Quality of the estimate. December, p. 47 - Health Care Compliance ...

Volume Thirteen 

Number Twelve 

December 2011 

Published Monthly 

Meet 

Mary Dunaway, Hospital 

Revenue Cycle Compliance 

Director, University of 

Arizona Health Network 

page 14 

Feature Focus: 

Medicaid RACs: Tool of 

transparency or torment 

page 44 

Health Care Compliance Association • 888-580-8373 • www.hcca-info.org 

Earn CEU Credit 

www.hcca-info.org/quiz—see page 50 

How to respond 

to a regulatory 

investigation 

page 8 

This article, published in Compliance Today, appears here with permission from the Health Care Compliance Association. Call HCCA at 888/580-8373 with all reprint requests. 

1 

December 2011

HCCA Ad 

SAVE 

THE 

DATE 

Managed Care 

Compliance Conference 

February 12–14, 2012 | Scottsdale, AZ 

HCCA’s MAnAged CAre CoMpliAnCe ConferenCe provides essential 

information for individuals involved with the management of compliance at health 

plans. Plan to attend if you are a compliance professional from a health plan (all levels 

from officers to consultants), in-house and external counsel for a health plan, internal 

auditor from a health plan, regulatory compliance personnel, or managed care lawyer. 

Learn more at hcca-managedcare-conference.org 


2 

Health Care Compliance Association • 888-580-8373 • www.hcca-info.org

INSIDE 

5 The rising tide: Recognizing your criminal 

prosecution risks abroad 

By Winston Y. Chan and Justin S. Liu 

Companies with international third-party 

distributors and resellers, consultants, and 

foreign clinical trials face high levels of 

criminal enforcement scrutiny. 

8 CEU: Mail call: How to respond to a 

regulatory investigation By K Royal 

A step-by-step process for responding to a 

complaint notification letter. 

12 HCCAnet and Website News 

14 Meet Mary Dunaway, Hospital Revenue 

Cycle Compliance Director, University of 

Arizona Health Network 

An interview by Roy Snell 

18 Letter from the CEO By Roy Snell 

Change 

19 Social Networking By John Falcetano 

Zone Program Integrity Contractor (ZPIC) 

20 Exhale By Shawn DeGroot 

Exercise a good sense of humor 

23 People on the Move 

24 CEU: Losing sleep over health care 

marketing arrangements 

By Lawrence Conn 

Health care providers are faced with 

substantial limitations and risk potential 

criminal liability for common marketing 

efforts, unlike many other industries. 

29 Regulatory compliance for research in an 

academic medical center 

By Jeffrey N. Joyce 

Establishing an effective research 

infrastructure requires coordination 

among many departments to develop and 

implement regulatory policies and processes 

that work for everyone. 

38 CIAs: A look back to the future at OIG 

investigations By Jamie L. Kendall 

A look at the government agreements with 

several pharmaceutical companies may 

predict the focus of investigations regarding 

sales and marketing tactics. 

43 Newly Certified CHC ® ; CHPC ® ; CHRC ® 

44 Feature Focus: Medicaid RACs: Tool of 

transparency or torment 

By Rebecca Jones McKnight 

Providers should prepare for greater scrutiny 

and view claims and denial data for warning 

signs for greater enforcement. 

47 Confidence and precision in claims 

audits: Quality of the estimate 

By Cornelia M. Dorfschmid 

Understanding some common auditing 

terms will help you determine if an 

estimated overpayment amount is 

reasonable or should be contested. 

51 Accountability is the key to compliance 

effectiveness 

By Jane A. Obert 

An independent review of your compliance 

program by an outside consultant may 

lead to a culture of continuous quality 

improvement. 

56 CEU: Compliance 101: Pay now or pay 

later By Joyce Freville 

Time and effort spent on prevention practices 

can pay off better than money spent fixing a 

regulatory problem after that fact. 

60 How internal controls support compliant 

business practices: Part 1 

By Kelly Nueske 

The five components of internal controls 

and how they support “doing it right the 

first time.” 

68 Documenting fair market value for 

physician contracting By Penny Stroud 

Using the right tools and knowing what 

and when to document can help ensure 

your facility is paying comparable rates for 

comparable services. 

73 New HCCA Members 


3 


DON’T GO 

HALFWAY. 

GO 360. 

MANAGE CLAIMS AUDITS WITH TOTAL CONFIDENCE. Multiple audits, hundreds 

of claims, dozens of team members, zero free time. Miss one date and you forfeit hard-earned revenue. With so 

much complexity – and so much at stake – only Compliance 360 offers the confidence of a 24x7 Virtual Audit 

Coordinator that manages every step of every audit in one central system. No gaps, no guesses, no gotchas. 

Visit www.compliance360.com/ClaimsAuditor to learn how we’re helping thousands of providers protect their 

revenues – and their peace of mind. GET THE 360° VIEW. 


www.compliance360.com 

4 


The rising tide: 

Recognizing your 

criminal prosecution 

risks abroad 

By Winston Y. Chan and Justin S. Liu 

Editor’s note: Winston Y. Chan is 

Of Counsel in Gibson, Dunn & 

Crutcher’s San Francisco office. 

Winston may be contacted by e-mail 

at wchan@gibsondunn.com. 

Justin S. Liu is an Associate in 

Gibson, Dunn & Crutcher’s Los 

Angeles office. He may be contacted 

by e-mail at jliu@gibsondunn.com. 

In recent years, US law 

enforcement authorities have 

demonstrated an increasing 

willingness to scrutinize the 

health care industry for criminal 

conduct. A new academic study, 1 

released on August 17, 2011 

by Syracuse University, starkly 

quantifies this trend, finding that 

health care fraud prosecutions 

by the Department of Justice 

(DOJ) during the first eight 

months of 2011 numbered more 

than 900 cases, representing a 

brisk prosecutorial pace that is 

85% greater than last year, 157% 

greater than five years ago, and 

115% greater than 10 years ago. 

Immediately on the heels of the 

study—as if on dramatic cue— 

the Department announced on 

September 7, 2011, that it had 

charged 91 health care professionals 

across eight cities for their 

alleged participation in schemes 

that falsely billed more than $295 

million. 2 Just three weeks later, 

on September 26, 2011, Assistant 

Attorney General Lanny A. Breuer 

announced that “[t]he civil rights, 

criminal, and civil divisions of 

the Department of Justice are all 

working together to fight health 

care fraud.” 3 

As part of this escalation in 

government resources directed 

against health care fraud, the 

DOJ has not hesitated to examine 

the conduct of the health 

care industry globally, primarily 

through the lens of the Foreign 

Corrupt Practices Act (FCPA), 

which gives prosecutors the 

ability to focus on wholly foreign 

conduct in a way that the traditional 

health care fraud criminal 

statutes do not. Indeed, in April 

2011, Johnson & Johnson paid a 

$21.4 million fine in connection 

with a criminal FCPA settlement 

with the DOJ, based on acts purportedly 

occurring inside Greece, 

Poland, and Romania. 4 


Accordingly, pharmaceutical, 

biotechnology, and medical device 

and service companies that do 

business internationally must be 

equally vigilant in recognizing 

and mitigating the compliance 

risks that they face abroad, as they 

do within the United States. We 

set forth some of those primary 

risks herein: the use of third-party 

distributors and resellers, health 

care consultants, and—the newest 

subject of US law enforcement 

attention—foreign clinical trials. 

FCPA risks in the health care 

industry 

The Johnson & Johnson 

settlement related to charges that 

its subsidiaries in Greece, Poland, 

and Romania bribed publiclyemployed 

health care providers in 

those nations in order to induce 

them to use and purchase Johnson 

& Johnson medical devices and 

drugs. Similar allegations have 

abounded. In 2010, Merck 

revealed that it was subject to 

an FCPA investigation. In 2009 

and 2010, Eli Lilly disclosed 

that an FCPA probe that began 

in 2003 with an investigation of 

its Polish unit, was expanding. 

Other pharmaceutical companies, 

including AstraZeneca, 

Baxter, Bristol-Myers Squibb, 

GlaxoSmithKline, and Pfizer, 

reportedly have received letters 

of inquiry from the DOJ. In 

2007 and 2008, six medical 

device manufacturers (Biomet, 

Continued on page 6 

5 


The rising tide: Recognizing your criminal prosecution risks abroad ...continued from page 5 


6 

Medtronic, Smith & Nephew, 

Stryker, Wright Medical, and 

Zimmer Holdings) disclosed their 

own FCPA investigations. 

Nor is the DOJ’s interest in the 

health care industry as a target 

for FCPA investigations likely 

to wane, particularly because 

the largest foreign purchasers 

of pharmaceuticals and medical 

equipment generally are state-run 

hospitals and state-affiliated health 

care providers. Assistant Attorney 

General Breuer in a November 

2009 speech said, “[O]ne area of 

criminal enforcement that will be 

a focus for the Criminal Division 

in the months and years ahead… 

[is] the application of the Foreign 

Corruption Practices Act to the 

pharmaceutical industry.” He 

further noted that, in 2009, close 

to $100 billion dollars, or onethird 

of pharmaceutical revenues, 

stemmed from sales outside of the 

United States. 

Interactions with non-US 

doctors and hospitals 

The DOJ interprets the FCPA 

to encompass all employees of 

state-owned enterprises and 

government agencies, treating 

them as “government officials” 

for purposes of the FCPA. This 

includes staff members and 

doctors employed by public 

and quasi-public hospitals and 

clinics, and so the sales practices 

of health care companies need 

to be particularly sensitive 

to how gifts, hospitality, and 

travel expenditures are handled 

abroad. Rule-of-reason policies 

on these expenditures, with 

pre-approval procedures that 

involve the Compliance or 

Legal functions, should be put 

in place; and employees should 

receive anti-corruption training, 

including compliance with local 

law. As the Johnson & Johnson 

settlement illustrates, health care 

companies cannot afford to focus 

only on the risks of violating 

the traditional health care fraud 

statutes, which otherwise require 

a connection to state and federal 

health care insurance programs. 

Foreign distributors and resellers 

Health care companies should be 

particularly careful when relying 

on third-party distributors and 

resellers, which can be necessary 

in regions where the pharmaceutical, 

biotechnology, medical device, 

or medical service company may 

not have a sufficient indigenous 

sales capability—particularly in 

vast geographic markets, such as 

China and Russia. These third 

parties pose compliance risks, 

because of pass-through liability 

under the FCPA coupled with 

their often opaque business practices. 

When utilized, third-party 

distributors and resellers should 

not be injected into transactions 

without a clear and legitimate 

business purpose, and localized 

due diligence on these business 

partners should be conducted 


to ensure that they are reputable 

and they abide by anti-corruption 

laws. This due diligence should 

occur prior to any partnership, 

and should be actively supplemented 

on a recurring basis. 

Anti-corruption provisions should 

be included in contracts and 

agreements with distributors and 

resellers, and the health care company 

should seek to make clear 

to its sales channel partners its 

commitment to anti-corruption 

compliance, including by sharing 

best practices and training. 

Foreign health care consultants 

Another risk area is the use of 

consulting arrangements with 

prominent foreign doctors or 

health experts to promote the 

health care company’s products 

or services. Often these “key 

opinion leaders” will be employed 

by or affiliated with a government 

agency or state-owned enterprise. 

These individuals can be legitimately 

contracted to research, 

review, and promote health care 

products and services, of course, 

but particular care should be 

exercised to ensure that the consultant 

has not been implicated in 

corruption in the past and is being 

reasonably compensated relative 

to a bone-fide and value-adding 

service, such as conducting an 

independent medical study or 

providing necessary education in 

relation to the company’s health 

care product or service. Preapproval 

by the Compliance or

Legal function of any consulting 

arrangement abroad may be desirable, 

as would be a requirement 

that no consultant be retained 

while the company or its affiliates 

has business pending before any 

entity related to the consultant. 

Foreign clinical trials 

Outside of the international sales 

and marketing context, a novel 

area of concern to US officials is 

the growing reliance on non-US 

clinical trials when seeking 

approval of new drugs and medical 

devices. A 2010 report by the 

Office of the Inspector General 

of the Department of Health 

and Human Services, entitled 

“Challenges to FDA’s Ability to 

Monitor and Inspect Foreign 

Clinical Trials,” found that 80% 

of drugs approved by the Food 

and Drug Administration (FDA) 

relied on non-US clinical trials 

and that 78% of all subjects who 

participated in clinical trials did so 

outside of the United States. 5 The 

report also noted the lower rate at 

which the FDA audited foreign 

clinical trial sites. Congress has 

also recognized these concerns. US 

Representative Rosa DeLauro said 

the report “highlights a very frightening 

and appalling situation” 

because of “clinical trials in foreign 

countries with lower standards and 

where FDA lacks oversight.” 

Government scrutiny has 

expanded to law enforcement, 

who reportedly are reviewing 

foreign clinical trials for potential 

FCPA violations. Because such 

trials generally would be conducted 

by doctors at state-run or 

state-affiliated hospitals or academic 

institutions, payments by 

pharmaceutical, biotechnology, or 

medical device companies could 

be viewed as potential conduits 

for bribes. A health care company 

that seeks to utilize foreign clinical 

trials should conduct the same 

level of localized due diligence and 

active monitoring of its clinical 

trial partners abroad, just as the 

company would do with respect 

to an international third-party 

business partner. Significantly, 

a company should be especially 

mindful when the proposed clinical 

trial operator is a current or 

potential customer of the company’s 

products—a likely scenario 

if the trial operator is a stateaffiliated 

health care provider. 

Conclusion 

Health care companies now face 

the highest levels of DOJ criminal 

enforcement scrutiny that they 

ever have, not just for domestic 

behavior in violation of traditional 

health care fraud statutes, but 

also for international conduct 

in violation of the FCPA. Such 

companies should implement 

robust global compliance policies 

and procedures, and tailor them 

to the special risks of doing business 

in foreign countries where, 

in the health care context, the line 

between public and private can be 


especially blurred. For pharmaceutical, 

biotechnology, and medical 

device and services companies, 

three of the primary international 

corruption risks arise through 

their use of third-party distributors 

and resellers, consultants, and 

foreign clinical trials. n 

1 Syracuse University Transactional Records 

Access Clearinghouse: Health Care Fraud 

Prosecutions for 2011. August 17, 2011. 

Available at http://trac.syr.edu/tracreports/ 

crim/258/ 

2 Dept of Justice press release: Medicare 

Fraud Strike Force Charges 91 Individuals 

for Approximately $295 Million in 

False Billing. September 7, 2011. Available 

at http://www.justice.gov/opa/pr/2011/ 

September/11-ag-1148.html 

3 Dept of Justice press release: Assistant 

Atorney General Lanny A. Breuer Speaks at 

the American Health Lawyers Association 

and Health Care Compliance Association’s 

2011 Fraud and Compliance Forum. September 

26, 2011. Available at http://www. 

justice.gov/criminal/pr/speeches/2011/crmspeech-110926.html 

4 Dept of Justice press release: Johnson 

& Johnson Agrees to Pay $21.4 Million 

Criminal Penalty to Resolve Foreign 

Corrupt Practices Act and Oil for Food 

Investigations. April 8, 2011. Available 

at http://www.justice.gov/opa/pr/2011/ 

April/11-crm-446.html 

5 Available at http://oig.hhs.gov/oei/reports/ 

oei-01-08-00510.pdf 

HCCA has stepped 

up our environmental 

responsibility by printing 

Compliance Today 

on recycled paper. The 

interior pages are now printed on 

paper manufactured with 100% postconsumer 

waste. The cover stock is 

made up of 10% post-consumer waste 

and is locally produced in Minnesota 

near our printing facility. In addition, 

the energy used to produce the paper 

is 100% renewable energy. This is not 

to mention that the ink used in our 

magazine is 100% soy-based water 

soluble ink. Certifications for the 

paper include The Forest Stewardship 

Council (FSC), Sustainable Forestry 

Initiative (SFI), and Green-e.org. 

7 



8 

Mail call: How 

to respond to 

a regulatory 

investigation 

Editor’s note: K Royal is the Privacy 

and Security Officer with Concentra 

in Addison, Texas. She may be 

contacted at 972/725-6675 or by 

e-mail at k_royal@concentra.com. 

In this ever-increasing culture 

of compliance and oversight, 

we are starting to see more 

investigations and audits occur, as 

evidenced by the US Department 

of Health and Human Services 

award of a $9.2 million contract 

to KPMG LLP to conduct audits 

of 150 entities in 2012. Section 

13411 of the HITECH Act of 

2009 requires periodic audits of 

covered entities and business associates 

to evaluate their HIPAA 

security compliance. The penalties 

increased from $100 a day to 

$50,000 a day for not correctly 

implementing the HIPAA Security 

Rule’s required Administrative, 

Physical, and Technical Safeguards 

(45 C.F.R. 164.308, 310, 

and 312) and Organizational 

Requirements, Policies and 

Procedures and Documentation 

(45 C.F.R. 164.314 and 316). 

By working through a simple scenario, 

this brief article will cover 

By K Royal, RN, JD, CIPP 

some basic material regarding a 

privacy and security investigation, 

but it is generally applicable to 

any regulatory investigation. 

Complaint notification letter 

A variety of authorities, such as the 

Office of Civil Rights (OCR), state 

licensing division, or a consumer 

protection office may send out 

complaint notification letters. This 

can be a little intimidating at first, 

but it is not proof that you have 

done anything wrong. It is typically 

a notification that an individual has 

launched a complaint and the agency 

is looking for more information, 

because they cannot dismiss the 

complaint based on the information 

they have. For the convenience of 

both reader and writer, we’ll use the 

OCR in its general representation 

of any regulatory agency that might 

issue such a letter. Please know that 

agencies receive many more complaints 

than those upon which they 

issue notification letters. 

OCR letters will generally tell you 

the location of the facility the complaint 

is lodged against, the date of 

the alleged occurrence, the person 

making the complaint (and the 


patient, if different), and the rule 

that was allegedly violated. This 

does not mean you have violated 

this rule; it means someone thinks 

you have and the OCR cannot 

discount it immediately. OCR 

receives some complaints that do 

not violate HIPAA. For example, 

OCR may receive a complaint 

from a patient who is dissatisfied 

with the quality of medical care 

he received. This is not a HIPAA 

concern, so OCR would not 

investigate this allegation. With 

the number of complaints that 

come in, depending on the allegation, 

you may be receiving the 

notification letter a year after the 

incident allegedly happened. For 

critical patient rights, such as a 

denial of the right to access, a fast 

track review process occurs and the 

notification letter would be sent 

within a couple of weeks. 

Scenario: 

In August, 2011, you receive 

a letter from OCR stating 

that patient Jane Smith filed a 

complaint with their office July 

15, 2010. She believes that you 

violated the Privacy Rule by 

impermissibly disclosing her protected 

health information (PHI) 

to a member of the public. OCR 

asks that you provide information 

about this occurrence. 

Starting the investigation 

Initial actions 

First, do not get defensive. This 

is an opportunity to present your

side and show that proper actions 

were taken and correct procedures 

are in place. 

At the end of the letter, OCR 

includes the name and contact 

information for the investigator 

assigned to the case. Call the 

investigator. You should cover at 

least three main areas: 

n Let the investigator know that 

you have the letter, are starting 

the investigation, and whether 

you think you need to pull 

records from off-site storage. 

n Make sure to determine how 

the investigator would like to 

receive your response: fax, mail, 

or e-mail. We will cover these 

methods below. 

n Ask for more details on the 

complaint. Typically, they will 

read you the actual letter. By 

doing this, you obtain this 

further information. In our 

example scenario: 

“On July 12, 2010, XYZ office 

faxed my medical record to 

the wrong fax number. They 

were supposed to send it to the 

person preparing my disability 

application. They did not get this 

information back and did not 

send me a written notification.” 

With this more detailed information, 

you are armed to start the 

investigation. Locate the patient 

record and start collecting all 

data on the event. According to 

the records, the patient requested 

that you fax certain records 

to an individual. The patient 

completed an authorization to 

disclose records, including the 

fax number. Your employee used 

a fax cover sheet that was appropriately 

addressed and included 

a disclaimer addressing if the fax 

was sent it error, etc. Attached 

to it is a fax confirmation sheet 

for the day after the call was 

made, to a fax number that was 

one digit off. Taped to that is 

a phone memo note, stating 

that the patient called. Last is 

an Accounting of Disclosure 

form in the chart, capturing the 

event. The patient stated that the 

individual did not receive the 

fax. Apparently, the patient had 

provided the wrong number, so 

once the number was verified, 

the fax was sent to the correct 

number and confirmed received 

correctly. Another fax was sent to 

the wrong number stating that 

a record was faxed in error, and 

to please contact the office and 

confirm that the information was 

shredded. 

Then check the records that were 

faxed. In this scenario, the Social 

Security number was abbreviated 

to the last four digits; no date 

of birth or address was filled 

in; and only the patient name 

and medical information (Note: 

nothing about drugs, contagious 

diseases, or psychological concerns/notes) 

and physician office 

information could be seen. 


Policies 

Pull your policies that apply to privacy. 

Make sure to include policies 

addressing these elements: general 

privacy protections, authorizations, 

disclosures, fax communications, 

violations, and/or breaches, and risk 

assessment of potential breaches. 

Review the applicable policies and 

verify that the policies were followed. 

If you notice a provision of 

the policies that should be improved 

upon in light of this occurrence, 

consider making that change. 

If you do not have policies that 

cover these elements, you need to 

develop them. This can be done as 

segments of a larger overall policy 

or broken into discrete policies 

for the various HIPAA sections. 

Additionally, documentation is 

critical. Defending an allegation 

made weeks, months, or years 

later is challenging enough, 

without having a clear paper trail 

to follow. 

In this scenario, it appears that 

the disclosure was made pursuant 

to a proper authorization for 

disclosure in reliance on the fax 

number provided by the patient, 

which was written by the patient 

on the authorization. The patient 

was aware of the disclosure per 

the phone call notes. There was a 

disclosure log entry and attempt 

to mitigate the breach. Last, a 

review of the disclosure demonstrates 

little risk of financial 


9 


Mail call: How to respond to a regulatory investigation ...continued from page 9 


10 

harm. There is potentially a risk 

for reputational harm, but if there 

is nothing truly sensitive in the 

medical information, it is likely 

not a significant risk of harm. If 

you need to contact the patient 

for any reason, such as to offer 

credit monitoring, verify that the 

investigator has no objection to 

you doing so. 

Response 

Look at what the notification 

letter asks you to provide and 

the due date. Write a clear letter 

that includes the case reference 

number, provides a succinct 

description of the occurrence, 

and whether you agree with the 

allegation. List the documents you 

are sending in support of your 

response and include them in a 

well-ordered attachment. These 

attachments should include copies 

of the authorization form, both 

fax cover sheets and confirmation 

sheets, the phone note, disclosure 

log, and applicable policies. 

Also, make an entry in the new 

disclosure log in the file related 

to sharing PHI in response to an 

agency investigation and make a 

copy of the submission for your 

records. If for some reason you 

cannot submit the response in a 

timely fashion, you must contact 

the investigator and ask for an 

extension of time. 

If you identified any actions you 

need to take or policies that need 

to be adopted or revised, either 

do so and send proof or indicate 

what you have done and provide a 

date for anticipated completion. It 

is likely that OCR will want to see 

the items completed. 

Once you have completed your 

response, let the investigator know 

that it is being sent and reiterate 

the delivery method as determined 

in the earlier conversation. 

E-mail: If sending by e-mail, the 

e-mail should be encrypted. Do 

not put the patient name in the 

subject line, but the reference 

number is a convenient indicator. 

If you do not have an e-mail 

encryption system, there are 

several free zip technologies that 

enable attachments to be zipped 

and encrypted. Again, when the 

file is zipped, the patient name 

should not be the file name, but 

the reference number works fine 

with the patient’s last name as 

the password. Please note that 

password-protected only files are 

not encrypted—only the zipped 

and encrypted files. If you use 

the patient’s last name as the 

password, then in the e-mail, you 

can indicate that the attached 

file’s password is the patient’s last 

name and the investigator can 

look up the name by the reference 

number. Otherwise, the password 

should be sent in a separate e-mail 

or provided over the phone. 

Fax: If sending the file by fax, 

please confirm the fax number 


and use a confirmation sheet. 

Once sent, check the fax number 

against the confirmation. 

Mail: If sending by mail, use a 

mail service that offers delivery 

confirmation with a signature. 

This may cost a little more, but 

the peace of mind and proof of 

delivery is priceless. 

Final determination 

Now all you can do is wait for 

further contact. There are four 

responses you may get back: 

n No regulatory action taken 

(which can mean either no violation 

or voluntary compliance) 

n Request for more information 

n Completion of identified 

actions 

n Regulatory action in the form 

of a violation found with or 

without a penalty 

If the investigator asks for more 

information, provide that in a 

timely manner. If the investigator 

asks for proof of completion of 

an action you identified in your 

response, either provide it, if completed, 

or discuss with the investigator 

your time frames and plans 

for completion. You may have a 

constraint around policy adoption, 

implementation, or training. 

Additionally, the investigator 

may require you to take some 

action, such as revising a form or 

policy. If so, you should clarify the 

rationale behind this request and 

which rule mandates this action.

If you disagree with the requested 

action, you can offer a counter 

solution. The agency will consider 

the counter and provide explanations 

if it is unacceptable, as 

long as the requirements and the 

patient’s interests are met. If you 

receive a notice of violation, you 

will also be provided the mechanism 

to appeal the decision. 

Determinations may take some 

time, but if two months have 

passed without receiving a letter, 

you should contact the investigator. 

The letter may have been 

misdirected. 

Additional considerations 

In some instances, patients may file 

complaints with multiple agencies, 

either concurrently or after 

receiving notice that you were not 

penalized. You may be required 

to undergo this process with a 

state agency and this is when your 

meticulous record-keeping will 

be helpful once again. You can 

provide copies of your response 

to OCR to the state agency and 

OCR’s final determination if it 

has been received, especially if the 

determination was no violation. 

Under HIPAA, there is typically 

nothing wrong with allowing a 

state oversight agency to have 

access to patient records—however, 

there is also nothing wrong 

with requesting it to be in writing. 

You should be clear with the 

agency that you are not opposing 

their right, but that you need 

something in writing so that you 

have a record of the disclosure, 

when, why, how, etc. Discuss with 

the agency what they require to 

conduct their investigation and 

provide the minimum necessary, 

but if they require the full chart, 

then provide the full chart. Once 

again, make an entry in the disclosure 

log for the file and document, 

document, document. 

