical Center
n Jeffrey N. Teske, JD, Advocate Health
Care
n Cozette Trela, Heart Care Centers of IL
n Margaret Zonca, MS, MBA, JD,
Northwestern University
Indiana
n Ms. Mary Pat McCallister, CPC MCS-P
PCS, University Radiological Assoc
n Lisa P. McDonough, CPC CCP, Humana
n Kimberly Patton, DePuy Orthopaedics Inc
n Ms. Faith L. Pottschmidt, IN Univ
Iowa
n Kathy Bamman, Genesis Health System
n Suzie A. Berregaard, JD, NHA, SPHR,
Hospice of Central IA
Kansas
n Shannan Flach, Wamego City Hospital
n Terri Gehring, Memorial Hospital, Inc.
n Denise L. Klimek, MT ASCP, Mercy
Regional Health Center
n Dan Roehler, Argus Health Systems
Kentucky
n Donna T. Astudillo, MBA CPC CCP
MHP, Humana
n Jamie A. Burnett, RN, Univ Physician
Associates
n Terri L. Clark, BA MHP, Humana
n Carey Coleson, Humana Inc.
n Shelly Denham, BSN, Univ Physicians Massachusetts
Associates
n Beth R. Belt, Deloitte & Touche
n Derek Dennison, CPA, MBA, Twin Lakes n Kate Bolland, Health Dialog
Regional Med Ctr
n Rosa Chiacchierarelli, CHC, Healthdrive
n Tracy Farley, Jewish Hospital & St. Mary’s Medical & Dental Practices
HealthCare
n Helen G. DeRosa, Fresenius Medical Care
n Rhonda Hoffman, Jewish Hospital & St. NA
Mary’s HealthCare
n Deborah Drexler, UMass
n Sharon E. Jones, NHC, Norton
n Sheila Murphy Fireman, Harvard Pilgrim
Healthcare
HealthCare
n Anthony Leachman, Jewish Hospital n Judith Flynn, Partners Home Care
n Jeffrey T. Lewandowski, MBA MHP, n Eileen Gibbons
Humana Inc
n Linda S. Hanna-Casey, Caritas Christi
n Ed Miller, Jewish Hospital & St. Mary’s Healthcare System
HealthCare
n Luke Igweobi, Dana-Farber Cancer
n Elizabeth L. Muse, RN, BSN, CPC,
Institute
Norton Healthcare
n David McLoon, Franciscan Hospital for
n Stephanie L. Redfern, U of L Hospital Children
n Ann Shircliff, CPC CCP PCS, Humana
Continued on page 62
Health Care Compliance Association • 888-580-8373 • www.hcca-info.org
n Furqan Siddiqui, MD, Univ of Louisville
Hospital
n Trinia Simmons-Hill, University of
Louisville
Louisana
n John J. Finn, Ph D, Self-Client
CommCare Corporation
n Byron Johnson, Navigant Consulting, Inc
n Phyllis Krebs, Lafayette General Med Ctr
n Larry Smith, United Medical Rehab Hosp
Maryland
n Shallie Bryant, MedStar Health
n Andrea B. Cherenzia, Care First BCBS
n Mary Flanery, CPC, Medstar
n Kristen Geissler, Navigant Consulting
n Margaret E. Henry, Practice Dynamics Inc
n Frederick R. Herman, Univ of MD
Medical Center
n Mark Loper, Coventry Hlth Care Inc
n Shari LoPresti, Harford Primary Care
n Sharon McNamara, BSN, JD RN,
Erickson Retirement Communities
n Michelle Russell, Catalyst Rx
61
March 2009