Conclusion 

Any investigation is likely to 

produce a fair amount of consternation 

and worry. However, 

with proper procedures in 


place, responding to a request 

from a regulatory agency can 

be merely a matter of compiling 

the documents, providing 

appropriate information, and 

communicating clearly with the 

investigator. Regulators are not 

our enemy; they are the fact 

finders of whether the rules are 

being followed. They are there 

to ensure that patients’ rights are 

protected, and most entities do 

not deliberately set out to purposefully 

violate those rights. n 

Help keep your program fully staffed 

List Your Job Openings 

Online with HCCA 

Basic Classified Ads 

Our basic ads are listed on 

our website for 90 days and 

cost just $400 per position. In 

addition, for each month you 

advertise with us, your listing 

is included in our monthly 

HCCA Jobs Newsletter, which 

we send out to over 24,000 

email addresses. 

Premium Listings 

Want to make sure your job 

listing gets noticed first Try a 

premium listing. For just $100 

more, your job listing is placed 

in the top section of the site, 

and it is also featured in the 

top section of the newsletter, 

making it stand out. 

LIST MY JOB OPENING: 

hcca-info.org/newjobs 

HCCA_JobBoard_thirdpagead_2c.indd 1 

11 

11/14/2011 4:41:34 PM 


HCCAnet 

HCCAnet is the most comprehensive 

social network for health 

care compliance professionals. 

Subscribe to dozens of discussion 

groups and get your compliance 

questions answered. Offer your 

experience with your colleagues. 

Share your resources and policies 

in the libraries. 

Resources 

n Creating a Compliance Plan 

o Posted in: Compliance and 

Ethics Main Library at 

http://bit.ly/complianceplan 

n Compliance Audit Review Plan 

o Posted in: Compliance and 

Ethics Main Library at 

http://bit.ly/auditreviewplan 

n Compliance Newsletter 

Example 

o Posted in: Health Care 

Library at http://bit.ly/ 

compliancenewsletter 

Mobile App 

n Search for Mobile Membership 

Look for the logo 

n Download app, then search for 

HCCAnet 

Read some of the latest 

HCCAnet discussions: 

Chief C&E Officer Health Care Network 

n Pharma, Docs, and Conflicts of Interest 

o Interesting article about how pharma reps try to manipulate 

doctors, written by Dan Ariely, Duke University Professor and 

author of Predictably Irrational (http://www.wired.co.uk/magazine/ 

archive/2011/11/ideas-bank/dan-ariely) 

One highlight: It was interesting to see how well these reps employed 

classic persuasion strategies. One tactic was to hire doctors to lecture 

other practitioners about a drug. The reps weren’t interested in what 

the audience took from the talk, but in the effects on the speaker 

himself. They found that after giving an address about a drug’s 

benefits, the speaker would begin to believe his own speech and 

prescribe accordingly. 

n http://bit.ly/pharmapost 

Hospital Network 

n Texting compliance 

o We are re-looking at texting communication with health care 

providers such as texting of orders by physicians to nurses on 

private cell phones. I am against this for several reasons; however, 

our physicians feel this is an evolving and convenient form of 

communication. Is there anyone who is willing to share how you 

are handling this issue, and any policies that address this form of 

communication Thank you. 

n http://bit.ly/textinghc 

HIPAA: Health Insurance Portability and Accountability Act Forum 

n Elevator Incident 

o An elevator closed early and struck a patient. There is a video of the 

incident and the elevator repair company would like to review this. 

No audio and no other PHI is available—only the image of the 

patient. Is it permissible to allow the repair company to view the 

video as long as the patient is not identified in any other manner My 

gut says yes, but I have some doubt... (Note: this question pertains 

only to the privacy piece, not any other legal ramifications.) 

n http://bit.ly/elevatorincident 


12 


n Starting from Scratch 

o I just returned from the Philadelphia conference 

for Physician’s Practice Compliance 

Conference and am now faced with what 

seems to be the daunting task of drafting the 

initial compliance agreement and would very 

much appreciate any templates, examples, 

etc., anyone could share with me. It seems 

a little overwhelming to start from scratch. 

Would appreciate anything you have. 

n http://bit.ly/compliancescratch 

Healthcare Billing and Reimbursement 

Group 

n Facility Fees 

o For differing hospital clinics, may the facility 

fees differ for the same visit code 

n http://bit.ly/facilityfees 

Contact Eric Newman at 952-405-7938, or 

e-mail Eric at eric.newman@hcca-info.org 

with any questions about HCCAnet. Also, 

ask Eric about the new HCCAnet mobile 

app for the iPhone, Blackberry, and Android 

devices. 

HCCA Website News 

Upcoming Webinars 

Many different webinars are coming up on a variety 

of compelling compliance topics. You may register 

online for any or all of the upcoming live webinars; 

and you can view past webinar at www.hcca-info.org/ 

webconferences 

2012 Compliance Institute Preliminary Brochure 

The 2012 Compliance Institute is coming up fast. 

Take a look at the Preliminary Brochure to see which 

speakers and sessions will be in Las Vegas next April 

at www.hcca-info.org/CIbrochure 

Viewing your CEUs online 

Don’t get stressed out about your certification renewal 

date at the last minute. Stay on top of your CEUs, 

and make sure they are all listed in your account. 

To view them, go to “Member Center” and then 

“Update My Info,” then click on “Activities” and 

“CEUs” 

Gift Giving Policy 

With Christmas just around the corner, giving and 

receiving gifts is on our minds. Take a look at the 

HCCA/SCCE Survey on Corporate Gifts & Entertainment 

Policies at www.hcca-info.org/GiftsSurvey 

OIG Compliance Program Guidance 

The Office of Inspector General developed compliance 

program guidance for different segments of the 

health care industry (e.g., hospital, nursing home, 

clinical lab, third-party billers). Take a look at your 

industry’s program under Compliance Info, then go 

to external links at www.hcca-info.org/guidancedoc 

Contact Tracey Page at 952-405-7936, or e-mail 

Tracey at tracey.page@hcca-info.org with any questions 

about the HCCA website. 



13

feature 

article 

Meet Mary Dunaway 

Hospital Revenue Cycle Compliance Director, 

University of Arizona Health Network 


14 

Editor’s note: This interview with 

Mary Dunaway was conducted in 

the fall by HCCA CEO Roy Snell. 

Roy may be contacted by e-mail at 

roy.snell@hcca-info.org and Mary 

may be contacted by e-mail at 

Mary.Dunaway@uahealth.com. 

RS: Please share a little bit about 

your professional background 

and your work at University of 

Arizona Health Network. 

MD: I have worked in health 

care for over 30 years. Upon 

graduating from nursing school, 

I worked for short stints in 

acute medical and pediatric 

hospital units. As my nursing 

skills improved, I moved into 

critical care nursing, where I 

quickly developed an interest in 

newly emerging technological 

advancements in cardiac care. 

Then in the late 1980s, I unexpectedly 

stumbled into health 

care auditing work when given 

an opportunity to learn hospital 

insurance counter auditing 

(i.e., substantiating the services 

hospitals provide 

patients). Shortly 

thereafter, a physician 

practice 

administrator 

with University 

Physicians asked 

if a similar methodology 

could be 

applied to professional 

service 

claims, thus 

beginning my foray into health 

care coding and compliance. 

Over the years, I have been 

afforded many opportunities 

to advance my skills in coding, 

revenue cycle management, and 

compliance on behalf of both the 

University Physician’s (practice 

plan) and University Medical 

Center (hospital). Just over one 

year ago, both organizations 

merged, recently adopting the 

name “University of Arizona 

Health Network.” The newly 

formed health system includes 

two hospitals, a behavioral health 

facility, numerous clinics, a 


health plan, and approximately 

6,000 employees. 

RS: Mary, please tell us how 

you first became involved in the 

Compliance profession. 

MD: In the early to mid 1990s, 

the CFO with University 

Physicians offered me an opportunity 

to develop an internal 

audit program. The program was 

initially developed to evaluate 

and strengthen organizational 

processes and procedures from 

appointment scheduling through 

payment reconciliation. As it 

turned out, the foresight of the

CFO was particularly timely 

in light of impending regulatory 

scrutiny. Academic medical 

centers were among the first 

to experience such scrutiny, as 

adherence to Medicare Teaching 

Physician rules (PATH) was put 

under the microscope. 

RS: What do you remember of 

the fatefull call you and I had 

and the subsequent meeting held 

as part of the AGMA conference 

that eventually led to the establishment 

of HCCA 

MD: Mostly, I remember how 

timely the first call was. The 

AGMA conference set the stage 

for networking opportunities as 

academic medical centers shared 

their early experiences with regulatory 

enforcement activities and 

the early development of compliance 

and education programs. The 

collective experience and perspective 

that you, Brent Saunders, Ed 

Longozel, Lisa Murtha, Debbie 

Troklus, the Russos, and others 

openly shared helped organizations 

shift away from a reactive 

to a proactive solution-based 

approach. As you may recall, 

following the AGMA conference, 

several meetings were held 

with CMS officials and academic 

medical centers to clarify the 

Teaching Physician rules. These 

meetings were instrumental in 

clarifying documentation requirements 

and subsequently paved the 

way for future dialogue with other 

governmental agencies. 

RS: Please tell us how the 

Compliance profession has 

changed over the past 16 years. 

MD: Early compliance programs 

raised organizational awareness 

and laid the ground work for 

current programs. In addition to 

implementing effective compliance 

program elements (as per 

OIG recommendations), compliance 

efforts seemed to primarily 

focus on areas of financial risk or 

vulnerability in response to regulatory 

enforcement (e.g., coding, 

billing, Teaching Physician rules, 

Stark and anti-kickback legislation, 

etc.). With the emergence 

of data mining technologies and 

integrated/complex organizational 

structures, these areas remain 

high on the priority list. Other, 

equally important, priorities have 

subsequently emerged as well. 

Privacy and security regulations, 

coupled with advancements in 

medical technologies, telecommunications, 

and the use of 

electronic health records has 

necessitated changes in compliance 

programs. Recent trends also 

include integrating quality-of-care 

initiatives with compliance activities, 

as care standards, metrics, 

and outcomes impact third-party 

payer contracts and payments. It 

is not uncommon for large health 

systems to employ numerous 

compliance professionals who 

have a broad spectrum of skill 

sets, to provide the necessary oversight 

in today’s quick-changing 

regulatory landscape. 


RS: Would you say that HCCA 

has helped in these changes and, 

if the answer is “yes,” how 

MD: Absolutely, HCCA has been 

and remains an invaluable resource 

for health care compliance professionals. 

The association provides a 

wealth of information for compliance 

professionals at any level of 

development. Access to sample 

policies, templates, PowerPoint 

presentations, regulatory 

documents, and educational opportunities 

is very helpful. Membership 

lists and social networking sites 

make it easy for compliance professionals 

to make connections and 

learn from one another. 

RS: You regularly attended 

HCCA’s annual Compliance 

Institute. Please tell us why. 

MD: The annual Compliance 

Institute is like a “big box store” 

for compliance professionals. 

The Institute affords compliance 

professionals an opportunity to 

access a wide variety of regulatory, 

enforcement, program development, 

problem resolution, and 

system support information that 

is both relevant and timely. The 

program content is applicable to 

all aspects of health care. Most 

notably, it is the one event that 

brings together a broad spectrum 

of compliance experts, both 

within and outside the health 

care field (e.g., government, legal, 

health care institution, finance, 

other industry experts). 



15

Meet Mary Dunaway, Hospital Revenue Cycle Compliance Director, University of Arizona Health Network 

...continued from page 15 


16 

RS: If you received a call today 

from someone just starting out in 

the Compliance profession, what 

advice and recommendations 

would you offer him or her 

MD: Definitely connect with 

the HCCA and, if at all possible, 

attend a Compliance Institute. It 

is a terrific venue to learn about 

compliance, hear about trending 

topics from government agency 

perspectives and experts in the 

field, network with other compliance 

professionals, and preview 

vendor products and tools. 

RS: How does HCCA best 

support the work you are doing 

and what could HCCA be doing 

to support your work and the 

profession even more 

MD: HCCA provides exceptional 

program development and compliance 

education opportunities, 

covering a broad spectrum of 

health care entities. The website 

is easy to navigate and provides 

quick access to regulatory 

resource information, compliance 

documents, templates, members, 

and social networking sites. I 

am especially appreciative of the 

PowerPoint presentations, educational 

materials, and sample 

documents that can readily be 

adapted for organizational use. As 

a compliance professional, I am 

always on the lookout for tools 

and information that can lead 

to best practices. HCCA is in a 

unique position to help members 

maintain relevant and current 

compliance programs by continuing 

to facilitate the exchange 

of information and material, such 

as the following: 

n Current compliance program 

effectiveness benchmarking data 

n Updated sample job descriptions 

and compliance documents 

n Sample metrics, board reports, 

and dashboards 

n More industry-specific sample 

audit tools and data management 

solutions 

n Member reviews of compliance 

products and tools (e.g., similar 

to Amazon’s five star ratings) 

RS: Where do you see 

Compliance headed in the future 

MD: I see both regulatory agencies 

and compliance programs 

being continually challenged 

to keep pace with the advancements 

in health care delivery, 

telecommunications, electronic 

health records, and payment 

systems. The possibilities are 

endless for how health care is 

delivered as robotics, minimally 

invasive surgery, genetic-based 

pharmaceuticals, and remote 

monitoring technologies (to 

name a few) become common 

place. Technological advancements 

will continue to link health 

care providers globally to their 

patients as well as each other. As 

the delivery of health care changes 

and budgets stretch, payment 

reforms will continue to be a 

priority for governmental and 

other third-party payers. 


RS: What do you enjoy most 

about working in the health care 

compliance industry 

MD: I enjoy how dynamic this 

industry is as it strives to improve 

individuals’ quality of life through 

advancements in health care. 

Every day presents an opportunity 

to learn something new and 

exciting. Amidst all the advancements 

in the delivery of health 

care, compliance programs are 

also compelled to adapt and grow. 

RS: What has been your biggest 

challenge over the past year 

MD: This year has been particularly 

challenging as work loads 

have shifted and changed in 

response to both internal priorities 

and the expansion of regulatory 

programs/initiatives. The 

compliance program continues 

to evolve, change, and mature in 

response to the needs of our newly 

integrated health care system. 

Simultaneously, it has been necessary 

to adapt and change to meet 

the demands of regulatory initiatives, 

such as the expansion of 

privacy and security regulations, 

pay-for-performance/quality-ofcare 

initiatives, and Medicare’s 

Recovery Audit Contractors 

(RACs) and other third-party 

payer audit programs. 

RS: What has been your biggest 

challenge as a compliance professional 

and how did you overcome it 

MD: Health care compliance 

programs were unchartered

territory in the early years. The 

management and resolution of 

problems was often complicated 

by conflicting advice/perspectives 

within the industry and government. 

HCCA was instrumental 

in engaging a network of industry 

and government experts in meaningful 

dialogue, practical advice, 

and regulatory guidance. 

RS: What skills and/or techniques 

do you employ to help resolve 

potential compliance problems 

MD: Approximately 10 years ago, 

quality improvement programs 

shifted away from looking at 

incidents and near misses from 

an outcomes-based perspective 

to root cause analyses. I find this 

methodology particularly useful 

when evaluating potential compliance 

incidents as well. Rather 

than assigning blame, or focusing 

too narrowly on the outcome of 

an adverse finding or incident, 

the goal is to validate the problem 

and understand the root cause 

(i.e., what, when, where, why, 

how). This approach helps achieve 

effective analyses by reducing/ 

eliminating bias, promoting 

objectivity, and facilitating 

communication. By drilling down 

to the root cause of a problem, an 

effective resolution can be implemented 

to correct and prevent 

future occurrences. 

RS: Mary, tell us what about 

your hobbies and what you do to 

relax when you’re not at work. 

MD: Any opportunity to get 

outdoors for a walk, enjoy some 

play time with our dog Bo Jangles, 

get together with friends, or read a 

good book tops the list of favorite 

pastimes. Our daughter’s 4-H 

horseback riding activities and the 

occasional day trip to local artisan 

events also makes for a fun and 

relaxing change of pace as well. 

RS: What is the title of the last 

book your read 

MD: Most recently I read Cutting 

for Stone. n 

Compliance Today Editorial Board 

The following individuals make up the Compliance Today Editorial Advisory Board: 

Gabriel Imperato, Esq, 

CHC 

CT Contributing Editor 

Managing Partner 

Broad and Cassel 

Ofer Amit 

MSEM, CHRC 

Research Compliance 

Administrator 

Baptist Health South Florida 

Janice A. Anderson 

JD, BSN 

Shareholder 

Polsinelli Shughart, PC 

Christine Bachrach 

CHC 

Chief Compliance Officer 

University of Maryland 

Dorothy DeAngelis 

Managing Director 

FTI Consulting 

Gary W. Herschman 

Chair, Health and Hospital 

Law Practice Group 

Sills Cummis & Gross P.C. 

David Hoffman, JD 

President 

David Hoffman & 

Associates 

Richard P. Kusserow 

President & CEO 

Strategic Management 

F. Lisa Murtha, JD 

CHC, CHRC 

SNR Denton US LLP 

Robert H. Ossoff, DMD, 

MD, CHC, Assistant Vice 

Chancellor for Compliance 

and Corporate Integrity 

Vanderbilt Medical Center 

Jacki Pemrick 

Privacy Officer 

Mayo Clinic 

Deborah Randall, JD 

Law Office of Deborah 

Randall 

Emily Rayman 

General Counsel and Chief 

Compliance Officer 

Community Memorial 

Health System 

Rita A. Scichilone 

MSHA, RHIA, CCS, CCS-P 

Director of Practice Leadership 

American Health Information 

Management Association 

James G. Sheehan, JD 

Chief Integrity Officer. 

New York City Human 

Resources Administration 

Lisa Silveria, RN, BSN 

Home Care Compliance 

Catholic Healthcare West 

Jeffrey Sinaiko 

President 

Sinaiko Healthcare 

Consulting, Inc. 

Debbie Troklus, CHC-F, 

CCEP-F, CHRC, CHPC 


Aegis Compliance and Ethics 

Center 

Cheryl Wagonhurst, JD 

CCEP, Partner 

Law Office of Cheryl Wagonhurst 

Linda Wolverton, CHC, 

CPHQ, CPMSM, CPCS, 

CHCQM, LHRM, RHIT 

Vice President Compliance 

Team Health, Inc. 



17

ROY sNELL 


18 

Change 

HCCA and SCCE have had another great year. We 

have had significant membership growth—HCCA 

and SCCE just hit 10,000 members. Our financials 

look very good and we are building a reserve that 

will help us weather future challenges. 

We have made several improvements to our operations. 

We have updated our phone system with a 

voiceover IP system that will allow our staff, many 

of whom travel, to receive their voicemail via email. 

We are updating our website and our membership 

database management system. With these changes, 

members will be able to move easily between our 

social media, the website, and the membership 

database. We have updated the magazine and will 

be providing more information about the compliance 

profession. We have added new columnists 

and improved the magazine’s look and feel. The first 

redesigned issue of HCCA’s Compliance Today will 

be published this spring. 

As we’ve grown we have added new staff. We are able 

to dedicate people to tasks rather than have them be 

distracted or diluted by several tasks. We are able to 

have staff specialize in certain areas, allowing them to 

focus on how to improve their function. For example, 

we now have an individual dedicated specifically 

to our website. This staff member is able to spend 

more time improving the system and studying new 

trends in website management. 

We also continue to improve our conferences. We 

have added conferences, such as the new regional 

meetings in Houston, Texas and Oakland, California. 

We have added Academies to meet the growing 

demand for those interested in certification. We have 

added new technology to our meetings, such as realtime 

social media reporting and audience response 

technology for audience feedback and polling to our 

Advanced Discussion Group track at the Compliance 

Institute. 

During the last Board strategic planning session, 

the Board focused on social media. We are now one 

of the leading associations in adopting social media 

for member networking. In the next Board strategic 

planning session, the Board will focus on new 

projects to help compliance professionals deal with 

the stress associated with their job. 

And finally, we are very excited to have our first 

few applicants for our advanced certification—the 

Certified in Healthcare Compliance Fellowship 

(CHC-F). Debbie Troklus and her committee have 

been working on certification for over ten years. 

They have added a research certification and a 

privacy certification in recent years and spend a great 

deal of time making sure our original certifications 

are updated in a timely manner. HCCA and 

SCCE now have some of the most highly regarded 

certifications in the compliance and ethics 

profession. n 

If you have any questions that you would like Roy to 

answer in future columns, please e-mail them to: roy. 

snell@hcca-info.org. 


Social Networking 

John Falcetano 

Editor’s note: John Falcetano, 

CHC-F, CCEP-F, CHRC, CHPC, 

CIA is Chief Audit/Compliance 

Officer for University Health Systems 

of Eastern Carolina and Second Vice 

President of the HCCA Board of 

Directors. John may be contacted by 

e-mail at jfalcetano@uhseast.com. 

Zone Program Integrity Contractor (ZPIC) 

One of the best benefits of our social network site is the 

ability for members to discuss a wide range of compliance 

topics. One topic currently being discussed is the 

Zone Program Integrity Contractor (ZPIC). As many of 

you are aware, the Program Safeguard Contractor (PSC) 

transitioned to ZPIC. ZPICs do a lot of data analysis 

and evaluate complaints. They also make referrals to law 

enforcement. ZPICs may also support law enforcement 

during an investigation. 

Some of the questions asked as part of the online discussion 

include: 

n How much time do the ZPICs have before they respond 

to a claim on audit 

n Is anyone using a data analysis software product to do 

proactive data mining in preparation for ZPICs 

Get Connected. 

Subscribe to dozens of discussion 

groups, download hundreds of 

resources, and connect with thousands 

of compliance professionals on 

HCCAnet 

http://community.hcca-info.org 

Start a discussion in the HCCA LinkedIn 

group 

http://www.hcca-info.org/LinkedIn 

Follow @hcca_news for the latest trends 

in health care compliance 

http://www.twitter.com/hcca_news 

For the answers to these questions and others, go to the 

HCCA Social Network site. Remember social networking is a 

great way to make friends, obtain needed compliance documents, 

or just talk with peers. Visit our network and start a 

blog or join a discussion group. You will be glad you did. 

To participate in the discussion, review the comments, or 

just talk with your peers, you can access the HCCA Social 

Network site by going to the following link: www.hccainfo.org/hccanet 

n 

Get the latest compliance news and 

HCCA event information in your 

facebook news feed. “Like” that HCCA 

facebook page at 

http://www.hcca-info.org/Facebook 


19 

HCCASocialNetworking_halfpage_301nK_CTad.indd 1 8/31/2011 10:05:0 


Exhale 

By Shawn DeGroot, CHC-F, CCEP, CHRC 


20 

Shawn DeGroot 

Editor’s note: Shawn DeGroot, 

CHC-F, CCEP, CHRC is Vice 

President of Corporate Responsibility 

at Regional Health located in 

Rapid City, South Dakota. Shawn 

also serves as Vice President of the 

HCCA Board of Directors. She may 

be contacted by e-mail at 

SDegroot1@regionalhealth.com. 

Exercise a good sense of 

humor 

A person with a sense of humor 

often lives longer, typically doesn’t 

sweat the small stuff, and obviously 

is comfortable in his own 

skin. When I think of comedians 

in a general sense, one of my 

favorites is Robin Williams, and 

typically a lawyer would not 

come to mind; however, Dan 

Mulholland, a very seasoned 

health care lawyer since 1978, 

possesses characteristics of an 

incredible legalistic mind with a 

constant twist of humor. Without 

hesitation, Dan has the ability to 

recite the exact Code of Federal 

Regulations, then interpret, add 

commentary, or make an analogy 

regarding the Mafia or Worldwide 

Wrestling that quickly alleviates 

heartburn and/or anxiety. Dan 

joined the Horty Springer law 

firm over 35 years ago, and to his 

knowledge, he is still employed by 

the firm. 

What keeps Dan up at night 

Street noise and occasional indigestion 

are the most problematic, 

with other items not for public 

disclosure. 

What tactics does Dan use to 

handle stress professionally 

and personally 

A shot and a beer at the local bar 

on a weekend, tooling around 

aimlessly on his boat with his six 

kids, and spending time with his 

sainted wife of 30 years are a few 

of Dan’s solutions. 

Dan’s practical advice to compliance 

professionals can be boiled 

down to the following bromides: 

n Don’t let the perfect be the 

enemy of the good. Too often 

Dan sees compliance professionals 

focusing on minutiae, 

while larger problems are either 

ignored or set aside. 

n Don’t make mountains out of 

molehills. For example, if you 

conduct an audit of 100 cases 

and find a 20% error rate, it 

doesn’t necessarily mean that 

20% of every case you’ve done 

is bad; it just means that you 

made 20 mistakes. Refund the 

money as needed, develop a 

good corrective action plan, and 

move on. 

n Don’t go looking for trouble; 

it will look for you. This doesn’t 

mean put your head in the 


sand, but don’t go chasing down 

every rabbit hole trying to identify 

theoretical problems that 

may or may not actually constitute 

compliance violations. This 

is especially true in the area of 

physician contracts and leases. 

There are a lot of things, such 

as backdated contracts, that, 

based on obscure governmental 

pronouncements, some might 

say fall outside Stark law exceptions, 

but based on state law, 

may not be a problem at all. 

n Talk to your attorneys when 

in doubt. Dan isn’t just singing 

for his supper here. The advice 

of counsel is the most effective 

defense available if you are 

accused of wrongdoing, such 

as a False Claims Act violation. 

If you fully disclose the facts of 

your situation to your attorney, 

and he or she gives you a reasoned 

legal opinion that what 

you have done is OK, and you 

faithfully follow the attorney’s 

advice, you will be OK—even 

if the attorney’s advice turns out 

to be incorrect. 

What does Dan predict for the 

future 

Aside from the general meltdown 

that will occur in 2014 when the 

Affordable Care Act’s individual 

mandate kicks in, there will 

be between 30 and 50 million 

people who will be dropped 

from employer health insurance. 

Equally important will be the 

increased enforcement activity

y the federal and state agencies 

that define otherwise common 

behavior in the industry as 

fraud—the biggest concern for 

providers right now. The regulatory 

web in health care is so vast 

and complex, and the regulators 

often define neutral or beneficial 

activity as illegal. Virtually 

everyone can be accused of fraud, 

simply as a way for the governmental 

payers to get money back, 

now that they are effectively 

broke. Compliance officers ought 

to be on the front line, making 

sure that their organizations do 

the best they can—keeping on 

the right side of the law when 

the lines are clear and working 

with counsel to develop realistic 

strategies to deal with increasing 

number of grey areas. 

Of course, watch out for potential 

whistleblowers. Where possible, 

call them out when you 

spot people who find fault with 

anything that you do, but don’t 

suggest any realistic solutions to 

deal with the real or imagined 

problems they conjure up. Dan’s 

closing comment was that they 

would do well to recall that “the 

lowest circle of hell in Dante’s 

Inferno was reserved for cheese 

eaters.” n 

The HCCA HIPAA 

Training Handbook 

The Health Insurance Portability 

and Accountability Act (HIPAA) 

has had lasting impact on U.S. 

health care providers since its 

passage in 1996. Now HIPAA, 

along with HITECH, affect health 

care professionals on a daily basis. 

This newly revised handbook is 

intended for anyone who needs a 

basic understanding of the privacy 

and security regulations governed 

by HIPAA and HITECH. Suitable 

for staff training courses, it covers: 

• Who must comply with HIPAA and HITECH 

• When and by whom is the use or disclosure of protected 

health information (PHI) permitted 

• What rights does an individual have regarding his or 

her PHI 

• What are the basic safeguards required to protect the 

security of e-PHI 

• What happens when a breach occurs 

• And much more 

This handbook can prepare all health care professionals to 

help protect the privacy and security of their patients’ health 

information. 

Visit www.hcca-info.org or call 888-580-8373 to order. 

HCCA MEMBER DISCOUNTS 

# of handbooks cost per book 

1–9 ...........................$25 

10–24 .......................$23 

25–49 .......................$20 

50–74 .......................$18 

75–99 .......................$16 

100+ .........................$15 

6500 Barrie Road, Suite 250 

Minneapolis, MN 55435 

Phone 888-580-8373 | Fax 952-988-0146 

www.hcca-info.org | helpteam@hcca-info.org 


HIPAAHandbook2ndEd_2c_2columnAd.indd 1 


21 

8/3/2011 4:53:04 PM

Soar to higher levels 

of compliance and 

risk management . . . 

When you’re forced to rely on labor-intensive 

spreadsheets, point solutions, or a software 

system retrofitted to the health care industry, 

it can feel as if your risk is managing you. 

Go beyond risk management to continuous 

improvement with a customized, scalable 

and complete solution, fully supported by 

experts in the health care compliance industry. 

Created exclusively for the health care 

industry, MediRegs ® ComplyTrack from 

Wolters Kluwer Law & Business provides you 

with the tools you need to proactively assess, 

understand, communicate and mitigate risk 

across your entire enterprise. 

ComplyTrack delivers 

industry-leading 

solutions for: 

■ Compliance 

■ Risk 

■ Internal Audit 

■ Privacy & Security 

■ Audit & Compliance 

Committee 

■ Legal 

■ Health Information 

Management 

Visit MediRegs.com/ERM and learn why 

customers prefer our solution for enterprise 

compliance and risk management. 

HCCA ComplyTrack ad 7-11.indd 1 

5/9/2011 11:09:20 AM

People 

on the Move 

Former Medicaid Inspector 

General James Sheehan joins 

New York City HRA as Chief 

Integrity Officer 

Former New York State Medicaid 

Inspector General and Associate 

U.S. Attorney for the Eastern 

District of Pennsylvania James 

Sheehan recently joined the New 

York City Human Resources 

Administration (HRA) as the 

agency’s Chief Integrity Officer. 

Mr. Sheehan will report directly 

to the Commissioner on anything 

related to agency and program 

integrity. Mr. Sheehan will have 

direct oversight of the Investigation, 

Revenue and Enforcement 

Administration (IREA) and the 

Office of Audit Services. Mr. 

Sheehan plans to use his experience 

with Medicaid integrity to 

build on the HRA’s past record 

of cost avoidance and recoveries 

from fraud investigations – in 

2010, the Agency’s efforts led to a 

combined recovery and cost savings 

amount of more than $225 

million—and focus on the further 

reduction of abuse, waste and 

fraud in New York City’s largest 

social services programs. 

“After serving the leading federal 

and state government agencies in 

prosecuting fraud and protecting 

program integrity, I am honored 

to work for the greatest city in the 

world and the largest municipal 

social services agency in the country,” 

said James Sheehan, HRA 

Chief Integrity Officer. “My job 

will be to ensure the protection of 

public dollars by continuing the 

Agency’s excellent record in investigating 

and vigorously prosecuting 

individuals caught engaging 

in fraud or other illegal activities, 

and developing new data mining 

and analytic techniques to identify 

risk areas and prevent fraud.” 

HHS-OIG team honored 

On October 18, 2011, the 

HHS-OIG’s Health Care 

Reform Technical Assistance 

Team received the Glenn/Roth 

Exemplary Service Award in 

recognition of the team’s expert 

technical assistance to Congress 

throughout the health care 

reform legislative drafting process. 

This award was presented 

at the 14th annual Inspector 

General Community Awards 

ceremony. 

VA appoints new Chief 

Compliance and Business 

Integrity Officer 

The Veterans Health Administration 

recently announced the 

appointment of Robert Criscuolo 

as the new Chief Compliance and 

Business Integrity (CBI) Officer. 

Criscuolo will serve as the principal 

advisor to the Undersecretary 

of Health in matters relating to 

compliance and organizational 

integrity in the business arena. 


Omnicare appoints Kathleen 

McGuan Chief Compliance Officer 

Recently Omnicare, Inc. announced 

Kathleen McGuan was appointed 

Senior Vice President and Chief 

Compliance Officer. Ms. McGuan 

will oversee and lead Omnicare’s 

corporate compliance function. In 

this role, she will be a key contributor 

as the company continues to 

reinforce its commitment on 

compliance. Ms. McGuan will 

report directly to Omnicare’s Board 

of Directors and John Figueroa, 

Omnicare’s Chief Executive Officer. 

Welmont Health System 

appoints Nolan Senior VP of 

Assurance and Compliance 

Robert Nolan, a veteran leader 

in the health care compliance 

field, has been named Senior 

Vice President of Assurance and 

Compliance Services at Wellmont 

Health System. n 

Received a promotion Have a new 

hire in your department If you 

have received a promotion, award, 

or degree; accepted a new position; 

or added a new staff member to 

your compliance department, please 

let us know. It’s a great way to let 

the Compliance community know 

where you have moved on to, or who 

has joined the Compliance team. 

Send your job change information 

to: service@hcca-info.org. 


23


24 

Losing sleep over 

health care marketing 

arrangements 

Editor’s note: Lawrence Conn is 

Special Counsel to Foley & Lardner 

LLP in Los Angeles. He is a member 

of the firm’s Health Care Industry 

Team and represents hospitals, 

physicians, clinical laboratories, 

pharmacies, and therapy and DME 

suppliers in a wide range of legal areas 

and issues. Larry may be contacted by 

e-mail at lconn@foley.com. 

As with any industry, 

health care providers 

typically find marketing 

a valuable means of ensuring 

economic vitality, goodwill, and 

community outreach. Unlike 

almost any other industry, 

however, health care providers are 

faced with substantial limitations 

and potential criminal liability 

in connection with these efforts, 

even when no false or misleading 

claims are made and no coercive 

tactics are used. The principle 

hurdle providers face is the 

federal Anti-kickback Statute 

[42 U.S.C. § 1320-7b(b)], 

which prohibits remuneration 

not only for referrals, but also 

in exchange for, or to induce 

recommending an item or service 

covered by a governmental health 

care program. Many states have 

laws that equal or even exceed 

By Lawrence Conn 

the scope of the federal Antikickback 

Statute, often extending 

to items or services regardless of 

the payer. Because recommending 

use of items and services is the 

very essence of marketing, health 

care providers operate in a highly 

unusual and potentially perilous 

legal environment. 

The Department of Health 

& Human Services, Office of 

Inspector General (OIG) has 

expressed a longstanding concern 

regarding health care marketing. 

Back in 1991, when the initial 

Anti-kickback Statute safe harbors 

(i.e., regulatory exceptions) were 

finalized, the OIG declined to 

offer any special protections for 

marketing, stating: [W]e believe 

that many marketing and advertising 

activities may involve at least 

technical violations of the statute. 1 

These concerns have continued to 

play out through a long series of 

OIG Advisory Opinions, including 

two recent opinions addressing 

marketing arrangements for 

sleep testing laboratories, which 

are addressed later in this article. 

Safe harbor 

Although the OIG declined to 


offer any special protection for 

marketing arrangements, it also 

noted that marketing and advertising 

can potentially fit within the 

personal services and management 

contracts safe harbor to the Anti- 

Kickback statute. 2 However, unless 

a provider engages or employs 

an exclusive, full-time marketer, 

whom it pays on a wholly fixed-fee 

basis, it will be difficult to meet 

this safe harbor. Among other 

standards, the safe harbor requires 

that any part-time arrangement 

must specify “exactly the schedule 

of such intervals, their precise 

length, and the exact charge 

for such intervals.” 3 It may be 

highly impractical for the parties 

to specify in advance the exact 

periods during which a marketer 

will perform its services, particularly 

if the marketer is a consultant 

or other independent contractor, 

rather an employee of the provider. 

Moreover, unless the marketer 

is paid on a fixed hourly basis 

and the marketing services are 

performed in discrete time chunks, 

it would likely be impossible to 

specify the “exact charge” for each 

interval of service rendered. 

Failure to meet a safe harbor does 

not mean an arrangement violates 

the Anti-kickback Statute, but 

rather that it will be subject to 

scrutiny under the statute and 

potentially could be found to be a 

violation. Still, marketing arrangements 

that fall outside the personal 

services/management safe harbor

may find themselves in a netherworld 

of legal uncertainty. OIG 

has addressed such arrangements 

in a number of Advisory Opinions, 

which provide the clearest guidance 

that exists in this area. 

OIG guidance regarding 

marketing and sales agents 

OIG has, over a number of years, 

addressed marketing arrangements, 

as well as payments to sales agents, 

in a variety of Advisory Opinions. In 

particular, the OIG has consistently 

identified so-called “success fees” 4 

and compensation based on a percentage 

of revenue 5 as problematic. 

Most recently, the OIG explained its 

concerns with success fees as follows, 

regarding a proposal where the 

“Requestor” would provide management 

and marketing services for a 

sleep laboratory provider: 

Marketing fees paid on the basis 

of successful orders for items or 

services are inherently subject 

to abuse because they are linked 

to business generated by the 

marketer. Because the Requestor 

receives a fee each time its marketing 

efforts are successful, the 

Requestor’s financial incentive 

to arrange for or recommend 

the Hospital’s sleep testing facility 

is heightened. The more test 

orders the Requestor’s marketing 

efforts generate, the more 

fees the Requestor receives. 6 

As this article will discuss further 

in the context of the recent sleep 

laboratory opinions, this conclusion 

is inconsistent with standard 

business practice. In virtually any 

other context, it is a matter of 

course to structure compensation 

that incentivizes a service provider 

to furnish services in an effective 

manner. OIG seems to recognize 

the customary and legitimate role 

marketing plays in the health care 

industry, but it has clear concerns 

if the marketer is paid in a manner 

that reflects the actual quality of 

marketer’s services, even when the 

marketer is not in a position to 

refer patients, and even when the 

marketer is not in a special position 

of influence with respect to 

recommending the provider. 

OIG, however, has acknowledged 

that greater concern arises out of 

marketing arrangements where 

the marketer is in a special position 

of influence. In a series of 

Advisory Opinions, the OIG has 

listed elements of what it considers 

to be potentially suspect marketing 

arrangements. These include 

marketing directly by providers 

and suppliers (particularly what the 

OIG refers to as “white coat” marketing 

by health care professionals, 

including physicians), because they 

are in a position of trust and may 

exert undue influence. 7 

Additional suspect elements that 

the OIG has identified include: 

n The degree to which the marketing 

activity may be coercive, or 

perceived to be coercive; 8 


n Direct contact between sales 

agents and physicians in a position 

to order covered items or services; 9 

n Direct contact between sales 

agents and beneficiaries; 9 

n Marketing items or services 

for which there is a likelihood 

of overutilization (e.g. sleep 

laboratory testing services); 10 

n Marketing or promotional 

activity focused on federal 

health care program beneficiaries; 

10 and 

n Marketing of items or services 

that are separately reimbursable 

(i.e., not included in a bundled 

or composite rate). 9 

It is not clear how many of these 

factors need to exist before the 

OIG will decide the arrangement 

presents a significant risk of abuse. 

Certain of these factors seem more 

pertinent than others. With most of 

these elements, the OIG’s concerns 

regarding the risk of improper influence 

are readily understandable. For 

example, the fact that marketing 

may be “coercive” seems to be a 

substantial sign of potential abuse. 

Here, the OIG explained that, “for 

example, door-to-door marketing, 

telephone solicitations, and direct 

mailings are more intrusive, and 

typically pose a greater potential for 

abuse, than truthful passive advertising 

in general circulation newspapers 

or on television.” 11 (However, 

one may question the extent to 

which direct mailings could possibly 

be considered “coercive.”) 



25

Discover the antidote to data breach strain. 

Finding the resources to clean up a data breach causes 

stress for you, strain on your staff, and slows down your 

whole organization. But it doesn’t have to be that way. 

More health care organizations trust ID Experts® as their 

partner for data breach solutions than any other vendor. 

We work with you to eliminate the strain of data breach 

by supplementing your team with our expertise and 

substantial resources. 

Only ID Experts has proprietary tools for assessing the 

unique compliance requirements surrounding loss of 

PHI. We tailor each breach response to address the real 

risks to your patients — and your reputation. 

Act now to see for yourself why ID Experts is the 

antidote to data breach strain. 

Experience a less painful recovery from data breach. 

Visit www.IDExpertsCorp.com today. 


26 


HAVE A BREACH NOW Call our Data Breach Lifeline: 866-726-4271

Losing sleep over health care marketing arrangements ...continued from page 25 

On the other hand, the mere 

fact that a service is separately 

reimbursable should not by itself 

render a marketing arrangement 

suspect. It is clear that a provider 

has a financial incentive to increase 

use of a separately reimbursable 

service, and it therefore may be 

likely to put special emphasis on 

marketing that service. However, 

that does not necessarily mean 

that the provider (or its marketing 

agent) will assert improper influence 

to encourage beneficiaries to 

obtain that service or, worse, seek 

to furnish that service when it is 

not clearly medically necessary. 

As with its overriding concern 

regarding “success fees,” the OIG 

seems to assume that any time a 

provider stands to gain financially 

from rendering services, it is more 

likely to engage in (or incentivize 

its marketer to engage in) improper 

activities. Similarly, merely because 

a particular marketing activity is 

focused on Medicare patients does 

not necessarily signal potential 

abuse; rather, the provider may 

simply be undertaking community 

outreach and education geared 

towards a higher risk population. 

Recent sleep laboratory 

opinions 

In two Advisory Opinions concerning 

sleep testing laboratory 

services, 12 the OIG has most 

recently expressed its concern that 

sleep laboratory testing services 

“may be particularly susceptible 

to the risk of overutilization” and 

its concern with a marketing fee 

that reflects the successfulness of 

the marketer’s efforts. The facts 

in the two opinions are similar, 

except for the manner in which 

the marketing fees are paid. In 

each arrangement, a supplier 

provides equipment and services 

for a hospital sleep testing laboratory. 

The supplier also provides 

marketing, including a part-time 

marketing manager who visits 

offices of physicians who are 

potential referral sources. OIG 

reached different conclusions 

depending on whether the marketing 

fee was fixed or whether 

it was determined based on how 

many tests the supplier performed 

(i.e., a per-test basis). 

In one opinion (Opinion 10-24), 

the compensation was based 

on aggregate, fixed fees that are 

consistent with fair market value 

in arm’s-length transactions and 

that do not take into account the 

volume or value of federal health 

care program business—factors 

the OIG identified as “key 

safeguards.” OIG concluded that 

it would not impose sanctions, 

because the fixed fee structure 

would “mitigate against any 

undue or additional incentive 

to generate unnecessary or an 

increased volume of sleep tests.” 

In contrast, the OIG declined 

to approve the structure under 

which the supplier receives a 

per-test fee (Opinion 10-23). 


OIG stated that “because the 

Supplier receives a fee each time 

its marketing efforts are successful, 

the Supplier’s financial incentive 

to arrange for or recommend the 

Hospital’s sleep testing facility is 

heightened.” However, the OIG’s 

concern went beyond this. OIG 

further stated that “per-click” fee 

structures are inherently reflective 

of the volume or value of services 

ordered. Although this statement 

is undeniably true, it ignores the 

fact that the supplier receives the 

same fee regardless of whether 

its marketing efforts generated 

the referral or the referral came 

completely irrespective of the 

supplier’s efforts. 

OIG also believed that packaging 

the marketing compensation 

together with compensation for 

general management services in an 

all-inclusive per-test fee, heightened 

the potential risk, because 

this packaged fee prevented “the 

transparent assessment of the 

marketing services provided and 

the compensation paid for them.” 

Broader implications for 

marketing 

OIG’s unwillingness to approve 

the per-test fee scenario does not 

necessarily mean that the OIG 

concluded the arrangement is 

unlawful. Instead, the OIG had 

sufficient concerns such that it 

could not “conclude that the 

Arrangement poses a sufficiently 



27

Losing sleep over health care marketing arrangements ...continued from page 27 


28 

low level of risk that [it] should 

protect it.” As noted above, 

the OIG’s reasoning is open to 

question. However, as a practical 

matter, providers need to take 

the OIG’s position carefully into 

account when they structure and 

evaluate any proposed marketing 

arrangement. Providers may wish 

to consider the following steps 

in order to reduce the inevitable 

legal risk that marketing arrangements 

present. 

n Fair market value 

determination. 

Providers should carefully document 

the means by which they 

determined the proposed amount 

and methodology of compensation 

to marketers is fair market 

value, particularly where compensation 

reflects success of marketing 

efforts. The strongest documentation 

can be obtained by engaging 

an independent valuation expert. 

In all cases, factors to examine 

may include (1) the expected costs 

the marketer will incur; (2) the 

expected time the marketer will 

expend, and a fair market value 

hourly rate for these services; (3) 

excluding any referrals generated 

directly by the marketer (e.g., 

by a medical director that the 

marketer furnishes as part of a 

broader range of services for the 

provider) from the compensation 

formula; (4) the expected costs to 

the provider if it performed the 

marketing services itself; (5) fees 

paid in similar arrangements, to 

the extent the parties have this 

information; and (6) fee quotations 

the provider obtains from 

other potential marketers. 

n Compliance program and 

contractual protections. 

In order to reduce the risk of 

improper activities, providers 

should require, in writing, that 

marketers abide by the provider’s 

compliance program and procedures. 

Among other elements, 

this should require marketers to 

utilize only truthful and accurate 

materials, and to ensure that its 

staff is adequately trained to make 

communications that are accurate 

and non-coercive. Further, the 

marketer should be contractually 

obligated to indemnify the 

provider for any failure to abide 

by the written contract (including 

the foregoing requirements), the 

provider’s compliance program, 

or applicable law. Finally, the 

provider should immediately 

investigate any complaints of possible 

impropriety by the marketer, 

whether those complaints arise 

from the provider’s own staff or 

from the community. 

n Review of marketing 

materials. 

The provider should consider 

requiring and performing prior 

review of all written marketing 

materials. If questions arise as to 

the propriety of any materials, 

the provider should consult legal 

counsel. Similarly, the provider 


should consider requiring written, 

preapproved “scripts” for 

any marketing presentations and 

telephone calls. 

Conclusion 

Although it may be difficult 

or impractical to structure an 

arrangement to be risk-free (other 

than those rare arrangements that 

meet the safe harbor), prudent 

structuring, documentation, and 

monitoring can give providers 

considerable comfort in implementing 

marketing arrangements 

that are effective and beneficial, 

while at the same time not posing 

undue legal risk. n 

1. 56 Fed. Reg. 35952, 35974 (6/29/91). 

2. 42 C.F.R. §1001.952(d) 

3. 42 C.F.R. §1001.952(d)(3). 

4. See, e.g., Advisory Opinions 03-08 

(4/10/03), 08-19 (10/29/08). 

5. See Advisory Opinions 99-3 (3/16/99), 

98-10 (8/31/98) and 98-4 (4/15/98). 

6. Advisory Opinion 10-23 (10/28/10). 

7. See Advisory Opinions 99-12 (11/23/99), 

99-3 (3/16/99) and 08-19 (10/29/08). 

8. See Advisory Opinion 99-8 (7/6/99). 

9 See Advisory Opinions 99-3 (3/16/99) 

and 98-10 (8/31/98). 



See also 56 Fed. Reg. 35952, 35974 

(6/29/91). 

12. Advisory Opinions 10-23 and 10-24 

(both issued 10/28/10).

Editor’s note: Jeffrey N. Joyce is 

the Director of the Department of 

Research at Maricopa Integrated 

Health System in Phoenix. He may 

be contacted by e-mail at Jeffrey. 

Joyce@mihs.org. 

Traditional academic medical 

centers that have a 

teaching hospital associated 

with a medical school have 

been the home for clinical and 

translational research for several 

decades. However, increasing 

amounts of research are being 

conducted at free-standing hospitals, 

particularly those providing 

residency training. Maricopa 

Integrated Health System (MIHS) 

is headquartered in the heart of a 

large urban area. The cornerstone 

of MIHS is Maricopa Medical 

Center (MMC), a major teaching 

hospital with a 100-year history. 

By public vote, MIHS (including 

MMC) became an independent 

health care district governed by 

a five-member board of directors 

in 2005. The stand-alone medical 

system, hosting ten residency 

Regulatory 

compliance for 

research in an 

academic medical 

center 

By Jeffrey N. Joyce, PhD 

programs that train 275 residents 

annually, established the 

Department of Research in 2006. 

The Department of Research was 

created to meet several goals, but 

the driving need was to strengthen 

financial and regulatory oversight 

while simultaneously reducing 

barriers to conducting research. 

Another important driving 

force was the MIHS intention 

to assume the role of a major 

university-affiliated teaching 

hospital and clinical hub for its 

research partners, and thus, to 

increase clinical research opportunities. 

Senior leadership developed 

goals in 2006 that required rapid 

growth of research administration 

and support, and called for 

the establishment of regulatory 

policies and processes that did not 

currently exist. This article will 

describe the planning, development, 

and implementation of the 

policies and processes that were 

aligned with the departments of 

Information Technology (IT), 

Finance, and Revenue, as well as 


with the Legal and Compliance 

areas. This information-driven 

process can be used to develop an 

effective research administration 

operation in other independent 

academic medical centers. 

Establishing an effective 

research infrastructure 

In 2005, the MIHS Institutional 

Review Board Administrator and 

Acting Director of Academic 

Research prepared a white paper 

that assessed the value of the 

research division that had been 

administered on behalf of MIHS 

by its Physician Practice Group 

for the previous three years. The 

white paper concluded that the 

research division provided some 

coordination that had long been 

lacking, but weaknesses and 

barriers remained. Three goals 

were identified that needed to 

be addressed: (1) Centralize the 

oversight and review of research 

that assured financial accountability 

for research funds; (2) Provide 

for the assurance of appropriate 

billing for research patients; and 

(3) Professionalize the research 

contract approval process and 

oversight. 

In 2007, a new Director of 

Research (the author) was 

appointed, and a plan was 

implemented to improve research 

administration by hiring an 

experienced team to manage the 

clinical research contracts and academic 

grants, and to restructure 


29

Regulatory compliance for research in an academic 

medical center ...continued from page 29 

the research administration organization to clarify 

reporting relationships. An increased effort to work 

with faculty and residents in assuring their compliance 

with administrative policies and processes was 

an important strategy to achieve these goals. This is 

an ongoing process, and to achieve the goals for these 

areas, continuous input is required from researchers, 

house staff, and others who are served by the 

Department of Research, other departments that 

it intersects with (e.g., IT, Finance, Legal), and our 

external partners. For example, in the 2007 assessment, 

research faculty communicated a pressing need 

to shorten the time it took to get sponsored research 

project documents, including contracts and Institutional 

Review Board (IRB) protocol, completed and 

approved to initiate clinical research studies. Faculty 

reported that it took 12-16 weeks, on average, for 

the processes to occur, with some study initiations 

taking nine months. The investigators’ expectation 

was that the timeline for initiating sponsored projects 

should be reduced to six to eight weeks. Thus, it 

was apparent that the competing needs for ensuring 

compliance, while reducing barriers to initiating and 

conducting the clinical studies, had to be managed. 


30 

The Department of Research contracted with an outside 

firm to provide a report on the “…assessment of 

major compliance, operational and structural risks and 

gaps and advice on potential approaches to enhancing 

its sponsored programs capabilities.” During this 

assessment, six domains were identified that required 

planning, information, and investment to have an 

effective research administration (figure 1 on page 

31). Three of those domains (i.e., Affiliations, Strategy 

and Mission, and Resources for Research) reflected 

the context for having a Department of Research at 

MIHS that was in alignment with the MIHS mission. 

Three key domains were then identified that needed 

to be appropriately strengthened and restructured 

for effective research administration (i.e., Legal and 

Organizational Structure, Operations/Compliance, 

and Intellectual Property and Technology Transfer). 


The first domain for establishing 

research administration was the 

consideration of the legal rationale 

(Legal and Organizational Structure) 

for research administration 

at this academic medical center. In 

this case, it was particularly important 

to establish a system-wide 

policy governing research operations, 

all research grants, contracts, 

or sponsored research agreements, 

because all oversight previously 

had been vested with a small 

physician-led foundation, then the 

Physician Contract Group. With 

the establishment of the Department 

of Research within MIHS, 

the MIHS CEO created a specific 

written authority for the new 

Figure 1 

entity to operate. The two other 

domains (Intellectual Property and 

Technology Transfer, and Operations/Compliance) 

are operations 

that were developed by the new 

research administration leadership 

with input from the medical staff; 

the departments of Finance and 

Revenue, Legal, and Compliance; 

and MIHS executive leadership. 

These operational domains were 

implemented in five steps. 

Establishing an infrastructure 

to support research 

A five-step strategy was put in 

place to encourage growth of 

research and adherence to compliance 

operations. 