New Members ...continued from page 61
n Laurie A. Richard, BS CHC, Univ MA
Med School
n Michael P. Taylor, RN MS, Shaughnessy
Kaplan Rehab Hosp
Michigan
n Laurel Berends, CHC, Spectrum Health
United Hospital
n Kathleen Carolin, Karmanos Cancer
Center
n Colleen C. Cohan, Blue Care Network of MI
n Joyce DeNooyer, Bronson Methodist Hospital
n Frances E. DeVos, Henry Ford Health Sys
n Kim Dorotinsky, CPC, Spectrum Health
n Allie Galovich, Lakes Surgery Center
n Nancy J. Hay, Henry Ford Health System
n J Fabiana Johnson, BA, University of
Michigan
n Allison Reynolds, J.D., Residential Home
Health, LLC
Minnesota
n Gary A. Danisch, BCBS Northern Plains
Alliance
n Bethan Davies, Medica
n Camilla Emmans
n Joey Filipiak, Summit Orthopedics LTD
n Carrie A. Hogan, BCBS of MN
n Susan Humiston, Leonard Street and
Deinard
n Lisa M. Kampa, Gillette Children’s
Specialty Healthcare
n Marcia Miller, Health Law Institute,
Hamline University School of Law
n Sue Ricker, VA Medical Center
n Paul Rosol, CFSA, CISA, CFE, Jefferson
Wells
n Michael J. Rugani, JD, Fairview Health
Services
n Sherrie Schiebe, Zimmer Spine, Inc
n Mary Ward, Mille Lacs Health System
Mississippi
n Mary Curtis, Curtis Management Services
n Gregory Olivier, MHA, Hancock Medical
Center
Missouri
n Rose Dennis, RHIT, Saint Luke’s
Northland Hosp
n Ms. Christie M. Holm, MS, Tri-County
Mental Hlth Svc, Inc
n Ms. Linda A. Jesberg, RN, BSN, CPC,
Barnes-Jewish Hospital
Montana
n Haley B. Denzer, Great Falls Clinic
North Carolina
n Fran Anderson, Rutherford Hospital,Inc.
n Kimberly Ashburn, Novant Medical
Group
n Karen A. Cole, MBA CPC CCP, HMR Inc
n Kathryn Dever, Carolina’s Medical Center
n Vivian Ette
n Nancy Hall, Novant Medical Group
n Veronica Hodges, Novant Medical Group
n Adriane B. Jarvis, Novant Health
n Laura Leonard, Novant Medical Group
n Ronald May, MD, Craven Regional Med
Center
n Tiffany McCluney, Novant Medical
Group
n Deborah Pondexter, Novant Medical
Group
n Lorraine Schumacher, Novant Medical
Group
Your HCCA Staff
Sarah Anondson
Graphic Artist
sarah.anondson@hcca-info.org
Gary DeVaan
IT Manager/Graphic Artist
gary.devaan@hcca-info.org
Margaret Dragon
Director of Communications
margaret.dragon@hcca-info.org
Darin Dvorak
Director of Conferences
and Exhibits
darin.dvorak@hcca-info.org
Wilma Eisenman
HR Director/Office Manager/
Compliance Officer
wilma.eisenman@hcca-info.org
Nancy G. Gordon
Managing Editor
nancy.gordon@hcca-info.org
Melanie Gross
Conference Planner
melanie.gross@hcca-info.org
Karrie Hakenson
Receptionist
karrie.hakenson@hcca-info.org
Elizabeth Hergert
Certification Coordinator
elizabeth.hergert@hcca-info.org
Patti Hoskin
Member Relations
patti.hoskin@hcca-info.org
April Kiel
Member Relations
april.kiel@hcca-info.org
Meghan Kosowski
Receptionist
meghan.kosowski@hcca-info.org
Caroline Lee Bivona
Project Specialist
caroline.leebivona@hcca-info.org
Shawn Leonard
Webmaster/Privacy Officer
shawn.leonard@hcca-info.org
Amy Macias
Member Services
amy.macias@hcca-info.org
Patricia Mees
Communications Editor
patricia.mees@hcca-info.org
Jennifer Power
Conference Planner
jennifer.power@hcca-info.org
Marlene Robinson
Audio Conference Planner
marlene.robinson@hcca-info.org
Beckie Smith
Conference Planner
beckie.smith@hcca-info.org
Roy Snell
Chief Executive Officer
roy.snell@hcca-info.org
Charlie Thiem
Chief Financial Officer
charlie.thiem@hcca-info.org
Allison Willford
Accountant
allison.willford@hcca-info.org
Adam Turteltaub
VP Member Relations
adam.turteltaub@hcca-info.org
Julie Wolbers
Accountant
julie.wolbers@hcca-info.org
6500 Barrie Road, Suite 250
Minneapolis, MN 55435
Phone 888-580-8373
Fax 952-988-0146
www.hcca-info.org
info@hcca-info.org
March 2009
62

Case
Management
& Quality
Coding,
Charge
Capture &
Billing
BESLER
BRIDGE SERVICES
Connecting Everyone
To Support Medical
Necessity & Revenue
Enhancement
Physicians &
Clinical Staff
(Clinical
Documentation)
© 2009 Besler Consulting
The BESLER Bridge
Each admission is medically appropriate. Clinical documentation accurately reflects the patient’s
condition and each claim is billed accurately. How is this possible? It’s the unique BESLER Bridge.
And it could be your solution as well for bridging case management, clinical documentation
improvement and coding with physicians and clinical staff. No gaps. Just optimum results.
Can we build one for you?
BESLERCONSULTING.COM • 877.4BESLER

Corporate
Compliance
& Ethics Week
May 3–9, 2009
Acting With Integrity
Corporate Compliance & Ethics
Week has moved—it will be
celebrated the fi rst full week
in May going forward.
Co-sponsored by HCCA and
the Society of Corporate
Compliance and Ethics (SCCE),
the fi fth Corporate Compliance
& Ethics Week will be celebrated
May 3–9, 2009.
HCCA and SCCE have a number
of items available for purchase to
help spotlight compliance and
ethics in your organization. Place
your order by Friday, April 17, to
ensure delivery before this event.
Order at www.hcca-info.org or
www.corporatecompliance.org, or
call the Compliance Week Order
Fulfi llment Center at 877 646 9226.
Official poster for Corporate
Compliance & Ethics Week
20" x 28" glossy color poster
$6.25 ea. (min. order 10)
Six colorful glossy posters, 20" x 28",
each showcasing a different ethical
message. New this year, the Corporate
Compliance & Ethics Week logo is on
a perforated strip that can be easily
removed once the celebration week is
over (1 each per 6-pack) $40 per 6-pack
2.5" jelly-smacker stress ball
$4.75 ea. (min. order 5)
Extra-large 3.5" x 3.5"
magnetic star-shaped clip
$2.75 ea. (min. order 20)
Mini 2.5" flashlight with retractable
tether and snap-link ring
$3.50 ea. (min. order 20)
2" x 3.5" solar calculator
$3.50 ea. (min. order 20)
Magnifier bookmark
$1.95 ea. (min. order 20)
Stainless steel mug; insulated
with screw-on, spill-resistant lid
and 15 oz. capacity
$5.50 ea. (min. order 5)
Tri-stic widebody pen (black ink)
$1.99 ea. (min. order 20)
3.5" x 5.25" jotter pad with pen
and business-card sleeve
$4.50 ea. (min. order 5)
Order at www.hcca-info.org or www.corporatecompliance.org
Order before April 17 to ensure delivery by Compliance Week!