Step 1: Restructuring operations 

and policies 

The first step in establishing 

research administration was the 

consideration of the proposed 

structure (i.e., the Legal and 

Organizational Structure) for 

research administration at this 

academic medical center. In July 

of 2007, the author guided a 

restructuring of the Department 

of Research in which two divisions 

were delineated with different 

responsibilities: (1) a division 

for industry-sponsored contracts 

and clinical trial oversight; and 

(2) a division for academic 

research and education with 

additional responsibilities for 


Developing a Research Infrastructure 

An effective research administration infrastructure involves 

planning and investment across six domains. 

Affiliations 

Who are our natural affiliates 

What is expected from the affiliates 

How will we gauge success 

What is needed to fulfill the goals 

of the affiliations 

Intellectual Property and 

Technology Transfer 

Is Intellectual Property being 

protected and developed 

Is technology transfer appropriately 

enabled 

Do physicians and staff understand 

the Intellectual Property policy and 

technology transfer process 

Strategy and Mission 

What is the overall strategic value 

and mission of the Research 

department, within the Institution 

How will this be executed 

What are the key objectives of the 

Research department 

How will success be measured 

Research Department 

Elements Contributing to 

Overall Effectiveness & 

Efficiency 

Legal & Organization Structure 

What legal structure, organizational 

structure, and key leadership 

positions are needed to support the 

research infrastructure 

Resources for Research 

Do we have the appropriate key 

physician/scientists to be 

successful 

What therapeutic areas do we 

provide clinical research centers 

What will it take to transform to 

academic focus in departments 

Where will financial support be 

developed 

Operations / Compliance 

What is the most efficient and 

effective way to develop research 

How will it ensure compliant 

operations 

What are the key risks and success 

factors 

What physical and operations 

investment will need to be made 



31

Regulatory compliance for research in an academic medical center ...continued from page 31 


32 

administration of the human subjects 

protection program (IRB). 

Although there is no laboratory, 

bench-based, basic research at 

MIHS, historically there has been 

both industry and governmental 

grant-supported clinical research 

at MIHS. The processes for supporting 

and approving industrysponsored 

clinical trial contracts 

is fundamentally different from 

developing investigator-initiated 

research or partnering on multisite 

studies that are funded with 

non-commercial resources. 1,2 

There are points of intersection 

between the two, but the steps 

involved in approving industrysponsored 

clinical trials for the 

study initiation, contract negotiations, 

legal review, compliance 

approval, invoicing, and financial 

reporting are fundamentally 

different from that sponsored by 

non-commercial entities. Consequently, 

staffing was aligned 

with the different functions of 

the divisions with all commercial 

contract negotiations, budget 

development and review, coordination 

with legal counsel, and 

clinical trial compliance oversight 

within one division. The division 

for academic research and education 

included staff for pre-award 

grant development functions, 

biostatisticians, residency education 

in research, human subjects 

protection training, and IRB 

administration. Additional staff 

in the positions of research data 

analysis and post-award financial 

oversight functions were added in 

the second year to support both 

divisions’ activities. 

To accomplish the goal of adding 

staff for post-award financial 

oversight functions, a rationale 

for investing in staff with different 

expertise and the simultaneous 

development of supporting policy 

was needed. To achieve this, we 

invested in senior staff education 

initiatives, including sending the 

senior manager of the division for 

industry-sponsored contracts and 

clinical trials oversight to attend 

national meetings on CMS policy 

on Medicare billing for clinical 

trial participants. We also invested 

in in-house seminars for senior 

staff of the MIHS Departments of 

Finance, Revenue, and Research, 

to provide information on issues 

pertaining to accounting for all 

expenses and revenue generated 

through research contracts. 

Copies of this consultant’s report 

on “…assessment of major compliance, 

operational and structural 

risks and gaps and advice on 

potential approaches to enhancing 

its sponsored programs capabilities” 

were circulated to the MIHS 

chief operating officer and chief 

financial officer. Recommendations 

from that report were incorporated 

into a white paper that supported 

investment in staff, policies and 

processes for the financial management 

of grants, and research 


contracts accounting. A task force 

was convened to set policies and 

processes for financial and clinical 

trials reconciliation that included 

senior level administrators from 

the IT, Revenue, Finance, Business 

Affairs, and Research departments. 

The outcomes of this process 

included approval for hiring 

specialized staff in research grants 

accounting, approval of policies 

and procedures to manage compliance 

with federal regulations, and 

improved process efficiencies. A 

comprehensive clinical trials billing 

system and monthly financial 

reporting process was instituted. 

The alignment of all research staff, 

policies, and processes enabled the 

development and submission of a 

new indirect cost proposal to the 

Department of Health and Human 

Services in cooperation with the 

director of government reporting 

for the institution and an outside 

consulting organization. 

Step 2: Policies for research 

compliance 

MIHS employs a hybrid approach 

to research administration and 

support. Administrative assistance 

for research endeavors occurs both 

through the centralized Department 

of Research and through 

the separate clinical departments. 

The Physician Practice Group is 

contracted to provide all clinical 

services to MIHS, including 

clinical research activities, and 

that group’s administrative 

services provides billing support

for research services provided by 

physicians and their affiliated 

clinical research staff. In addition, 

both the Physician Practice Group 

and the Department of Research 

provide direct salary support for 

clinical research coordinators. The 

strategic plan assumed that, with 

maturation of the research activities 

within the clinical departments, 

administrative resources 

would be developed within the 

departments. The administrative 

resources developed would then 

interface with the MIHS Department 

of Research, to support centralized 

operational activities. This 

will ensure that the bureaucracy 

for research administration does 

not grow in excess of the needs 

of the investigators and drain 

resources needed for the growth of 

the faculty pool. However, it also 

required the substantial development 

of policies and procedures 

to ensure appropriate compliance 

in both organizations. Using a 

tool similar to that profiled by 

Campbell, 3 risk areas were prioritized 

and key policies identified 

for development. Five areas were 

initially identified that required 

policy and process implementation: 

Medical staff, IRB, Administration, 

Finance, and External 

Affiliations (see table 1). 

The first policy implemented was 

the Medical Staff Rules which 

required that all investigational 

implanted devices, investigational 

drugs, isotopes, or drug 

Table 1: Risk areas and key policies 

Category 

Medical staff 

Institutional 

Review Board 

Administration 

Finance 

External 

Affiliations 

2010 initiated 

Electronic medical 

records (EMR) 

Policy Title and Purpose 

Rules and regulations for investigational research 

Intellectual property 

Purpose, authority, responsibilities, membership, 

and operations of the IRB 

Protocol review processes for IRB 

Informed consent for research (including HIPAA 

authorization for use of protected health information) 

Research personnel: Qualifications, competency, 

continuing education and conflicts of interest 

Suspension or termination of IRB approval of 

research 

Conflict of interest 

Scientific misconduct 

Institutional approval and routing of grants and 

contracts 

Clinical research study audits 

Development of financial oversight responsibilities 

and processes 

Allocation and charging of direct and indirect costs 

Residual funds/closing accounts – industry 

sponsored contracts 

Cost sharing 

Time and effort reporting 

Development of indirect cost and submission to 

DHHS 

Establish billing processes for research subject 

flow within EMR 

Memorandum of Understanding executed with 

university partner and master research collaboration 

agreements executed with partner institutions 

Technology transfer, business associate agreements, 

and IRB reciprocity agreements and 

processes established with university partner 

Adjunct Research Associate program for external 

research collaborations 

EPIC system is 21CFR Part 11 compliant 

External entities’ review of records 

Establish controls and operations for research 

subject flow within EMR 




33



34 

therapy administered to hospital 

patients be approved by the IRB 

and Department of Research in 

accordance with hospital policies 

(e.g., IRB, HIPAA). In addition, 

contractual language between 

MIHS and the Physician Practice 

Group delegated to MIHS the 

authority to enter into clinical 

research study agreements with 

study sponsors for and on behalf 

of the Physician Practice Group 

and its qualified providers (i.e. 

study Principal Investigators). The 

contract further authorized MIHS 

to act as the fiduciary agent for 

the Physician Practice Group and 

its qualified providers under any 

clinical research study. 

Although the language of this 

contract offered the mandate to 

centralize clinical research operations 

and manage all aspects of 

the research within MIHS, buy-in 

from a broad range of individuals 

within MIHS and the Physician 

Practice Group was also needed. 

A quarterly research advisory 

board, composed of physician/ 

scientists, departmental chairs, 

the chief compliance officer, the 

vice president of Finance, and 

the Department of Research 

senior management team was 

instituted. At the first meeting, 


committed to resolving the major 

concerns of the key physician/ 

scientists by: 

n making research administration 

a transparent process, 

n reducing the time from contact 

initiation to the successful 

launch of clinical trials, 

n increasing research revenue, and 

n providing timely and accurate 

financial reporting of research 

accounts. 

Within the first year, the Department 

of Research met or exceeded 

all of the commitments and 

gained the recognition and respect 

of key opinion leaders in the clinical 

departments. We built on the 

success of the first year by engaging 

the Finance division to support 

operations for research grants 

accounting, and implementing 

policies for administration of 

research accounts (see below). 

This led to increased revenue 

capture and improved reporting, 

which in turn improved our 

performance measures for the key 

constituents. We have continued 

this process by offering ongoing 

educational programs to target 

audiences to provide information 

about different components of 

research compliance. 

Step 3: The Institutional Review 

Board 

Although the IRB had originated 

at MIHS during its prior life as 

the county hospital, the establishment 

of research administration at 

MIHS required the development 

and implementation of a new 

set of policies and procedures to 

better meet federal regulations on 

human subject protection, conflict 


of interest, scientific misconduct, 

informed consent, and more 

recently, HIPAA Privacy Rule and 

Health Information Technology 

Act (HITECH) compliance. 

The assurance that all protocols, 

contracts, and grants are compliant 

with HIPAA rules for the use 

and disclosure of protected health 

information (PHI) for research 

is shared with the Compliance 

department. Annual training in the 

definition of and MIHS policies 

for scientific misconduct, conflict 

of interest, and HIPAA/HITECH 

rules is provided by the Department 

of Research. In addition, 

because the majority of residents 

are engaged in research activities, 


provides courses in research design 

and statistical design annually to 

all residents. IRB protocols are 

developed with support and guidance 

by the IRB Office for all new 

investigators (including residents) 

and in conjunction with clinical 

research coordinators for industrysponsored 

studies. 

All protocol documents are 

reviewed to meet the required 

informed consent and information 

documentation (e.g., 

brochures) and to determine the 

need for language translation. The 

translation of the documents and 

informed consent to the patients 

and families are the coordinated 

responsibility of the Principal 

Investigator and the translation 

services within the Department of

Community Relations. A process 

to reduce the time to review and 

translate the documents was 

developed during 2009. The 

review of the process was initiated 

because our collaborative research 

partner institutions expressed 

concern that there was significant 

variability in the process. This was 

due, in part, to the review of the 

protocols and translation of documents 

among separate partner or 

collaborator IRBs. 

After the execution of a Memorandum 

of Understanding for 

Research and Graduate Education 

Partnerships between MIHS 

and a partner university, an 

IRB reciprocity agreement was 

executed that determines IRB 

authority over joint research 

programs where clinical research 

is conducted solely at MIHS. By 

stipulating that MIHS would 

be the IRB of record, the agreement 

ensured there would be a 

single review of the protocols and 

translation of documents, which 

has resulted in a significant reduction 

in the time needed for review 

and approval. For other partner 

institutions, master agreements 

were executed that stipulated the 

IRB of record and authority for 

translated documents, resulting 

in greater efficiency for approving 

individual research agreements. 

Step 4: Contracts and billing 

All financial activities related to 

clinical research were centralized 

during the Department of 

Research’s second year of operation. 

Accountabilities and controls 

were developed to ensure invoicing 

uniformity for all research 

studies with billable items and 

services, as well as research billing 

compliance throughout MIHS. 

All grant and contract-related 

budgets are initially processed 

through the Department of 

Research for prospective reimbursement 

analysis, budget 

development, and budget negotiation. 

In addition, the post-award 

team is charged with the review 

of billing issues and developing 

a process for invoicing for each 

study. At the time that the author 

assumed his current position 

(Director of the Department of 

Research) there was no specific 

plan for cost accountability or cost 

recovery for the department and 

its activities. 

The first step towards a full accounting 

was to realign the administrative 

structure (see Step 1) to reflect the 

principle differences in cost recovery 

for the activities of the department. 

The industry-sponsored 

Contracts and Clinical Trial Oversight 

division is responsible for 

activities that can provide a stable 

stream of income that is over and 

above the cost of administering 

the activities of this division. This 

occurs through direct costs billed 

to the clinical trials for the clinical 

research coordinator (CRC) staff 

and the indirect rate cost recovery 


from each clinical trial managed by 

the Department of Research. The 

goal for each budget year is to add 

CRC staffing only as the income 

generated from the clinical trials is 

able to fully support the additional 

positions. Obviously, bottlenecks 

during any step of the process, 

from initial contact by the clinical 

research organization (CRO)/sponsor, 

through contract negotiations, 

recruitment issues, and physician 

oversight, limits growth in research 

activities and income. To reduce 

the amount of time required for 

contract negotiation and to simultaneously 

improve consistency 

in the process, we worked with 

district legal counsel to develop a 

master language guide that detailed 

the information that was required 

to be included in any research contract. 

Each contract is reviewed for 

conformity and compliance with 

the template, including intellectual 

property protection language, 

and then submitted with a list of 

proposed changes in language for 

review by legal counsel. An edited 

research contract is developed in a 

short period of time and returned 

to the CRO/sponsor for revision. 

In part, because of the consistency 

of our approach, repeat contract 

negotiations with CROs/sponsors 

has resulted in developing 

master agreements to support a 

process for limited review and 

approval. A similar approach has 

been taken with non-commercial 

sponsors of research for review of 



35



36 

the contracts, albeit with a more 

limited need for language revision. 

Because we have numerous 

research collaborations with some 

partner institutions, we have developed 

overarching Memoranda of 

Understanding (MOU) with each 

one that covers many key compliance 

and regulatory matters, and 

research plans for individual collaborative 

studies can be attached 

to or refer to the master MOU 

and support the process for limited 

review and approval. 

Step 5: Information Technology 

and Research interface 

The IT environment or cyber 

infrastructure has a complex role 

in health systems. A number areas 

of regulatory compliance overlapped 

between IT and Research 

that required the development 

of policies and protocols. Several 

of the most critical policies and 

processes involved the use of 

the Epic 4 electronic medical 

record system (EMR) that was 

implemented in 2009. Integrating 

processes linking research subjects 

into the flow of clinical processes 

within the EMR, including 

registration, billing, service orders, 

source data in the medical record, 

and documentation of informed 

consent is essential. However, the 

implementation of the research 

subject flow processes was difficult 

for several reasons. First, the EMR 

was not fully implemented in 

both the outpatient and inpatient 

clinical settings simultaneously, 

and its initial implementation 

into the outpatient clinical setting 

did not realize all the available 

ancillary systems. Second, the 

original focus for integrating 

research subject flow was hospital 

billing only, via Epic Cadence and 

Resolute, with the assumption 

that correct registration would 

result in correct billing. What was 

not evident was that the other 

flow points for research subjects 

that were being handled through 

both paper documentation and 

multiple database systems also had 

to be integrated into the EMR 

system. As a consequence, to 

achieve correct billing, this other 

documentation had to be retrofitted 

into the EMR system with 

work-around designs. 

Following discussions with other 

hospital systems to share information 

on using the EMR system for 

both research subject and clinical 

processes, and engagement of the 

chief medical information officer 

at MIHS, resources were provided 

to implement tools in the EMR 

modules that better managed 

research subject flow in the EMR. 

Following the “rollout” of Phase I 

of the EMR system, we were able 

to work with the IT-managed 

EMR Implementation Project 

team to: 

n get tools (e.g., smart sets) developed, 

tested, and established 

as the way to build a research 

study functions in Epic; 

n get the clinical research 


coordinators added functions 

so that they could document 

in the EMR and set-up 

appointments; 

n establish “Research Only”(nonpatient 

care) appointments 

that would not result in a visit 

charge; and 

n route all charges for research 

subjects to a single reviewer who 

had the appropriate expertise 

to approve the charges or move 

them to the patient account. 

Most importantly, senior leadership 

recognized that “research” 

was an important input into the 

EMR and that the Department of 

Research needed to be included 

from the beginning for the next 

phase of EMR implementation 

in Spring 2012. In 2011, the 

Research team was included in 

the preliminary EMR strategy 

and validation sessions to ensure 

that work flows incorporated 

registration, documentation, and 

billing for research subjects and 

to interface with teams “building” 

work flows for laboratory 

records, pharmacy (investigational 

medications), and clinical content. 

Although different systems and 

tools are being utilized for research 

subject flow during Phase II of the 

EMR system implementation, 

the experience during Phase I 

provided invaluable insight into 

what functions had to be designed 

from the beginning to work 

appropriately in the Epic EMR 

environment.

With the implementation of the 

EMR system, additional cyber 

infrastructure-related processes 

had to be developed to address 

compliance with federal requirements 

for research. For example, 

the Food and Drug Administration's 

(FDA) 21 CFR Part II rule 

on electronic records and signatures, 

and external entities’ (e.g., 

monitors) review of the medical 

records of research subjects. In 

2010, we initiated a series of 

meetings between the Department 

of Research and the Department of 

Information Technology regarding 

compliance with 21 CFR Part II, 

Electronic Record and Electronic 

Signatures. Often referred to as 

Part II, it was published 

May 20, 1997 and was 

intended to enable the use of electronic 

documents in the regulatory 

process for drugs and devices. 

Part II specifies processes that must 

be in place to assure that electronic 

documents and signatures are 

equivalent to paper documents and 

handwritten signatures. Working 

with the chief information officer 

and director of operations within 

the Department of Information 

Technology and the MIHS HIPAA 

security officer, an assessment of 

the compliance of the EMR system 

with the guidelines was made, and 

a checklist of all component processes 

established were recorded. 

This checklist is maintained for all 

ongoing and future studies. Based 

on this process of verification, 

MIHS was able to provide a letter 

to the FDA that all electronic 

signatures executed in our electronic 

medical record system are 

the legally binding equivalent of 

traditional hand-written signatures. 

A second example was the need to 

document processes for external 

entities’ review of records. To meet 

FDA requirements, clinical Quality 

Assurance (QA) auditors perform 

audits of research subjects’ 

medical records at clinical research 

sites to ensure the validity of the 

data submitted and to report 

adverse events. However, there 

are legitimate concerns that access 

to the medical record violates the 

privacy rights of patients, and 

EMR systems do not easily limit 

access to a limited set of medical 

records. Consequently, many sites 

will provide hard copies of "pertinent" 

sections of the chart for the 

QA auditors’ review rather than 

allow access to the EMR. This 

may be in conflict with the need 

for verification of the source data, 

or the subject’s medical history 

and concurrent events, which are 

the core of monitoring/auditing. 

In addition, FDA regulations 

specifically require FDA-regulated 

entities to provide FDA employees 

or designated officers access to 

any required records or reports, 

including the ability to copy or 

verify any such records or reports. 

Under the Federal Food, Drug, 

and Cosmetic Act (FFDCA), it 

is a prohibited act to refuse "… 


to permit access to or copying 

of any record…" (See FFDCA 

section 301(e) and section 704). 

Because the Health Information 

Management team, the 

Compliance department, and IT 

had already begun conducting 

discussions about the need to 

change policies and procedures 

for external entities reviewing 

or documenting in the MIHS 

EMR system, the Department of 

Research was able to coordinate 

with their policy development. 

The process for monitoring 

research subjects’ medical records 

in the EMR requires that the 

auditor or inspector be assigned a 

temporary password and institutional 

account that is approved 

by the Director of Research. The 

account has a time-limited functionality, 

and the production of a 

hard copy of the medical record, 

when necessary, is limited to a 

specified range of medical records 

for review status only. The auditor 

is monitored to ensure that 

only specified medical records 

are viewed in the EMR system, 

and the system status availability 

is closed after the full review is 

completed. 

Conclusion 

Between 2006 and 2011, the 

number of active research 

projects (sponsored and residentrelated) 

at MIHS increased 

by 160% and the number of 

initiated sponsored contracts 



37


38 

CIAs: A look back to 

Editor’s note: Jamie L. Kendall is 

Senior Director of Compliance, 

Ethics & Legal Affairs with Compliance 

Implementation Services 

LLC in Media, Pennsylvania. 

Jamie may be contacted by e-mail at 

jamiekendall@cis-partners.com or 

by telephone at 484/445-7200. 

The government’s assertion 

under a variety of 

legal theories that a pharmaceutical 

company’s off-label 

marketing to a physician causes 

the physician to write an off-label 

prescription, which in turn causes 

a pharmacy to submit a false 

claim for payment to a federal 

health care program, requires several 

leaps of logic. Nevertheless, 

the government’s focus on certain 

pharmaceutical company activities 

often forms the factual predicates 

for an investigation. Today, many 

still believe that this focus remains 

heavily upon pharmaceutical sales 

and marketing efforts. However, 

as manufacturers continue to 

establish tighter controls over sales 

and marketing activities, government 

oversight and enforcement 

activities continue to rise. 

For better or worse, Corporate 

Integrity Agreements (CIAs) 

the future at 

OIG investigations 

By Jamie L. Kendall, Esq. 

resulting from related settlements 

are made public, and the place 

that the government now looks 

for evidence of corporate intent to 

promote off-label usage is Medical 

Affairs. Indeed, complaints filed 

against pharmaceutical companies 

resulting in CIAs demonstrate 

that the government does not 

distinguish in investigations 

between Medical Affairs and Sales 

departments, despite clear, formal 

delineations. 

A reason for this may be that 

although the sales representative 

is a drug company’s principal 

conduit between business planning 

and actual sales, the Medical 

Affairs department is a critical 

component of a drug company’s 

overall growth, including research, 

clinical development, and scientific 

reputation. This requires 

Medical Affairs’ employees to 

engage in a variety of health care 

professional (HCP) interactions. 

And despite the fact that certain 

off-label conduct is permissible, 

the line between prohibited offlabel 

promotion and permissible 

off-label education is murky, at 

best. However, pharmaceutical 

company CIA provisions, 

resulting from recent settlements 


involving off-label allegations, are 

often very similar, quite detailed, 

and reveal a fair amount about 

practices the government finds 

most problematic. 

During off-label investigations, 

the government routinely looks 

for evidence of manufacturer payments 

to physicians for prescribing 

off-label uses of the company’s 

drug. Enforcement cases typically 

involve a manufacturer’s provision 

of a payment or perk to 

a physician. Historically, this 

evidence was discovered through 

company marketing materials and 

documentation related to sales 

representatives’ activities. Over 

the past several years however, 

the pendulum of focus appears 

to have shifted towards Medical 

Affairs activities, as documentation 

submitted to the government 

within the scope of an investigation 

involving allegations around 

commercial (sales and marketing) 

practices expose manufacturers to 

liability stemming from Medical 

Affairs. From the government’s 

perspective, documentation and 

information, such as strategic 

drug development plans (including 

new uses, publication plans, 

and disease state awareness 

“campaigns”) serve as an obvious 

place for evidence of corporate 

intent to promote off-label usage 

of a drug. The Warner-Lambert 

case is illustrative. 1 According 

to the government, in that case, 

internal business plans allegedly

showed that the company viewed 

its continuing medical education 

(CME) program as an effective 

promotional program for 

Neurontin’s off-label use. 

The government often scrutinizes 

companies that hire medical 

professionals to do what the 

companies perceive sales representatives 

cannot do under US Food 

and Drug Administration (FDA) 

guidance. In the Warner-Lambert 

case, for example, the medical 

liaisons from the Medical Affairs 

department allegedly “initiated 

off-label promotions by raising 

off-label subjects” and presented 

themselves to HCPs as scientific 

experts when, in fact, they were 

not. The government suggested 

that the medical liaisons had a 

deceptive air about them and 

allegedly succeeded in accessing 

physicians (whom sales representatives 

had been unable to access) 

because they gave the appearance 

of having a scientific background. 

Warner-Lambert ultimately pled 

guilty and agreed to pay more 

than $430 million, in addition to 

executing a CIA requiring largescale 

compliance efforts by the 

company. The CIA included the 

requirement that Warner-Lambert 

(now Pfizer, Inc.) implement policies 

and procedures that address 

sponsorship or funding of research 

or related activities (including 

clinical trials, market research, or 

authorship of articles and other 

publications) that are designed 

to ensure that company funding 

or sponsorship of such activities 

complies with all applicable 

regulations and requirements. 2 

Additionally, the 2009 Pfizer CIA 

demonstrates the risks associated 

with medical liaisons being perceived 

as Sales field counterparts, 

as opposed to Medical Affairs staff, 

allegedly causing off-label HCP 

discussions to take place. Indeed, as 

part of its 2009 CIA, Pfizer agreed 

to apply provisions of its CIA to 

Medical Affairs personnel and their 

participation in HCP interactions 

at meetings or events and clarify 

their role at such events. 3 

CIAs and government complaints 

have signaled a common focus 

on payments to physicians that 

allegedly occurred under the guise 

of traditional Medical Affairs 

educational activities. Some 

examples include grant program 

payments relating to “observational” 

patient studies, consulting 

arrangement fees, and advisory 

meeting expenses. 4 Further, 

although investigator-initiated (or, 

“investigator-sponsored”) clinical 

trial grant programs encourage 

physicians and clinical investigators 

to study drug company 

products and release their findings, 

the government may view 

them as kickbacks in exchange 

for referrals. Significantly, at least 

three pharmaceutical manufacturers 

(AstraZeneca, Novartis, and 

Allergan) currently operate under 


CIA-mandated business policies 

related to investigator-initiated 

trials. Notably, all three company 

CIA’s use nearly the exact same 

language throughout the Investigator 

Sponsored Trial (IST) 

section, changing only the name 

of the company and the amount 

of days each company is given to 

complete their duties. All three 

CIAs require each manufacturer 

to enter into written agreements 

describing the scope of the clinical 

research or other work to be 

performed, the fees to be paid, 

and compliance obligations for 

the researchers. 5 

Each CIA also requires researchers 

to be paid according to a centrally 

managed, pre-set rate structure 

that is determined through a 

company-conducted fair market 

value (FMV) analysis. Annual 

budget procedures must also be 

created that identify the scientific 

or business need for the researchers, 

how many will be required, 

the activities to be performed, 

and the projected cost of those 

activities. Compliance personnel 

are also encouraged to review the 

budgets to ensure that they are 

being used for legitimate means. 

CIAs also require a needs assessment 

to be completed prior to 

obtaining researchers. The needs 

assessment is to identify the 

business or scientific need for the 

information to be provided by 



39

If you want to 

increase compliance, 

start with a training 

progam that 

engages your staff. 


40 


Healthcare facilities that 

are serious about reducing 

risk choose HCCS. 

Compliance is serious business and it takes a serious training 

program to increase awareness and change staff behavior. 

Compliance training must have emotional impact and must 

change attitudes to be effective. 

Engaging, professionally 

designed multimedia 

content is more effective 

than page-turning text. 

An effective training program requires more than asking 

your staff to flip through some electronic text pages. HCCS 

online compliance and 

competency training 

courseware uses professional 

multimedia 

elements to create an 

engaging, interactive 

learning environment. 

Real-life video scenarios 

with professional actors in healthcare settings, audio narration 

and interactivity are combined to increase the retention 

of the information presented. 

Adult learning is what works. 

HCCS courseware is designed using accepted principles 

of how adults learn and retain information. 

Research shows that retention is greatest when the learner 

sees, hears and interacts with training content. 

HCCS courses combine 

expert up-to-date content 

with expert learning 

methods to create 

a truly unique learning 

experience. 

The top University 

hospitals in the country 

choose HCCS. 

More than 50 Academic Medical Centers, 25 medical schools 

and hundreds of other healthcare facilities have chosen 

HCCS training courseware for their online education. 

With over one million registered learners, HCCS is the 

leading provider of online multimedia compliance and 

competency training courseware. 

When 

employees 

pay 

attention, 

you reduce 

your risk. 

Looking for a more effective training solution Want to 

increase compliance 

Don’t take our word for it, take one of our free educational 

webinars or test drive our courseware yourself at 

www.hccs.com. 

hccs 

Experts in Healthcare Learning 

Call 877-933-4227 for more information and a schedule of 

FREE training webinars or go to www.hccs.com 

Medicare • Medicaid • HIPAA • Quality Improvement • Research • Nursing 



41

CIAs: A look back to the future at OIG Investigations ...continued from page 39 


42 

the researcher, and specific details 

about the research arrangement. 

Establishment of a research monitoring 

program, which conducts 

audits on at least 30 research 

arrangements with HCPs (at least 

20 of which must be ISTs) is also 

required. AstraZeneca’s CIA also 

provides provisions related to ISTs 

that is similar to sections in the 

company CIAs which establish 

monitoring programs and reporting 

structures for others business 

divisions within each company. 

For example, all of the CIAs 

require the establishment of a 

field force monitoring program to 

monitor and evaluate sales representative 

interactions with HCPs. 

A trend towards documentation of 

objective business justifications is 

further demonstrated in that CIA 

needs assessment requirements 

are not exclusive to investigatorinitiated 

trials. CIA publication 

policies also require Compliance 

personnel to oversee company 

publication activities from inception-to-completion 

and beyond. 

Authors must now enter into 

agreements which detail the work 

to be done, fees to be paid, and 

acknowledgement of compliance 

obligations. Publishing companies 

will have to create centrallymanaged, 

pre-set rate structures 

based on fair market value of the 

publications. Annual publication 

plans, based on objective business 

need assessment, along with 

activity budgets and estimated 

numbers of publications, need 

to be reviewed and approved by 

Compliance personnel in order 

to ensure that publication activities 

are being used for legitimate 

purposes and comply with company 

policy and procedures. The 

needs assessment process that will 

justify publication plans must be 

completed and approved by either 

Legal or Compliance personnel, 

with consultation by Medical 

Affairs, and will provide specific 

details of the publication activities 

to be performed. 

Moreover, recent CIAs uniformly 

require the establishment of 

a monitoring program to be 

implemented through the Compliance 

department. Specifically, 

risk-based and random-sampling 

approach audits of publication 

activities are expected to be conducted 

by Compliance personnel 

to ensure that the activities align 

and are compliant with company 

policies and procedures. Notably, 

recent CIAs also consistently 

require results from the monitoring 

program to be compiled and 

reported to a Compliance department 

for review and follow-up. 6 

As you can see, CIAs executed 

today are more robust and include 

a variety of compliance controls 

around Medical Affairs activities. 

These controls arguably hinder 

the off-label use of approved 

drugs, despite evidence of off-label 

usage being an indispensable 


component of effective medical 

treatment. Indeed, in order for 

physicians to make appropriate 

choices about new off-label uses, 

it is essential that they be properly 

educated about them. The industry 

plays a critical role in advising 

the medical profession and the 

public about these advances. For 

example, peer-to-peer meetings in 

the form of speaker programs are 

an effective way for physicians to 

be educated about a new product 

or developments with an existing 

product. However, a paid speaker 

is considered an agent of the drug 

company and must adhere to 

the same compliance guidelines 

as a sales representative. Because 

physicians who deliver companyapproved 

product messaging are 

often asked to also provide medical 

opinions, speaker programs 

can be viewed by the government 

as an area of high risk regarding 

off-label promotion compliance. 

Past CIAs make clear that the 

government’s focus on various 

pharmaceutical company activities 

has and will continue to evolve 

in the future. As practices in the 

industry have changed in response 

to the government’s heavy focus 

on interactions between company 

sales representatives and HCPs, 

recent CIA provisions indicate 

that the focus is shifting to Medical 

Affairs. The FDA’s focus also 

includes clinical trials, emerging 

markets and reimbursement. 

Without further regulatory

CCB 

The Compliance 

Professional’s 

Certification 

definition by the FDA as to what 

constitutes acceptable Medical 

Affairs information dissemination 

practices, industry participants 

will continue to have to expend 

resources looking back to reactive 

CIA settlements in order to enact 

Medical Affairs department policies 

that attempt to predict what 

the FDA will focus on in future 

investigations. n 

1. See Sentencing Memorandum of the 

United States. Warner-Lambert Co., LLC; 

see also Press Release, Dep’t of Justice, 

Warner-Lambert To Pay $ 430 Million 

To Resolve Criminal & Civil Health Care 

Liability Relating to Off-Label Promotion 

(May 13, 2004), 

2. See Sentencing Memorandum of the 

United States at 30. Warner-Lambert Co., 

LLC. 

3. Available at http://oig.hhs.gov/fraud/cia/ 

agreements/pfizer_inc_08312009.pdf 

4. See e.g., Sentencing Memorandum of the 

United States at 27, Warner-Lambert Co. 

LLC; Government’s Redacted Sentencing 

Memorandum at 24, Schering Sales Corp.; 

Press Release, United States Dep’t of Justice, 

Cell Therapeutics, Inc. to Pay United 

States $10.5 Million to Resolve Claims for 

Illegal Marketing of Cancer Drug (Apr. 17, 

2007). Available at http:// www.usdoj.gov/ 

opa/pr/2007/April/07_civ_258.html. 

5. Available at http://oig.hhs.gov/fraud/cia/ 

agreements/astrazeneca_04272010.pdf 

6. See Corporate Integrity Agreement between 

OIG and Allergan, Inc. Available at http:// 

oig.hhs.gov/fraud/cia/agreements/Allerga_ 

Executed_CIA_with_Appendices.pdf. 

See also Corporate Integrity Agreement 

between OIG and AstraZeneca Pharmaceuticals 

LP and AstraZeneca LP. Available 

at http://oig.hhs.gov/fraud/cia/agreements/ 

astrazeneca_04272010.pdf. 


OIG and Forest Laboratories, Inc. Available 

at http://oig.hhs.gov/fraud/cia/agreements/ 

forest_laboratories_inc_09152010.pdf. 

See also Corporate Integrity Agreement between 

OIG and Novartis Pharmaceuticals 

Corporation. Available at http://oig.hhs. 

gov/fraud/cia/agreements/Novartis_Pharmaceuticals_Corporation_09292010.pdf. 


between OIG and Pfizer Inc. Available at 

http://oig.hhs.gov/fraud/cia/agreements/ 

pfizer_5_11_2004.pdf. 

Congratulations!! The following individuals have recently successfully completed the CHC® 

certification exam, earning their certification: 

John Stanley Bokosky 

Kita D. Cathey 

Alexander M. Fear 

John H. Fisher 

Maria Luisa Germani 

Lawrence Hendricks 

Keri Jennings 

The Compliance Certification Board (CCB) compliance 

certification examinations are available in all 

50 states. Join your peers and demonstrate your 

compliance knowledge by becoming certified today. 

Jacqueline L. Kniska 

Henri-Alexandre N. Lauer 

Deborah C. Mack 

Janice L. Meister 

Mary M. Menard 

Francine Nigrello 

Kathy C. Perkins-Smerdel 

Stacy A. Schulze 

Maria V. Sessions 

Kimalisa K. Shamblin 

Anna E. Ward 

Angele T. White 

Kelly Victoria Wittmeyer 

Congratulations!! The following individual has recently successfully completed the CHRC® 

certification exam, earning her certification: 

Cynthia R. Molnar 

Congratulations!! The following individuals have recently successfully completed the CHPC® 

certification exam, earning their certification: 

Blaine A. Kerr Karen C. Schimpf Laurie A. Smaldon 

The CCB offers certifications in Healthcare Compliance (CHC®), Healthcare 

Research Compliance (CHRC®), and the Certified in Healthcare Compliance 

Fellowship (CHC-F®). 

Certification benefits: 

n Enhances the credibility of the compliance practitioner 

n Establishes professional standards and status for compliance professionals in 

Healthcare and Healthcare Research 

n Heightens the credibility of compliance practitioners and the compliance 

programs staffed by these certified professionals 

n Ensures that each certified practitioner has the knowledge base necessary to 

perform the compliance function 

n Facilitates communication with other industry professionals, such as physicians, 

government officials and attorneys 

n Demonstrates the hard work and dedication necessary to succeed in the 

compliance field 

For more information about certification, 

please call 888/580-8373, email ccb@hcca-info.org, or visit our 

website at www.hcca-info.org. 



43


44 

focus 

feature 

Medicaid RACs: 

Tool of transparency or torment 

Editor’s note: Rebecca Jones McKnight is an Associate 

with DLA Piper LLP (US) in Austin, Texas. She may be 

contacted by e-mail at rebecca.mcknight@dlapiper.com. 

Children often share a fascination with ants. 

As a child, you may have watched worker 

ants crossing your sidewalk, carrying seemingly 

impossible loads of food back to the queen 

and her brood. This fascination with ants often leads 

children to use glass—a rather simple substance—as 

a tool to learn more about ants. 

Maybe you set up a glass ant farm (technical term: 

formicarium) to provide a window into the inner 

workings of an ant colony, watching the ants go 

about their ant business. Maybe you used a magnifying 

glass to examine ants more closely, marveling at 

their mandibles, and being thankful that the 1954 

movie Them! (in which atomic tests caused ants to 

mutate into giant man-eating monsters) was, in fact, 

fiction. But maybe there was a kid on your block 

who did not share your appreciation for our diligent 

insect friends. With a less benevolent interest in 

these creatures, he used his magnifying glass as a tool 

to torment unassuming ant victims. 

On September 14, 2011, the Centers for Medicare 

& Medicaid Services (CMS) issued its anxiously 

awaited final rule on state Medicaid Recovery 

Audit Contractor (RAC) programs. The final rule 

implements section 6411 of the Patient Protection 

and Affordable Care Act, which requires states to 

By Rebecca Jones McKnight 

establish a program with one or more Recovery 

Audit Contractors (RACs) in order to identify 

underpayments and overpayments to Medicaid, and 

to recoup the overpayments. 

In other words, to see whether the worker ants are 

shortchanging the queen. 

CMS issued a proposed rule on Medicaid RACs on 

November 10, 2010. The original due date for states 

to implement RACs was April 1, 2011. It became 

clear, however, that this was not a realistic time 

frame. On February 1, 2011, CMS announced that 

the proposed implementation date would be pushed 

back to await the final rule. 

Now the time is at hand. Under the final rule, states 

must have Medicaid RAC programs in place by January 

1, 2012. Will Medicaid RACs be a tool of transparency 

into provider payment practices, or a tool of 

torment for providers already subject to numerous 

types of government oversight and inquiry 

Why is that kid eyeballing me 

The Medicaid RAC program draws on history. After a 

demonstration period for the Medicare RAC program 

identified over $1 billion in improper payments, 

Congress permanently authorized that program in the 

Tax Relief and Health Care Act of 2006 (TRHCA). 

Congress required CMS to push the program out to all 

the states. This law and the program that implemented it 

influenced the development of the Medicaid RAC rules. 


Legislators viewed the Medicare RAC demonstration 

period as a major success. Stakeholders, however, had 

their concerns. They cited inconsistency in the RACs’ 

documentation of “good cause” for reviewing claims 

and lack of physician presence on RAC staffs. CMS 

addressed these concerns when it implemented its 

permanent Medicare RAC program. Stakeholders also 

took issue with the contingency fee payment structure 

required by TRHCA. Although TRHCA mandated 

that RACs be paid on a contingency fee basis, CMS’s 

implementation of the program provided that if a 

RAC’s determination were overturned at any stage of 

the appeals process, the RAC would be required to 

return the related contingency fee payment. 

n provides guidance on the payment methodology 

for state payments to Medicaid RACs; 

n directs states to ensure that adequate appeal processes 

are in place for providers to dispute adverse 

determinations made by Medicaid RACs; and 

n directs states to coordinate with other contractors 

and entities that audit Medicaid providers, as well 

as state and federal law enforcement agencies. 

Should I be worried 

With the thought of the beam of illumination narrowing, 

and hearing a sizzle in their minds, providers 

have concerns. Who will be behind the glass, looking 

in Will it be Dr. Dolittle Jr. 2 or “The Good Son” 3 

Medicaid providers may feel they’re already thoroughly 

watched and examined through the glass. 

They have already been subject to their share of 

audits through programs such as the Medicaid Audit 

Medicaid Integrity Contractors (Audit MICs). The 

new Medicaid RACs will not replace existing Medicaid 

audit programs; they will create yet another 

oversight and scrutiny mechanism. CMS anticipates 

“working both internally and with the States to 

minimize [the] administrative burden” of overlapping 

audits. 1 Providers remain skeptical. 

Even within this context, and with the benefit of 

lessons learned from the Medicare RAC program, 

providers were concerned. Seventy-six commenters 

weighed in on the November 10, 2010 proposed rule. 

As a result of “numerous comments” from stakeholders, 

CMS made some modifications to the proposed 

Medicaid RAC program in the final rule. That said, 

many of the key proposed elements remain. Although 

the rule itself is not that lengthy, the proposed 

Medicaid RAC regulations garnered significant attention, 

and CMS spent more than 100 pages addressing 

comments and defending its approach. The final rule: 

n provides guidance to states on federal/state funding 

of state start-up, operation, and maintenance 

costs of Medicaid RACs; 

Under the final rule (42 C.F.R. §§ 455.500 - .518), 

a Medicaid RAC must demonstrate to a state that it 

has the “technical capability” to carry out required 

activities. RACs must employ trained medical professionals 

in good standing with the state to review 

Medicaid claims. Unless a state obtains an exemption, 

each Medicaid RAC must hire a minimum of 

one full-time employee medical director who is a 

Doctor of Medicine or Doctor of Osteopathy. The 

rule also requires Medicaid RACs to hire certified 

coders, unless the state determines that certified 

coders are not required for the effective review of 

Medicaid claims. The rule provides additional elements 

of “customer service” that RACs and states 

must develop to provide education and outreach to 

providers, including: 

n Communication of audit policies and protocols; 

n Minimum customer service measures, such as: 

o providing a toll-free customer service telephone 

number staffed during normal business hours, 

and 

o compiling and maintaining provider approved 

addresses and points of contact; 

n Mandatory acceptance of provider submissions 

of electronic medical records on CD/DVD or via 

facsimile at the providers’ request; 




45

Medicaid RACs: Tool of transparency or torment ...continued from page 45 


46 

n Notifying providers of overpayment findings 

within 60 calendar days; 

n Unless a state obtains an exemption, a 3-year 

maximum claims look-back period; and 

n Unless a RAC obtains an exception from a state, the 

RAC must follow state-established limits on the number 

and frequency of medical records requested by a RAC. 

Can I trust the kid with the magnifying glass 

Are that kid’s parents paying him by-the-ant to act 

as an amateur exterminator The use of contingency 

fees for RAC compensation has continued to raise 

provider concerns. One commenter said contingency 

fee structures have the “overwhelming tendency to 

push auditors ‘to take a chance’ and inappropriately 

deny claims.” Another commenter maintained 

contingency fees “perversely incentivize...RACs to 

engage in bounty hunting, which leads to increased 

expenses and administrative burdens for providers.” 4 

It is notable that in the Medicare RAC pilot program, 

96% of the errors identified by the RACs were 

overpayments. A substantial number of the RACs’ 

payment denials were not upheld on appeal. 

CMS’s responses emphasized that the statute requires 

Medicaid RACs to be paid on a contingency fee basis. 

Neither CMS nor the states have discretion to change 

this basic approach to compensation, unless state law 

prohibits the arrangement. CMS also asserted that the 

methodology “has been a standard practice accepted 

among private health care payers for more than 20 

years,” and that it had “surveyed States that have RAClike 

programs which utilize a contingency fee payment 

structure and ha[d] not learned of any circumstances in 

which RACs were improperly incentivized to recover 

overpayments from Medicaid providers.” 5 

CMS also cited, as a safeguard, the final rule’s provision 

requiring that RACs return contingency fees 

within a reasonable time frame if a Medicaid RAC 

determination is reversed at any level of appeal. 

But I’m tired of being a science project! 

Inquisitive scientific minds are all well and good, but 

what happens when the ant that has been captured 

for observation in an ant farm is finally released at a 

parent’s behest, only to be captured by another wellmeaning 

child Commenters were concerned with 

duplication of existing program integrity efforts. Several 

commenters suggested this could ultimately impact 

provider participation and patient access to care. 

CMS disagreed. CMS does not think the Medicaid 

RAC program is duplicative of the federal national 

audit program in which federal MICs conduct audits 

of Medicaid providers. CMS considers MICs and 

RACs “fundamentally different” and “complementary,” 

with MICs addressing vulnerabilities at the 

regional and national level, and RACs addressing 

state-specific vulnerabilities, tailored to the characteristics 

of each state’s Medicaid program. According 

to CMS, Congress directed the establishment of 

Medicaid RACs “with full awareness of the various 

program integrity initiatives for which it had given 

previous authority” and “Congress did not relax any 

of those previously authorized program integrity 

activities.” 6 As a result, CMS believes Congress 

intended Medicaid RACs to supplement previously 

authorized program integrity activities. 

Prepare to be examined 

Medicaid compliance should be at the top of providers’ 

lists for compliance activities. While states are 

developing their Medicaid RAC programs, providers 

should not sit idly by. With states moving to implement 

the Medicaid RAC tool, providers should 

ensure they are ready to be examined, with comprehensive 

Government Audit Committees prepared to 

address Medicaid RAC issues, among others. These 

multi-disciplinary committees should review claims 

and denial data for warning signs; develop standard 

approaches to responding to RAC requests; design 

standard correspondence and appeal letters that 



Confidence and 

precision in claims 

audits: Quality of the 

Editor’s note: Cornelia M. 

Dorfschmid is Executive Vice 

President with Strategic Management 

in Alexandra, Virginia. She may be 

contacted by e-mail at cdorfschmid@ 

strategicm.com or by telephone at 

703/683-9600, ext 419. 

The contractor reform in 

health care brought a 

consolidation of Medicare 

contractors and new contractors, 

as exemplified by the Medicare 

Administrative Contractors 

(MACs), Medicaid Integrity 

Contractors (MICs), Medicare 

Recovery Audit Contractors 

(RACs), and Zone Program 

Integrity Contractors (ZPICs). 

These government contractors 

have different objectives, some are 

more fraud oriented (e.g., ZPIC), 

and others are focused on detecting 

payment errors (e.g., MACs, 

RACs). They conduct pre- and 

post-payment audits. However, 

no matter what their charge and 

CMS-assigned tasks are, these 

contractors have aggressively 

been monitoring and auditing 

claims that were paid to health 

care organizations by the federal 

and state health care programs. In 

estimate 

By Cornelia M. Dorfschmid, PhD 

their claims audits, the contractors 

typically assess whether there were 

inappropriate payments received 

by a health care organization and, 

if so, they determine the recovery 

amount. Oftentimes the totality of 

cases (e.g., charts, claims, line item 

of claims, beneficiaries, or whatever 

the unit of observation may be), 

which may potentially be affected 

by a suspected billing error, cannot 

be reviewed. Time and cost 

constraints and benefit/cost considerations 

make a sample a much 

more viable alternative. If the sample 

is a statistically valid random 

sample (SVRS), such as a “probability 

sample” as set forth in the 

Centers for Medicare & Medicaid 

Services (CMS) Medicare Program 

Integrity Manual (PIM), then the 

contractor may draw conclusions 

from the sample to the universe 

(total number) of cases. Simply 

put, one can estimate the total 

overpayment in the total number 

of cases by projecting overpayments 

from a relatively small sample 

to the universe at large. 

Similar considerations, which 

weigh the possibility of using the 

universe of cases affected by a 


potential payment error pattern 

versus a sample with appropriate 

projection, are increasingly also 

part of many providers’ internal 

auditing and monitoring strategies. 

So what does it take to develop a 

good estimate Three aspects can 

be considered. 

n Correct interpretation of the 

projected estimate 

To begin with, it requires that the 

estimate is projected from a random 

sample that was based on the correct 

interpretation and application 

of the various medical documentation 

requirements and payer coverage 

rules. If the medical review, the 

application of coverage criteria, and 

case-by-case review findings can be 

challenged in an appeal or a quality 

assurance process, the overpayment 

estimate derived from the sample 

would not be tenable. 

n Statistically valid random 

sample 

Another aspect of a good estimate 

is that it must be generated from 

a statistically valid random sample 

that was selected. If there is no 

statistically valid sample, then 

the validity of the projection of 

the total overpayment estimate is 

difficult to defend. 

n Confidence and precision 

If each sampled case was reviewed 

correctly and the sample was a 

statistically valid random sample, 

acceptable confidence (i.e, degree 



47

Confidence and precision in claims audits: Quality of the estimate ...continued from page 47 


48 

of certainty that the sample correctly 

depicts the universe) and 

precision (i.e., range of accuracy) 

are the third piece needed for 

a quality estimate of the total 

overpayment in the universe. 

Precision and confidence 

trade–off 

The quality of the estimate depends 

on the precision and confidence 

levels reached in the estimation process. 

Both high confidence and high 

precision are desirable qualities in 

an overpayment estimate. They are 

expressed in ranges or percentages. 

There are one- and two-sided confidence 

intervals that are reported 

at various levels of precision. 

One-sided confidence intervals deal 

with whether the true value for the 

universe (e.g., total overpayment) is 

greater or smaller than the estimate. 

Two-sided confidence intervals deal 

with whether the true value for 

the universe is between two given 

numbers (lower and upper bounds), 

i.e., a bounded range. 

In overpayment extrapolations, 

the quality of the estimate of 

total overpayment in the universe 

can be described as a range or a 

percentage for the so-called “point 

estimate.” The point estimate is 

simply the average overpayment in 

the sample inflated by the universe 

size. Using the point estimate views 

the universe as just a larger version 

of the sample. The observed 

confidence and precision levels are 

statistical measures calculated from 

the data of a particular sample 

and qualify that view by reporting 

the uncertainty that is associated 

with the particular point estimate. 

Namely, confidence and precision 

allow us to give a range of uncertainty 

around the point estimate. 

This range implies that the random 

sample that was drawn is not an 

exact miniature version of the 

universe. Each sample may render 

a somewhat different picture, 

hence a range. 

For example, if an auditor reports 

the overpayment estimate of 

$10,000 with a two-sided 90% 

confidence interval and 5% 

precision level, this means that the 

auditor is 90% certain that the 

true overpayment value for the 

universe is $10,000 +/- $500, (i.e., 

is between $9,500 and $10,500). 

The $500 is the precision amount 

and the precision percentage is 

5%. Clearly, if we could raise the 

confidence level to 95% or even 

99% for that same precision level 

of 5%, that would render a higher 

quality estimate. Similarly, if we 

could tighten the precision range 

and thereby make the estimate 

more precise at 90% confidence 

level (e.g., make it +/- 3% or 

equivalent to a $600 range), that 

would also be preferable. 

For any given sample, the auditor 

can always raise the certainty 

(i.e., raise the confidence level) by 

making the statement about the 

estimate in relation to the true 


value in the universe less precise. 

The extreme position may be 

illustrative. For example, one can 

always say for the point estimate 

that one is 100% confident that the 

true value is between minus infinity 

and plus infinity (i.e., pairing complete 

imprecision with complete 

certainty/confidence). Any other 

more meaningful combinations 

of confidence/precision levels for 

the same point estimate that was 

generated from one-and-the-same 

sample are just re-statements of 

an inherent tradeoff. This tradeoff 

renders the same statistical information. 

To conclude, whenever 

the sample size is fixed and the 

point estimate is calculated, there 

is a tradeoff between confidence 

and precision levels. One cannot 

improve both any more. 

Another valid method of stating 

confidence and precision levels 

that is sometimes used for point 

estimates in overpayment cases is 

using the one-sided confidence 

interval. In this approach, the auditor 

typically states the confidence 

level of the point estimate at a 

lower limit. Rather than reporting 

a bounded range around the 

estimate, the range becomes openended. 

For example, the auditor 

may report a point estimate of 

$10,000 for a one-sided 90% 

confidence interval with a $9,650 

lower limit. This means the auditor 

reports a point estimate of $10,000 

for which he/she is 90% confident 

that the true overpayment in the

universe is no less than $9,650. No 

upper bound is reported for this 

one-sided confidence interval; the 

interval is open-ended upwards. 

Sample size affects precision 

and confidence 

Generally speaking and all else 

being equal, the higher the confidence 

and precision levels of a 

point estimate, the closer one is 

to the true overpayment in the 

universe. High precision and confidence 

are therefore indications 

of a quality estimate. The larger 

the sample size that underlies the 

overpayment extrapolation, the 

better the confidence and precision 

levels (i.e., narrower ranges 

around the point estimate) one 

may expect. These basic concepts, 

however, are not always fully 

understood and therefore, sample 

size and validity of the estimate 

can be confused in this context. 

One of the first issues, which I 

often see raised by providers and/ 

or their attorneys in appeals that 

involve extrapolated overpayments 

in claims, is that the sample 

size was too small and hence the 

extrapolation not valid. However, 

the validity of the sample does not 

depend on the sample size. A small 

but statistically valid sample can 

always generate a valid overpayment 

estimate. Validity is only a necessary 

condition, but not a sufficient condition 

for a quality estimate. The 

quality of the estimate is, however, 

affected by the sample size because 

it affects confidence and precision 

levels. The latter are statistical 

concepts that describe the quality of 

the estimate. They can also be set as 

thresholds or targets and then used 

in the decision process to determine 

when valid overpayment estimates 

are actually “good enough” (i.e., of 

acceptable quality). 

OIG and CMS on confidence 

and precision 

Once the auditor has selected the 

sample, the size is set and claims get 

reviewed. The precision percentage 

for the point estimate derived from 

the particular sample can then be 

reported at 80%, 90%, 95%, or 

even 99% confidence level. It is a 

matter of choice how it is reported. 

The higher the confidence level 

used to report the point estimate, 

the lower the precision percentage 

will be. This trade–off between 

confidence and precision is simply 

driven by the data audited and laws 

of statistics. Without more observations 

one cannot improve both. 

But, what should be done How 

should it be reported How do we 

compare apples to apples 

Government contractors and 

agencies set different objectives 

that describe the minimum 

standards or targets levels for the 

quality of the point estimate (i.e., 

precision and confidence levels of 

the total overpayment estimate). 

A 90% confidence interval is most 

frequently used in government 

audits and self-disclosures. 


Understanding the basic concepts 

above and nuances in the government 

agencies and contractors’ 

expectations are critical to success in: 

n appealing a claims review result 

or recovery amount demand, and 

n applying government auditing 

standards and best practice 

claims review methods proactively 

in provider-internal monitoring 

and auditing projects. 

OIG (Office of Inspector General 

of the US Department of Health 

and Human Services) has put 

forward target levels for: 

n providers that self-report 

overpayments to the OIG, and 

n Independent Review 

Organizations (IROs) that 

review claims of certain health 

care entities under Corporate 

Integrity Agreements (CIAs). 1 

OIG requires reporting the overpayment 

point estimate for the 

universe at 90% confidence level 

(two-sided) and requires that it 

must reach a precision of +/- 25%. 

If the precision of the point estimate 

that is reached is worse and 

exceeds this percentage threshold, 

the point estimate is not considered 

acceptable. One way to cure 

this deficiency would be to increase 

the sample size and re-project. 

CMS is less clear in its requirements 

on confidence and precision 

levels for the point estimate 

of overpayments. They allow 



49

Confidence and precision in claims audits: Quality of the estimate ...continued from page 49 


50 

the point estimate for recovery 

amount demanded, but only if the 

precision is high. The CMS Medicare 

Program Integrity Manual 

(PIM) states the following: 

In most situations the lower 

limit of a one-sided 90 percent 

confidence interval shall be 

used as the amount of overpayment 

to be demanded for 

recovery from the provider 

or supplier. The details of the 

calculation of this lower limit 

involve subtracting some multiple 

of the estimated standard 

error from the point estimate, 

thus yielding a lower figure. 

This procedure, which, through 

confidence interval estimation, 

incorporates the uncertainty 

inherent in the sample design, 

is a conservative method that 

works to the financial advantage 

of the provider or supplier. 

That is, it yields a demand 

amount for recovery that is 

very likely less than the true 

amount of overpayment, and 

it allows a reasonable recovery 

without requiring the tight 

precision that might be needed 

to support a demand for the 

point estimate. However, the 

PSC [Program Safeguard Contractor] 

or ZPIC BI [Benefit 

Integrity] unit or the contractor 

MR [Medical Review] unit is 

not precluded from demanding 

the point estimate where high 

precision has been achieved. 2 

The PIM does not define what 

exactly “high precision” means 

in claims audits and recovery 

situations. There is no clear CMS 

standard for acceptable precision in 

overpayment audits. The ambiguity 

has led to much debate and can 

be an issue raised in the appeals 

process. CMS contractors routinely 

use and demand the lower limit 

of the one-sided 90% confidence 

interval of the point estimate as 

the recovery amount. The problem 

with this is that technically, one 

can always calculate the lower limit 

of a one-sided 90% confidence 

interval for any point estimate, 

regardless how precise it may be. 

What remains unclear is when a 

low precision is just too low to 

render a point estimate that is still 

meaningful. Without a meaningful 

point estimate, however, there 

may also not be a good reason 

in calculating and using a lower 

bound either. OIG, in that respect, 

defined a much clearer standard for 

the health care industry. 

This author believes the OIG’s 

standard of 90% confidence/25% 

precision is one that is clear and 

worth referring to as a minimum 

standard in any claims audit that 

involves overpayment extrapolation 

using the point estimate. 

Providers and suppliers may want 

to consult this standard in any 

payment disputes. n 

1 HHS Office of Inspector General, Publication 

of the OIG’s Provider Self-Disclosure 

Protocol (1998). Available at http://oig. 


hhs.gov/authorities/docs/selfdisclosure.pdf 

2 See, CMS Medicare Program Integrity 

Manual, Chapter 8-Administrative Actions 

and Statistical Sampling for Overpayment 

Estimate, 8.4.5.1 - The point estimate. 

(Note, the PIM was recently rearranged and 

sections of Chapter 3 moved to Chapter 8.) 

Available at http://www.cms.gov/manuals/ 

downloads/pim83c08.pdf; http://www.cms. 

gov/Transmittals/Downloads/R377PI.pdf 

Be Sure to 

Get Your 

CHC® CEUs 

Articles related to the quiz 

in this issue of Compliance 

Today: 

n Mail call: How to 

respond to a regulatory 

investigation—By K Royal, 

page 8 

n Losing sleep over 

health care marketing 

arrangements—By Lawrence 

Conn page 24 

n Compliance 101: Pay now or 

pay later—By Joyce Freville 

page 56 

To obtain one CEU per quiz, go to 

www.hcca-info.org/quiz and select 

a quiz. Fill in your contact information 

and take the quiz online. Or, 

print and fax the completed form 

to CCB at 952/988-0146, or mail 

it to CCB at HCCA, 6500 Barrie 

Road, Suite 250, Minneapolis, MN 

55435. Questions Please call CCB 

at 888/580-8373. 

Compliance Today readers taking 

the CEU quiz have one year 

from the published date of the 

CEU article to submit their completed 

quiz. Only the first attempt 

to pass each quiz is accepted.

Accountability is the 

key to compliance 

Editor’s note: Jane A. Obert is a 

founding member of Corporate 

Integrity Partners, LLC located 

in Joplin, Missouri. She may be 

contacted by e-mail at jobert@ 

corporateintegritypartners.com. 

When spring arrives, it 

is time to work off 

some of that extra 

weight that has accumulated over 

the long winter. Many of us have 

picked up a few extra pounds over 

the holidays and the generally less 

active winter months. How many 

times have you made the same 

springtime commitment year after 

year, only to end up failing to 

achieve it Why does this happen 

Most often, it’s because no one is 

holding you responsible—there’s 

just no accountability. The presence 

of outside accountability 

significantly increases the likelihood 

for success in meeting any 

goals that are set. Accountability 

is a critical element to succeeding 

in almost any weight reduction 

program. That same factor— 

accountability—can also be the 

key to success in reducing risk for 

health care organizations. 

Health care organizations 

are increasingly under the 

effectiveness 

By Jane A. Obert, CPA, CHC 

enforcement gun, and reducing 

the risk of fines and penalties 

from noncompliance with laws, 

rules, regulations, and standards 

can pay off in a big way. Now is 

a great time for hospitals, physician 

groups and other health care 

providers to resolve to reduce the 

risk of fines and penalties that 

frequently stem from investigations 

by government agencies by 

enhancing the effectiveness of 

their compliance programs. And 

the best way to ensure success 

with this resolution is with an 

accountability partner. 

Reducing the risk 

With dozens of federal, state, and 

local government agencies overseeing, 

monitoring, auditing, and 

enforcing a plethora of laws, rules, 

regulations, and standards, health 

care stands out as one of the most 

highly regulated industries in the 

United States. Following all the 

requirements can be daunting. 

Earlier years of health care law 

enforcement efforts often resulted 

in widely disparate punishment 

for comparatively similar cases, 

because there were no uniform 

standards for sanctioning organizational 

violators. The Sentencing 

Reform Act of 1984 created the 


United States Sentencing Commission, 

which is responsible for 

promulgating the Federal Sentencing 

Guidelines. It wasn’t until 

1991, however, and after much 

debate and input, that the Commission 

issued an entirely new 

chapter dealing with sentencing 

for organizational offenders. This 

new approach to enforcement 

has had a significant impact on 

corporate conduct. 

The Federal Sentencing Guidelines 

have created an incentive 

for organizations to establish 

far-reaching programs that 

promote legal compliance and 

ethical behavior. The approach 

set forth in the 1991 guidance 

focused on restitution and terms 

for probation-type monitoring 

(i.e., corporate integrity 

agreements). Beyond that, they 

promote practices focused on 

deterrence and provide sentencing 

benefits for organizations that can 

demonstrate “an effective program 

to prevent and detect violations 

of law.” 1 The movement toward 

prevention and detection has 

given rise to the development of 

well-defined standards for ensuring 

good corporate behavior that 

we have come to know as corporate 

compliance programs. 

The 1991 guidance provides 

minimum criteria that should be 

present in order for a compliance 

program to be deemed effective. 



51

CTfpAD:Layout 1 2/3/11 3:59 PM Page 1 

Let's you and I talk about effective 

Healthcare Corporate & HIPAA compliance training 

for your staff, contractors, and physicians 

Healthcare facilities that are serious about 

training and educating their staff choose 

eHealthcareIT and PricewaterhouseCoopers. 

We don’t need to tell you, healthcare compliance is a very 

serious business. In fact, one of the greatest risks to consider in 

2011 is the increase in targeted healthcare fraud enforcement 

efforts by the government’s Health Care Fraud Prevention 

and Enforcement Action Team (HEAT). 

Expertise 

PricewaterhouseCoopers’ Health Industries Practice and 

eHealthcareIT is comprised of highly qualified healthcare 

professionals specializing in regulatory compliance. Included 

within this group of professionals are physicians, registered 

nurses, certified coding specialists, registered records 

administrators, certified public accountants and attorneys. 

You know as well 

as we do that one 

size does not fit all: 

• Over 100 engaging, 

department specific 

HIPAA Compliance, 

Clinical Research 

Compliance, and 

Corporate Compliance 

courses. 

• Customization that allow 

you to embed your 

policies, procedures, 

welcome messages, site 

specific pictures and 

“contact information”. 

• Department specific topics 

ensures that your staff 

will receive compliance 

education geared specifically 

to their needs and 

responsibilities. 

Your compliance education 

should not be a matinee at 

the movies. Contact 

eHealthcareIT for further 

information or consultation. 

Engaging & Practical Learning 

Reliable, engaging, IT friendly and up to date content is key 

to a successful compliance education program, which is what 

eHealthcareIT brings to the table. 

eHealthcareIT 

e L e a r n i n g & I T S o l u t i o n s 

email: info@ehealthcareit.com 

or call 1-800-806-0874. 

www.ehealthcareit.com 


52 


Accountability is the key to compliance effectiveness ...continued from page 51 

These minimum criteria are 

also reflected in guidance issued 

by the United States Office of 

Inspector General, Department 

of Health and Human Services 

(OIG DHHS) to “promote 

voluntarily developed and implemented 

compliance programs for 

the health care industry.” 2 OIG 

further explains, “The adoption 

and implementation of voluntary 

compliance programs significantly 

advance the prevention of fraud, 

abuse, and waste in these health 

care plans while at the same time 

furthering the fundamental mission 

of all hospitals, which is to 

provide quality care to patients.” 2 

Substantially similar guidance has 

been issued by the OIG for physician 

groups, clinical laboratories, 

home care providers, and other 

health care organizations. 

Common to all the guidances 

issued by the OIG are the following 

seven elements as identified 

by the United States Sentencing 

Commission and which the 

OIG believes are, at a minimum, 

necessary for compliance program 

effectiveness: 

1. Standards of conduct that 

demonstrate overarching 

ethical principles supported by 

detailed internal controls set 

forth in written policies and 

procedures. 

2. Designation of a compliance 

officer who is a member 

of senior management and 

who reports directly to the 

governing body and the chief 

executive officer; and the 

establishment of a Compliance 

Committee to advise and assist 

the compliance officer. 

3. General compliance training 

for all employees and specialized 

training appropriate to the 

high-risk positions of the diverse 

workforce in health care. 

4. Self-monitoring of the organization’s 

operations to evaluate 

ongoing compliance with laws 

and regulations; auditing of highrisk 

activities by independent and 

qualified auditors; and an overall 

assessment of the effectiveness of 

the compliance program. 

5. Confidential and retaliationfree 

reporting mechanisms 

(including methods such as a 

hotline to provide the option 

to remain anonymous) and a 

commitment to log, track, and 

investigate all credible reports. 

6. Fair, equitable, and consistent 

enforcement of the standards 

of conduct, policies and 

procedures, and appropriate 

disciplinary measures (progressively 

intensified for severe 

infractions) for engaging in 

unlawful conduct or violating 

the standards, policies, and 

procedures. 

7. Prompt and appropriate 

response to identified violations 

(including notification of law 

enforcement or other government 

agencies, as applicable, and 

restitution or reimbursement of 

identified overpayments) and 


the imposition of processes to 

prevent and detect recurrences. 

Demonstrating compliance program 

effectiveness can significantly 

reduce fines and penalties in the 

event violations are identified 

by government agencies or law 

enforcement officials. Chapter 8 of 

the Federal Sentencing Guidelines 

allows for mitigation of sentencing 

for organizations that have 

documented the effective implementation 

of the seven essential 

compliance program elements, 

have self-reported, and cooperate 

with authorities. In assessing organizational 

culpability, the Justice 

Department will consider: 

n how well the organization’s 

compliance program is 

designed; 

n the extent to which the organization’s 

compliance program is 

earnestly applied; 

n whether good faith efforts have 

been exerted to assure effectiveness 

in all phases of the compliance 

program; and 

n whether the organization’s compliance 

program has, in fact, been 

effective at preventing, detecting, 

and correcting violations. 

In order to measure up, the 

presence of the seven minimally 

necessary elements of an effective 

compliance program will have 

to be well documented, along 

with due diligence exhibited on 

the part of governing bodies, the 



53

Accountability is the key to compliance effectiveness ...continued from page 53 


54 

compliance officer, and others 

designated to carry out the day-today 

functions of the compliance 

program. Effective implementation 

of the seven elements means 

going beyond mere adoption of 

standards and policies to integrating 

compliance principles into the 

business activity of the organization 

at all levels. 

In order to receive credit for 

maintaining an effective compliance 

program under the Federal 

Sentencing Guidelines, the new 

amendment adopted in 2010 sets 

forth four criteria that must be 

evident when members of senior 

management are involved with, 

condoned, or willfully ignored the 

criminal activity: 

n The compliance officer is 

required to and has, in fact, 

reported directly to the governing 

body or a designated 

subcommittee thereof. 

n The compliance program was 

effective in discovering the 

criminal activity before it was 

discovered by or was likely to 

be discovered by governmental 

authorities. 

n The organization self-reported 

the offense to the appropriate 

federal agency. 

n No compliance officials were 

complicit with, condoned, or 

willfully ignored the criminal 

activity. 3 

In addition, the organization may 

receive credit for making timely 

restitution to victims. This is a 

two-pronged process. To receive 

credit, the organization must not 

only remedy the harm done, but 

must have made demonstrable 

changes to its compliance program 

to prevent recurrences. 

Accountability 

As previously noted, the Federal 

Sentencing Guidelines provide 

incentives, such as favorable sentencing 

benefits, for organizations 

that can demonstrate an effective 

compliance program to prevent 

and detect violations. The key term 

is “effective.” Adopting a welldefined 

compliance program and 

giving it lip service is simply not 

enough. Organizational compliance 

programs must become part 

and parcel with the fabric of the 

entity at all levels—starting with 

the governing body and extending 

to entry-level staff and volunteers. 

And, to obtain favorable treatment 

under the Federal Sentencing 

Guidelines, organizations must be 

able to prove the effectiveness of 

their compliance programs. 

The 1998 Compliance Program 

Guidance for Hospitals issued 

by the OIG, as reinforced with 

supplemental guidance issued in 

2005, sets forth the expectation for 

every provider to periodically assess 

the effectiveness of its compliance 

program. The assessment should be 

completed no less than once a year. 

Many health care providers perform 

a self-assessment. Although 


reviewing your own program will 

be considered more favorably than 

failing to do so altogether, selfevaluations 

are fraught with the 

shortcomings that lack of objectivity 

brings to any monitoring or 

auditing activity. Self-reviews are 

frequently overseen by the compliance 

officer who is charged with 

the overall responsibility for the 

success of the compliance program 

in the first place, thus creating a 

conflict with the need to disclose 

inadequacies that may reflect 

poorly on the compliance officer’s 

personal job performance. 

Having an independent review of 

the effectiveness of the compliance 

program, performed by a qualified 

outside consultant, can yield big 

benefits for any health care organization. 

An independent review 

provides the kind of outside 

accountability needed to ensure 

the success of the compliance 

program. Engaging the review 

can demonstrate to the governing 

body how seriously the compliance 

officer takes his/her responsibilities. 

Outside reviewers bring in 

fresh ideas and leverage a knowledge 

base otherwise inaccessible 

to the organization’s compliance 

program. By implementing objective 

recommendations coming out 

of the assessment, the compliance 

officer adds value to the organization 

he/she serves, supporting the 

continuous quality improvement 

culture found in top-notch health 

care organizations.

Regulatory compliance for research in an academic medical center 

...continued from page 37 

In addition to overall compliance 

program effectiveness reviews, 

organizations can benefit from 

targeted monitoring by independent 

experts. For organizations 

that have detected violations, the 

2010 amendment to the Federal 

Sentencing Guidelines permits a 

health care organization to decide 

whether to retain an independent 

monitor to ensure that changes to 

the compliance program which 

were designed to prevent recurrences 

have been effectively implemented. 

3 This form of accountability 

will be seen quite favorably 

when serious infractions have been 

discovered and will demonstrate to 

the government that the organization 

is serious about remediating 

the harm done and preventing 

future misconduct. 

Having an effective compliance 

program not only reduces the 

likelihood of fines and penalties 

in the event of a government 

investigation, but it protects the 

organization’s public image and 

reputation from damage and 

fosters trust by investors, patients, 

and the community. n 

1. United States Sentencing Guidelines, 

Chapter 8, Subsection 8A1.2 

2. Publication of Compliance Program Guidance 

for Hospitals, Federal Register, Vol. 

63, No. 35, Monday, February 23, 1998/ 

Notices 

3. US Sentencing Commission, Amendment 

to the Sentencing Guidelines at 17-18 

(April 30, 2010) 

completed per month increased 

by 250%. Federal and state 

awards increased by more than 

200% in three years, and the 

number of research projects that 

are part of the residency training 

programs increased 375%. 

These increases occurred as a 

consequence of the institution’s 

commitment to growth in capacity 

and resources for the Department 

of Research. A strategy was 

developed for systems, policies, 

and processes that required 

prioritization in development and 

implementation. Also, a focus 

was placed on education before 

regulation to identify appropriate 

growth of research administration 

functions. The steps outlined in 

this article reflect the experience 

of this institution and Department 

of Research, but should 

have applicability to other standalone 

academic medical centers. n 

1. Elliott C. Kulakowski and Lynne U. Chronister: 

Research Administration and Management. 

Jones and Bartlett Publishers, 2006. 

2. Goldenberg NA, Spyropoulos AC, 

Halperin JL, et al: Antithrombotic Trials 

Leadership and Steering Group. Improving 

academic leadership and oversight in 

large industry-sponsored clinical trials: 

the ARO-CRO model. Blood; 2011 Feb 

17;117(7):2089-92. 

3. Campbell, JM: Assessing and managing 

research compliance risks in the health care 

setting. Compliance Today, 12(11):20-25, 2010. 

4. EpicCare EMR is a product of Epic. More 

information at http://www.epic.com/ 

software-ambulatory.php 

Health Care Auditing & 

Monitoring Tools 

More than 100 sample 

policies, procedures, 

guidelines, and forms to 

enhance your compliance 

auditing and monitoring 

efforts. Updated 

biannually with new tools. 

For more information, 

visit www.hcca-info.org/books, or 

call 888-580-8373. 



55

COMPLIANCE 

101 


56 

Pay now or pay 

later 

By Joyce Freville, PhD, CHC 

Editor’s Note: Joyce Freville is the 

Vice Presidentand Chief Compliance 

Officer for Trilogy Health Services, 

LLC in Louisville, Kentucky. 

Joyce may be contacted by telephone 

at 502/213-1725 or by e-email at 

joyce.freville@trilogyhs.com. 

Fraud, waste and abuse are 

spiraling out of control 

in the United States. The 

federal government is the biggest 

target for fraudsters because 

it spends hundreds of billions 

of dollars subsidizing more than 

1,800 federal programs. 1 The 

government is cracking down on 

fraud, waste, and abuse one regulation 

at a time. Amendments 

and new regulations overlap and 

reinforce each other to strengthen 

the government’s oversight. 

The False Claims Act (FCA) is 

the grandfather of them all. The 

FCA was first passed during the 

Civil War and later amended in 

1943, 1986, 2009, and 2010. The 

federal FCA permits a person with 

knowledge of fraud against the 

United States government (referred 

to as the qui tam plaintiff) to 

file a lawsuit on behalf of the 

government against the person or 

business that committed the fraud. 

If the action is successful, the qui 

tam plaintiff is rewarded with a 

percentage of the recovery. The 

enforcement initiatives have been 

very successful. In fact, over 80% 

of all new FCA actions were filed 

by whistleblowers. 2 

A whistleblower is a person who 

tells the public or someone in 

authority about alleged dishonest 

or illegal activities (misconduct) 

occurring in a government department, 

a public or private organization, 

or a company. The alleged 

misconduct may be classified 

in many ways. For example, it 

may be a violation of a law, rule, 

regulation, and/or a direct threat 

to public interest, such as fraud, 

health/safety violations, or corruption. 

Whistleblowers may make 

their allegations internally (e.g., to 

other people within the accused 

organization) or externally (e.g., 

to regulators, law enforcement 

agencies, to the media, or to 

groups concerned with the issues). 

Recoveries related to health care 

fraud make up a large percentage 

of the total recoveries. In fiscal 

year 2009, health care fraud 

recoveries reached $1.6 billion, 

encompassing two-thirds of the 

year’s total for recoveries of all 

government programs. 3 In 2010, 

Medicare covered 47 million 

people and had estimated outlays 


of $509 billion. The Centers for 

Medicare & Medicaid Services 

(CMS) estimated improper payments 

for Medicare fee-for-service 

and Medicare Advantage of 

almost $70 billion in 2010. 4 

More than 2,400 qui tam suits 

have been filed since 1986, 

at which time the statute was 

strengthened to make it easier and 

more rewarding for private citizens 

to sue. The government has 

recovered more than $24 billion 

as a result of the suits, of which 

almost $340 million has been 

paid to whistleblowers as rewards. 

Because Medicare and Medicaid 

programs make up the largest 

percent of government spending, 

the Department of Health and 

Human Services benefited the 

most from the recoveries. In addition, 

recoveries were made by the 

Office of Personnel Management, 

which administers the Federal 

Employees Health Benefits Program; 

the Department of Defense 

for its TRICARE insurance 

program; and the Department 

of Veterans Affairs. 3 Since 1986, 

billions in taxpayer money that 

otherwise would have been lost to 

fraud have been recovered through 

tips from whistleblowers. Health 

care is not the only industry 

affected by fraud. Occupational 

fraud and abuse are found in every 

industry. 

According to the 2006 ACFE 

Report to the Nation on

Occupational Fraud and Abuse, it 

is estimated that organizations lose 

7% of their revenue to fraud each 

year. This equates to over $994 

billion nationwide. The Association 

of Certified Fraud Examiners 

(ACFE) defines occupational fraud 

as “the use of one’s occupation for 

personal enrichment through the 

deliberate misuse or misapplication 

of the employing organization’s 

resources or assets.” It reaches all 

levels of the organization, although 

accountants commit approximately 

30% of occupational fraud. Furthermore, 

20% is committed by 

upper management or executives. 5 

ACFE found that the amount of 

the loss from occupational fraud is 

directly related to the position of 

the perpetrator. The study showed 

that losses by owners and executives 

averaged $900,000, which 

was six times higher than the losses 

caused by managers, and 14 times 

higher than the losses caused by 

employees. Unfortunately, the 

medium recovery is only 20% of 

the loss, and 40% of the defrauded 

organizations recovered nothing 

at all. Even though the owners 

and executives were the primary 

perpetrators, organizations were 

more likely to forgo legal action 

against them. However, legal action 

against managers and employees 

was prevalent. 5 Organizations that 

do not take legal action against 

all violations put themselves at a 

greater risk of being defrauded. 

Many organizations have adopted 

the zero tolerance policy that 

imposes automatic punishment for 

infractions of a stated rule, regardless 

of the position the individual 

holds in the organization. 

A zero tolerance policy imposes a 

pre-determined punishment for 

any infraction of a rule, regardless 

of accidental mistakes, ignorance, 

or extenuating circumstances and 

regardless of individual culpability, 

extenuating circumstances, or 

past history. Management should 

always consistently apply the punishment. 

Failure to do so could 

expose the organization to higher 

risks of fraud. Furthermore, zero 

tolerance policies forbid persons 

in positions of authority from 

exercising discretion or changing 

punishments to subjectively fit 

the circumstances. Zero tolerance 

policies deter fraud, waste, and 

abuse of company assets. 

Combating fraud, waste, 

and abuse 

The best way to combat fraud, 

waste, and abuse is through prevention. 

After all, prevention efforts are 

usually very cost- and time-effective, 

compared to reactive efforts 

after the fact. Methods of detecting 

and preventing fraud and abuse 

include but are not limited to: 

n confidential reporting mechanisms 

such as hotlines, e-mail 

accounts, customer satisfaction 

surveys, and employee satisfaction 

surveys; 

n surprise audits; 


n anti-fraud training and education; 

and 

n internal controls. 

Of these options, studies show that 

confidential reporting mechanisms 

are the primary way of detecting 

fraud. This is consistent with the 

data that shows whistleblowers are 

responsible for 80% of the money 

returned to the federal government. 6 

The 2006 ACFE study found that 

organizations with confidential 

reporting mechanisms, such 

as hotlines, had an average of 

$100,000 in fraud related losses 

as compared with $200,000 for 

companies without hotlines. Furthermore, 

hotlines cut the time it 

took to detect fraud from 24 to 

15 months. 5 Hotlines work not 

only for people employed by your 

company, but also for third parties 

who work with you and need a 

way to inform you of what you 

may not know. Additionally, 44% 

of the million-dollar fraud cases in 

the study were detected by tips. 

Another deterrent of fraud is 

an Internal Audit department. 

Organizations with an Internal 

Audit department that conducts 

surprise audits experienced a 

median loss of $120,000, while 

those that did not had a median 

loss of $218,000. What’s more, 

organizations that conduct routine 

compliance and anti-fraud 

training have fewer instances of 



57

Pay now or pay later ...continued from page 57 


58 

fraud. Internal audits detected 

fraud in 18 months, as opposed 

to 24 months for those without 

an Internal Audit function. 5 

Without a doubt, organizations 

benefit from confidential reporting 

mechanisms as well as auditing 

and monitoring mechanisms 

as part of an effective compliance 

plan. In addition to providing a 

mechanism to report fraud, waste, 

and abuse, it is important to have 

adequate internal controls. 

Internal controls 

Lack of adequate internal controls 

was commonly cited as the factor 

that allowed fraud to occur. 5 

Internal controls are processes to 

ensure the integrity of financial 

and accounting information, 

meet operational and profitability 

targets, broadcast management 

policies throughout the organization, 

and comply with laws and 

regulations. Lack of management 

review and override of existing 

controls open the doors for fraud 

and abuse. A few procedures will 

improve internal control. 

1. Develop well-written policies 

and procedures manuals which 

address significant activities 

and unique issues. Clearly 

communicate employee responsibilities, 

limits to authority, 

performance standards, control 

procedures, and reporting 

relationships. 

2. Train all employees on the policies 

and procedures that pertain 

to their job responsibilities. 

3. Conduct mandatory compliance 

and ethics training. With the 

passage of the Deficit Reduction 

Act of 2005, this is required for 

health care providers. 

4. Make sure that employees 

comply with the Conflict of 

Interest policy and disclose 

potential conflicts of interest 

(e.g., ownership interest in 

companies doing business or 

proposing to do business with 

the organization). 

5. Develop job descriptions that 

clearly state responsibility for 

internal control, and correctly 

translate desired competence 

levels into requisite knowledge, 

skills, and experience. Make 

sure that hiring practices result 

in hiring qualified individuals. 

6. Conduct employee performance 

evaluations periodically. 

Good performance should be 

valued highly and recognized in 

a positive manner. 

7. Take appropriate disciplinary 

action when an employee does 

not comply with policies and procedures 

or behavioral standards. 

Compliance program 

The Office of Inspector General 

(OIG) contends that an effective 

compliance plan helps detect and 

prevent fraud, waste, and abuse 

and will significantly reduce losses 

to both the government and 

private sectors. OIG recommends 

that compliance plans include 

the following seven elements that 

are taken from the United States 


Federal Sentencing Guidelines. 7 

1. Establish compliance standards 

and procedures that provide reasonable 

assurance of reducing the 

possibility of criminal conduct. 

2. Assign high-level personnel 

with overall responsibility to 

oversee compliance. 

3. Use due care not to delegate 

substantial discretionary authority 

to individuals whom the 

organization knows, or should 

have known through the exercise 

of diligence, had a propensity 

to engage in illegal activities 

(i.e., screen employees). 

4. Communicate compliance 

standards and procedures 

effectively to all employees 

by requiring participation 

in training programs and by 

disseminating publications that 

explain in a practical manner 

what is required. 

5. Achieve compliance with standards 

by utilizing monitoring 

and auditing systems designed 

to provide reasonable assurance 

of detecting misconduct 

by employees and by having a 

reporting system in place whereby 

employees can report misconduct 

without fear of retaliation. 

6. Enforce standards through 

appropriate disciplinary mechanisms, 

including discipline 

of individuals responsible for 

failure to detect an offense. 

7. Respond appropriately to 

an offense once it has been 

detected and take reasonable 

steps to prevent further

offenses, including modification 

of the program to prevent 

and detect violations of the law. 

A solid infrastructure that 

includes the seven elements is vital 

to any compliance program. Each 

element is important; but confidential 

reporting mechanisms, 

employee fraud awareness training, 

and surprise audits are the 

most effective elements. 

A compliance plan sets the standards 

for how an organization and 

its employees will conduct business. 

It demonstrates the organization’s 

commitment to comply with 

federal and state laws and regulations 

as well as the organization’s 

own policies. Compliance programs 

help organizations establish 

clear standards and polices that 

are designed to detect and prevent 

fraud, waste, and abuse. The code 

of ethical conduct is the foundation 

of a compliance program. 

Code of ethical conduct 

Codes of ethical conduct generally 

entail documents at three levels: 

code of business ethics, code of 

conduct for employees, and code 

of professional practice. The code 

of business ethics sets out general 

principles about an organization’s 

beliefs on matters such as mission, 

quality, privacy, or the environment. 

It outlines proper procedures to 

determine whether a violation of the 

code of ethics has occurred and, if so, 

what remedies should be imposed. 

A code of conduct for employees 

sets out the procedures to be 

used in specific ethical situations, 

such as conflicts of interest or the 

acceptance of gifts, and delineate 

the procedures to determine 

whether a violation of the code of 

ethics occurred and, if so, what 

remedies should be imposed. A 

code of practice may be designed 

as a code of professional responsibility 

that will discuss difficult 

issues and decisions that will often 

need to be made, and provide a 

clear account of what behavior is 

considered “ethical” or “correct” 

or “right” in the circumstances. 

The effectiveness of a code of ethical 

conduct depends on the extent to 

which management supports it with 

sanctions and rewards. The code of 

ethical conduct provides guidelines 

to employees as well as assists those 

in the organization when called 

upon to make decisions. 

Conclusion 

Effective compliance programs are 

an essential tool for identifying and 

mitigating risks. One of the most 

significant benefits of a compliance 

program is that it reinforces that 

the organization’s culture does not 

tolerate illegal or actionable behavior 

and prompts management and 

staff to consider the potentially 

adverse legal consequences of 

certain conduct. Equally important, 

it increases the likelihood of 

early detection if potentially illegal 

or actionable conduct does occur, 


thus creating the opportunity to 

correct or self-report. Furthermore, 

it serves as a basis to persuade 

governmental authorities to decline 

prosecution or the initiation of a 

civil or regulatory action, thereby 

significantly reducing penalties 

or fines. The efforts and time a 

company puts into proper prevention 

practices and procedures can 

have concrete payoff in terms of 

financial and regulatory problems 

associated with trying to fix a 

problem after the fact. As the old 

saying goes “an ounce of prevention 

is worth a pound of cure”, so 

pay now or pay later. n 

1. Chris Edwards: “Number of Federal Subsidy 

Programs Tops 1,800.” Cato Institute 

Tax and Budget Bulletin no. 56, April 

2009. Available at http://www.cato.org/ 

pubs/tbb/tbb_56.pdf. 

2. The 1986 False Claims Act Amendments: 

A Retrospective Look At Twenty Years of 

Effective Fraud Fighting In America. Available 

at http://www.quitamhelp.com/static/ 

false_claims/retrospective.pdf 

3. Department of Justice: Justice Department 

Recovers $2.4 Billion in False Claims Cases 

in Fiscal Year 2009; More Than $24 Billion 

Since 1986. Available at http://www. 

justice.gov/opa/pr/2009/November/09- 

civ-1253.html 

4. U.S. General Accounting Office: Medicare 

Program Remains at High Risk Because 

of Continuing Management Challenges. 

(Publication No. GAO-11-430T, 2011). 

Available at http://www.gao.gov/new.items/ 

d11430t.pdf 

5. Association of Certified Fraud Examiners. 

2006 ACFE Report to the Nation on 

Occupational Fraud & Abuse. Available at 

www.acfe.com/documents/2006-rttn.pdf 

6. Kardell, Robert L: “Three Steps to 

Fraud Prevention in the Workplace.” 

The Nebraska Lawyer, 2007. Available 

at http://www.bkd.com/docs/news/ 

WorkplaceFraud-NebLawyer.pdf 

7. U.S. Sentencing Guidelines Manual 

Section 8A1.2 cmt.n3(k)(1). Available 

at http://www.ussc.gov/2009guid/TAB- 

CON09.htm 


59


60 

How internal controls 

support compliant 

business practices: 

Editor’s note: Kelly Nueske is a 

Managing Director in Enterprise 

Risk Services, Internal Audit & 

Compliance at Sinaiko Healthcare 

Consulting, Inc. in Los Angeles. 

Kelly may be contacted by e-mail at 

kelly.nueske@altegrahealth.com. 

Recently, a number of 

us “seasoned” compliance 

professionals spoke 

with a group of new compliance 

officers who had varying degrees 

of health care experience. We 

spent a fair amount of that time 

discussing the evolution of compliance-related 

regulatory guidance. 

A number of the seasoned 

compliance professionals started 

our careers in Internal Audit and 

transitioned into the Compliance 

space over the past 15 years. We 

have observed or read about a 

number of the scandals over the 

years that have lead to much of 

the current health care regulatory 

environment. This article is 

part one of a two-part series and 

outlines the framework of internal 

control as it relates to health care 

compliance. The second article 

will discuss monitoring and auditing 

of various internal controls. 

Part 1 

By Kelly Nueske 

In the beginning, there were five 

professional associations that 

independently worked to address 

the needs of various accounting, 

financial, and auditing professionals 

and to establish standards, 

including guidance on internal 

controls: 

1. American Institute of CPAs, 

formed in 1887 

2. American Accounting Association, 


3. Institute of Management 

Accountants, formed in 1919 

4. Financial Executives International, 


5. The Institute of Internal Auditors, 


These five professional organizations 

joined forces in 1985 to form the 

Committee of Sponsoring Organizations 

of the Treadway Commission 

(COSO or Treadway Commission). 

The US Congress and the Security 

and Exchange Commission (SEC) 

asked COSO to inspect, analyze, 

and make recommendations on 

fraudulent corporate financial reporting 

due to questionable corporate 

political campaign finance practices 

and corrupt foreign practices in the 

mid-1970s. 


COSO is a voluntary, private-sector 

organization that provides guidance 

concerning organizational 

governance, business ethics, internal 

control, enterprise risk management, 

fraud, and financial reporting. 

COSO studied the issues for a few 

years and published a four volume 

report in 1992, entitled Internal 

Control—Integrated Framework. The 

report established a common internal 

control model that companies and 

organizations may use to assess their 

control systems. However, “may” 

hasn’t become much of an option, 

given the framework is a common 

theme in the US Federal Sentencing 

Guidelines, OIG model compliance 

program guidance, and Corporate 

Integrity Agreements (CIAs). 

So what is an internal control 

The COSO framework defines 

internal control as “a process, 

effected by an entity’s board of 

directors, management and other 

personnel, designed to provide 

‘reasonable assurance’ regarding 

the achievement of objectives in 

the following categories: 

n Effectiveness and efficiency of 

operations, 

n Reliability of financial reporting, 

and 

n Compliance with applicable 

laws and regulations.” 

If you are like me, the first time 

you read the COSO definition, 

your question was still “So what is 

an internal control” Simply, it is 

the following five components.

n Control environment 

The control environment sets the 

tone of an organization, influencing 

the control consciousness of 

its people. It is the foundation for 

all other components of internal 

control, providing discipline and 

structure. Control environment 

factors include the integrity, ethical 

values, management's operating 

style, delegation of authority 

systems, as well as the processes 

for managing and developing 

people in the organization. 

n Risk assessment 

Every entity faces a variety of 

risks from external and internal 

sources that must be assessed. A 

precondition to risk assessment 

is the establishment of objectives 

and thus, risk assessment 

is the identification and analysis 

of relevant risks to the achievement 

of assigned objectives. 

Risk assessment is a prerequisite 

for determining how the risks 

should be managed. 

n Control activities 

Control activities are the policies 

and procedures that help ensure 

management directives are carried 

out. Control activities occur 

throughout the organization, at 

all levels and in all functions. 

They include a range of activities 

as diverse as approvals, authorizations, 

verifications, reconciliations, 

reviews of operating 

performance, security of assets 

and segregation of duties. 

n Information and 

communication 

Information systems play a key 

role in internal control systems 

as they produce reports, including 

operational, financial and 

compliance-related information. 

In a broader sense, effective 

communication must ensure 

information flows down, across 

and up the organization. Effective 

communication should also be 

ensured with external parties, such 

as customers, suppliers, regulators, 

and shareholders about related 

policy positions. 

n Monitoring 

Internal control systems need 

to be monitored—a process 

that assesses the quality of the 

system's performance over time. 

This is accomplished through 

ongoing monitoring activities 

or separate evaluations. Internal 

control deficiencies detected 

through these monitoring activities 

should be reported upstream 

and corrective actions should 

be taken to ensure continuous 

improvement of the system. 

If you are in the “compliance 

business” the concepts may look 

familiar to you if you have read 

the Office of Inspector General’s 

(OIG) model compliance program 

guidance, the US Federal 

Sentencing Guidelines, and/or a 

Corporate Integrity Agreement 

(CIA). To write this article, I 

checked out the OIG website to 


make sure I had the correct dates 

for program guidance, and this 

is the OIG’s introduction to the 

program guidance section: 

OIG has developed a series of 

voluntary compliance program 

guidance documents directed 

at various segments of the 

health care industry, such as 

hospitals, nursing homes, 

third-party billers, and durable 

medical equipment suppliers, 

to encourage the development 

and use of internal controls to 

monitor adherence to applicable 

statutes, regulations, and program 

requirements. (Emphasis 

added) 

When I came across the word 

“voluntary” my initial reaction 

was “not really,” if you look at the 

Federal Sentencing Guidelines and 

the content of CIAs. Table 1 on 

page 62 illustrates how the COSO 

framework maps to the “reality” of 

health care compliance. 

For the sake of simplicity, this 

table does not address Sarbanes 

Oxley, the Government Auditing 

Office “Yellow Book” Standards, 

and other guidelines that exist. 

However, these standards or 

regulations could also be mapped 

to the original COSO framework 

around internal control. 

So who is responsible for all of 

this Well, the guidance suggests 



61

How internal controls support compliant business practices: Part 1 ...continued from page 61 

“management” is responsible 

for internal control. Managers 

are responsible for establishing 

policies and processes and 

providing management oversight 

(monitoring) to ensure the procedures 

(controls) are being executed 

as management intended. 1 

What about the chief compliance 

officer (CCO) Well, the guidance 

suggests the CCO is responsible 

for overseeing (monitoring) and 

managing compliance issues within 

an organization, ensuring the 

Table 1 

COSO Internal 

Control Framework 

Component (1992) 

Control 

Environment 

Risk Assessment 

Control Activities 

Information & 

Communication 

Monitoring 

OIG Compliance Program Guidance 

– exact language from model guidance 

(1998 – 2008) 

Designation of a chief compliance officer 

and other appropriate bodies, (e.g., a 

Corporate Compliance Committee, 

charged with the responsibility of operating 

and monitoring the compliance 

program, and who report directly to the 

CEO and the governing body) 

Additional risk areas should be assessed as well 

and incorporated into the written policies and 

procedures and training elements developed 

as part of their compliance programs. 

Development and distribution of written 

standards of conduct, as well as written 

policies and procedures that promote 

commitment to compliance. 

Development and implementation of 

regular, effective education and training 

programs for all affected employees. 

Maintenance of a process, such as a 

hotline, to receive complaints, and the 

adoption of procedures to protect the 

anonymity of complainants and to 

protect whistleblowers from retaliation. 

Use of audits and/or other evaluation techniques 

to monitor compliance and assist in 

the reduction of identified problem area. 

Although many monitoring techniques 

are available, one effective tool to 

promote and ensure compliance is the 

performance of regular, periodic compliance 

audits by internal or external auditors 

who have expertise in federal and 

state health care statutes, regulations, and 

federal health care program requirements. 

Federal Sentencing 

Guidelines Chapter 8 

(2004) 

§8B2.1.(a)(2) Promote 

organizational culture 

§8B2.1.(b)(2)(A) 

Governing authority’s 

knowledge of program 

§8B2.1.(b)(1) Standards 

and procedures 

§8B2.1.(c) Periodic 

assessment of risk 

§8B2.1.(b)(1) 

Standards and 

procedures 

§8B2.1.(b)(4)(A) 

Compliance training 

§8B2.1.(b)(5)(A) 

Monitoring and 

auditing activities 

§8B2.1.(b)(5)(B) 

Evaluate effectiveness 

of compliance and 

ethics program 

Corporate Integrity 

Agreement, 

typically Section III 

Compliance Officer 

& Committee 

Board of Director’s 

compliance 

obligations 

Code of Conduct 

Language can be 

present but not 

standard 

Policies and 

procedures 

Board reporting 

Training & Education 

Notifications to 

government 

Implementation and 

annual reporting 

(Section V, typically) 

Review procedures 


62 


organization is complying with 

regulatory requirements, and that 

the organization and its employees 

are complying with internal policies 

and procedures (controls). 2 

What about the Internal Audit 

department Again the Institute 

of Internal Auditors professional 

practice standards indicate internal 

auditors perform audits to evaluate 

whether the policies and processes 

are designed and operating effectively 

and providing recommendations 

for improvement. 3 

Internal controls can be preventive 

or detective and manual or 

automated. Ideally, there would 

be higher reliance on preventive 

controls, activities, and processes 

that support “doing it right the 

first time” rather than detective 

controls that identify errors 

after the fact. The reason is that 

detective controls can be a lower 

priority and overlooked, with so 

many competing priorities in a 

manager’s busy day. In the age 

of technology, it is also ideal to 

have automated controls rather 

than manual controls. Automated 

controls can serve as prompts to 

help employees follow established 

processes or help ensure accurate 

information is entered that others 

can rely on later in the process, 

to name a few. With the rapid 

implementation of electronic 

medical records, we often don’t 

maximize the functionality during 

the design processes, which is a 

significant lost opportunity to 

address ongoing compliance issues 

that could be improved with the 

help of technology. 

Conclusion 

In the end, an effective internal 

control structure is the foundation 

of good business, which includes 

compliance. As the voice of the 

seasoned compliance professionals, 

we challenge you, as a compliance 

officer, to learn more about 

internal controls. When something 

is not going right, look at the 

internal control structure to help 

determine what could be implemented 

to mitigate the risk going 

forward. I have seen many corrective 

action plans that state policies 

and procedures will be developed 

and/or training will be provided. 

Granted these elements are part 

of the internal control framework 

but they are not the most reliable 

controls. Dig further and see what 

can be done to implement checks 

and balances in the process, as the 

process is occurring. That is often 

the key to mitigating many compliance 

risks. n 

1. COSO Internal Control-Integrated Framework, 

1994 

2. Scott Cohen, editor and publisher of 

Compliance Week, dates the proliferation 

of CCOs to a 2002 speech by SEC commissioner 

Cynthia Glassman. (See http:// 

en.wikipedia.org/wiki/Chief_compliance_ 

officer) 

3. Institute of Internal Auditors: International 

Professional Practices Framework (IPPF). 

Published by The IIA Research Foundation, 

2009. 


False Claims 

Act Training 

Doesn’t Have 

to Be Hard 

A Supplement to Your 

Deficit Reduction Act 

Compliance Training 

Program offers a clear, 

concise review of the 

False Claims Act and 

its impact on federal 

health care programs. 

Bulk pricing 

available for 

HCCA members. 

To order, visit 

www.hcca-info.org, 

or call 888-580-8373. 


63

SaVe tHe Date! 

Space is limited to 70 attendees 

Improving Governance Practices 

Audit & 

Compliance 

committee conference 

February 13–14, 2012 

Scottsdale, AZ 

This conference is designed for board members and 

members of a board audit and/or compliance committee of 

not-for-profit health care organizations. Compliance officers 

may attend with their board member(s). CEOs, CFOs, and 

other senior officers are also welcome to attend. 

Learn more at 

www.auditcompliancecommittee.org 


64 


Publisher: Health Care Compliance Association 

888-580-8373 

Executive Editor: Roy Snell, CEO, roy.snell@hcca-info.org 

Contributing Editor: Gabriel Imperato, Esq., CHC 

Editor: Margaret R. Dragon 

781-593-4924, margaret.dragon@hcca-info.org 

Copy Editor: Patricia Mees, CHC, CCEP 

888-580-8373, patricia.mees@hcca-info.org 

Layout and Production Manager: Gary DeVaan 

888-580-8373, gary.devaan@hcca-info.org 

HCCA Officers: 

Frank Sheeder, JD, CCEP 

HCCA President 

Partner 

DLA Piper 

Shawn Y. DeGroot, CHC-F, 

CHRC, CCEP 

HCCA Vice President 

Vice President of Corporate 

Responsibility 

Regional Health 

John Falcetano, CHC-F, CIA, 

CCEP-F, CHRC, CHPC 

HCCA Second Vice President 

Chief Audit/Compliance Officer 

University Health Systems of 

Eastern Carolina 

Gabriel L. Imperato, JD, CHC 

HCCA Treasurer 

Managing Partner 

Broad and Cassel 

Sara Kay Wheeler, JD 

HCCA Secretary 

Partner–Attorney 

King & Spalding 

Sheryl Vacca, CHC-F, CHRC, 

CCEP, CHPC 

Non-Officer Board Member 

Senior Vice President/Chief 

Compliance and Audit Services 

University of California 

Jenny O’Brien, JD, CHC, CHPC 

HCCA Immediate Past President 

Chief Medicare Compliance Officer 

UnitedHealthcare Medicare & Retirement 

CEO/Executive Director: 

Roy Snell, CHC, CCEP-F 

Health Care Compliance Association 

Counsel: 

Keith Halleland, Esq. 

Halleland Habicht PA 

Board of Directors: 

Urton Anderson, PhD, CCEP 

Chair, Department of Accounting and 

Clark W. Thompson Jr. Professor in 

Accounting Education 

McCombs School of Business 

University of Texas 

Deann M. Baker, CHC, 

CCEP, CHRC 

Chief Corporate Compliance Officer 

Corporate Compliance & Integrity 

Services, Alaska Native Tribal Health 

Consortium 

Catherine Boerner, JD, CHC 

President 

Boerner Consulting, LLC 

Julene Brown, RN, MSN, CHC, CPC 

Regional Compliance Director 

Organizational Integrity and Compliance 

Essentia Health West Region 

Brian Flood, JD, CHC, 

CIG, AHFI, CFS 

National Managing Director 

KPMG LLP 

Margaret Hambleton, MBA, 

CPHRM, CHC 

Senior Vice President 

Ministry Integrity, Chief Compliance 

Officer, St. Joseph Health System 

Robert A. Hussar, JD, MS, CHC 

Of Counsel 

Manatt, Phelps and Phillips LLP 

Robert H. Ossoff, DMD, 

MD, CHC 

Assistant Vice-Chancellor for 

Compliance & Corporate Integrity 

Vanderbilt University Medical Center 

Daniel Roach, JD 

Vice President 

Compliance and Audit 

Catholic Healthcare West 

Matthew F. Tormey, JD, CHC 

Vice President 

Compliance, Internal Audit, and 

Security 

Health Management Associates 

Debbie Troklus, CHC-F, CCEP-F, 

CHRC, CHPC 


Aegis Compliance and Ethics Center 

Compliance Today (CT) (ISSN 1523-8466) is published by the Health Care 

Compliance Association (HCCA), 6500 Barrie Road, Suite 250, Minneapolis, MN 

55435. Periodicals postage-paid at Minneapolis, MN 55435. Postmaster: Send address 

changes to Compliance Today, 6500 Barrie Road, Suite 250, Minneapolis, MN 55435. 

Copyright 2011 Health Care Compliance Association. All rights reserved. Printed in 

the USA. Except where specifically encouraged, no part of this publication may be 

reproduced, in any form or by any means without prior written consent of the HCCA. 

For Advertising rates, call Margaret Dragon at 781-593-4924. Send press releases to 

M. Dragon, 41 Valley Road, Nahant, MA 01908. Opinions expressed are not those of 

this publication or the HCCA. Mention of products and services does not constitute 

endorsement. Neither the HCCA nor CT is engaged in rendering legal or other 

professional services. If such assistance is needed, readers should consult professional 

counsel or other professional advisors for specific legal or ethical questions. 



65

All 2011 Basic Compliance 

Academies sold out. 

Register now for 

2012 

BAsiC CompliAnCe 

ACADeMieS 

New York, NY 

January 23–26, 2012 

San Francisco, CA 

Feb 13–16 , 2012 

San Antonio, TX 

March 26–29 , 2012 

Scottsdale, AZ 

June 4–7 , 2012 

New York, NY 

August 6–9 , 2012 

Location TBD 

Sept 10–13 , 2012 

Boston, MA 

Oct 1–4 , 2012 

Orlando, FL 

Nov 5–8 , 2012 

San Diego, CA 

Dec 10–13 , 2012 

REGIONAL 

CONFERENCES 

2012 REGIONAL CONFERENCES 

Southeast 

January 20 | Atlanta, GA 

South Atlantic 

January 27 | Orlando, FL 

Southwest 

February 17 | Dallas, TX 

Alaska 

March 1 - 2 

Anchorage, AK 

Upper North Central 

May 11 | Columbus, OH 

Upper North East 

May 18 | New York, NY 

NEW! 

Gulf Coast 

June 8 | Houston, TX 

Pacific Northwest 

June 15 

Seattle, WA 

West Coast 

June 22 | Newport Beach, CA 

New England 

September 7 | Boston, MA 

Upper Midwest 

September 14 

Minneapolis, MN 

Midwest 

September 21 

Overland Park, KS 

North Central 

October 5 | Indianapolis, IN 

East Central 

October 12 | Pittsburgh, PA 

Hawaii 

October 19 | Honolulu, HI 

Mountain 

October 26 | Denver, CO 

Mid Central 

November 9 | Louisville, KY 

Desert Southwest 

November 16 | Phoenix, AZ 

South Central 

November 30 | Nashville, TN 

NEW! 

Upper West Coast 

December 7 | Oakland, CA 

Learn more & register at 

www.hcca-info.org 

regiSTrATiON FOr eACh ACADeMY LiMiTeD 

TO 75 ATTeNDeeS 

HCCA’s Compliance Academy is a four-day intensive program 

focusing on subject areas at the heart of health care compliance 

practice. Courses are designed for participants who have a basic 

knowledge of compliance concepts and some professional 

experience in a compliance function. 

ChC ® CerTiFiCATiON eXAM OFFereD 

FOLLOwiNg eACh ACADeMY 

Be recognized for your experience and knowledge in health care 

compliance! Take advantage of the opportunity to sit for an optional 

CHC ® exam on the last day of the Academy. 

LEARN MORE AND REGISTER AT 

WWW.HCCA-INFO.ORG 


66 

2012-HCCA-ALL-Academies_halfpage_2c_ad.indd 1 


9/30/2011 2011-12-HCCARegionals_halfpage_2c_ad.indd 12:47:41 PM 

1 

10/27/2011 12:23:18 PM

esearch 


Conference 

June 3–6, 2012 

austin, tX 

This is the research conference 

you cannot miss if you work for 

a research site, a CRO or SMO, 

a hospital or hospital system, 

a sponsor, or for clinicians/ 

investigators who conduct 

research. Learn the latest 

trends in compliance with 

research accounting standards, 

clinical trial billing and process 

improvements, effort reporting, 

scientific misconduct, conflicts 

of interest, off-label use issues, 

FDA compliance, and government 

enforcement trends. Hear from 

industry experts who can provide 

practical perspectives for handling 

research compliance risks. 

Learn more 

& register at 


Try one of HCCA’s upcoming 

Web Conferences 

earn 1.2 CEU credits. 

It doesn’t get any easier. 

Records & Information Management- 

Managing Information Overload for 


December 06, 2011 

HIPAA Audits 


Ready for Action: Preparing Your 

Organization for Governmental Audits 

with Practical Steps for Compliance 


Stark-Beyond the Basics 

January 11, 2012 

Auditing Hospital/ Physician Financial 

Arrangements 


How to Cope With Compliance Liabilities 

Using Technology 


learn more at 

www.hcca-info.org/ 

webconferences 

2012Research_halfpagevert_CTad.indd 1 


10/27/2011 HCCAWebConferences_halfpage_2c.indd 12:34:16 PM 

1 

67 


10/27/2011 12:55:49 PM


68 

Documenting fair 

market value for 

physician contracting 

Editor’s note: Penny Stroud is 

Founder and CEO of MD Ranger, 

Inc., located in Burlingame, 

California. She may be contacted by 

telephone at 650/692-8873 or by 

e-mail at pstroud@mdranger.com. 

The rising costs of physician 

service contracts and 

compliance documentation 

is affecting hospitals across 

the country. California hospitals 

spend in excess of 3% of all 

expenses on non-salary physician 

costs for a broad range of services 

that includes medical direction, 

emergency call coverage, leadership 

positions, administrative 

services, diagnostic test interpretations, 

and more. In addition to 

the cost of service contracts, the 

cost of fair market value (FMV) 

documentation for service contracting 

is rising as government 

oversight and enforcement efforts 

are increasing. 

All health care providers are 

subject to the regulations that 

require FMV compliance and 

documentation. There are a 

number of approaches to consider 

for the review of physician 

contracts and documentation of 

compliance. The costs, associated 

By Penny Stroud 

risks, and benefits of each of these 

approaches varies considerably. 

This article will explore the growing 

number of tools that enable 

hospitals, health systems, and 

other providers to institute cost 

effective strategies for controlling 

the cost and burden of compliance 

while upgrading the level 

of documentation for physician 

contracts. 

Trends in physician contracting 

and compliance costs 

The cost of physician contracts 

for non-salaried, non-billable 

services is rising rapidly for health 

facilities. Physicians are demanding 

more and higher pay for 

call coverage; medical direction; 

attendance at meetings; leadership 

positions; and many other teaching, 

research, and administrative 

functions that they formerly provided 

without pay in exchange for 

medical staff privileges or visibility 

in a medical community. 

Data submitted to the California 

Office of Statewide Health Planning 

and Development 1 show 

that since 2000, these costs 

have increased 14% per year 

for California hospitals, reaching 

more than $8 million per 


hospital annually (see graph 1). 

Trauma hospitals pay considerably 

more. Other types of providers, 

including nursing homes, dialysis 

centers, ambulatory surgery 

centers, and clinics experience 

similar demands for physician 

services. The growing burden of 

administrative compliance, quality 

and peer review activities, and 

evidence-based practice protocols 

has increased the need for physician 

involvement in administrative 

and leadership functions at 

most health care organizations. 

Another factor and trend impacting 

call compensation is the increasing 

number of uninsured patients who 

are treated in America’s dwindling 

Emergency Rooms. One recent 

study 2 found that the number of 

hospital Emergency Departments 

(EDs) in urban areas fell 27% 

from 1990 to 2009, from 2,446 

EDs to 1,779. Overall, about 

two-thirds of EDs are at safety 

net hospitals, which tend to have 

a worse payer mix. Many call 

payments begin when physicians 

ask for compensation for treating 

uninsured patients in the ED, and 

later expand into full-fledged per 

diem payments for call coverage. 

Clinical integration initiatives, 

planning for health reform, 

electronic health records (EHR), 

and the development of Accountable 

Care Organizations also 

benefit from physician participation 

and leadership. Yet, decreased

eimbursement and the growing 

separation of many physicians’ 

hospital and ambulatory practices 

have increased the challenge of 

engaging physicians to participate 

in these non-billable services. 

These trends, coupled with regulatory 

mandates, such as the Emergency 

Medical Treatment and 

Active Labor Act (EMTALA), are 

increasing the demand for services 

and the demand for payment by 

physician contractors. 

Government regulations mandate 

that payments to physicians by 

a provider meet FMV. Compliance 

requires documentation of 

comparable rates for comparable 

services. Many providers seek an 

outside FMV opinion from an 

expert valuation consultant, often 

at a cost of $3,000 to $10,000 per 

opinion. An analysis conducted 

by MD Ranger to evaluate the 

FMV costs for outside opinions at 

a sample of 40 hospitals in California, 

found annual expenditures 

ranging from $5,000 to $100,000 

per hospital, with a strong upward 

Graph 1 

$8000 

$7000 

$6000 

$5000 

$4000 

$3000 

$2000 

$1000 

$0 

trend driven by heightened 

administrative and board requirements 

for objective documentation 

of FMV. 3 

As enforcement efforts raise the 

bar on compliance documentation, 

these costs are escalating at a time 

when most hospitals are working 

to reduce costs in anticipation of 

health reform. Strategies to control 

the cost of physician contracts and 

the cost of documentation can be 

a critical component of addressing 

budget challenges. 

Compliance landscape 

Regulations governing FMV 

payment for physician contracts 

include the Stark, anti-kickback, 

and private inurement rules. These 

laws were passed to deter health 

care providers from paying physicians 

for referrals, colluding on 

price, or otherwise manipulating 

physician relationships to disguise 

fraud and abuse. 

There is growing evidence that 

government enforcement efforts 

to ensure FMV are intensifying. 

Average Physician Expense in California Hospitals 

2000-2008, in thousands 

2000 

2001 

2002 

2003 

2004 

SOURCE: OSHPD Annual Financial Reports 1995-2008. 

2005 

2006 

2007 

2008 


OIG reported in June 2011 that it 

expected to collect more than $3.4 

billion from fraud investigations, 

including anti-kickback cases, in 

2011. Between 2000 and 2010, 

almost 100 anti-kickback cases were 

settled with health care organizations, 

ranging from less than 

$100,000 to several million. Twenty 

new cases alone occurred in 2010 

through May 2011, with settlements 

ranging between $50,000 

and $7.3 million. At least five of 

these settlements included medical 

direction, administrative services, or 

call coverage components. 4 

Hospitals found guilty of noncompliance 

with FMV and documentation 

guidelines risk lawsuits, 

civil and monetary penalties, 

and even the loss of Medicare 

and Medicaid funding, as well as 

long and complicated settlement 

agreements. 

What and when to document 

In short, any negotiated agreements 

regarding physician 

compensation should always 

be documented, with proof of 

sources for FMV. The risk is just 

too high not to have documentation 

on file for all contracts. 

The laws require documentation 

for any type of payment to physicians 

(or other providers) who 

are in a position to refer patients, 

including payments for: 

n On-call coverage 



69

Documenting fair market value for physician contracting ...continued from page 69 


70 

n Medical direction 

n Hospital-based services, such as 

emergency, radiology, anesthesiology, 

or hospitalists 

n Leadership positions, such as 

chiefs of staff or other medical 

staff officers 

n Ad hoc or ongoing committee 

or administrative services work 

n Consulting for quality initiatives, 

peer review, and electronic 

health records 

n Over-read and test 

interpretations 

All of these physician payment 

arrangements are eligible for 

review in a Compliance audit, 

as would any other agreement to 

pay a physician or group who is 

in a position to refer patients to 

another provider. 

Fair market value is generally 

considered to be the price at 

which a service would change 

hands between a willing buyer and 

willing seller on the open market 

at arm’s length, when neither is 

under compulsion to complete the 

transaction. Because there is not 

an open market for most physician 

services, hospitals and valuators 

must find other ways to evaluate 

the FMV for arrangements. 

In addition to the FMV standards, 

payments must also be “commercially 

reasonable.” This term 

is a subjective test of a “standard 

of reasonableness” (i.e. what a 

reasonable entity would do in the 

specific circumstance, taking all 

factors into account, and judged 

by the standards of the applicable 

business community). For a health 

care entity, this means that the 

payment should reflect the business 

practice both for payment for 

the specific service, as well as for 

the amount of payment or time 

required to perform the service. 

Examples of agreements that do 

not pass the commercial reasonableness 

standard could include 

payment for excessive hours for a 

medical direction or administrative 

services agreement, payment 

for call coverage to a specialty 

with limited or no demand in 

the Emergency Department, or 

payment for multiple medical 

directors for the same or very 

similar services. 

Tools for documentation 

So, what can a provider do to 

ensure an agreement is within 

FMV and is commercially reasonable 

There are a few options for 

staying compliant. Some hospital 

administrators call colleagues at 

other health care organizations 

to ask about going rates. This 

method could help determine 

what other hospitals in a similar 

geography are paying, but it is 

unlikely to hold up to scrutiny, 

and at worst, could be construed 

as anti-competitive behavior. 

A more objective, systematic 

approach will provide more 

“cover” from government scrutiny. 


Once it is determined that 

compensation is necessary for a 

physician contract, hospitals must 

document that the rate agreed 

upon is FMV. In many cases, 

high-quality market data—that 

with a robust sample—is acceptable 

as documentation of FMV. 

These market data also provide 

information that can be helpful in 

negotiating contracts and managing 

physicians’ expectations. 

National benchmark data for all 

or some of these services is published 

by several sources, including 

MD Ranger, Inc., Sullivan 

Cotter, Inc., and the Medical 

Group Management Association 

(MGMA). Non-salary physician 

service cost data is a new area, 

with more limited information 

sources compared to the availability 

of physician salary and 

compensation data. 

Compensation benchmarking 

data is typically collected on an 

annual basis via survey to update 

information and benchmarks 

for on-call coverage, medical 

direction, hospital-based services, 

various contract non-payment 

terms, and certain diagnostic and 

testing services. Several of the 

surveys include hourly rates and 

hours required for various medical 

directorships. Hospitals using 

survey data and benchmarking 

databases for documentation are 

seeing a decrease in the need for 

FMV consultants, and sometimes

even a decrease in physician payments, 

as they bring the number 

of hours or hourly rates into line 

with industry benchmarks. Many 

valuation consultants recommend 

use of the 25th to 75th percentile 

range of published benchmarks to 

document FMV. 

For unusual or very expensive 

situations, it may still be necessary 

or advisable to obtain an independent 

FMV opinion. Examples of 

such circumstances might include 

the need to justify a higher-thanmarket 

rate for hiring a nationally 

renowned physician for a specialty 

center, or implementation of an 

EHR system that requires exceptional 

participation of a physician 

champion. 

Another instance could be when 

a physician is demanding higher 

than market rates for call coverage, 

because of limited supply in 

the community, but the hospital 

must provide coverage due to 

EMTALA. Hospitals needing 

a formal FMV opinion should 

engage a professional who: 

n takes into account local, regional, 

and national market data; 

n has the experience to evaluate 

the unique features of a particular 

service and organizational 

needs; and 

n has experience employing the 

cost method of valuation to 

estimate costs of providing the 

service. In this method, the 

valuation experts calculates 

what it will cost the physician 

to provide the service relative to 

his/her expected income from 

other sources. However, be 

aware that payments for nonclinical 

services are not meant 

to replace lost income. OIG 

specifically cautions against 

taking into account the value of 

“lost opportunity” when formulating 

on-call or other physician 

arrangements. 

Finally, an organization can seek a 

competitive bid for a service. This 

can be a costly and time-consuming 

process that could end with the 

lowest bid being much higher than 

anticipated. However, it may be necessary 

if payment demands exceed 

industry benchmarks or standards 

for commercial reasonableness. 

Summary 

The risk of failing to comply with 

FMV payments and documentation 

is increasing. However, new 

sources of published benchmark 

data and consistent use of standards 

and documentation can 

reduce the cost of compliance and 

the risk of overpayment. 

1. California Office of Statewide Health Planning 

and Development. Available at http:// 

mdranger.com/services-benefits.html 

2. California Healthline: Number of Emergency 

Departments Decreasing in U.S., 

Study Concludes. http://www.californiahealthline.org/articles/2011/5/18/numberof-emergency-departments-decreasing-inus-study-concludes.aspx 

(May 2011). 

3. MD Ranger analysis (proprietary information) 

4. Enforcement statistics available at http:// 

oig.hhs.gov/newsroom/news-releases/2011/ 

sar_release.asp 


Medicaid RACs: Tool of transparency or 

torment ...continued from page 46 

support claims as appropriate 

from coding, clinical, and legal 

perspectives; and determine the 

best approach for coordination 

of these efforts. In our experience 

with Medicare RACs, providers 

are usually fully capable of 

doing all of this with a reasonable 

amount of outside legal support, 

as opposed to outsourcing all or 

substantial parts of these tasks to 

lawyers or consultants. n 

1. Medicaid Program; Recovery Audit 

Contractors, 76 Fed. Reg. 57,808, 57,812 

(Sept. 16 2011) 

2. From the children’s classic The Story of 

Doctor Dolittle by Hugh Lofting, Peter 

Glassman, Fredrick McKissack. 

3. From the 1993 psychological thriller film 

The Good Son, directed by Joseph Ruben 

and written by Ian McEwan, starring Macaulay 

Culkin, Elijah Wood, and Wendy 

Crewson. 

4. Medicaid Program: Recovery Audit Contractors, 

supra note 1, at 57,814, 57,823. 


supra note 1, at 57,824. 


supra note 1, at 57,816. 

Contact Us! 


info@hcca-info.org 

Fax: 952/988-0146 

HCCA 



Phone: 888/580-8373 

To learn how to place an 

advertisment in Compliance 

Today, contact Margaret 

Dragon: e-mail: 

margaret.dragon@hcca-info.org 

phone: 781/593-4924 


71

Health Care Privacy 

Compliance Handbook 

This book will help privacy professionals sort through the complex 

regulatory framework and significant privacy issues facing health 

care organizations. Written by the faculty of HCCA’s Basic Privacy 

Compliance Academy, it offers up-to-date guidance on: 

• HIPAA 

• HITECH 

• FERPA 

• The Federal Privacy Act 

• Privacy and Research 

• Vendor Relations 

• Payor Privacy Issues 

• Auditing & Monitoring 

HealtH Care PrivaCy ComPlianCe Handbook 

Qty 

Cost 

________ HCCA Members: $149 ..........................$ __________ 

________ Non-Members: $169 ................................$ __________ 

________ Join HCCA: $200 .........................................$ __________ 

Non-members, add $200 to join HCCA, and pay member 

prices for your order (regulAr dues $295/yeAr) 

sales tax for mn (6.875%) or pa (8%) $ __________ 

Contact information (PleAse tyPe or PriNt) 

total $ __________ 

make check payable to HCCa and mail to: 

HCCA, 6500 Barrie Road, Suite 250 


or fax order to: 952-988-0146 

My organization is tax exempt 

Check enclosed 

Invoice me | Purchase Order # 

I authorize HCCA to charge my credit card (choose below): 

AmericanExpress Diners Club MasterCard Visa 

Credit Card Account Number 

HCCA Member ID 

First Name M.I. Last Name 

Title 

Organization 

Street Address 

Credit Card Expiration Date 

Cardholder’s Name 

Cardholder’s Signature 

Prices subject to change without notice. HCCA will charge your credit card the correct amount if the 

total above is incorrect. All purchases within the continental U.S. receive free FedEx Ground shipping. 

Additional charges apply for international orders: please contact HCCA for more information. HCCA is 

required to charge sales tax on purchases from Minnesota and Pennsylvania. Please calculate this in 

the cost of your order: PA = 8% and MN = 6.875%. (Federal tax id: 23-2882664) 

City State Zip 

Telephone 



Phone 888-580-8373 | Fax 952-988-0146 

www.hcca-info.org | helpteam@hcca-info.org 

Fax 

E-mail 


72 


New HCCA Members 

Alabama 

n Patricia A. Davis, HealthSouth 

n Wanda Hayes, HealthSouth 

n Melanie P. Medley, 

HealthSouth 

n Rosalyn M. Spencer, 

HealthSouth 

Arizona 

n Sally A. Aubrey, Abrazo 

Health Care 

n Mary A. Kimmel, ABC Medical 

Billing Consultants 

n Patrick Peters, MGRMC 

Arkansas 

n Wayne Winkle, Western 

Arkansas Counseling & 

Guidance Ctr 

California 

n Merritt Quisumbing Anderson, 

Kaiser Permanente 

n Cynthia Bonner 

n Cheryl A. Busch, Tenet 

Healthcare Corporation 

n Laura Byrne, On Lok Senior 

Health Services 

n Susan K. Byrne, Los Alamitos 

Medical Center 

n Rebecca Chavez, CalOptima 

n Wendi Hodgen, Gardner 

Family Health Network, Inc 

n Eileen M. Kunz, On Lok Sr 

Health Svcs 

n Eric Nelson, Secure Privacy 

Solutions 

n Hanifa H. Staine, Molina 

Healthcare 

n Erica Stanley, UCLA-Dept of 

Pediatrics 

n Gary Thompson, Nuvasive, Inc 

n Patricia Annabel Vaughn, 

CalOptima 

Colorado 

n Christine Lukowicz, Quest 

Diagnostics 

n Barbara Mettler, Spanish Peaks 

Mental Health Ctr 

n Lori Silva, Mt. San Rafael 

Hospital 

Delaware 

n Patty Resnik, Christiana Care 


District of Columbia 

n Nina Kudszus, Booz Allen 

Hamilton 

n Aaron M. Testa, Dept of 

VA Compliance & Business 

Integrity 

Florida 

n Renee Bentley, Huron 

Consulting Group 

n Jayshree Chulani, West Boca 


n Barbara J. Grimaldi, Indian 

River Med Center 

n Elizabeth Hernandez, Apollo 

Information Services 

n Sheila Keene-Lund, Villa 

Medical Group 

n Alexandra Plasencia, MCCI 

Medical Holdings, LLC 

n William Thomas, Protiviti, Inc 

n Cynthia Vorhees, Dell 

Georgia 

n Pamela J. Alexander, Atlanta 

Cancer Care PC 

n Sonia O. Delbridge, Emory 

University 

n Michell Thurmond, AWAC 

LLC 

Illinois 

n Lesley Arca 

n Amrita D. Goel, Accretive 

Health Inc 

n Katie Randall, Resurrection 

Health Care 

n Susan M. Strickland, Central 

DuPage Hospital 

n Denise Sunderland, OSF Saint 

Francis Inc 

n David Verona 

n Denise Williams, Illinois Dept 

of Health Human Services 


Indiana 

n LaMont Freeze, Memorial 

Health System, Inc 

n Sheila Witous, Radiology, PC 

Iowa 

n Nancy June Sharp, Harden 

Healthcare at Iowa Hospice 

Kentucky 

n Brandy Blackburn, White 

House Clinics 

Louisiana 

n Michael Lightfoot, Ochsner 

Corporate Integrity 

n Ann J. Mobley, North Oaks 


n Pam S. Robinson, North Oaks 


Maryland 

n Kylie McCleaf, Family Services, Inc 

n Paula Polek, Johns Hopkins 

HealthCare LLC 

Massachusetts 

n Douglas G. Bush, Fresenius 

Medical Care North America 

n Candace Darcy, Behavioral 

Health Network 

n Thomas A. Dumas, NHIC 

- Medicare 

n Joseph Passeneau, MBHP 

n Roxanne Van De Water, 

Advocates, Inc. 

Michigan 

n Margaret Chappell, Touchstone 

Innovare 

n Dirk Love, Shiawassee County 

CMH 

n Donna O’Connor, Vanguard 

Health Systems 

n Margaret Predhomme 

n William D. Smith, Hurley 


Minnesota 

n Casey Berndt, Blue Cross Blue 

Shield of Minnesota 


73

New Members ...continued from page 73 


74 

n Nicholas Cichowicz, Target 

n Peter J. Eng, Prime 

Therapeutics 

n Chandelle Heyer, Blue Cross 

Blue Shield of Minnesota 

n Carrie Jenkins, Blue Cross Blue 


n Matthew Landis, Hill-Rom 

Company, Inc 

n Deborah Nitti, Blue Cross Blue 


n Pamela Ann Shotts 

Mississippi 

n Karen Deavenport, CSCS of 

Mississippi 

Missouri 

n Tomi Hagan, Wright Memorial 

Hospital 

n Stephen Johans, Western 

Anesthesiology Associates, Inc 

n Rocky L. McLain, Northwest 


n Suzanne R. Shepherd, Mobile 

Medial Services, Inc 

n Amy Stehli, Surgery Center of 

St. Joseph, LLC 

Nebraska 

n Laurie Dubas, Deloitte 

New Jersey 

n Jennifer Krusa 

n Linda Penston, Cooper 

University Hospital 

n Margaret Sparks, Sanofi US 

New Mexico 

n Debra Gonzales 

n Rebecca Wahler, LCF Research 

New York 

n Ralph Hanselman, Oswego 

Health 

n Chad Harris, New York 

Downtown Hospital 

n Paloma Hernandez, Urban 

Health Plan 

n Kristen Johnson, Huron 

Consulting Group 

n Kirsten Pope, CVPH Medical 

Center 

n Rosemarie Povinelli, Mercy 

Medical Ctr 

n Marie Saintelmy 

n Marguerite Spence, North 

Shore Health System 

n Natalya Tchedrik, Parent Care 

Home Care, LLC 

n Beverly A. Welshans, UB 

Associates Inc 

n Barbara Wright, Inter-Lakes 

Health, Inc 

North Carolina 

n Rachel Mitchell, Applied 

Medical Systems 

North Dakota 

n Jeanne L. Folmer, Medcenter 

One 

n Tiffany Kramer-Richard, St 

Alexius Heart & Lung Clinic 

Ohio 

n Hayley Johnson, Holzer Clinic 

n Grace M. Lockett, The 

Princeton Group, Inc 

Oklahoma 

n Kari Johnston, Oklahoma 

Foundation for Medical Quality 

Oregon 

n Kara Bastien, Agate Healthcare 

n Lisa Fischer, Hospice and 

Palliative Care of Washington 

County 

n Heather Seward, ID Experts 

Pennsylvania 

n Noelle Conners, St. 

Christopher’s Hospital for 

Children 

n Tracie Giles, Inglis Foundation 

n Kelly Hoover Thompson, The 

Hospital and Healthsystem 

Association of Pennsylvania 

n Shari A. Kelly, Excela Health 

n Kenneth Turner, Olympus 

Corp of the Americas 


n Matthew T. Uebele, Bravo 

Health 

Puerto Rico 

n Limarie Gomez, RSM ROC & 

Company 

South Carolina 

n Robert Hamill, Hampton 

Regional Medical Center 

n Nancy Sprouse, Spartanburg 

Regional Medical Center 

n Rebecca Stroman, Hilton Head 


Tennessee 

n John Arredondo, Tennessee 

Department of Mental Health 

n Moni Cook, Church Street 

Health Mgmt 

n Jennifer S. Graham, Church 

Street Health Mgmt 

n Zack S. Griffith, Tennessee 

Dept of Mental Health 

n Pamela W. Guthrie, Wright 

Medical Technology 

n Dawn Praytor, Center 

for Sports Medicine and 

Orthopaedics 

n Kayla Wiley, Emdeon 

n Jamilah Wood, St Jude 

Children’s Research Hosp 

Texas 

n Cynthia D. Chambers, 

Parkland Health & Hospital 

System 

n Robbie L. Evans, Harden 


n Jayne Fleck Pool 

n Susan Jacobson, MD Anderson 

Cancer Center 

n Andy G. Navarro, Trinity 

Mother Frances Health System 

n Amy Osborn, Children’s 

Medical Ctr of Dallas 

n Keely Scamperle, Wright 

Medical Technology 

n Cindy Simmonds, Conifer 

Health Solutions

What could you do with 

The Power of Certainty 

Imagine being so consistent and accurate 

in outpatient charging, you’d always know 

where you were going to land. Your CEO 

could launch cost-saving finance initiatives, 

without putting your hospital in the 

compliance hot seat. You could better 

preserve revenue, without compromising 

revenue integrity. And you could do it all, 

without takeback audit programs throwing 

you off balance. This is the advantage of 

going with a proven revenue management 

solution. This is The Power of Certainty TM . 

Proven solutions for consistent, 

accurate outpatient charging. 

www.lynxmed.com 

© 2011 LYNX Medical Systems, now part of OptumInsight. All rights reserved “LYNX”, LYNX Medical Systems, E/Point, I/Point, C/Point and the Power of Certainty may be trademarks or registered trademarks of LYNX Medical Systems in the United States. 

Highest Shallow Dive by Professor Splash, image courtesy of Guinness World Records Limited. 



75

Health Care Compliance Association’s 16 th Annual 

Compliance Institute 

April 29–May 2, 2012 • Las Vegas, NV • Caesars Palace 

Full Program now available 

HCCA 4C ad 

Visit www.compliance-institute.org 

to view the brochure and register 

EARLY BIRD 

REGISTRATION 

Register by or on 

January 6, 2012, 

and save $575! 

Join us in Las Vegas for 

the single most comprehensive 

compliance conference designed 

specifi cally to meet the needs of 

today’s healthcare compliance 

professionals and their staff. 

Register now at 

www.compliance-institute.org 


76

Quality of the estimate. December, p. 47 - Health Care Compliance ...

Create successful ePaper yourself

Delete template?

Save as template?